3. Preface
This document aims to present the "ICS Cybersecurity Training".
Intellectual property
All product names mentioned in this document are trademarks of their respective manufacturers.
This document and the information contained in it are confidential and proprietary to TI Safe. All property rights
(including, without limitation, trademarks, commercial secrets, etc.) evidenced by or included in attachments or
related documents belong solely to TI Safe. TI Safe provides restricted use of this material to explicitly authorized
employees, customers and business partners under the integrity and confidentiality maintenance agreement.
Unauthorized use, distribution, or reproduction will be considered a violation of property rights, and civil or criminal
measures will be applied under applicable law.
Warning
This document is intended to be complete and clear. TI Safe shall not be liable for any damages, financial or
business losses resulting from omissions or imperfections contained herein. This document is subject to change
without advance notice. It is recommended to contact TI Safe for updates and / or additional information.
Contact
TI Safe provides different channels of communication with its customers, suppliers and associates:
Rio de Janeiro, Brazil
Estrada do Pau Ferro 480, Bloco 1, Loja R, Pechincha
ZIP Code – 22743-051 – Rio de Janeiro, RJ – Brasil
Telephone: +55 (21) 3576-4861
São Paulo, Brazil
Rua Dr. Guilherme Bannitz, nº 126 - 2º andar
Cj 21, CV 9035 - Itaim Bibi – ZIP Code - 04532-060 - São Paulo, SP - Brasil
Telephone: +55 (11) 3040-8656
Salvador, Brazil
Av. Tancredo Neves nº 450 – 16º andar – Edifício Suarez Trade
ZIP Code – 41820-901 – Salvador, BA – Brasil
Telephone: +55 (71) 3340-0633
Lisbon, Portugal
Av. da Liberdade 110, 1269-046 Lisbon, Portugal
Telephone: +351 21 340 4500
E-mail: contato@tisafe.com
Website: www.tisafe.com
Skype (voice only): ti-safe
Twitter: @tisafe
4. Certificate of documentation changes
Version  Date         Author                            Description
1.00     03.05.2009   Marcelo Branquinho                Generation of the first document
1.01     09.10.2009   Marcelo Branquinho                Review and update of inserted topics
1.02     10.13.2009   Marcelo Branquinho                Content review for 20 hours
1.03     04.13.2010   Marcelo Branquinho                OPC Security Inclusion
1.04     07.19.2011   Marcelo Branquinho                Inclusion of new chapters based on information security and practical demonstrations of attacks on networks and systems
1.05     07.26.2011   Marcelo Branquinho                Conceptual review of the summary
1.06     07.28.2011   Marcelo Branquinho                Conceptual review of the summary
1.07     07.30.2011   Marcelo Branquinho                Conceptual review of the summary
1.08     08.03.2011   Marcelo Branquinho                Conceptual review of the summary
1.09     08.06.2011   Marcelo Branquinho                Conceptual review of the summary
1.10     08.10.2011   Marcelo Branquinho                Conceptual review of the summary
1.11     08.12.2011   Marcelo Branquinho                Conceptual review of the summary
1.12     08.16.2011   Marcelo Branquinho                Conceptual review of the summary. Insertion of case study for CSMS Framework.
1.13     09.06.2011   Marcelo Branquinho                Conceptual review of the summary
1.14     04.04.2012   Marcelo Branquinho and Jan Seidl  Review of several chapters with content addition and technological update of the training.
1.15     06.027.2012  Marcelo Branquinho                Added theoretical reference in the summary.
1.16     10.10.2012   Marcelo Branquinho                Added content in the handbook and revised the sequence of chapters. Chapter 12 created.
1.17     05.09.2013   Marcelo Branquinho                Inserted content about one-way security gateways.
1.18     05.21.2013   Marcelo Branquinho                Updated content standards with NERC-CIP.
1.19     06.11.2013   Marcelo Branquinho                Inserted content about continuous monitoring.
1.20     08.12.2013   Marcelo Branquinho                Included ANSI / ISA-100.11a standard and revised security content in industrial wireless networks.
1.21     09.19.2013   Marcelo Branquinho                Change in chapter order and lesson plan.
2.01     11.28.2017   Marcelo Branquinho                Conceptual review of the summary according to ICS.SecurityFramework.
2.02     12.08.2017   Marcelo Branquinho                New document layout.
2.03     12.11.2017   Marcelo Pessoa                    Review of the handbook indexing.
2.04     08.02.2018   Marcelo Branquinho                English version revision
2.05     08.13.2018   Marcelo Branquinho                Update with new contents.
2.06     02.09.2019   Marcelo Branquinho                Update with new contents.
2.07     04.22.2019   Marcelo Branquinho                Update with new Cyber Security for Industry 4.0 (IIoT) chapter.
5. Summary Data
Training name
ICS Cybersecurity Training
Reasons for the creation of "ICS Cybersecurity Training".
• There was no other similar training in Latin America
• Professional experience in developing and deploying ICS cybersecurity solutions had already revealed
vulnerabilities in critical infrastructures, and training would disseminate this culture.
Offer justification
The course fills a market segment with great demand from industries whose infrastructures are critical to
nations.
This is the first Latin American training, with Portuguese and English versions, to teach the application of the
good practices of the ANSI/ISA 99 and ISA-IEC 62443 standards for the cyber security of industrial systems and
networks. It fulfills all ISA requirements (details at http://www.isa.org/) for ICS cybersecurity.
Goals
Educate professionals to identify risks in industrial networks and to recommend the main
countermeasures for them, according to the main international security standards and the ICS.SecurityFramework
methodology developed by TI Safe.
Train professionals to design and deploy the CSMS (Cyber Security Management System) in critical
infrastructure automation networks.
Student Profile
IT or OT professionals with knowledge of operating systems, network protocols, programming languages,
hardware and software. Knowledge of information security and Industrial Control Systems (ICS) is desirable. English
language proficiency is recommended for watching videos and reading training support material.
Field of activity
ICS Cybersecurity.
Workload and course duration
The course is available in a 20-hour format, divided into 5 periods of 4 classroom hours each.
6. Theoretical reference
The course handbook and the materials presented in the training were prepared using technical content from
several research sources that are part of the recommended bibliography:
• “Segurança de Automação Industrial e SCADA”, written by TI Safe Team – Elsevier publisher.
• “Securing SCADA Systems”, written by Ronald L. Krutz – Wiley publisher.
• “Techno Security's Guide to Securing SCADA”, written by Jack Wiles, Ted Claypoole, Phil Drake, Paul
A. Henry, Lester J. Johnson Jr, Sean Lowther, Greg Miles and James H. Windle – Syngress publisher.
• “Protecting Industrial Control Systems from Electronic Threats”, written by Joseph Weiss – Momentum
Press publisher.
• “The Stuxnet Computer Worm and ICS Security”, written by Jackson C. Rebane – Nova Publisher.
• “Inside Cyber Warfare”, written by Jeffrey Carr – O'Reilly publisher.
• “Cyber War: The Next Threat to National Security and What to Do About It”, written by Richard A.
Clarke and Robert Knake – Ecco publisher.
• “Cyberpower and National Security (National Defense University)”, written by Franklin D. Kramer, Stuart
H. Starr and Larry Wentz – NDU Press publisher.
• “A Arte de Enganar”, written by William L. Simon and Kevin Mitnick – Makron Books publisher.
This comprehensive bibliography includes the same technical benchmarks used in the official ICS cybersecurity
training programs of the major North American cyber defense institutes and is based on the recommended content
for training and awareness plans of the ISA/IEC 62443 standard.
Text Books
The training handbooks were prepared in Portuguese and English and are distributed in digital format (PDF file). They
are constantly updated and improved. In addition to the bibliographical references mentioned above, we have the
important support of the leading companies in the ICS Cybersecurity arena to ensure that we have insight
into the latest industrial systems defense technologies in use today.
Picture: Module 1 cover sheet
One week before the start date of each training, TI Safe will send the data so that enrolled students can download
the handbook and supporting material from the Internet. It is up to each student to print the handbook or bring a
laptop or tablet to class with the handbook in digital format. TI Safe respects the environment and natural
resources and strictly follows the principles of its environmental policy, so it does not print or recommend the
printing of digital files.
7. Practical Classes and Technical Demonstrations
Practical classes and technical demonstrations of attacks and defenses against simulated automation networks
will be held during the training.
For the demonstration of attacks against industrial networks we use the industrial plant automation network
simulators shown in the figure below:
Figure: Industrial Network Simulators used in the ICS Cybersecurity Training
Training Agenda
8. Goals and Contents
Module Goals Contents
Module 1 - Introduction
Goals:
Presentation of training objectives, rules, instructors and students.
Contents:
• Brief presentation of instructors and students.
• Presentation of the training agenda and objectives, bibliography and supporting material.
• About TI Safe.
Module 2 - Risks
Goals:
Overview of a SCADA system, its elements, protocols and typical architecture.
Definition of critical infrastructures, their importance and presentation of recent cyberterrorism cases.
Presentation of the types of attackers, the market that feeds the cyber attacks and the main challenges for implementation of cyber security in critical infrastructures.
Presentation of techniques for the elaboration of risk analysis in industrial networks according to the ISA/IEC-62443 standard and TI Safe's ICS.SecurityFramework methodology.
Contents:
• Overview of an ICS
• Industrial control systems architecture. The Purdue model (ISA-95)
• Industrial networks
• SCADA systems
• Industry 4.0
• What are Critical Infrastructures?
• Cyber warfare – the 5th dimension of war
• Characteristics of the new attackers
• The cybercrime market
• The Dark Web
• Vulnerabilities in industrial control systems
• History of cyber attacks on industrial networks
• Malware, the hacker's main weapon
• Cyber security challenges for industrial control systems
• Basic concepts
• Risk scenarios
• Classification of critical infrastructure networks
• Classification method
• Risk analysis
• Controls evaluated in static analysis
• Physical security analysis
• Dynamic analysis
• Example of Risk Analysis Report (ACME company)
Module 3 - Planning
Goals:
Presentation of methods for the development of an Industrial Cyber Security Plan.
Contents:
• Considerations for a cybersecurity strategy
• Planning for deployment of cybersecurity countermeasures in an industrial network
• ICS Cybersecurity Plan example (ACME Company)
Module 4 - Controls
Goals:
Governance and Monitoring:
Presentation of the main international standards that guide the implementation of cybersecurity policies in industrial networks. Basic concepts for the development of a business continuity plan (BCP).
Edge Security:
Presentation of firewalls, VPNs, unidirectional security gateways and strategies for security in industrial WiFi networks.
Industrial Network Protection:
Details of the defense in depth strategy recommended by ANSI/ISA-99 / ISA 62443 and presentation of the zones and conduits model.
Presentation of cyber security solutions used for industrial network protection.
Malware Control:
Presentation of the weaknesses of solutions traditionally used for malware protection in automation networks.
Malware control in OT networks and presentation of modern solutions to prevent malware attacks.
Data Security:
Presentation of threats to access to computer networks and the weaknesses of remote access to industrial networks.
Presentation of a solution for a second factor of authentication in systems and industrial applications.
Cybersecurity for Industry 4.0 (IIoT):
Presentation of the challenges of implementing cyber security for Industry 4.0, based on IIoT (Industrial Internet of Things).
Education and Awareness:
Presentation of concepts to build an education and awareness plan aiming at establishing the culture of cyber security for automation networks.
Contents:
• Reference standards
• The ANSI/ISA 99 | ISA/IEC 62443 standard
• The NIST 800-82 Guide
• The NERC-CIP standard
• Industrial Internet Consortium
• Automation security policies
• Business Continuity Plan (BCP)
• Firewall architectures and DMZ deployment
• Next generation firewalls
• VPNs and unidirectional security gateways
• Industrial WiFi security
• Why do security solutions fail?
• Direct attacks on the control network
• Zones and Conduits Model
• Network segmentation with NGFW and services
• VLANs
• Industrial firewalls
• Zero Trust Architecture
• Inventory and asset visibility with Machine Learning
• The use of antivirus and patches in OT networks
• Blacklisting vs. whitelisting
• Example of solution for protection against malware infections in automation networks
• Threats to access control
• Access Control: Concepts and Methodologies
• Main authentication mechanisms
• Remote access to industrial networks and SCADA
• Example of solution for second authentication factor in remote access to industrial networks
• What are IoT and IIoT?
• IIoT in Manufacturing
• IoE - IIoT in energy networks
• Cloud security
• Security framework for IIoT
• Education and awareness plan
• Training and certifications available on the market
• Awareness-raising methods
• Main international events
Module 5 - Monitoring
Goals:
Presentation of methods for the implementation of continuous monitoring in automation plants, including SIEM technologies and managed security services (ICS-SOC).
Presentation of new technologies for ICS Cybersecurity.
Contents:
• Continuous monitoring and trends
• What to monitor in an automation network?
• Basics and benefits of using a SIEM tool
• Internal Monitoring Center
• Challenges for implementing a SOC
• TI Safe ICS-SOC
• Trends in industrial cyber security
Module 6 - Practices
Goals:
Ensure that the student has contact with the main hacking techniques and also the ICS Cybersecurity countermeasures presented during the training.
Contents:
• Initial setup of simulators and attacker machine on Kali Linux
• Web Target Scanning with Shodan
• Port scanning and services (Port Scan)
• Scan PLC variables using Wireshark
• Internal DoS Attack against PLC
• DoS Attack against IIoT
• Attack through manipulation of the values of PLC control variables
• Development of a cyberweapon for remote control
• Attack on the PLC via cyberweapon in PDF
• Demonstrations and practices of cyber security countermeasures
• Demonstration of malware control solution for USB scanning
• Demonstration of industrial endpoint malware protection
• NGFW Log Inspection Demo
• Demonstration of Industrial Network Protection solution with Machine Learning
• Demonstration of Industrial Intelligence using SIEM Tool