SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
ICS613: ICS/OT Penetration Testing & Assessments
ICS613Industrial Control Systems Security
- 5 Days (Instructor-Led)
- 30 Hours (Self-Paced)
Course created by:
Jason Dely, Tyler Webb & Don C. Weber
Course created by:Jason Dely, Tyler Webb & Don C. Weber
- 30 CPEs
Apply your credits to renew your certifications
- In-Person
Attend a live, instructor-led class at a location near you
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 27 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Security professionals gain critical skills to conduct safe, effective penetration tests and assessments in ICS/OT environments without compromising operational integrity.
Featured Quote
The content from the labs in this section of the book, for me, had the biggest takeaways and were great sources of practical and actionable information for real in-world ICS testing.
Course Overview
Industrial Control Systems (ICS) and Operational Technology (OT) are increasingly targeted by adversaries, yet traditional penetration testing approaches often focus on the wrong outcomes and can cause unintended disruptions with severe consequences – including production outages, injury to personnel, loss of life, and environmental hazards.
ICS613: ICS/OT Penetration Testing & Assessments trains engineering, operations, and security professionals with the mindset, methodologies, and techniques to safely and appropriately conduct ICS penetration tests and security assessments, identify practical mitigations, and effectively communicate results to stakeholders and leadership to improve the operational resilience of ICS environments. As a specialized ICS pentesting course, ICS613 equips students to approach assessments with precision and safety in mind.
What You'll Learn
- Plan and execute safe, effective, and valuable penetration tests and security assessments, using both passive and active techniques to assess ICS operational resilience
- Tailor ICS penetration tests and security assessments to organizational and operational security objectives
- Identify realistic ICS attack scenarios targeting Crown Jewel Assets (CJA)
- Communicate with stakeholders to define expectations, goals, and outcomes for ICS security assessments, and deliver accurate, actionable reports that support these outcomes
- Understand the benefits of a top-down/bottom-up approach to active testing, and align penetration test methodologies to the ICS Cyber Kill chain
- Evaluate tools and techniques for effectiveness and safety before applying them to ICS devices and networks
- Identify relevant targets and select applicable adversary TTPs for developing effective attack scenarios in ICS penetration tests and security assessments, regardless of industry sector
Business Takeaways
- Reduce risk of unplanned outages during security testing
- Enhance protection of operational crown jewel assets
- Improve communication between IT security and OT teams
- Demonstrate compliance with sector-specific regulations
- Gain practical risk mitigation strategies for industrial systems
- Increase operational resilience against cyber threats
- Implement cost-effective security recommendations
Meet Your Authors
- Slide 1 of 3
Jason Dely
Certified InstructorJason Dely brings over 20 years of experience and a diverse industrial control system background to SANS and the industrial control system (ICS) community.
Read more about Jason Dely - Slide 2 of 3
Tyler Webb
Associate InstructorTyler Webb contributes specialized expertise in ICS penetration testing methodologies, focusing on practical techniques that protect operational integrity while identifying critical vulnerabilities.
Read more about Tyler Webb - Slide 3 of 3
Don C. Weber
Certified InstructorDon C. Weber brings 20+ years of ICS security experience to SANS. As Principal Consultant at Cutaway Security, he specializes in penetration assessment, architecture review, and security assessment across financial, energy, and manufacturing sectors.
Read more about Don C. Weber
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in ICS613: ICS Penetration Testing and Assessments.
Section 1ICS Assessment Types and Concepts
This section introduces passive and active security assessments for ICS environments, covering how to define goals, choose approaches aligned with industry standards, apply frameworks and threat intelligence, understand terminology, and analyze impacts of assessments on physical equipment operations.
Topics covered
- Define assessment goals and outcomes
- Choose appropriate approaches
- Apply frameworks and intelligence
- Understand testing terminology
- Analyze physical impacts
Labs
- Build and program student kit
- Leverage frameworks and threat intel
- Exploit operator workstation services
- Develop custom scripts
- Validate tools and techniques
Section 2ICS Assessment Engagements
This section prepares students to plan, execute, and deliver effective ICS security assessments. Students learn methodical preparation through documentation analysis, protocol identification, communication manipulation, and security posture assessment, while emphasizing stakeholder collaboration.
Topics covered
- Outline phased assessment methodology
- Collaborate with stakeholders
- Understand documentation importance
- Align with critical controls
- Master network analysis techniques
Labs
- Collect and analyze documentation
- Analyze industrial communications
- Identify unknown protocols
- Automate security assessment
- Adversary-in-the-middle attacks
Section 3Top-Down Active Methodology
This section introduces a top-down penetration methodology aligned with the ICS Cyber Kill Chain. Students learn to execute engagement objectives in simulated production environments using "living off the land" techniques while focusing on privilege escalation and OT boundary pivoting.
Topics covered
- Align with ICS Cyber Kill Chain
- Understand Crown Jewel Analysis
- Follow assumed breach scenarios
- Master process enumeration
- Identify effective targets
Labs
- Exploit certificate services
- Abuse credential reuse
- Transfer tools using native binaries
- Hijack operator sessions
- Bypass endpoint hardening controls
Section 4Bottom-Up Passive Methodology
This section covers a bottom-up approach to ICS attack identification aligned with the ICS Cyber Kill Chain.Students learn to develop realistic attack scenarios with expected physical consequences, and demonstrate attacks in controlled environments, while emphasizing stakeholder collaboration.
Topics covered
- Identify realistic attack scenarios
- Focus on attack delivery and execution
- Identify relevant targets and TTPs
- Structure actionable test reports
- Balance mitigation options
Labs
- Enumerate DCS architectures
- Deploy shadow HMI
- Develop realistic attack scenarios
- Demonstrate safety system attacks
- Create actionable test reports
Section 5Active Assessment and Capture-the-Flag Exercise
This culminating section allows students to apply all skills learned throughout the course in a comprehensive hands-on exercise against the ICS613 kit and in-class physical range, identifying vulnerabilities and recommending improvements to enhance ICS defenses.
Topics covered
- Conduct unstructured assessments
- Understand operational impacts
- Evaluate security recommendations
- Prioritize defense improvements
- Apply real-world scenarios
Labs
- Apply all previously learned skills
- Assess operational weaknesses
- Identify vulnerabilities
- Prioritize recommendations
- Enhance ICS defenses
Things You Need To Know
Relevant Job Roles
Process Control Engineering
Industrial Control SystemsTests, programs, troubleshoots, and oversees changes of existing processes or implements new engineering processes through the deployment and operations of engineering systems and automation devices.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Don C. WeberDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxesEnrollment options
Showing 1 of 1
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4Great course and a lot of great content discussion with tons of applicable, real-life thoughts, processes, examples, and in-depth descriptions.
- Slide 2 of 4This course is immensely educational.
- Slide 3 of 4The content from the labs in this section of the book, for me, had the biggest takeaways and were great sources of practical and actionable information for real in-world ICS testing.
- Slide 4 of 4The sections referring to real-world events really solidified the fact that you need to be careful when dealing with anything OT-related.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources