SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
ICS410: ICS/SCADA Security Essentials
ICS410Industrial Control Systems Security
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Justin Searle
Course created by:Justin Searle
- GIAC Global Industrial Cyber Security Professional (GICSP)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Essential Skill Level
Course material is for individuals with an understanding of IT or cyber security concepts
- 15 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Reinforce critical cybersecurity skills to secure industrial control systems and operational technology against emerging threats while maintaining operational resilience in industrial environments.
Featured Quote
The real-world, practical examples, paired with an instructor who clearly knew the subject matter inside and out, made this course invaluable.
Course Overview
Operational Technology (OT) environments face a growing wave of sophisticated cyber threats, yet many organizations rely on IT-centric security measures ill-suited to the distinct challenges of Industrial Control Systems (ICS) and SCADA systems. The absence of specialized knowledge and practical expertise in ICS/OT cybersecurity leaves critical infrastructure exposed, increasing the risk of operational disruptions, financial losses, and safety incidents.
This course builds on foundational ICS cybersecurity principles to provide industrial cybersecurity professionals with the advanced skills necessary to secure OT environments effectively. By focusing on the unique demands of industrial systems, the SCADA security training course equips both IT and OT cybersecurity professionals to address emerging threats, ensuring the safety, security, and resilience of critical infrastructure with minimal operational impact. This course is also a key preparation path for individuals pursuing the GICSP certification (Global Industrial Cyber Security Professional), a leading ICS cyber security certification that validates real-world, cross-disciplinary expertise in securing industrial systems.
What You'll Learn
- Understand ICS components and protocols
- Design secure ICS network architectures
- Analyze activity with command-line tools
- Detect and respond to ICS threats
- Handle ICS-specific incidents effectively
- Map ICS to cybersecurity frameworks
- Improve ICS security through governance
Business Takeaways
- Protect industrial and critical infrastructure systems against emerging threats
- Bridge gaps between IT security and operational technology
- Reduce risk of operational disruption from cyberattacks
- Comply with industry regulations and best practices
- Secure industrial networks without compromising function
- Implement effective incident response for OT environments
- Develop comprehensive industrial security programs
Meet Your Author
Justin Searle
Senior InstructorJustin Searle has redefined industrial cybersecurity by leading the development of NIST IR 7628, a cornerstone in smart grid security, and creating open-source tools like ControlThings that have become essential for ICS/IIoT assessments.
Read more about Justin SearleCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in ICS410: ICS/SCADA Security Essentials.
Section 1ICS Overview
Develop a common understanding of ICS cybersecurity with emphasis on cyber-to-physical operations. Students receive programmable logic controller (PLC) devices to keep, allowing practical exploration of the cyber-physical interface. This section covers essential terminology, architectures, methodologies, and devices used across different industrial sectors.
Topics covered
- Global Industrial Cybersecurity Professional (GICSP) Overview
- ICS processes, roles, and industries
- Controllers and field devices
- HMIs, historians, and SCADA systems
- IT and ICS differences
Labs
- Learning from industry peers
- Programming a PLC
- Programming an HMI
- Analyzing physical and cyber security
Section 2Architectures and Processes
Learn defensive approaches by understanding adversarial tactics against ICS environments. Examine attack vectors specific to industrial systems, particularly at Purdue Levels 0 and 1. Investigate technologies and communications that distinguish control systems from IT networks, with hands-on experience capturing fieldbus traffic from PLCs.
Topics covered
- ICS attack surface analysis
- Secure network architectures
- Purdue Level 0/1 technologies
- Fieldbus protocol families
- Safety Instrumented Systems (SIS)
Labs
- Identifying external attack surfaces
- Architecting secure ICS sites
- Finding passwords in EEPROM dumps
- Exploring fieldbus protocols
- Implementing defensive controls
Section 3Communications and Protocols
Analyze network communication protocols and examine network captures of control protocols traversing Ethernet and TCP/IP networks. Learn segmentation methods and traffic flow control for industrial networks. Explore cryptographic concepts for protecting communications and sensitive data, plus wireless technologies used in control systems.
Topics covered
- Ethernet and TCP/IP concepts
- ICS protocols and wireshark analysis
- Enforcement zone devices
- Basic cryptography for ICS
- Wireless technologies and defenses
Labs
- Network capture analysis
- Enumerating Modbus TCP
- Setting up NextGen firewalls
- Manual cryptography
- Wireless security assessment
Section 4Supervisory Systems
Explore essential server and workstation operating systems for ICS environments. Perform network forensics to track attackers from phishing to HMI breach. Examine technologies at Purdue Levels 2 and 3, including HMI and historian systems. Learn to create baselines and secure Windows-based workstations and servers in industrial environments.
Topics covered
- Supervisory server attacks
- HMI and UI vulnerabilities
- Windows defense strategies
- Patching decision frameworks
- Security policy implementation
Labs
- Bypassing auth with SQL injection
- Password fuzzing techniques
- Baselining with PowerShell
- Host firewall configuration
- Windows event log analysis
Section 5ICS Security Governance
Explore system hardening for Linux-based industrial systems, examining log management and audit approaches. Learn about common applications used across multiple industrial sectors. Study governance models and industry-specific regulations for critical infrastructure protection, focusing on risk assessment, disaster recovery, and contingency planning.
Topics covered
- Unix and Linux defense strategies
- Endpoint protection and SIEMS
- ICS security program frameworks
- Security policy development
- Risk measurement approaches
Labs
- Hardening Linux for ICS
- Analyzing Windows event logs
- ICS security policy review
- Tabletop incident response
- Industry-specific compliance testing
Section 6Capstone CTF
Apply knowledge gained throughout the course in a capture-the-flag exercise based on incident response. Identify indicators of compromise, determine appropriate containment actions, and adapt to changing adversary tactics as they progress through an ICS/OT network. Leave with industry-specific resources and be well prepared to pursue the GICSP.
Things You Need To Know
Relevant Job Roles
Systems Security Analyst (DCWF 461)
DoD 8140: Software EngineeringEnsures systems and software security from development to maintenance by analyzing and improving security across all lifecycle phases.
Explore learning pathTechnical Support Specialist (DCWF 411)
DoD 8140: Cyber ITDelivers technical support to users, helping them resolve issues with client hardware/software according to organizational service processes.
Explore learning pathVulnerability Assessment Analyst (DCWF 541)
DoD 8140: CybersecurityAssesses systems and networks to ensure compliance with policies and identify vulnerabilities in support of secure and resilient operations.
Explore learning pathProcess Control Engineering
Industrial Control SystemsTests, programs, troubleshoots, and oversees changes of existing processes or implements new engineering processes through the deployment and operations of engineering systems and automation devices.
Explore learning pathICS Security Architect
Industrial Control SystemsEnsures control system network security compliance and best practises for control networks.
Explore learning pathInformation Systems Security Developer (DCWF 631)
DoD 8140: CybersecurityDesigns and evaluates information system security throughout the software lifecycle to ensure confidentiality, integrity, and availability.
Explore learning pathCyber Defense Infrastructure Support Specialist (DCWF 521)
DoD 8140: CybersecurityDeploys, configures, maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Explore learning pathNetwork Operations Specialist (DCWF 441)
DoD 8140: Cyber ITImplements and maintains network services, including hardware and virtual systems, ensuring operational support for infrastructure platforms.
Explore learning pathInformation Systems Security Manager (DCWF 722)
DoD 8140: CybersecurityOversees program, system, or enclave cybersecurity, ensuring protection from cyber threats and compliance with organizational standards.
Explore learning pathCOMSEC Manager (DCWF 723)
DoD 8140: CybersecurityManages organization’s COMSEC resources to ensure secure handling of communications materials as required by national and agency policies.
Explore learning pathControl Systems Security Specialist (DCWF 462)
DoD 8140: CybersecurityOversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.
Explore learning pathData Architect (DCWF 653)
DoD 8140: Data/AIDesigns system data models and flow architectures to meet mission or business data requirements using scalable and efficient solutions.
Explore learning pathSecurity Architect (DCWF 652)
DoD 8140: CybersecurityDesigns secure enterprise systems considering environmental constraints and translates them into enforceable security processes and protocols.
Explore learning pathSecurity Control Assessor (DCWF 612)
DoD 8140: CybersecurityConducts independent assessments of IT system security controls to evaluate their overall effectiveness in protecting mission-critical systems.
Explore learning pathEnterprise Architect (DCWF 651)
DoD 8140: Cyber ITDevelops business and IT process architectures, creating baseline and target architectures to meet mission or enterprise goals.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathCyber Defense Analyst (DCWF 511)
DoD 8140: CybersecurityMonitors cyber defense tools like IDS and logs to analyze network events, identifying and mitigating potential threats to security environments.
Explore learning pathICS Security Incident Responder
Industrial Control SystemsExecutes specific industrial incident response for incidents that threaten or impact control system networks and assets, while maintaining the safety and reliability of operations.
Explore learning pathICS Security Analyst
Industrial Control SystemsAcquires and manages resources, supports, and performs key industrial security protection while adhering to safety and engineering goals.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Justin SearleDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$9,230 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Monta ElkinsDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Anaheim, CA, US & Virtual (live)
Instructed by Stephen MathezerDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
London, GB & Virtual (live)
Instructed by Christopher RobinsonDate & TimeFetching schedule..View event detailsCourse price£7,505 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
London, GB & Virtual (live)
Instructed by Christopher RobinsonDate & TimeFetching schedule..View event detailsCourse price£7,505 GBP*Prices exclude applicable taxes | EUR price available during checkoutEnrollment options - Location & instructor
San Antonio, TX, US & Virtual (live)
Instructed by Don C. WeberDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Justin SearleDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxes - Location & instructor
Virginia Beach, VA, US & Virtual (live)
Instructed by Justin SearleDate & TimeFetching schedule..View event detailsCourse price$9,230 USD*Prices exclude applicable local taxesEnrollment options
Showing 8 of 29
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3As an individual who is new to the ICS/OT, with 5 years in Cybersecurity and 25 years in IT, this course has been a game changer for me.
- Slide 2 of 3ICS410 provides an unparalleled educational experience with impeccably organized content. Its integration of case studies bridges the gap between theory and practical application.
- Slide 3 of 3This was my first SANS training and I'm impressed. Content was at the right level, good explanation, room for [the instructor] to add their examples, and enough time for questions.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources