ICS Training Available Through CISA

Web - Based Training available on the CISA Virtual Learning Portal

We offer several online training courses via the CISA Training Virtual Learning Portal (VLP). Topics include: 

Operational Security (OPSEC) for Control Systems (100W) - 1 hour
Differences in Deployments of ICS (210W-1) – 1.5 hours
Influence of Common IT Components on ICS (210W-2) – 1.5 hours
Common ICS Components (210W-3) – 1.5 hours
Cybersecurity within IT & ICS Domains (210W-4) – 1.5 hours
Cybersecurity Risk (210W-5) – 1.5 hours
Current Trends (Threat) (210W-6) – 1.5 hours
Current Trends (Vulnerabilities) (210W-7) – 1.5 hours
Determining the Impacts of a Cybersecurity Incident (210W-8) – 1.5 hours
Attack Methodologies in IT & ICS (210W-9) – 1.5 hours
Mapping IT Defense-in-Depth Security Solutions to ICS - Part 1 (210W-10) – 1.5 hours
Mapping IT Defense-in-Depth Security Solutions to ICS - Part 2 (210W-11) – 1.5 hours
Industrial Control Systems Cybersecurity Landscape for Managers (FRE2115) - 1 hour

Access the CISA VLP for more information and to register for and complete the courses. There are no tuition costs for these courses.

Instructor Led Training

Introduction to Control Systems Cybersecurity (101) - 4 hrs
Intermediate Cybersecurity for Industrial Control Systems (201) - 8 hrs
Intermediate Cybersecurity for Industrial Control Systems (202) - 8 hrs
ICS Cybersecurity (301V)
ICS Cybersecurity (301L) - 4 days
ICS Evaluation (401) - 3 days
ICS Evaluation (401V)

CISA program training events consist of 'regional' training courses and workshops at venues in various locations in addition to the training events held in Idaho Falls, Idaho. Refer to the CISA calendar for a schedule of these training options. Note that all CISA training courses are presented with no tuition cost to the attendee.

Scheduled training is on the CISA Calendar

Note: Training personnel do not possess proprietary interest in any product, instrument, device, service or material discussed in these courses or in any course materials.

 


Introduction to Control Systems Cybersecurity (101)

This course introduces students to the basics of Industrial Control Systems (ICS) cybersecurity. This includes a comparative analysis of IT and ICS architectures, understanding risk in terms of consequence, security vulnerabilities within ICS environments, and effective cyber risk mitigation strategies for the Control System domain.

After attending this course, you will be able to:

  • Describe ICS deployments, components, and information flow
  • Differentiate cybersecurity within IT and ICS domains
  • Explain a cyber exploit in an ICS architecture
  • Recognize sector dependencies
  • Identify cybersecurity resources available within CISA

A Certificate of Completion will be provided at the conclusion of the course. This course is IACET accredited, awarding attendees Continuing Education Units (CEUs) upon completion. 

This course is presented at regional venues in various locations throughout the year. If the course has an open enrollment, it will be posted to the CISA calendar. There is no tuition cost to the attendee for this training.

Back to top


Intermediate Cybersecurity for Industrial Control Systems (201) Part 1

This course builds on the concepts learned in the Introduction to ICS Cybersecurity (101) course. This course provides technical instruction on the protection of Industrial Control Systems using offensive and defensive methods. Attendees will recognize how cyber attacks are launched, why they work, and mitigation strategies to increase the cybersecurity posture of their Control System networks. In addition, this course acts as a prerequisite for the next course, Intermediate Cybersecurity for Industrial Control Systems (202), which offers hands-on application of concepts presented.

After attending this course, you will be able to:

  • Describe ladder logic
  • Describe network discovery
  • Discuss the three main stages of an attack
  • Create a baseline using CSET
  • Describe defense-in-depth strategies

A Certificate of Completion will be provided at the conclusion of the course. This course is IACET accredited, awarding attendees Continuing Education Units (CEUs) upon completion. 

This course is presented at regional venues in various locations throughout the year. If the course has an open enrollment, it will be posted to the CISA calendar. There is no tuition cost to the attendee for this training.

Back to top


Intermediate Cybersecurity for Industrial Control Systems (202) Part 2

This hands-on course is structured to help students recognize how attacks against Process Control Systems can be launched, why they work, and provides mitigation strategies to increase the cyber security posture of their Control Systems networks.

This course provides a brief review of Industrial Control Systems security. This includes a comparative analysis of IT and control system architectures, security vulnerabilities, and mitigation strategies unique to the Control System domain. Because this course is hands-on, students will get a deeper understanding of how the various tools work. Accompanying this course is a sample Process Control network that demonstrates exploits used for unauthorized control of the equipment and mitigation solutions. This network is also used during the course for the hands-on exercises that will help the students develop Control Systems cybersecurity skills they can apply in their work environment.

Note that this course is not a deep dive into training on specific tools, Control System protocols, Control System vulnerability details or exploits against Control System devices.

This course is split into five sessions: (1) Industrial Control System Overview, (2) Network Discovery and Mapping,  (3) Exploitation and Using Metasploit,  (4) Network Attacks and Exploits, (5) Network Defense, Detection, and Analysis  

After attending this course, you will be able to:

  • Identify risks in ICSs
  • Demonstrate a process control exploitation
  • Use passive discovery tools
  • Use active discovery tools
  • Describe Metasploit
  • Use the Metasploit Framework
  • Discuss basic web hacking techniques
  • Describe password security
  • Discuss wireless attacks and exploits
  • Describe packet analysis
  • Define intrusion detection and prevention systems

A Certificate of Completion will be provided at the conclusion of the course. This course is IACET accredited, awarding attendees Continuing Education Units (CEUs) upon completion. 

This course is presented at regional venues in various locations throughout the year. If the course has an open enrollment, it will be posted to the CISA calendar. There is no tuition cost to the attendee for this training.

Back to top


ICS Cybersecurity (301V/301L)

IMPORTANT CHANGES TO THE 301 COURSE: In an effort to make the 301 course more accessible to industry professionals, it has been divided into two offerings; 301V and 301L. The 301V is a self-paced online course that is accessed through the CISA Virtual Learning Portal (VLP). The 301V contains approximately 12 hours of instructional material and is a prerequisite to the 301L. The 301L is a four-day instructor-led hands-on lab that is taught at a training facility in Idaho Falls, Idaho, USA. This course has a full day capstone activity dedicated to a Red Team versus Blue Team exercise. More information on each course can be found below.

ICS Cybersecurity (301V)

This course provides an online virtual training based on understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks. In order to understand how to defend IT and OT systems, trainees will learn about common cyber vulnerabilities and the importance of understanding the environment they are tasked to protect. Learning the weaknesses of systems will enable trainees to identify mitigation strategies, policies, and programs that will provide the defense-in-depth needed to ensure a more secure ICS environment.

The online course consists of pre-recorded videos compiled into five main learning sessions:

  • Session 1: Overview of Industrial Control Systems including an attack demonstration
  • Session 2: Network Discovery and Mapping
  • Session 3: Network Defense, Detection, and Analysis
  • Session 4: The Exploitation Process
  • Session 5: Network Attacks and Exploits

Note that this course is not a deep dive into training on specific tools, Control System protocols, Control System vulnerability details, or exploits against Control System devices. The 301V designation is simply a course number and has no reference to a “300 level” college course.

This course serves as a primer and is a mandatory prerequisite course to the in-person 301L class. A comprehensive exam with questions from each section will test the learners understanding of the principles taught. A passing score of at least 80% is required to be considered as an attendee in the 301L class. Although completion of the 301V course, along with a passing score on the associated assessment, is required to attend the in-person 301L it does not guarantee attendance. Acceptance to the 301L is subject to review.

The 301V course is IACET accredited, and attendees will be awarded Continuing Education Units (CEUs) and receive a certificate upon completion of the sessions and a passing score of 80% or above on the end of course exam.

Prerequisites:

  • Trainees should have practical knowledge and experience with ICS networks, software, and components. They should have a practical understanding of IT network basics such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), as well as Media Access Control (MAC) and Internal Protocol (IP) addressing.

Refer to the CISA calendar for a schedule of this training option. There is no tuition cost to the attendee for this training.

 

Back to top


ICS Cybersecurity Lab (301L) - 4 days

The 301L is an instructor-led companion course to the 301V. This course provides hands-on training for understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks and includes a red team versus blue team exercise conducted within an actual Control Systems environment. Attendees will get an instructor-led hands-on experience with open-source operating systems and security tools such as Kali Linux and Security Onion. Attendees will also use their cyber skills along with tools covered in the 301V to solve a series of cyber escape rooms. In addition, the training provides the opportunity to network and collaborate with other colleagues involved in operating and protecting Control System networks.

Note that this course is not a deep dive into training on specific tools, Control System protocols, Control System vulnerability details or exploits against Control System devices. The 301L designation is simply a course number and has no reference to a “300 level” course.

This course consists of hands-on activities correlated with the five sessions covered in the 301V, followed by a Red Team versus Blue Team exercise and a brief discussion of the lessons learned.

  • Day 1 - Includes a welcome, a brief review of cybersecurity for Industrial Control Systems, and a process control attack demonstration. The morning also includes a discussion on the main differences between IT and OT networks, roles, responsibilities, and strategies for working together. Following the IT/OT discussion is a lecture and hands-on activities dealing with wireless communications, building on the topic discussion from the 301V. Hands-on activities in the afternoon are run in smaller groups as breakout sessions and  focus on network discovery and mapping, network defense, detection, and analysis, and exploitation using Metasploit.
  • Day 2 - The morning includes the continuation of the break-out sessions listed above.  In the afternoon, the groups will participate in solving cyber escape rooms drawing on the topics and tools discussed in the 301V and 301L break-out sessions. The cyber escape rooms include a fun mix of cyber puzzles and traditional escape room puzzles.  There will be a short debrief reviewing the skills and tools used in the cyber escape rooms following the completion of each cyber escape room.
  • Day 3 - The morning includes the continuation of the cyber escape room activities. In the afternoon, trainees will be divided into Red and Blue teams and will receive training and instruction in preparation for the Red Team vs. Blue Team exercise.
  • Day 4 - Includes a 7-hour hands-on exercise where trainees are either attacking (Red Team) or defending (Blue Team) IT and OT networks. The Blue Team is tasked with providing the cyber defense for a corporate environment while maintaining the operation of a chemical batch mixing plant and monitoring an electrical distribution substation SCADA system. After the exercise, there will be a brief round-table discussion of lessons learned to close out the training.

Prerequisites:

  • Trainees must have previously participated in the virtual 301 (301V) and passed the assessment test with an 80% or better.
  • Trainees should have practical knowledge and experience with ICS networks, software, and components. They should have a practical understanding of IT network basics such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), as well as Media Access Control (MAC) and Internal Protocol (IP) addressing.

This course is presented at a facility in Idaho Falls, Idaho, USA configured specifically for the aspects of the course.

The 301L course is IACET accredited and attendees will be awarded Continuing Education Units (CEUs) and receive a certificate upon completion.

Refer to the CISA calendar for a schedule of this training option. There is no tuition cost to the attendee for this training.

Back to top


ICS Evaluation (401) - 3 days

NOTE: 401V, 301, 301V or 301L is NOT a prerequisite for this course. The 401V is identical in content to the 401L. The course is just offered in both in-person and online formats.

This instructor-led, 3-day course provides hands-on training on how to analyze, evaluate, and document the cybersecurity posture of an organization’s Industrial Control Systems (ICS) for the purpose of identifying recommended changes. Specifically, this course will utilize the Cyber Security Evaluation Tool (CSET®), along with a simulated ICS scenario, that teaches how to analyze cybersecurity weaknesses and threats, evaluate issues, document potential mitigations, and provide ongoing resolutions to strengthen the organization’s cybersecurity posture.

This course will also increase awareness of how a threat related to the Industrial Control System translates into a threat to business operations. Attendees will come to more fully appreciate that most businesses have numerous support processes and systems controlled by, or otherwise dependent on, an ICS.

At the completion of this course, attendees will have the basic skills necessary to conduct a self-evaluation of their organization’s ICS and deliver their recommendations to an upper-management audience. Attendees will have a tool (CSET®) that can be used for evaluating the cybersecurity posture at their workplace.

Attendees will be able to:

  • Discuss components of an ICS evaluation
  • Identify assets within ICS networks
  • Determine ICS connectivity
  • Evaluate network monitoring capabilities
  • Discuss the use of Wireless in ICS environments
  • Evaluate risk using OSINT and OPSEC methods
  • Evaluate adversarial risk
  • Determine ICS dependencies
  • Assess supply risk
  • Evaluate risk management and mitigation approaches

Prerequisites:

  • Basic understanding of Cybersecurity in an ICS environment
  • Suggested prerequisite courses at https://ics-training.inl.gov.
    • 100W Cybersecurity Practices for Industrial Control Systems
    • 210W-03 Common ICS Components
    • 210W-05 ICS Cybersecurity Risk or ICS Cybersecurity Landscape for Managers

Who Should attend:

Individuals who are responsible for evaluating or assessing the cybersecurity posture of critical infrastructure. This could include any number of specific roles and responsibilities such as cybersecurity management, risk management personnel, Information Technology (IT) and Operational Technology (OT) security personnel, and IT and OT managers.

This course is IACET accredited and attendees who successfully complete the course will be granted Continuing Education Units (CEUs) and given a certificate of completion.

There is no tuition cost to attend this training.

 

Back to top


ICS Evaluation (401V)

Completion of 301/301V is NOT a prerequisite for this course. The 401V is identical in content to the 401L. The course is just offered in both in-person and online formats.

The 401V course provides training on analyzing and doing a self-evaluation on an Industrial Control Systems (ICS) network to determine its defense status and what changes need to be made.

The purpose of the course is to provide hands-on training analyzing, evaluating, and documenting the cybersecurity posture of an ICS system for internal and/or external recommended changes. Specifically, this course will utilize a repeatable process within a simulated ICS environment to analyze cybersecurity weaknesses and threats, evaluate and map findings, and document potential mitigations. Trainees will leave with a template that can be used for evaluations at their workplace.

The online course consists of pre-recorded videos and hands-on activities compiled into sessions by our instructional staff:

  • Analysis and Evaluation Overview
  • Step 1 - Analyze Business Purpose
  • Step 2 - Identify Assets
  • Step 3 - Determine ICS Connectivity
  • Step 4 - Determine ICS Dependencies
  • Step 5 - Assess Risk to Business
  • Step 6 - Determine Critical Risk
  • Step 7 - Recommend Actions
  • Step 8 - Monitor and Reassess
  • Optional: Final Evaluation
  • Optional: CSET

Plan on dedicating around 15-20 hours over the two-week period to complete the online course. Hands-on activities may be additional time. Participants can go through the sessions at their own pace during the week, but the sessions must be completed in order. In other words, each session must be completed before the next session will be available for viewing. Hands-on activities using NetLab can be completed at any time. All videos and hands-on activities must be completed by the closing date. If you do not or cannot complete the course in the allotted time frame, you may register for the next available 401 course to finish the videos and hands-on labs.

A certificate of completion and CEUs will be offered to those who complete all sessions of the course.

If at any time you have questions or input for the course, please email icstraining@inl.gov.

Who Should attend:

Individuals who are responsible for evaluating or influencing the cybersecurity posture of critical infrastructure. This could include any of a number of specific roles and responsibilities such as cybersecurity management, risk management personnel, IT and control system (OT) security personnel, network engineers, OT engineers and managers. This class is geared towards small to medium sized companies with no OT risk management personnel but personnel from large business are welcome also.

Refer to the CISA calendar for a schedule of this training option. There is no tuition cost to the attendee for this training.