Critical Infrastructure Protection Training

N&HS develops and deploys training and exercises to enhance critical infrastructure security. The training and exercises are a result of an emphasis on multi-agency collaboration, partnering and sharing of experts and research facilities. This approach accelerates the maturation of technologies and methodologies from the conceptual to deployment stages; optimizes the benefits of leveraging investments in expertise, research programs and technical infrastructure; and creates effective environments for immediate information sharing of discoveries and emerging threats. The following trainings are developed and conducted with support from the U.S. Department of Homeland Security.


Army ICS Cyber Assessor Training Course

This course is intended for U.S. military and/or Department of Defense personnel assigned to conduct cyber vulnerability evaluations of DoD critical infrastructure. This intermediate to advanced-level course utilizes defense-in-depth concepts to provide an understanding of the methods for assessing industrial control system cybersecurity from the device level to the system level. Upon completion, students will be qualified with the technical skills to assess critical infrastructure and enumerate potential cyber findings and discuss these findings within the context of mission impact.

Although students do not need to have any specific programming experience to attend this course, the tools built on this course are presented in virtual machines consisting of Linux variants including Kali and Security Onion. Students should take some time to review and understand material based on Linux commands, virtual machines, and running tools and applications within a virtual environment.

In addition, students should have a working knowledge of the foundations of industrial control system (ICS) architecture and information technology (IT) assessment concepts per DAMO-CY and OTMA-C. The course is updated on a continuous basis stemming from lessons learned by field teams and the general fluid nature of the cyber threatscape. Additional prerequisites may be required by the course instructor and will be identified during the registration process.

Students completing this course will have the knowledge, skills, and abilities to complete NDAA 1650 2017 critical infrastructure assessments as follows:

  • ICS cybersecurity posture at the device, system, and/or architecture levels
  • Utilizing OT mission specific hardware and software tools in a Cyber Assessment Kit (CAK) to complete assessment objectives within the course
  • Cradle to grave ICS Assessment process including RFI fulfillment to on-site out-brief
  • Section capstone (mini) exercises, performed in teams, measuring training efficacy and retained skill. Mini-exercises scored on 20 specific objectives, per training section, based on progressive skill level as Beginner, Familiar, Proficient/Expert, and Mastery.
  • A final capstone assessment exercise, performed in assessment-sized teams ‘mimicking’ a live assessment. The assessment is scored and hot-washed against expected assessment products like those required for a live assessment.

Course Details:

Official Course Name: Army Operational Technology Mission Assurance – Cyber (OTMA-C) Assessment Course

Time Commitment: 91 hours / 13 days

Location: Idaho National Laboratory (INL) / Idaho Falls

Idaho Contact: LTC Jason Burns / jason.e.burns.mil@mail.mil


Operational Security (OPSEC) for Control Systems (100W)

One-hour online module providing an overview of operational security (OPSEC) issues. It provides information on what an adversary may view as valuable and how to protect it. It discusses the tools necessary to recognize potential weaknesses in daily operations and provides techniques to mitigate those weaknesses.

At the completion of the course, you will be able to:

  • Describe OPSEC and its importance
  • Identify the five steps in the OPSEC process
  • Describe common information-collection techniques and how to protect yourself from them
  • Identify several methods to protect critical information
  • State ways to physically protect critical assets at work, at home and while traveling
  • Identify what things and activities are typically not allowed in the control room

Training location: Web based

Contact: Ralph.Ley@inl.gov


Differences in Deployments of ICS (210W-01)

Cyberattacks on critical infrastructure are a growing problem. Every day, there are disclosures about vulnerabilities in computer systems that run critical infrastructures. We have made progress in strengthening the resiliency of our control systems, but some of our most critical systems depend on technology that was not designed to protect our systems against the types of attacks we are seeing today. This course discusses what, where, and how industrial control systems (ICSs) are used and describes some specific examples of how ICSs work in real-life situations.

After completing this course, you will be able to:

  • Describe critical sectors and their importance
  • Define ICS
  • Identify the different types of processes and their dependencies
  • Recognize the types of facilities that support critical infrastructure


Influence of Common IT Components (210W-02)

If you understand what the components of IT networks do and how they communicate, you can better recognize their use in ICS networks. This course covers the elements of a traditional IT network, uncovers specific issues that relate to emerging cybersecurity problems, and works through some of the complexity associated with trying to mitigate those problems.

After completing this course, you will be able to:

  • Describe common IT components and identify where they are located within the IT infrastructure
  • Explain common IT vulnerabilities
  • Describe network models and how they apply to IT communications


Common ICS Components (210W-03)

This course describes ICS components. It defines ICS architectures including the nomenclature used in ICS environments, how the systems work, and their requirements for functionality.

After completing this course, you will be able to:

  • Describe common ICS components
  • Discuss data flow within an ICS
  • Identify ICS architectures
  • Recognize ICS communication topologies, methods, and physical media
  • Discuss common protocols used in ICS


Cybersecurity within IT and ICS Domains (210W-04)

A move to integrate the components of information technology (IT) and industrial control systems (ICSs) has created security concerns, as interconnections between IT and ICS may increase the vulnerability of the ICS to cyberattacks. Understanding the basic concepts of cybersecurity will provide the necessary foundation to determine the appropriate controls to protect ICS. ICSs are dependent on IT, and as contemporary IT is often troubled with cyber vulnerabilities, so are ICSs that use IT.

After completing this course, you will be able to:

  • Identify security concerns created by the integration of IT and ICSs
  • Describe IT and ICS communication differences
  • Describe IT and ICS operations differences
  • Describe IT and ICS support differences


Cybersecurity Risk (210W-05)

This course is designed to help you gain a better understanding of cyber risk, how it is defined in the context of ICS security, and the factors that contribute to risk. This will empower you to develop cybersecurity strategies that align directly with the ICS environment. You will also learn how IT-based countermeasures can be customized to accommodate the uniqueness of ICS architectures.

After completing this course, you will be able to:

  • Describe the elements of the risk equation including threat, vulnerability, and consequence
  • Discuss the cultural and technical factors that have recently contributed to and caused an elevation in risk to ICS
  • Explain the security issues created by integrating IT systems with ICS


Current Trends (Threats) (210W-06)

Risk is a function of threat, vulnerability, and consequence. The most complex attribute is threat because it can be intentional or unintentional, natural or man-made. When trying to develop defensive strategies to protect control systems, it is important to understand the threat landscape in order for appropriate countermeasures or compensating controls to be deployed.

After completing this course, you will be able to:

  • Describe the three attributes of human threat
  • Differentiate between the three categories of threat actors
  • Explain the risk curve as it relates to threat groups
  • Describe intentional versus unintentional “insider” cyberthreats
  • Discuss threat trends for industrial control systems
  • Describe attacker tools and techniques

This course builds on the content in the Cybersecurity Risk (210W-05) course.


Current Trends (Vulnerabilities) (210W-07)

In this course, we examine some of the current trends in cybersecurity vulnerabilities that contribute directly to cyber risk in industrial control systems (ICSs). The goal is to identify the root causes and their associated countermeasures that can be used to protect control systems.

After completing this course, you will be able to:

  • Identify the elements that are vulnerable in an ICS
  • Discuss the factors that contribute to ICS vulnerabilities
  • Describe the root causes of ICS cyber vulnerabilities
  • Describe existing DHS programs that assist asset owners and vendors in identifying ICS vulnerabilities


Determining the Impacts of a Cybersecurity Incident (210W-08)

Consider the potential impact of a successful cyberattack on your ICS. We usually assume that the impact will be more severe if you are manufacturing a toxic chemical than if you are making simple widgets. A cyberattack that results in the release of a toxic chemical and kills 10 people is more significant than a cyberattack that temporarily disables the HVAC in a control – or is it? This course will help you better understand the impacts a cyber-based attack can have on an ICS, and provide you with different ways of looking at the potential consequences of three types of events.

After completing this course, you will be able to:

  • Explain the three tenets of information security
  • Discuss events that can lead to disruptions
  • Describe loss of view, loss of control, and denial of service (DoS)


Attack Methodologies in IT and ICS (210W-09)

A good defense understands what the offense can do. So, the better you can think like an adversary, the better defenses or security you can set up that are specific to your system. Understanding how hackers attack systems helps you better understand how to defend against cyberattacks.

After completing this course, you will be able to:

  • Describe the most common elements in the life cycle of a cyberattack
  • Explain cyber exploitation and how certain attack methods can apply to control systems


Mapping IT Defense-in-Depth Security Solutions to ICS (210W-10)

Mitigating cyber vulnerabilities in your ICS is not a few simple tasks that you can easily do and then pronounce that your system has proper security. Instead, it requires the development and enforcement of security policies and procedures, as well as an ongoing commitment of continuous review and improvement of your security infrastructure.

After completing this course, you will be able to:

  • Define defense in depth
  • Create a baseline for defending your ICS
  • Describe the security management layer of defense
  • Describe the physical security layer of defense
  • Describe the network security layer of defense
  • Describe the hardware security layer of defense
  • Describe the software security layer of defense


Introduction to Control Systems Cybersecurity

Eight-hour session introducing students to the basics of industrial control systems security. This includes a comparative analysis of IT and ICS architecture, understanding risk in terms of consequence, security vulnerabilities within ICS environments, and effective cyber risk mitigation strategies for the control system domain.

After attending this course, you will be able to:

  • Describe ICS deployments, components, and information flow
  • Differentiate cybersecurity within IT and ICS domains
  • Explain a cyber exploit in an ICS architecture
  • Recognize sector dependencies
  • Identify cybersecurity resources available within NPPD

Typically taught as part of a 101/201/202 series.

Course #: 101

Training location: Various locations around the world

Contact: Ralph.Ley@inl.gov


Intermediate Cybersecurity for Industrial Control Systems – Part 1

Eight-hour session continuing technical instruction on the protection of industrial control systems using offensive and defensive methods. Trainees will recognize how cyberattacks are launched, why they work, and mitigation strategies to increase the cybersecurity posture of their control system networks.

After attending this course, you will be able to:

  • Describe ladder logic
  • Describe network discovery
  • Discuss the three main stages of an attack
  • Create a baseline using CSET
  • Describe defense-in-depth strategies

This course is a prerequisite for 202 and is typically taught as part of a 101/201/202 series.

Course #: 201

Training location: Various locations around the world

Contact: Ralph.Ley@inl.gov


Intermediate Cybersecurity for Industrial Control Systems – Part 2

Eight-hour hands-on session structured to help students recognize how attacks against process control systems could be launched and why they work, and to provide mitigation strategies. This course provides a brief review of industrial control systems security. This includes a comparative analysis of IT and control system architecture, security vulnerabilities, and mitigation strategies unique to the control systems domain. Because this course is hands-on, students will get a deeper understanding of how the various tools work. Accompanying this course is a sample process control network that demonstrates exploits used for unauthorized control of the equipment and mitigation solutions. This network is also used during the course for the hands-on exercises that will help the students develop control systems cybersecurity skills they can apply in their work environment.

After attending this course, you will be able to:

  • Identify risks in ICSs
  • Demonstrate a process control exploitation
  • Use passive discovery tools
  • Use active discovery tools
  • Describe Metasploit
  • Use the Metasploit Framework
  • Discuss basic web hacking techniques
  • Describe password security
  • Discuss wireless attacks and exploits
  • Describe packet analysis
  • Define intrusion detection and prevention systems

Typically taught as part of a 101/201/202 series.

Course #: 202

Training location: Various locations around the world

Contact: Ralph.Ley@inl.gov


Industrial Control Systems Cybersecurity

Five-day session providing extensive hands-on training on understanding, protecting, and securing industrial control systems (ICSs) from cyberattacks and includes a Red Team/Blue Team exercise conducted within an actual control systems environment.

In order to understand how to best defend a system, trainees will learn about common vulnerabilities and the importance of understanding the environment they are tasked to protect. Learning the weaknesses of a system will enable trainees to implement the mitigation strategies and institute policies and programs that will provide the defense in depth needed to ensure a more secure ICS environment. The training offers the opportunity to network and collaborate with other colleagues involved in operating and protecting control system networks.

This course consists of six sessions, followed by a Red Team/Blue Team exercise and a discussion of the lessons learned.

Course #: 301

Training location: Idaho Falls, Idaho

Contact: Ralph.Ley@inl.gov