Industrial Control Systems Cybersecurity Training

View Training Calendar

The INL Advantage in Operational Security

Idaho National Laboratory (INL), in collaboration with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), delivers ICS cybersecurity training designed to strengthen the operational readiness of critical infrastructure defenders. Through classroom instruction, applied exercises, and immersive operational environments, INL prepares professionals to defend IT and OT systems.

INL’s training programs are informed by the laboratory’s ongoing research in industrial control system security, adversary techniques, and critical infrastructure resilience. Insights from vulnerability analysis, adversary emulation, and sector partnerships directly shape course development, ensuring participants train against scenarios grounded in evolving threat intelligence.

Advanced In-Person Training:

Upcoming Sessions

What Sets INL Training Apart

  • Operational Realism
    Purpose-built environments modeled on real industrial systems
  • Research-Driven Training
    Course scenarios informed by active ICS security research
  • National Security Impact
    Supporting DOE, DHS, and critical infrastructure partners

How INL Delivers ICS Cybersecurity Training

INL’s advanced ICS cybersecurity training is delivered in immersive, operationally realistic environments designed to simulate real-world cyber incidents. Participants move beyond lecture-based instruction into collaborative, scenario-driven exercises that replicate the pressures and complexity of defending industrial systems.

ICS 301: ICS Cybersecurity & Red/Blue Exercise

ICS 301 is INL’s advanced, in-person training experience focused on defending and responding to cyber threats across IT and OT environments. Participants apply cybersecurity principles in a live industrial setting that integrates control system architecture, network defense, adversary techniques, and collaborative response strategies.

Through structured instruction and guided hands-on activities, participants build toward a culminating exercise that simulates the complexity of defending operational systems under real-world conditions. As the capstone of the course, participants engage in a full Red Team versus Blue Team exercise conducted within INL’s purpose-built ICS environments.

ICS 301 Course Details

ICS Cybersecurity Escape Rooms

INL’s ICS cybersecurity escape rooms reinforce concepts learned in the ICS 300 and 301 learning objectives. The cyber escape rooms place teams inside time-sensitive scenarios that simulate real-world operational disruption. Participants must analyze evolving threats, communicate effectively, and make coordinated decisions under pressure.

Each scenario presents a distinct industrial setting and cyber challenge designed to test technical skill, teamwork, and adaptive problem-solving across both IT and OT systems. These environments reinforce applied capabilities in detection, mitigation, and system recovery while reflecting the complexity of modern industrial infrastructure.

Escape Rooms Descriptions (PDF)
Red/Blue Exercise Scenarios
Network Discovery
A distress signal has been received from the space station Asteroid Covenant. Its critical life support control systems have been compromised, and oxygen and HVAC systems are failing. With only 60 minutes of air remaining, your team must quickly identify the network, locate the affected systems, and restore control before the crew runs out of time.
Solar, Wind and Fire
Acme Energy Corporation has fallen victim to a cyber attack that shut down its industrial control systems. Power and heat have been lost across the region, leaving thousands of people affected. Your mission is to identify and contain the cyber threat while restoring functionality to Acme’s industrial operations before the outage escalates further.
Insider Threat
A disgruntled employee, Bob, has been planning retaliation against his employer. He has constructed an electromagnetic pulse (EMP) device capable of disabling sensitive industrial control systems in the area. Your team must investigate Bob’s office, uncover critical clues, and disarm the EMP before irreversible damage is done.
Pandemonium
Following a hostile takeover attempt, employees at Acme International Incorporated sabotaged the company’s control systems as they left. PLC equipment has been hidden, ladder logic scrambled, HMI displays altered, and power shut down. Your team has been hired to recover the system—locate the equipment, restore the correct logic and interfaces, reapply power, and validate production before operations grind to a halt.
Trapped!
In a scenario inspired by Jurassic Park, a disgruntled employee has disabled the protective barrier keeping the dangers of the jungle at bay. Restoring the barrier is no longer possible, and evacuation is the only option. To escape, your team must confront deleted ladder logic, misconfigured networks, missing passwords, and damaged automation systems—reprogramming what remains to get out in time.
Blackstart
On the coldest and stormiest night of the year, an adversary breaches your electric utility network. A remote access trojan is deployed, and the power goes out as you watch the lights disappear. Isolated with your team and racing against the elements, you must regain control of the system and restore power before everything freezes. The clock is ticking...

ICS 311: Detect the Attacker – Advanced Threat Detection

ICS 311 is INL’s advanced threat detection course focused on identifying, analyzing, and responding to adversary activity in Industrial Control Systems (ICS) and Operational Technology (OT) environments. Designed for cybersecurity professionals responsible for monitoring and defending operational networks. The course emphasizes proactive detection over reactive response.

Through scenario-driven instruction and adversary emulation, participants develop a structured, hypothesis-based methodology tailored specifically to ICS and OT systems. Rather than simply responding to alerts, trainees learn to uncover subtle indicators of compromise, correlate activity across data sources, and think like an adversary operating inside critical infrastructure environments.

ICS 311 Course Details
ICS cybersecurity detect the attacker

Book Your Training Today!

Stay ahead of evolving cyber threats with INL’s industry-leading ICS cybersecurity training. Our courses provide hands-on experience in defending industrial control systems, combining real-world scenarios with expert instruction to strengthen critical infrastructure resilience. Training is delivered through programs supported by the U.S. Department of Energy and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).  Explore the training calendar to find upcoming sessions designed for professionals who protect the nation’s most vital systems.

Event Location
  • Idaho Falls, ID
  • National

Questions? Contact our team at icstraining@inl.gov

In-Person & Online Trainings

In collaboration with the U.S. Department of Energy and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Idaho National Laboratory delivers a suite of ICS cybersecurity training programs available online and at regional and in-person events.

Download Course Overview (PDF)
Course TitleSponsorDescriptionLengthLocation
Web Based ICS TrainingCISAWe offer 13 online OT-related training courses via the Virtual Learning Portal (VLP).~ 1 hour eachOnline#course-details
Regional Training EventsCISAThis series of courses provide technical and hands-on instruction on the protection of Industrial Control Systems using offensive and defensive methods101: 6 hrs
201: 8 hrs
202: 8 hrsv CS LO: 8 hrs
Varies#ics-regional
300: Industrial Control Systems (ICS) CybersecurityCISAThis online course provides extensive hands-on training on understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks. Hands-on exercises include network discovery and mapping, network defense/ detection/analysis, exploitation and attack process.12-15 hoursOnline#ics300
301: ICS Cybersecurity & Red/Blue ExerciseCISAThis program features classes on wireless communications, ICS architecture, network discovery and mapping, network defense, and an attacker-focused perspective. Escape rooms are used to provide critical thinking exercises on the lessons learned. Finally, there is a full day red vs blue exercise, using a complex IT/OT environment.4 daysIdaho Falls, ID#ics301
311 Detect the AttackerCISAThis scenario-driven course will elevate your threat detection expertise. Participants will master a comprehensive threat detection methodology, and enhance skills in detecting, correlating and analyzing cyberthreats within industrial environments.4 daysIdaho Falls, ID#ics311
401: ICS Cybersecurity EvaluationCISAThis online course provides hands-on training on how to analyze, evaluate, and document the cybersecurity posture of an organization’s Industrial Control Systems (ICS) for the purpose of identifying recommended changes.15-20 hoursOnline#ics401
CyberstrikeDOEThere are multiple trainings designed to enhance the ability of energy sector owners and operators to prepare for a cyber incident impacting industrial control systems. Each workshop provides hands-on exercises that emulate the topics and attacks being discussed. The various workshops include Lights Out (electric sector), Nemesis (threat brief), Shadow Valve (oil and natural gas), StormCloud (renewables) and Incident Response (technical analysis).8 hoursVirtual and In-person (location varies)https://inl.gov/national-security/cyberstrike/
AccelerateDOEProvides participants with a fundamental knowledge of the CCE methodology focused on securing the nation’s critical infrastructure systems.2 daysVirtual and In-person at INL Campushttps://inl.gov/national-security/cce/
ICS FundamentalsDOEProvides a solid foundation of ICS basics and terminology through instruction and hands-on ICS exercises. Includes eld trips showing diverse working ICS environments. (This is not an ICS Cybersecurity course)3 daysIdaho Falls, IDmailto:amanda.belloff@inl.gov

Full Course Details

The sections below provide detailed descriptions of U.S. Department of Energy–sponsored courses, including format, structure, and learning outcomes. Offerings range from regional foundational training (101–202) to advanced in-person courses at INL (301, 311) and online evaluation-focused training (300, 401).

Web-based training courses are available through the Virtual Learning Portal (VLP) and provide self-paced instruction on a range of Industrial Control Systems (ICS) and Operational Technology (OT) cybersecurity topics.

These courses are designed to support foundational learning, targeted topic exploration, and continuing education for professionals working in or supporting ICS environments.

These short (~1 hour each) self-paced courses are commonly used for introductory learning, targeted topic refresh, or preparation for instructor-led training.

Course Topics & Titles:

  1. General
    • Industrial Control Systems (ICS) Cybersecurity Practices
    • ICS Cybersecurity Landscape for Managers
  2. OT/ICS Fundamentals
    • Differences in Deployments of ICS
    • Influence of IT Components on ICS
    • Common ICS Components
    • Cybersecurity within IT and ICS Domains
  3. Risk
    • ICS Cybersecurity Risk
    • ICS Cybersecurity Threats
    • ICS Cybersecurity Vulnerabilities
    • ICS Cybersecurity Consequences
  4. Attacker Perspectives
    • Attack methodologies in IT and ICS
  5. Defense
    • Mapping IT Defense-in-Depth Security Solutions to ICS (Part 1)
    • Mapping IT Defense-in-Depth Security Solutions to ICS (Part 2)

Learning outcomes:

  • Build foundational knowledge of ICS components and architectures
  • Understand how cybersecurity risks and threats affect ICS environments
  • Recognize common attack methodologies targeting IT and ICS systems
  • Apply cybersecurity concepts to support ICS risk awareness and decision-making

Course details

  • Format: Online, self-paced
  • Availability: On-demand. Registration
  • Cost: No tuition cost to attendees
  • Certificate: Certificates available upon course completion
  • Accreditation: CEUs may be awarded for select courses
  • Sponsor: CISA

These in-person regional courses are delivered as a progression from foundational ICS cybersecurity concepts through intermediate classroom instruction to applied, hands-on lab experience.

101 – Introduction to Control Systems Cybersecurity

Introduces foundational Industrial Control Systems (ICS) cybersecurity concepts and establishes a baseline understanding of how cybersecurity principles apply within operational technology environments. Participants examine the differences between IT and ICS architectures, explore risk and consequence in control systems, and review common vulnerabilities and mitigation strategies unique to the control system domain.

Topics include:

  • ICS deployments, components, and information flow
  • Differences between IT and ICS cybersecurity practices
  • Risk, consequence, and sector dependencies
  • Available cybersecurity resources within CISA
201 – Intermediate Cybersecurity for ICS (Classroom)

Builds on 101 with instructor-led technical instruction focused on how attacks are conducted and defended within ICS environments. This course emphasizes analytical understanding of attack stages and defensive strategy development to strengthen control system security posture.

Topics include:

  • Ladder logic fundamentals
  • Network discovery concepts
  • The three primary stages of an attack
  • Baseline development using CSET
  • Defense-in-depth strategies

Recommended background: Completion of 101 or equivalent experience.

202 – Intermediate Cybersecurity for ICS (Hands-On Lab)

Provides applied, hands-on training within a simulated process control network environment. Participants practice identifying, exploiting, and mitigating ICS vulnerabilities using guided lab exercises in a structured technical setting.

Topics include:

  • Network discovery and mapping
  • Exploitation techniques using Metasploit
  • Network attacks and exploits
  • Network defense, detection, and analysis
  • Practical mitigation within a simulated ICS network

Recommended background: Completion of 201 or equivalent experience.

Course details

  • Format: In-person (regional venues)
  • Availability: Check our training calendar for upcoming sessions
  • Cost: No tuition cost to attendees
  • Certificate: Certificate of completion provided
  • Accreditation: IACET-accredited (CEUs awarded)
  • Sponsor: CISA

This course provides online virtual training focused on understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks. To effectively defend IT and OT systems, participants learn about common cyber vulnerabilities and the importance of understanding the environments they are tasked to protect.

Understanding system weaknesses enables participants to identify mitigation strategies, policies, and programs that support defense-in-depth for more secure ICS environments.

Course structure
The online course consists of pre-recorded videos and hands-on activities organized into five learning sessions:

  1. Overview of Industrial Control Systems (including an attack demonstration)
  2. Network discovery and mapping
  3. Network defense, detection, and analysis
  4. The exploitation process
  5. Network attacks and exploits

Pacing and completion requirements
Participants should plan to dedicate approximately 12–15 hours to complete the course. Sessions must be completed in order, and all videos and hands-on activities must be finished by the course closing date. Hands-on activities using NetLab may be completed at any time.

This course is not a deep dive into specific tools, control system protocols, vulnerability details, or exploits against control system devices. The “300” designation is a course number and does not indicate a college-level classification.

Instruction includes:

  • Overview of Industrial Control Systems, including an attack demonstration
  • Network discovery and mapping
  • Network defense, detection, and analysis
  • The exploitation process
  • Network attacks and exploits

Learning outcomes:

  • Understand common cyber vulnerabilities affecting ICS environments
  • Analyze IT and OT system weaknesses
  • Identify mitigation strategies to improve ICS security
  • Apply defense-in-depth concepts to ICS networks

Course details

  • Format: Online (Virtual Learning Portal)
  • Availability: On demand. Registration
  • Cost: No tuition cost to attendees
  • Assessment: End-of-course exam (minimum passing score of 80%)
  • Certificate: Certificate of completion provided
  • Accreditation: IACET-accredited (CEUs awarded upon successful completion)
  • Sponsor: CISA

ICS Cybersecurity 301 is an instructor-led, advanced course that serves as a hands-on companion to the online 300 course. It focuses on understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks through applied instruction across both IT and OT environments.

The course emphasizes practical application using open-source operating systems and security tools, while providing opportunities for collaboration and peer learning among professionals responsible for operating and protecting control system networks.

Course structure
This course consists of hands-on activities aligned with the five sessions covered in the 300 course, followed by a Red Team versus Blue Team capstone exercise and a facilitated discussion of lessons learned.

Capstone experience: Red & Blue Exercise
Participants engage in cyber escape room challenges and a full Red Team versus Blue Team exercise conducted in an immersive, complex IT/OT environment. The capstone emphasizes applied technical skills, teamwork, communication, and operational decision-making under pressure.

Daily Schedule

  • Day 1: Review of ICS cybersecurity concepts, IT/OT differences, and a process control attack demonstration. Hands-on activities focused on wireless communications, network discovery and mapping, defense, detection, analysis, and exploitation.
  • Day 2: Continuation of hands-on breakout sessions and cyber escape room challenges, followed by facilitated debriefs.
  • Day 3: Continued escape room activities and preparation for the Red Team vs. Blue Team exercise.
  • Day 4: Full-day Red Team vs. Blue Team exercise defending and attacking IT and OT networks, followed by a roundtable discussion of lessons learned.

This course is not a deep dive into specific tools, control system protocols, vulnerability details, or exploits against specific control system devices. The “301” designation is a course number and does not indicate a college-level classification.

Instruction includes:

  • Hands-on use of open-source operating systems and security tools
  • Network discovery and mapping
  • Network defense, detection, and analysis
  • Exploitation techniques using tools such as Metasploit
  • Wireless communications in ICS environments

Learning outcomes:

  • Apply cybersecurity concepts to real-world ICS environments
  • Use tools introduced in the 300 course to analyze and defend ICS networks
  • Collaborate effectively across IT and OT roles during cyber incidents
  • Analyze attacker and defender behaviors in complex control system environments

Course details

  • Format: In-person, instructor-led
  • Location: Idaho Falls, ID
  • Availability: In-Person Registration
  • Cost: No tuition cost to attendees
  • Certificate: Certificate of completion provided
  • Accreditation: IACET-accredited (CEUs awarded)
  • Sponsor: CISA

Prerequisites

  • Completion of 300 – ICS Cybersecurity
  • Minimum passing score of 80% on the assessment
    Note: Completion and a passing score do not guarantee acceptance; attendance is subject to review 

ICS 311 is an advanced, immersive course designed to strengthen cyber defense capabilities in Industrial Control Systems (ICS) and Operational Technology (OT) through disciplined analytic reasoning and hands-on detection practice. Built around INL’s THINK framework—Threat Hypothesis, Intelligence & Network Knowledge — the course teaches analysts how to detect through comprehension rather than coincidence.

Participants learn to integrate intelligence, terrain awareness, and telemetry analysis to uncover adversary behavior across complex industrial ecosystems.

Additional Details

Training takes place in INL’s live CSAC (Control Systems Analysis Center) cyber range, a full-scale IT/OT environment that includes enterprise infrastructure, industrial controllers, field devices, and responsive physical processes.

Students confront curated adversary campaigns designed to traverse IT and OT boundaries using ICS-specific exploits. Hands-on exercises require participants to analyze industrial protocol traffic at the packet level, correlate host and network telemetry, and align findings with process behavior. Emphasis is placed on identifying visibility gaps and tuning existing data sources to strengthen detection.

The course uses open-source tools—including Security Onion, Malcolm, Arkime, Wireshark, Suricata, and MITRE ATT&CK®—to ensure portability and sustainability across organizations of varying maturity levels.

Instruction includes:

  • Threat hunting methodologies tailored to ICS/OT environments
  • Intelligence-driven detection planning and adversary modeling
  • Mapping assets, trust boundaries, and communication flows
  • Evaluating and improving detection coverage using existing telemetry
  • SOC operations adapted for industrial mission requirements

Learning outcomes:

  • Apply CTI to model realistic adversary attack paths
  • Document and interpret industrial architectures as both terrain and telemetry
  • Analyze anomalous ICS protocol behavior within legitimate operations
  • Develop cross-domain detection strategies grounded in hypothesis testing
  • Conduct proactive, intelligence-led threat hunting across IT and OT systems

Course details

  • Format: In-person, scenario-driven training
  • Location: Idaho Falls, ID
  • Availability: In-Person Registration
  • Cost: No tuition cost to attendees
  • Certificate: Certificate of completion provided
  • Accreditation: IACET-accredited (3.6 CEUs / 35.5 contact hours)
  • Sponsor: CISA

Who should attend

Participants with prior experience in ICS or OT cybersecurity who are responsible for detecting, analyzing, or responding to cyber threats in industrial environments.

ICS Cybersecurity 401 provides hands-on training on how to analyze, evaluate, and document the cybersecurity posture of an organization’s Industrial Control Systems (ICS). The course focuses on identifying cybersecurity weaknesses and determining recommended changes to improve security.

Participants learn a repeatable evaluation process that can be applied within their own organizations to assess risk, document findings, and support informed decision-making. This course uses a simulated ICS environment to guide participants through a structured evaluation process, including:

  1. Analyze business purpose
  2. Identify assets
  3. Determine ICS connectivity
  4. Determine ICS dependencies
  5. Assess risk to business
  6. Determine critical risk
  7. Recommend actions
  8. Monitor and reassess

Optional components may include a final evaluation exercise and use of CSET.

Course structure and pacing
The online course consists of pre-recorded videos and hands-on activities organized into sequential sessions. Participants should plan to dedicate approximately 15–20 hours over a two-week period to complete the course. Sessions must be completed in order, and all videos and hands-on activities must be finished by the course closing date. Hands-on activities using NetLab may be completed at any time.

Instruction includes:

  • Analysis of ICS business purpose and operational context
  • Identification of ICS assets, connectivity, and dependencies
  • Evaluation of cybersecurity weaknesses and threats
  • Documentation of findings and recommended mitigations
  • Use of a structured, repeatable evaluation methodology

Learning outcomes:

  • Analyze and document the cybersecurity posture of an ICS environment
  • Identify and assess risks to business operations
  • Evaluate ICS connectivity and dependencies
  • Determine critical risks and prioritize recommended actions
  • Apply a repeatable evaluation process within your organization

Course details

  • Format: Online and in-person
  • Availability: On demand. Registration
  • Cost: No tuition cost to attendees
  • Certificate: Certificate of completion provided
  • Accreditation: CEUs awarded upon successful completion
  • Sponsor: CISA

Who should attend

Individuals responsible for evaluating or influencing the cybersecurity posture of critical infrastructure systems, including cybersecurity management, risk management personnel, IT and OT security staff, network engineers, and OT engineers and managers. This course is particularly well suited for small to medium-sized organizations without dedicated OT risk management personnel, though participants from larger organizations are also welcome.

Looking for Cyberstrike, Accelerate, or ICS Fundamentals course details? 

Sponsoring Organizations

CISA is the operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience. CISA works with partners to defend against today’s threats and collaborate to build a more secure and resilient infrastructure for the future.

U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) leads efforts to strengthen the security and resilience of the U.S. energy infrastructure against all threats and hazards. CESER leads the Department of Energy’s statutory role as the Sector Risk Management Agency for the energy sector. 

Contact Information

Jeff Hahn

Send a Message

Additional Links