ICS Penetration Testing




The ICS Penetration Testing program was built primarily for the security industry and is meant to equip participants with advanced techniques in information warfare. Energy, telecommunications, transportation, healthcare, and many other such industries are regarded as critical infrastructure for the continued functioning of the state. SCADA (Supervisory Control and Data Acquisition) systems are considered the “weak link” in the defense chain, for reasons you will discover throughout the training.

This training covers possible attack methods by hostile entities and the security challenges that naturally follow. Cyberwarfare is one of the most fascinating and advanced disciplines in the Cyber Security world.

How to make the most of this course?

In order to succeed in the course, the following requirements must be met:

  • Participation in all practical laboratories
  • Self-work at home between lessons
  • Repetition of materials, self-learning, performing tasks, etc.

In addition to regular classroom studies, the participant is required to practice at least 10 hours a week in order to gain practical experience in the field.

The participant will also need a good personal computer suitable for running virtual machines, with a broadband Internet connection.

Target audience

  • Operations Technology Engineering and Support teams
  • Incident responders
  • Cyber forensics investigators


  • Various aspects of cyber-warfare on the defensive side
  • Expand ICS knowledge in both methodologies and required techniques


  • ThinkCyber Level-2 Courses



During this module, participants will learn cybersecurity in the environment of Industrial Control Systems. Participants will learn how a control system can be attacked from the internet and perform hands-on practice sessions on network discovery techniques.

Technical content

  • IT vs. OT
  • Types of ICS Systems
    o DCS vs. SCADA
  • SCADA components
    o Human Machine Interface (HMI)
    o Supervisory System
    o Remote Terminal Units (RTUs)
    o Programmable Logic Controllers (PLCs)
  • ICS security overview
    o Basic Security Concepts
    o Physical Security
    o Digital Security
    o ICS Lifecycle Challenges
  • ICS Network Architectures
  • Known ICS Protocols
    o Modbus
    o DNP3
    o How to Approach Protocols Research
    o ICS Protocol Fuzzing


During this module, participants will be trained on network discovery using Metasploit and will practice in hands-on Red Team exercises. In this module, we will cover the ways to attack the SCADA environment. Participants will develop a broader understanding of where these specific attack vectors exist, as well as of the tools that are used to discover vulnerabilities.

Technical content

  • Security in ICS
    o Encryption
    o Firewalls with ICS
    o DMZ Approach
    o Access Control
    o Intrusion Detection (IDS)
  • Web Application Attacks
    o Brute Force
    o Extracting Data
    o SQL Injection
  • ICS Exploitation using Metasploit
    o Metasploit modules for SCADA
    o Exploit with Metasploit
    o Control with Metasploit
  • ICS Attack Tools
    o Modscan
    o SMOD
  • Network attacks
    o Flooding
    o Man-in-the-Middle (MITM)
    o Denial of Service (DoS)
    o Jamming
    o Wi-Fi Security Issues
  • Attacks on HMI
    o ICS Security Framework
    o Brute Force


In this module, we will present to participants ways to plan, design, and implement an effective program to protect SCADA systems using Penetration Testing methods. Participants will gain knowledge of conducting these tests on the “Test-environment” using advanced techniques.

Technical content

  • Preparing for Penetration Testing
    o Setting up a Virtual Machine for Penetration Testing
    o Creating your VM Network
    o Architectures Overview
  • Testing your Network
    o Gathering Information Passively
    o Port Scanning
    o System Fingerprinting
    o Password Complexity Testing
    o Administrator Privilege Escalation Testing
  • Testing for Vulnerabilities on Master Servers
    o Checking for Vulnerabilities
    o Analyzing Services and Ports
    o Analyzing Communications
  • Testing for Vulnerabilities on User Interfaces
    o Web Applications
    ▪ Identifying Attacks
    ▪ Exploiting Vulnerabilities
    ▪ PHP Vulnerabilities
    o Terminal Interfaces
    o Traditional Applications
  • Testing for Vulnerabilities on Network Protocols
    o Breaking Open Network Protocols
    o Protocol Analysis
    o Using Network-Based Signatures
    o Radio Frequency Capture
    o Sniffing Network Traffic
    o Extracting Network Traffic
  • Testing for Vulnerabilities in Embedded Devices
    o Firmware Fuzzing
    o Analyzing the Firmware
    o Exploiting Firmware Vulnerabilities
  • Security Assessment
  • Writing a Penetration Testing Report


The following labs are part of the actual RT431 course:

  • Lab 1 Modbus and DNP3
  • Lab 2 ICS with Metasploit
  • Lab 3 ICS Protocols
  • Lab 4 Using Shodan to Attack
  • Lab 5 ICS Network Traffic
  • Lab 6 ICS Frameworks
  • Lab 7 Creating Zero-Days
  • Lab 8 Writing a Penetration Testing Report

Real case studies

Case study #1 (ICP001)
The US Department of Homeland Security is warning about vulnerabilities in a common SCADA package that is used to remotely monitor and manage solar energy-generating power plants. The vulnerability allows unauthenticated remote attackers to gain administrative access and execute arbitrary commands. As the OT expert, your manager asks you to identify the vulnerability and propose a mitigation.
Case study #2 (ICP002)
Security researchers have uncovered new malware, named "Havex", which was used in several previous cyberattacks against organizations in the energy sector. IT researchers suspect a backdoor implementation that acts as a remote access Trojan (RAT). The local power station hired you to locate the RAT and mitigate it.

Course type

This course is delivered in the following ways:

  • Virtual classroom with proctored labs and scenarios executed in our Cyberium Arena
  • On-site classroom with proctored labs and scenarios executed in our Cyberium Arena

All sessions are recorded, and attendees can replay them for 30 days. All course material is made available to the participant electronically.

Course Group: FOUNDATION


Hands-on / Theory Mix

This course incorporates a high proportion of hands-on lab exercises, as well as real-life case studies.



This course prepares the participant for the following certification:


Required Equipment

Network connection

As this course makes extensive use of a cloud-based Learning Management System, including a lab arena, attendees need a stable broadband connection to the Internet.

BYOD – Bring Your Own Device

As this is a very practical course, and in order for participants to make the most of it, they need a laptop with the following capabilities:

  • Audio and Video
  • 8 GB RAM
  • 200 GB Disk Space
  • Virtualization capabilities (supporting the latest version of VirtualBox or a similar virtual machine application)

A good headset with a microphone is also required.
