ICS612: ICS Cybersecurity In-Depth


hide_responciveBundle AddonPriceAdd to Cart
Sans November Netwars BundleSGD$2,247.00

What You Will Learn


The ICS612: ICS Cybersecurity In-Depth course will help you:

  • Learn active and passive methods to safely gather information about an ICS environment
  • Identify vulnerabilities in ICS environments
  • Determine how attackers can maliciously interrupt and control processes and how to build defenses
  • Implement proactive measures to prevent, detect, slow down, or stop attacks
  • Understand ICS operations and what “normal” looks like
  • Build choke points into an architecture and determine how they can be used to detect and respond to security incidents
  • Manage complex ICS environments and develop the capability to detect and respond to ICS security events

The course concepts and learning objectives are primarily driven by the focus on hands-on labs. The in-classroom lab setup was developed to simulate a real-world environment where a controller is monitoring/controlling devices deployed in the field along with a field-mounted touchscreen Human Machine Interface (HMI) available for local personnel to make needed process changes. Utilizing operator workstations in a remotely located control center, system operators use a SCADA system to monitor and control the field equipment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (i.e., Historian), remote access, and other typical corporate functions.

The labs move students through a variety of exercises that demonstrate how an attacker can attack a poorly architected ICS (which, sadly, is not uncommon) and how defenders can secure and manage the environment.


ICS612 is an advanced course that focuses on the engineering, implementation, and support of secure control system environments. Students taking ICS612 should have completed ICS410 or should have a strong understanding of the objectives taught in that course. The course also builds upon the skills learned in ICS515 and ICS612 students should have working knowledge of network security monitoring and data collection techniques.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

The ICS612 course consists of instruction and a significant number of hands-on exercises. The exercises are designed to allow students to put knowledge gained throughout the course into practice in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned.

NOTE: Do not bring a regular production laptop for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume that all data could be lost.

NOTE: It is critical that students have administrator access to the operating system and the ability to disable all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

Laptop requirements include the following:

  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • 64-bit processor with 64-bit operating system
  • VT or other 64-bit virtualization settings enabled in your BIOS to run 64-bit VMs
  • At least 8 GB of RAM
  • At least 50 GB of free hard-drive space
  • At least one USB port
  • Ability to update BIOS configuration settings to enable virtualization (VT) support
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
  • Access to an account with administrative permissions and the ability to disable all security software on your laptop such as Antivirus and/or firewalls if needed for the class
  • If you are using Linux for your host machine, you will need ExFAT drivers installed to read the class USB drive

Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 – 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

“During my 30+ years of working directly in the field of industrial automation, the biggest change I have seen is not with control fundamentals. Rather, the most disruptive change has been with connectivity technology. By connectivity technology I mean there has been a move away from proprietary physical and logical layers to a pervasive adoption to commercial off-the-shelf Ethernet technology. Ethernet adoption has changed the industrial control discipline. Industrial control engineers are forced to either learn networking and security principles or work with other professionals to achieve a reliable and secure infrastructure to support real-time control systems.”

– Jeff Shearer

“I am very excited to be a part of the author team that has worked on and will be bringing this great course to the dedicated industrial control system community. This course has been designed to provide students with practitioner-focused, hands-on lab exercises that have been developed to reinforce the skills necessary for professionals working to defend critical operational environments. As these control system environments become increasingly cyber-enabled, interconnected, and targeted by adversaries; it is essential that the capabilities of the workforce continue to progress in order to ensure safe and reliable operations. The lab exercises, tools, control system components, exposure to leading ICS solutions, and development of expanded defender capabilities in this course will be immediately applicable for students.”

– Tim Conway

“I am excited to bring my 20 years of working on and securing industrial control systems (ICS) across multiple industries to this course to help others accelerate the development of their knowledge and skills. Under what might seem like a simple category such as ICS, it is easy to overlook the complex variations around business requirements, technologies, and operations across various industry types and organizations. ICS supports the mission of the organization and we must secure these environments in alignment with what makes them unique. To do this, the selection of the right security technology and security processes requires an ability to discover and understand the ‘glue’ behind the entire technology stack and operational requirements that make these systems unique. The students will take a journey that teaches them how to pull back the curtain and truly understand how to engineer security specific to the environments they will face in their career.”

– Jason Dely

“I am really excited to be on the team developing this course and to be able to share some of the things I have learned over my career. As the ICS industry continues to change and evolve, we, as security practitioners, need to understand the capabilities and risks of these ICS environments and be prepared to support and defend them. While many SANS courses focus on either defending or attacking the environment or responding to an attack, this course is designed to give the students the complete picture. Students will learn everything from programming a PLC to designing a more secure ICS environment to understanding how an attacker may try to circumvent the protections in place. This is truly a hands-on class that promises to have something for everyone.”

– Chris Robinson