ICS410

Welcome to the CutSec SANS ICS410 resources page. These are just a few extra online resources and items that didn’t make it into the class. We hope these help your ICS / OT cybersecurity journey. Contact us if you have something to add or a suggestion.

Quick Reference Links

#

• Dragos 2025 Year In Review Report - an extremely important representation of the state of many sectors related to ICS/OT cybersecurity.
• Updated BP Texas City Animation on the 15th Anniversary of the Explosion
• 1947: Texas City Disaster Part 1
• 55 gallon steel drum can crush using atmospheric pressure
• Social Engineering - Reporter Gets Mobile Account Hacked
• S4 Conference Videos: S4Events Youtube
• SANS ICS Videos: YouTube
• Op de Schouders van Reuzen (On the Shoulders of Giants - The six storm surge barriers of Rijkswaterstaat) - In Dutch
• CISA Known Exploited Vulnerabilities (KEV)
• ICS Advisory Project - CVE-CPEs Dashboard
• Free 8 hour Linux Basics Course
• Industrial Control Systems - Understanding ICS Architectures by Chris Sistrunk
• A microsecond is 1/1000th of a millisecond (1000 us = 1 ms)

Certification Study Links

#

• Leslie Carhart guide to taking SANS test: Better GIAC Testing with Pancakes
• Matthew Toussain - Get Certified! All You Need to Know to Rock GIAC Exams
• Matthew Toussain - Wargaming GIAC Certifications
• Matthew Toussain - Rocking the GIAC Exam with Voltaire
• Matthew Toussain - Voltaire (Index building App)
• Anki Powerful Flash Cards
• Develop Technical Recall Skills: Spaced Repetition with Anki
• Ron Hamann - Are You Certifiable? | SANS@MIC Talk

Books

#

• The Cuckoo’s Egg by Cliff Stoll
• Countdown to Zero Day by Kim Zetter
  • Stuxnet Documentary “Zero Days” - this movie has been moved to pay-per-view
• Sandworm by Andy Greenberg

Important OT Podcasts, Talks, and Interviews

#

• OT Under Threat: Dragos’ Robert M. Lee on Navigating Cyber-Physical Risks
• Water Sector Cyber Risk with Gus Serino
• Killing Time - SANS ICS Security Summit 2021 with Jeff Shearer
• Triton - A Report From The Trenches with Julian Gutmanis
• FuxNet: The New ICS Malware that Targets Critical Infrastructure Sensors with Noam Moshe

General Topic Links

#

• Differences between SCAP and STIGs
• Wireshark OUI Lookup Tool
• CISA Network Architecture Verification and Validation (NAVV)
• INL Consequence-driven Cyber-informed Engineering (CCE)
• Google Learn Computer Networking Free Course
• CISA ICS Training Resources
• Information Trust Institute (ITI) ICS Security Tools GitHub
• Original Sheep-Dip Project

Equipment Links

#

• Remote / Onsite Security Assessment Jumpkit - I started documenting my equipment in 2019. I’ll try to keep this up-to-date. Feel free to submit a Community Case to the project.
• Essentials for Your ICS Incident Response Jump Bag - Dean Parson’s brief on essential items for your ICS IR jump bag.

Purdue Level 0/1 Links

#

• Image of an old relay setup to help understand where Ladder Logic came from.
• Modernizing Hardwired Relay Logic With PLCs
• Forescout OT:ICEFALL Report
• Velocio Datasheet
• Industrial Protocols and Ports
• More Industrial Protocols and Ports
• Top 20 Secure PLC Coding Practices
• Comparison of Real-Time Operating Systems (RTOS)
• Simply Modbus
• How to Analyze I2C - Saleae Support
• Remote Terminal Units (RTUs) based on SIMATIC
• Introduction to Yokogawa DCS
• DNP3 vs IEC104 vs IEC61850
• Choosing the Best Communication Protocol: DNP3 vs IEC 61850
• Hardware Hacking Class: ControlThings.io Accessing and Exploiting Control Systems and IIoT
• Riverloop Hardware Hacking
  • Dumping EMMC Flash
  • Introduction to JTAG
  • Communicating with JTAG via OpenOCD
• Hacking The Xbox
• Wireshark and Fieldbus Protocols
• OPC DA DCOM Port Range Restrictions
  • Microsoft Tech Blog - RPC/DCOM port ranges are more limited after win2008 (49152-65535)
  • OPC Expert
  • OPC Training Institute
• How Relays Work - Basic working principle
• SEL RTAC Security - Leveraging Security – Using the SEL RTAC’s Built-In Security Features
• IAEI Blog describing Timing Considerations for Arc Flash Protections - Key Considerations for Selecting an Arc-Flash Relay

Attack Consequence Videos

#

• United States Chemical Safety and Hazard Investigation Board YouTube Awareness Videos
• Hydrocarbon Release Hazard Awareness
• Animation of Bayer CropScience Pesticide Waste Tank Explosion

Attacks on Remote Sites

#

General

#

• Aurora Attack - Staged cyber attack reveals vulnerability in power grid
• Repository of Industrial Security Incidents Database - last updated on January 28, 2015
• Dallas Emergency Sirens Activated in 2017 via UHF 450MHz radio signal.

Water

#

• US Moves to Shield Drinking Water
• Maroochy Water Services Attack (Insider Threat)
  • MITRE Malicious Control Systems Cyber Security Attack Case Study - Maroochy Water Services, Australia
  • Maroochy Water Breach YouTube Video
  • Maroochy Shire Sewage Spill
• CISA Exploitation of Unitronics PLCs used in Water and Wastewater Systems
  • Hackers breach US water facility via exposed Unitronics PLCs
  • Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
• Norwegian police say pro-Russian hackers were likely behind suspected sabotage at a dam

Electrical

#

• Sektor CERT - The attack against Danish critical infrastructure
• Watch How Hackers Took Over a Ukrainian Power Station - HMI attack on power substation
• The story of Jason Woodring, the Arkansas power grid vandal
• Why the US Power Grid Is Under Attack
• California Man Arrested for Transformer Bombings
• Smart Meters in Puerto Rico Hacked

Nuclear

#

• Can you HEAR Stuxnet damaging centrifuges at Natanz?

Rail

#

• Polish Teen Hacks Tram in 2008
• The Cheap Radio Hack That Disrupted Poland’s Railway System

Ports

#

• Inside Job: How a Hacker Helped Cocaine Traffickers Infiltrate Europe’s Biggest Ports (Insider Threat)

Food/Beverage

#

• Caught in the cyber crosshairs: A candy manufacturer’s 2025 ransomware ordeal - Ganong Bros.

ICS Vendor

#

• Sensata Technologies’ operations disrupted by ransomware attack

Physical Security Links

#

• The White House: National Strategy for Physical Protection of Critical Infrastructure
• CISA Cybersecurity and Physical Security Convergence Action Guide
• CISA SECTOR SPOTLIGHT: Electricity Substation Physical Security
• CutSec Blog: ICS/OT Cybersecurity Self Analysis – Physical Security
• Light Water Reactor Sustainability (LWRS) INL
  • Risked Informed Physical Security
  • Physical Security Resources
• Public Health Emergency (PHE): Physical Security

Managing Your IR Efforts

#

• What are your goals?
• What questions help you achieve your goals?
• What data would answer those questions?
• How do you acquire that data?

Incident Response Table Top Links

#

• CISA Tabletop Exercise Packages (CTEPs)
• CISA ICS Training
• Dean Parson’s ICS Incident Response Tabletops
• Lenny Zeltser Cheat Sheets and Presentations
• NERC’s Grid Security Exercise (GridEx)
• MITRE Cyber Exercise Playbook
• Black Hills Information Security (BHIS) Backdoors and Breaches
• BHIS ICS/OT Backdoors and Breaches
• Center for Internet Security: Tabletop Exercises - Six Scenarios
• Red Canary: Are You Using Tabletop Simulations to Improve Your Information Security Program?
• Dragos Preparing for Industrial Cyber Response
• Dragos Preparing for Incident Handling and Response in ICS
• Dragos Tabletop Exercise
• ICS4ICS Incident Command System for Industrial Control Systems
• European Network for Cyber security (ENCS) Red Team - Blue Team Training
• Ron Hammond Presentation: You want ME to run a tabletop?: Slides
• STOic TTX Youtube Playlist: Videos

Velocio and PLC Links

#

• Velocio PLC Teardown/Review
• Velocio Youtube Channel
• Velocio Tutorials
• Learning PLCs on a Budget
• CLICK PLC Hardware: The Best PLC for Everyday Control Systems Needs
• Virtual Cyber Ranges: Thomas Van Norman

Network Links

#

• Wireshark OUI
• Private VLANs
• Multicast Addresses
  • IANA Multicast Address Space

Radio Links

#

• GRC Transmission Analysis: Getting To the Bytes - how-to use Gnu-Radio to get data out of transmissions.
• Software Defined Radio with HackRF Lessons - free radio courses that take a deep dive into radio theory.
• MouseJack - CrazyRadio PA - keyboard and mouse interception and injection project.
• Flipper Zero
• Great Scott Gadgets HackRF
  • PortaPack Versions
• Hak5 WiFi Pentesting - Lots of wireless tools
• Field Expedient SDR - book about Gnu Radio Companion and radio theory basics.
• LoRa and LoRaWAN
• Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare (GPS related)
• Satellite attack write-ups
  • A Wake-up Call for SATCOM Security (April 2014)
  • Last Call for SATCOM Security (Aug 2018)
  • Missed Calls for SATCOM Cybersecurity (March 2022)
  • VIASAT incident: from speculation to technical details (March 2022)
  • Update on SATCOM Terminal Attacks During the War in Ukraine (May 2022)

Remote Access Links

#

Just a few solutions to help start research into remote access solutions. These are not a recommendation, just links to the solutions.

• Beyond Trust Privileged Access Management
• Zscalar Secure Remote Access

NBAD / Asset Management Links

#

Just a few solutions to help start research into asset management and Network Behavior Anomaly Detection (NBAD) solutions. These are not a recommendation, just links to the solutions.

• PAS Automation Asset Management
• Hexagon Asset Lifecycle Information Management
• Claroty Integrated and Comprehensive IoT-OT Security
• Dragos Industrial Cybersecurity Platform
• Nozomi Automating My Asset Inventory
• Otorio RAM^2 Asset Inventory Management
• Armis Cybersecurity Asset Management
• Tenable Tenable.OT

Software Bill of Materials (SBOM) Links

#

Just a few solutions to help start research into Software Bill of Materials (SBOM) solutions. These are not a recommendation, just links to the solutions.

• Adolus Technology OT and IoT Supply Chain Security
• NetRise Firmware Security
• Cybeats SBOM Studio
• Finite State End-to-end SBOM Solutions
• Security Risk Advisors Cyber Physical Systems Security

Josh Wright Links

#

• Will Hack For SUSHI
• Essential Crypto for Pen Testers (Without the Math!)
• PcapHistogram Python Version

Jason Larsen Videos

#

• 14 Hours and a Power Grid: BSides Track 2
• 14 Hours and a Power Grid: S4Events
• Rocking the Pocket Book: Hacking Chem Plants: DEFCON 23 - Krotofil, Larsen
• Remote Physical Damage from Jason Larsen of IOActive - 55 gallon barrel implosion

Monta Elkins

#

• Hackers in your power tools and other unexpected places - news article about hacking hardware to demonstrate control of the device.
• Hacking firmware where you least expect it: in your tools - presentation about hardware hacking

Justin Searle Videos

#

• Dealing with Remote Access to Critical ICS Infrastructure

Paul Piotrowski Links

#

• ICS 410 Supplementary Practice Slides
• Duke fined $10M for cybersecurity lapses since 2015
• MIT-HACK: Tetris at the MIT Green building

Mike Hoffman Videos

#

• Gaining Endpoint Log Visibility in ICS Environments

Don C. Weber Videos

#

• SANS Instructor Spotlight - Don C. Weber
• SANS ICS Videos: YouTube
• SANS@MIC - Pen Testing ICS and Other Highly Restricted Environments
• SANS Webcast (registration required) - Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World
• SANS Webcast (registration required) - Yes, IT and OT Are Converging So How Does This Affect Compliance
• DEF CON 20 - Cutaway - Looking Into The Eye Of The Meter
• Black Hat USA 2012 - Looking into the Eye of the Meter

Podcasts

#

• @BEERISAC - a consolidation of ICS / OT podcasts
• Unsolicited Response Podcast
• The CyberWire
• Darknet Diaries
• Malicious Life

TShark Commands

#

Industrial Control Protocols

#

Purpose:

• Identify master servers and client / slaves
• Identify common protocols in use by master servers
• Also want to identify proprietary protocols in use, but this will be more difficult as Wireshark / Tshark may not have protocol dissectors for their identification and analysis.

# Modbus

## Masters
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -r <file.pcap> | sort | uniq
## Masters with function codes
tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -e modbus.func_code -r <file.pcap> | sort | uniq
## Slaves
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -e eth.dst -r <file.pcap> | sort | uniq
### Note: The OUI hardware address does not resolve for field outputs. You have to check them yourself.
tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -r <file.pcap> | sort | uniq | wc -l

# Aveva / WonderWare SuiteLink
## Servers
tshark -Y "tcp.dstport == 5413" -T fields -e ip.dst -r <file.pcap> | sort | uniq
## Clients
tshark -Y "tcp.dstport == 5413" -T fields -e ip.src -r <file.pcap> | sort | uniq

# Aveva / WonderWare InBatch
## Servers
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.dst -r <file.pcap> | sort | uniq
# Clients
tshark -Y "tcp.dstport >= 9000 && tcp.dstport >= 9015" -T fields -e ip.src -r <file.pcap> | sort | uniq

# BACnet
## I-Am responses to Who-Is - sorted by source IP address
tshark -d udp.port==47809,bvlc -Y 'bacapp.unconfirmed_service == 0' -T fields -e ip.src -e bacapp.instance_number -e bacnet.sadr_mstp -e bacnet.snet -E separator=, -r <file.pcap> | sort | uniq | sort -g -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
## Device Count BACnet source
tshark -d udp.port==47809,bvlc -Y 'bacnet' -T fields -e ip.src -e ip.dst -r <file.pcap> | grep -v ',' | sort | uniq > <file.pcap>
### NOTE: The resulting file still needs to be counted. Probably best to export Wireshark filtered communications to an MS Excel file and do a pivot table.