
ICS-CERT ICS Cybersecurity 301 – Awesomeness.

I had the absolute privilege this week to take the ICS-CERT Industrial Control System Cyber Security 301 Training. This week-long training exercise is held in Idaho Falls, Idaho at the National Cybersecurity & Communication Integration Center. The training is meant to meld the IT (Information Technology) and OT (Operational Technology) cybersecurity challenges so that we can better protect our critical assets. The class consists of 3 days of classroom instruction, a 1 day Red Team / Blue Team exercise and a 1/2 day debrief on the exercise.

I just want to say off the bat, this was the absolute most fun I have had in a long time doing training. And this training is free. That’s right – $0. You have to pay for your travel and lodging, but they provide the training and even provide lunch every day. I can say this is one time where the old adage “You Get What You Pay For” is nowhere even CLOSE to being true, both for the training and the food (I know I gained at LEAST 5 pounds).

The first 3 days are standard training, with a focus on why OT/ICS environments are so challenging. There is a mini ICS and corporate environment in the class for testing the skills you are learning. The staff are extremely nice and knowledgeable; they will help you if you run into challenges, discuss other strategies with you, and let you work “outside the box” if you have a more advanced skillset.

On Wednesday you get introduced to where the Red Team / Blue Team exercise will take place and you are told which team you will be on. A disclaimer… I will NOT give away ANY details of the exercise, so as to ensure the integrity and quality of the exercise for future teams. But I will give an overview of my experience.

I was chosen for the Blue Team, and at first I was a little disappointed in that, as I love doing Red Team exercises and I thought the defense part would not be as exciting. BOY WAS I WRONG. If you attend this training, trust me when I tell you, you will NOT be disappointed no matter which team you are on.

The quality of this simulated exercise was one of the absolute best I have ever been a part of. From the equipment to the staff, scenario, processes and procedures, it was just spot on. Was it “perfect”? No, but it is as close as I think you can come when doing a simulated exercise. The challenges you face are things we see in the real world every day, and not all the challenges are technical (as a matter of fact there are MANY challenges that involve no technical expertise whatsoever).

I was extremely blessed to be part of a truly awesome Blue Team. The absolute great thing about this exercise is that every single person on the Blue Team checked their egos at the door and did what needed to be done to be successful. It was utterly amazing to me how quickly a large team of people came together and gelled to accomplish the objective of defending our critical infrastructure systems from the band of hackers that were trying mercilessly to get in and destroy us. I did not know anyone on the team other than from the prior 3 days of training. The speed at which we were able to come together, effectively delegate tasks, assign roles and responsibilities, accomplish our goals and help other teammates out was something I have never, ever experienced, and honestly it was something I was extremely proud to be a part of. I wish I could work with that whole team every day, as there is nothing we could not accomplish together.

The 8 hours for the exercise FLEW by, and in the end the Blue Team came out ahead and won the exercise. It was very close, but in the end we squeaked out the win. In reality, though, no one lost that day. The last day is a debrief on the operation from both the Blue and Red Teams, and judging from the debrief, I know everyone learned a lot, everyone had fun, and everyone left armed with ideas on how we can do better at protecting our IT and OT assets.

Most importantly, I left with a LOT more friends who share my passion for this industry.

I came back to the hotel to call my wife before we went out to celebrate, and I felt like a chatty little school girl, talking about how much fun we had, and the scenarios, the challenges, the victories and the defeats. My wife was like, “Wow, you really did have fun, didn’t you! I can’t get a word in edgewise.”

Thursday night, members from both teams and some of the staff went out to a local brewery and had a great discussion of tactics: what we did, what they did, and what the staff did. There were many others who were just as excited as I was. A good time was had by all!

I highly recommend this training for anyone who has OT assets or is just curious about how to protect IT and OT assets. And you don’t have to be a technical guru, as it takes all skill levels to protect and run OT operations. But if you have technical chops, you will have plenty of work to do 🙂 If you get a chance and can get in, take this course; you will not be disappointed.

Greg

3 thoughts on “ICS-CERT ICS Cybersecurity 301 – Awesomeness.”

  1. Wow, great recap of the week! I think it was the single best week of training I’ve attended in my life. Likewise, I enjoyed the experience and the wonderful people I met, like yourself, who displayed exceptional professionalism. Great to have met you.

  2. I, too, have attended the same course, and was the Blue Team captain. Unfortunately, we lost, but not by much. The reality is that this is a lessons-learned exercise, and not a true exercise. Good nonetheless. Also, I’ve posted this blog post onto the SCADASEC list, as I think others would appreciate your comments. -rad
