Module 1 :
Briefing of ICS

Industrial Control Systems (ICS) are critical components in various industries, managing and controlling physical processes such as manufacturing, energy production, and utilities. They integrate hardware, software, and networking to automate and optimize industrial operations.

Module 2 :
Difference between ICS and DCS (Distributed Control Systems)

• ICS (Industrial Control Systems): Encompasses a broader range of control systems used in industrial environments, including Distributed Control Systems (DCS), SCADA systems, and PLC-based systems. ICS manages processes across multiple industries.
• DCS (Distributed Control Systems): Specifically refers to control systems used in large-scale industrial processes where multiple autonomous controllers are distributed throughout the system. DCS often includes centralized supervisory control for process monitoring and management.

Module 3 :
Briefing of ISA99/IEC62443 and NIST 800-82

• ISA99/IEC62443: Standards that provide guidelines and best practices for securing Industrial Automation and Control Systems (IACS). They outline security requirements, control objectives, and implementation guidance tailored for ICS environments.
• NIST 800-82: NIST Special Publication that provides guidance on securing Industrial Control Systems (ICS), including recommendations for cybersecurity controls, risk management, and incident response.

Module 4 :
Briefing of PLC (Programmable Logic Controller) and RTU (Remote Terminal Unit)

• PLC (Programmable Logic Controller): A specialized digital computer used for automating electromechanical processes in industrial environments. PLCs execute control algorithms and manage devices based on user-defined logic.
• RTU (Remote Terminal Unit): Similar to PLCs, RTUs are deployed in remote locations to collect data from sensors and control devices. They interface with SCADA systems for monitoring and managing distributed assets and facilities.

Module 5 :
ICS Architecture

ICS architecture typically includes:

• Field Devices: Sensors, actuators, and instruments that interact directly with physical processes.
• PLCs/RTUs: Control units that execute control algorithms and manage communication with field devices.
• SCADA (Supervisory Control and Data Acquisition): Software for real-time monitoring, control, and data acquisition from remote devices.
• HMI (Human-Machine Interface): Graphical interface for operators to interact with the control system.
• Network Infrastructure: Communication channels (e.g., LAN, WAN) used for data transmission within the control system.

Module 6 :
ICS Protocols Overview

Modbus

• Introduction and Protocol Overview: Modbus is a widely used communication protocol in industrial automation for connecting electronic devices. It is known for its simplicity and widespread adoption in PLCs and RTUs.
• Reconnaissance (Active and Passive): Techniques for identifying Modbus devices on networks through scanning and analyzing traffic passively.
• Sniffing and Eavesdropping: Capturing Modbus communication to intercept and analyze data exchanges between devices.
• Baseline Response Replay: Mimicking normal Modbus traffic to evade detection or conduct reconnaissance without triggering alarms.
• Modbus Flooding: Overloading Modbus devices or networks with excessive requests to disrupt operations or cause denial-of-service conditions.
• Modifying Coil and Register Values of PLC: Unauthorized manipulation of Modbus coil and register values to control PLC operations or cause process malfunctions.

S7 Communication

• Introduction and Protocol Overview: S7 Communication is used in Siemens PLCs for programming, data exchange, and control functions. It supports various communication protocols like MPI, PROFIBUS, and PROFINET.
• Reconnaissance (Active and Passive): Techniques to identify Siemens S7 devices on networks and gather information about their configurations and vulnerabilities.
• Sniffing and Eavesdropping: Intercepting S7 communication to capture PLC program logic, data exchange, or control commands.
• Uploading and Downloading PLC Programs: Unauthorized access to upload or download PLC programs to manipulate control logic or introduce malicious code.
• Start and Stop PLC CPU: Unauthorized control over the operational state of PLC CPUs, affecting the entire industrial process.

AST Protocol

• Introduction and Protocol Overview: AST (Automation System Transport) protocol is used in industrial automation for data exchange and control functions between devices and controllers.
• Reconnaissance (Active and Passive): Techniques for identifying AST-enabled devices and networks through scanning and analyzing traffic passively.
• Retrieve Data from Controller: Extracting operational data or configurations from AST-enabled controllers using authorized or unauthorized methods.
• Modifying Data Over Controller: Manipulating data or configurations on AST controllers to affect industrial processes or gain unauthorized access.

DNP3 (Distributed Network Protocol version 3)

• Introduction and Protocol Overview: DNP3 is a protocol used in SCADA systems for communication between master stations and outstations (remote terminal units and PLCs).
• Reconnaissance (Active and Passive): Techniques for identifying DNP3-enabled devices on networks and understanding their operational configurations.
• Length Overflow Attack: Exploiting vulnerabilities in DNP3 implementations to overflow memory buffers and execute arbitrary code.
• Reset Function Attack: Manipulating DNP3 reset functions to disrupt communication or cause denial-of-service conditions.

Canbus

• Introduction and Protocol Overview: CANbus (Controller Area Network) is a protocol used in automotive and industrial applications for real-time control and communication between microcontrollers and devices.
• Reconnaissance (Active and Passive): Techniques for identifying CANbus devices and networks through scanning and analyzing traffic passively.
• Sniffing and Eavesdropping: Capturing CANbus communication to intercept and analyze data exchanges between devices.
• Replay Attack: Resending captured CANbus frames to execute unauthorized actions or manipulate device behavior.
• Packet Forging Attack: Crafting and injecting malicious CANbus packets to exploit vulnerabilities or compromise devices.

Serial/Coupler Servers

• Introduction: Serial/Coupler servers are used to convert serial data from industrial devices into Ethernet data for communication across networks.
• Application Attacks: Exploiting vulnerabilities in serial/coupler server implementations to gain unauthorized access or disrupt communication.
• Hardware Attack: Physical manipulation or tampering with serial/coupler servers to compromise data integrity or device functionality.

Industrial MQTT

• Introduction: MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol used in IoT and industrial automation for efficient communication between devices and servers.
• Protocols Details: Overview of MQTT communication flows, message formats, and quality of service levels (QoS).
• Recon and Enumeration of Topics: Identifying MQTT topics used for data exchange between devices and servers to understand communication patterns.
• Reverse Engineering of Communication: Analyzing MQTT message payloads and protocols to extract meaningful data or manipulate communication flows.
• DOS Attacks: Conducting Denial-of-Service attacks against MQTT brokers or devices to disrupt communication and cause service unavailability.

Zigbee (802.15.4)

• Introduction and Protocol Overview: Zigbee is a wireless communication protocol used in IoT and industrial automation for low-power, short-range wireless networking.
• Reconnaissance: Identifying Zigbee devices, network topologies, and communication patterns to understand potential attack vectors.
• Sniffing and Eavesdropping: Capturing and analyzing Zigbee communication to intercept sensitive data or commands transmitted between devices.
• Replay Attacks: Resending captured Zigbee frames to execute unauthorized actions or manipulate device behavior.
• Packet Forging Attack: Crafting and injecting malicious Zigbee packets to exploit vulnerabilities or compromise devices.
• Jamming Attacks: Emitting interference signals to disrupt Zigbee communication and cause denial-of-service conditions.
• Dissociation Attacks: Forcing Zigbee devices to disconnect from their network, disrupting communication and potentially causing operational disruptions.

Module 7 :
Hardware Analysis

Basics of Electronics

• Understanding Electronic Components: Overview of fundamental electronic components used in industrial devices and systems.

PCB Reverse Engineering and Component Identification

• PCB Reverse Engineering: Techniques for reverse engineering printed circuit boards (PCBs) to understand circuit layouts, components, and connections.

I2C (Inter-Integrated Circuit)

• Introduction: I2C is a serial communication bus used for connecting microcontrollers and peripheral devices.
• I2C Protocol: Overview of I2C communication protocol, including data transfer modes and addressing.
• Interfacing with I2C: Techniques for interfacing with I2C devices to analyze and manipulate data exchanges.
• Manipulating Data via I2C: Modifying data on I2C buses to manipulate device behavior or extract sensitive information.
• Sniffing Runtime I2C Communication: Capturing and analyzing real-time I2C communication to intercept commands or data between devices.

SPI (Serial Peripheral Interface)

• Introduction: SPI is a synchronous serial communication interface used for connecting microcontrollers and peripheral devices.
• SPI Protocol: Overview of SPI communication protocol, including data transfer modes, clocking, and signaling.
• Interfacing with SPI: Techniques for interfacing with SPI devices to analyze and manipulate data exchanges.
• Manipulating Data via SPI: Modifying data on SPI buses to manipulate device behavior or extract sensitive information.
• Sniffing Runtime SPI Communication: Capturing and analyzing real-time SPI communication to intercept commands or data between devices.

UART (Universal Asynchronous Receiver-Transmitter)

• Introduction: UART is a serial communication protocol commonly used for asynchronous communication between microcontrollers and devices.
• Identifying UART: Techniques for identifying UART interfaces on devices and systems for debugging or exploitation purposes.
• Automated Identification: Automated tools and methods for identifying

UART interfaces efficiently

• Manual Identification: Manual techniques and hardware/software tools for identifying UART interfaces.
• Debugging Over UART: Using UART for debugging purposes, including accessing bootloaders, console output, and device firmware.

Module 8 :
JTAG (Joint Test Action Group) / SWD (Serial Wire Debugging)

• Introduction: JTAG and SWD are hardware interfaces used for debugging and testing embedded systems and microcontrollers.
• Identifying JTAG/SWD: Techniques for identifying JTAG and SWD interfaces on devices and systems for debugging or exploitation purposes.
• Automated Identification: Automated tools and methods for identifying JTAG and SWD interfaces efficiently.
• Manual Identification: Manual techniques and hardware/software tools for identifying JTAG and SWD interfaces.
• Debugging Over JTAG/SWD: Using JTAG or SWD interfaces for debugging purposes, including accessing memory, dumping firmware, and manipulating device behavior.

Module 9 :
Firmware Reversing

• Identifying Compression and Types: Recognizing and decompressing firmware images to access and analyze embedded software and configurations.
• Firmware Analysis: Reverse engineering firmware to understand functionality, vulnerabilities, and communication protocols used by embedded devices.
• Simulating Firmware: Emulating firmware environments to replicate device behavior, test vulnerabilities, and validate security controls.