Organizations are now dedicating resources to protecting their Industrial control systems (ICS) assets, which include supervisory control and data acquisition (SCADA) programs, against intentional or accidental security threats. ICS security has plenty of challenges. Several of them owe their existence to the ongoing convergence of information technology (IT) and operational technology (OT). People and technology must work together to develop security controls that they can implement, build upon, enforce, modify and improve.

From experience we see that threat modeling as a discipline fits really well in ICS and OT environments, to design and secure connected systems in a way that is aligned with typical operational technology challenges.

In order to minimize that gap we have developed a 1 day course with practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following:

• Diagramming remote support applications, sharing the same REST backend
• STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
• Threat mitigations in a pharmaceutical manufacturing facility
• Modeling attack trees against a nuclear facility

After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years, we released this advanced threat modeling training at Black Hat USA 2018. Some feedback from our Black Hat training attendees:

• “Toreon delivered! One of the best workshop instructor’s I’ve ever had.”
• “Very nice training course, one of the best I ever attended.”
• “I feel that this course is one of the most important courses to be taken by a security professional.”
• “The group hands-on practical exercises truly helped.”

Audience:

Staff involved in securing control systems, critical infrastructure, automation and smart-grid.

Audience should expect for the training:

• A solid foundation to apply threat modeling in the field of ICS and OT
• Hands-on exercises take up at least 50% of the training in interactive challenges covering real cases.

Key Takeaway:

Structured method to do risk assessments in an ICS environment

Course Outline

Threat modeling introduction

• Threat modeling in ICS and OT
• What is threat modeling?
• Why perform threat modeling?
• Threat modeling stages
• Different threat modeling methodologies
• Communicate a threat model

Diagrams – what are you building?

• Understanding context
• Doomsday scenarios
• Data flow diagrams
• Trust boundaries
• Hands-on: Diagram remote support applications, sharing the same REST backend

Identifying threats – what can go wrong?

• STRIDE introduction
• Spoofing threats
• Tampering threats
• Repudiation threats
• Information disclosure threats
• Denial of service threats
• Elevation of privilege threats
• ICS and OT Attack libraries
• Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service

Addressing each threat

• Mitigation patterns
• Authentication: mitigating spoofing
• Integrity: mitigating tampering
• Non-repudiation: mitigating repudiation
• Confidentiality: mitigating information disclosure
• Availability: mitigating denial of service
• Authorization: mitigating elevation of privilege
• ICS and OT mitigations
• Hands-on: Threat mitigations in a pharmaceutical manufacturing facility

ICS-OT threat modeling

• Typical steps and variations
• Validation threat models
• Effective threat model workshops
• Communicating threat models
• Updating threat models
• Threat models examples: automotive, industrial control systems, IoT and Cloud
• Hands-on: Modeling attack trees against a nuclear facility

Threat modeling resources

• Open-Source tools
• Commercial tools
• Threat modeling resources

Student package:

The course students receive the following package as part of the course:

• Hand-outs of the presentations
• Work sheets of the use cases,
• Detailed solution descriptions of the use cases
• Template to document a threat model
• Template to calculate risk levels of identified threats
• Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course

Threat Modeling – Real Life Use Cases

As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work.

The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on:

• Diagramming remote support applications, sharing the same REST backend
• STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service
• Threat mitigations in a pharmaceutical manufacturing facility
• Modeling attack trees against a nuclear facility

After each hands-on workshop, the results are discussed, and the students receive a documented solution.

The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions.