This document aims to present the "ICS Cybersecurity Training".
All product names mentioned in this document are trademarks of their respective manufacturers.
This document and the information contained in it are confidential and proprietary to TI Safe. All property rights
(including, without limitation, trademarks, commercial secrets, etc.) evidenced by or included in attachments or
related documents belong solely to TI Safe. TI Safe provides restricted use of this material to explicitly authorized
employees, customers and business partners through the integrity and confidentiality maintenance agreement.
Unauthorized use, distribution, or reproduction will be considered a violation of property rights, and civil or criminal
measures will be applied under applicable law.
This document is intended to be complete and clear. TI Safe shall not be liable for any damages, financial or
business losses resulting from omissions or imperfections contained herein. This document is subject to change
without advance notice. It is recommended to contact TI Safe for updates and / or additional information.
TI Safe provides different channels of communication with its customers, suppliers and associates:
Rio de Janeiro, Brazil
Estrada do Pau Ferro 480, Bloco 1, Loja R, Pechincha
ZIP Code – 22743-051 – Rio de Janeiro, RJ – Brasil
Phone: +55 (21) 3576-4861
São Paulo, Brazil
Rua Dr. Guilherme Bannitz, nº 126 - 2º andar
Cj 21, CV 9035 - Itaim Bibi – ZIP Code - 04532-060 - São Paulo, SP - Brasil
Phone: +55 (11) 3040-8656
Av. Tancredo Neves nº 450 – 16º andar – Edifício Suarez Trade
ZIP Code – 41820-901 – Salvador, BA – Brasil
Phone: +55 (71) 3340-0633
Av. da Liberdade 110, 1269-046 Lisbon, Portugal
Phone: +351 21 340 4500
Skype (voice only): ti-safe
Certificate of documentation changes
Version Date Author Description
1.00 03.05.2009 Marcelo Branquinho Generation of the first document
1.01 09.10.2009 Marcelo Branquinho Review and update of inserted topics
1.02 10.13.2009 Marcelo Branquinho Content review for 20 hours
1.03 04.13.2010 Marcelo Branquinho OPC Security Inclusion
1.04 07.19.2011 Marcelo Branquinho Inclusion of new chapters based on information security and practical demonstrations of attacks on networks and
1.05 07.26.2011 Marcelo Branquinho Conceptual review of the summary
1.06 07.28.2011 Marcelo Branquinho Conceptual review of the summary
1.07 07.30.2011 Marcelo Branquinho Conceptual review of the summary
1.08 08.03.2011 Marcelo Branquinho Conceptual review of the summary
1.09 08.06.2011 Marcelo Branquinho Conceptual review of the summary
1.10 08.10.2011 Marcelo Branquinho Conceptual review of the summary
1.11 08.12.2011 Marcelo Branquinho Conceptual review of the summary
1.12 08.16.2011 Marcelo Branquinho Conceptual review of the summary. Insertion of case study for CSMS Framework.
1.13 09.06.2011 Marcelo Branquinho Conceptual review of the summary
1.14 04.04.2012 Marcelo Branquinho and Jan Seidl Review of several chapters with content addition and technological update of the training.
1.15 06.027.2012 Marcelo Branquinho Added theoretical reference in the summary.
1.16 10.10.2012 Marcelo Branquinho Added content to the handbook and revised the sequence of chapters. Chapter 12 created.
1.17 05.09.2013 Marcelo Branquinho Inserted content about one-way security gateways.
1.18 05.21.2013 Marcelo Branquinho Updated content standards with NERC-CIP.
1.19 06.11.2013 Marcelo Branquinho Inserted content about continuous monitoring.
1.20 08.12.2013 Marcelo Branquinho Included ANSI / ISA-100.11a standard and revised security content in industrial wireless networks.
1.21 09.19.2013 Marcelo Branquinho Change in chapter order and lesson plan.
2.01 11.28.2017 Marcelo Branquinho Conceptual review of the summary according to
2.02 12.08.2017 Marcelo Branquinho New document layout.
2.03 12.11.2017 Marcelo Pessoa Review of indexing of the handbook.
2.04 08.02.2018 Marcelo Branquinho English version revision
2.05 08.13.2018 Marcelo Branquinho Update with new contents.
2.06 02.09.2019 Marcelo Branquinho Update with new contents.
ICS Cybersecurity Training
Reasons for the creation of "ICS Cybersecurity Training".
• There was no other similar training in Latin America
• Professional experience in developing and deploying ICS cybersecurity solutions had already pointed to
vulnerabilities in critical infrastructures, and training would disseminate this culture.
The course fills a market segment that has great demand from industries whose infrastructures are critical to the
This is the first Latin American training, with Portuguese and English versions, to teach the application of the
good practices of the ANSI/ISA 99 and ISA-IEC 62443 standards for the cyber security of industrial systems and
networks. It fulfills all ISA requirements (details at http://www.isa.org/) for ICS cybersecurity.
To educate professionals to identify risks in industrial networks and to recommend the main
countermeasures for them, according to the main international security standards and the ICS.SecurityFramework
methodology developed by TI Safe.
To enable professionals to design and deploy the CSMS (Cyber Security Management System) in critical
infrastructure automation networks.
IT or OT professionals with knowledge of operating systems, network protocols, programming languages,
hardware and software. Knowledge of information security and Industrial Control Systems (ICS) is desirable. English
language proficiency is recommended for watching videos and reading training support material.
Field of activity
Workload and course duration
The course is available in a 20-hour format, divided into 5 periods of 4 classroom hours each.
The course handbook and the materials presented in the training draw on technical content from
several research sources that form the recommended bibliography:
• “Segurança de Automação Industrial e SCADA”, written by TI Safe Team – Elsevier publisher
• “Securing SCADA Systems”, written by Ronald L. Krutz – Wiley publisher.
• “Techno Security's Guide to Securing SCADA”, written by Jack Wiles, Ted Claypoole, Phil Drake, Paul
A. Henry, Lester J. Johnson Jr, Sean Lowther, Greg Miles and James H. Windle – Syngress publisher.
• “Protecting Industrial Control Systems from Electronic Threats”, written by Joseph Weiss. Momentum
• “The Stuxnet Computer Worm and ICS Security”, written by Jackson C. Rebane. Nova Publisher.
• “Inside Cyber Warfare”, written by Jeffrey Carr. O'Reilly publisher.
• “Cyber War: The Next Threat to National Security and What to Do About It”, written by Richard A.
Clarke and Robert Knake. Ecco publisher.
• “Cyberpower and National Security (National Defense University)”, written by Franklin D. Kramer, Stuart
H. Starr and Larry Wentz. NDU Press publisher.
• “A Arte de Enganar”, written by William L. Simon and Kevin Mitnick. Makron Books publisher.
This comprehensive bibliography includes the same technical benchmarks used in the official ICS cybersecurity
training programs of the major North American cyber defense institutes and is based on the recommended content
for training and awareness plans of the ISA/IEC 62443 standard.
The course handbooks were prepared in Portuguese and English and are distributed in digital format (PDF file). They
are constantly updated and improved. In addition to the bibliographical references mentioned, we have the
important support of the leading companies in the ICS cybersecurity arena, which ensures that we have insight
into the latest industrial systems defense technologies in use today.
Picture: Module 1 cover sheet
One week before the start date of each training, TI Safe will send the details that enrolled students need to download
the course handbook and supporting material from the Internet. It is up to each student to print the handbook or bring a
laptop or tablet to class with the handbook in digital format. TI Safe respects the environment and natural
resources and strictly follows the principles of its environmental policy, so it does not print or recommend the
printing of digital files.
Practical Classes and Technical Demonstrations
Practical classes and technical demonstrations of attacks and defenses against
simulated automation networks are held during the training.
For the demonstration of attacks against industrial networks, we rely on simulators of industrial plant
automation networks, shown in the figure below:
Figure: Industrial Network Simulators used in the ICS Cybersecurity Training
Goals and Contents
Module Goals Contents
Module 1 - Introduction
Goals:
Presentation of training objectives, rules, instructors and students.
Contents:
• Brief presentation of instructors and students.
• Presentation of the training agenda and objectives, bibliography and supporting
• About TI Safe.
Module 2 - Risks
Goals:
Overview of a SCADA system, its elements, protocols and typical
Definition of critical infrastructures, their importance and presentation of recent
Presentation of the types of attackers, the market that feeds the cyber attacks and the main challenges for implementation of cyber security in critical infrastructures
Presentation of techniques for the elaboration of risk analysis in industrial networks according to ISA/IEC-62443 standard and the TI Safe's
Contents:
• Overview of an ICS
• Industrial control systems architecture. The Purdue
• Industrial networks
• SCADA systems
• Industry 4.0
• What are Critical
• Cyber warfare – the 5th dimension of war
• Characteristics of the new
• The cybercrime market
• Vulnerabilities in industrial
• History of cyber attacks to
• Malware, the main hacker's
• Cyber security challenges for industrial control systems
• Basic concepts
• Risk Scenarios
• Classification of critical
• Classification method
• Risk analysis
• Controls evaluated in static
• Physical security analysis
• Dynamic analysis
• Example of Risk Analysis Report (ACME company)
Module 3 - Planning
Goals:
Presentation of methods for the development of an Industrial Cyber
Contents:
• Considerations for a
• Planning for deployment of countermeasures in an
• ICS Cybersecurity Plan example (ACME Company)
Module 4 - Controls
Goals:
Governance and Monitoring:
Presentation of the main international standards that guide the implementation of cybersecurity policies in industrial networks. Basic concepts for the development of a business continuity
Presentation of Firewalls, VPNs, unidirectional security gateways and strategies for security in industrial WiFi
Industrial Network Protection:
Details of the defense in depth strategy recommended by ANSI/ISA-99 / ISA 62443 and presentation of the zones and
Presentation of cyber security solutions used for industrial network protection.
Presentation of the weaknesses of solutions traditionally used for malware protection in automation networks.
Malware control in OT networks and presentation of modern solutions to prevent malware attacks.
Presentation of threats to access to computer networks and the weaknesses of remote access to industrial networks.
Presentation of solution for second factor of authentication in systems and
Education and Awareness:
Presentation of concepts to build an education and awareness plan aiming at establishing the culture of cyber security for automation networks.
Contents:
• Reference standards
• The ANSI/ISA 99 | ISA/IEC
• The NIST 800-82 Guide
• The NERC-CIP standard
• Industrial Internet Consortium
• Automation security policies
• Business Continuity Plan
• Firewall architectures and
• Next generation firewalls
• Unidirectional security
• Industrial WiFi security
• Why do security solutions fail?
• Direct attacks on the control
• Zones and Conduits Model
• Network segmentation with NGFW and services
• Industrial firewalls.
• Zero Trust Architecture
• Inventory and asset visibility with Machine Learning
• Considerations about the use of antivirus and patches in
• Blacklisting x Whitelisting
• Example of solution for protection against malware infections in automation
• Threats to access control
• Access Control: Concepts,
• Main authentication
• Remote access to industrial networks and SCADA
• Example of solution for second authentication factor in remote access to industrial networks.
• Education and awareness plan
• Training and certifications available on the market
• Awareness-raising methods
• Main international events
Module 5 - Monitoring
Goals:
Presentation of methods for the implementation of continuous monitoring in automation plants, including SIEM technologies and managed security
Presentation of new technologies for ICS
Contents:
• Continuous monitoring and
• What to monitor in an
• Basics and benefits of using an SIEM tool
• Internal Monitoring Center
• Challenges for implementing a
• TI Safe ICS-SOC
• Trends in industrial cyber
Module 6 - Practices
Goals:
Ensure that the student has contact with the main hacking techniques and also the ICS Cybersecurity countermeasures presented during the training.
Contents:
• Initial setup of simulators and attacker machine on Kali Linux
• Web Target Scanning with
• Port scanning and services
• Scan PLC variables using
• Internal DoS Attack against
• DoS Attack against IIoT
• Attack through the values manipulation of PLC control
• Development of Cyberweapon for remote control
• Attack on the PLC via cyberweapon in PDF
• Demonstrations and practices of cyber security
• Demonstration of malware control solution for USB
• Demonstration of Malware industrial endpoint protection
• NGFW Log Inspection Demo
• Demonstration of Industrial Network Protection solution with Machine Learning
• Demonstration of Industrial Intelligence using SIEM Tool