DeepSec 2019 Training: Pentesting Industrial Control Systems – Arnaud Soullie

In this intense two day training at DeepSec, you will learn everything you need to start pentesting Industrial Control Networks [also called Industrial Control Systems (ICS)].

We will cover the basics to help you understand what are the most common ICS vulnerabilities. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. And we will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them.

The training will end with an afternoon dedicated to a challenging hands-on exercise: The first [Capture The Flag] CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

We asked Arnaud a few more questions about his training.


Please tell us the top 5 facts about your training.

  • Industrial Control systems are everywhere
  • They are mostly insecure…
  • …and it is not really getting better…
  • You need to understand these specific systems if you want to hack into ICS
  • Understanding how to hack things is a great way to understand how to secure them

How did you come up with it? Was there something like an initial spark that set your mind on creating this training?

There are very few ICS security trainings at the moment, and they are mostly focused on defense and threat hunting. I strongly believe that it is valuable to have a pragmatic vision of offence to be better at defence, that is why I created this pentesting ICS training!

I also wanted people to work on realistic scenarios, that’s why the training ends with a half-day dedicated to a Capture-the-Flag using real ICS devices.

Why do you think this is an important topic?

We do not realize it, but Industrial Control Systems are everywhere, from your built-in heating system to nuclear power plants. Almost all critical infrastructures, vital for the countries, rely somehow on ICS.

The security level of these networks and components is still very low, despite awareness slowly raising the past fews years, so we need your help to assess and secure it!

Is there something you want everybody to know – some good advice for our readers maybe?

Please do not succumb to the hype. Start with the basics, build a security culture with people from operations. This new appliance is probably not gonna save you 😉

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?

All industries already perform extensive risk management, let’s help them include cybersecurity threats and I’m sure the security level will improve.

Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 9 years, he has been performing security audits and pentest on all type of targets. He specializes in Industrial Control Systems and Active Directory security. He has spoken at numerous security conferences on ICS topics : BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON…
He is also the creator of the DYODE project, an open-source data diode aimed at ICS.

Tags: , , , ,

Leave a Comment