Training Details

A new generation of malware and targeted attacks has been hitting industrial control systems (ICS), causing large financial losses and endangering human life. ICS remain vulnerable by nature, largely because they are poorly understood by the security community. Penetration testing of ICS is a very niche field: it requires in-depth knowledge and depends heavily on access to the right hardware.

This course concentrates on methodologies for penetration testing commercial hardware devices such as PLCs, as well as simulators, and gives participants hands-on experience testing these devices and systems. It also covers hardware analysis of embedded systems and fuzzing of ICS protocols to identify 0-day vulnerabilities. The lab setup simulates an ICS infrastructure with real PLCs and a SCADA application. The course closes with an ICS CTF, with goodies for the winners.

Throughout the course, we will use Astra-ICS, a VM created by us specifically for ICS and IoT penetration testing. It has most of the required tools for ICS and IoT security analysis. We will also distribute VulICS, a vulnerable embedded sensor made in-house for hands-on exercises.

The “Practical Industrial Control System (ICS) Hacking” course is aimed at security professionals who want to enhance their skills and move to/specialize in ICS security. The course is structured for beginner to intermediate level attendees who do not have any experience in ICS, reversing or hardware.


Who should take this course

  • Penetration Testers tasked with auditing ICS
  • Government officials from offensive or defensive units
  • Red team members tasked with compromising the ICS infrastructure
  • Embedded security enthusiasts
  • SCADA and PLC programmers
  • Anyone interested in ICS security


Prerequisites

  • Basic knowledge of Linux OS
  • Basic knowledge of programming (C, Python) is a plus


Laptop requirements

  • Laptop with at least 40 GB free disk space
  • At least 4 GB RAM (2 GB or more reserved for the VM)
  • External USB access
  • Administrative privileges on the system

Course Outline

  1. Briefing of ICS
  2. Difference between ICS and DCS
  3. Briefing of ISA99/IEC62443, NIST 800-82
  4. Briefing of PLC and RTU
  5. ICS Architecture
  6. PLC Wiring
  7. PLC Programming
  8. ICS Protocols Overview
    1. Modbus
      • Introduction and protocol overview
      • Reconnaissance (Active and Passive)
      • Sniffing and Eavesdropping
      • Baseline Response Replay
      • Modbus Flooding
      • Modifying Coil and register values of PLC
      • Rogue Interloper (PLC)
    2. S7 Communication
      • Introduction and protocol overview
      • Reconnaissance (Active and Passive)
      • Sniffing and Eavesdropping
      • Uploading and downloading PLC programs
      • Starting and stopping the PLC CPU
    3. DNP3
      • Introduction and protocol overview
      • Reconnaissance (Active and Passive)
      • Length Overflow Attack
      • Reset Function Attack
      • Rogue Interloper (PLC)
    4. CAN bus
      • Introduction and protocol overview
      • Reconnaissance (Active and Passive)
      • Sniffing and Eavesdropping
      • Replay Attack
      • Packet Forging Attack
    5. Gateway – 2G/3G/4G
      • Introduction
      • IMSI Catcher
      • 3G/4G downgrade attack
      • Jamming attacks
      • Intercepting communications over fake BTS
      • SMS Fuzzing
      • SMS Forging Attack
    6. Zigbee (802.15.4)
      • Introduction and protocol overview
      • Reconnaissance
      • Sniffing and Eavesdropping
      • Replay Attacks
      • Packet Forging Attacks
      • Jamming Attacks
      • Dissociation Attacks
  9. Hardware Analysis
    1. I2C
      • Introduction
      • I2C Protocol
      • Interfacing with I2C
      • Manipulating Data via I2C
      • Sniffing run-time I2C communication
    2. SPI
      • Introduction
      • SPI Protocol
      • Interfacing with SPI
      • Manipulating data via SPI
      • Sniffing run-time SPI communication
    3. UART
      • What is UART
      • Identifying UART Interface
      • Accessing sensor via UART
  10. Debugging with JTAG
  11. Fault Injection
    1. Clock Glitching
      • To bypass bootloader
      • To bypass CRP (Code Read Protection)
    2. VCC Glitching
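As an added example, not part of the course material or of the Astra-ICS VM, the following Python shows what the Modbus items in the outline above look like on the wire: an MBAP header wrapped around a PDU, a Read Coils request and response, an unauthenticated Write Single Coil that flips a PLC output, and an exception response for an out-of-range address. The SimulatedPLC class is a constructed stand-in for a real device; the function codes and encodings follow the public Modbus Application Protocol specification.

```python
"""Modbus/TCP frame construction, parsing and an unauthenticated coil write.
Added example; SimulatedPLC is a constructed in-memory slave, not real hardware."""
import struct

# Function codes and exception codes from the Modbus Application Protocol spec
READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02


def build_adu(transaction_id, unit_id, pdu):
    """MBAP header (TID, protocol ID 0, length of unit ID + PDU, unit ID) + PDU."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame):
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7:]


def read_coils_request(tid, unit, address, count):
    return build_adu(tid, unit, struct.pack(">BHH", READ_COILS, address, count))


def write_single_coil_request(tid, unit, address, on):
    # Modbus encodes ON as 0xFF00 and OFF as 0x0000; there is no authentication field
    value = 0xFF00 if on else 0x0000
    return build_adu(tid, unit, struct.pack(">BHH", WRITE_SINGLE_COIL, address, value))


def write_single_register_request(tid, unit, address, value):
    return build_adu(tid, unit, struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value))


class SimulatedPLC:
    """Minimal Modbus slave with 16 coils and 8 holding registers (constructed)."""

    def __init__(self):
        self.coils = [False] * 16
        self.registers = [0] * 8

    def handle(self, frame):
        tid, unit, pdu = parse_adu(frame)
        fc = pdu[0]
        try:
            if fc == READ_COILS:
                addr, count = struct.unpack(">HH", pdu[1:5])
                if addr + count > len(self.coils):
                    raise IndexError
                nbytes = (count + 7) // 8
                packed = bytearray(nbytes)
                for i, bit in enumerate(self.coils[addr:addr + count]):
                    if bit:
                        packed[i // 8] |= 1 << (i % 8)   # LSB-first within each byte
                resp = bytes([fc, nbytes]) + bytes(packed)
            elif fc == WRITE_SINGLE_COIL:
                addr, value = struct.unpack(">HH", pdu[1:5])
                self.coils[addr] = value == 0xFF00       # IndexError if out of range
                resp = pdu                                # normal response echoes the request
            elif fc == WRITE_SINGLE_REGISTER:
                addr, value = struct.unpack(">HH", pdu[1:5])
                self.registers[addr] = value
                resp = pdu
            else:
                return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION]))
        except IndexError:
            return build_adu(tid, unit, bytes([fc | 0x80, EXC_ILLEGAL_DATA_ADDRESS]))
        return build_adu(tid, unit, resp)


def parse_response(frame):
    """Return (function_code, data, exception_code_or_None); bit 7 set marks an exception."""
    _, _, pdu = parse_adu(frame)
    if pdu[0] & 0x80:
        return pdu[0] & 0x7F, b"", pdu[1]
    return pdu[0], pdu[1:], None


def decode_coils(data, count):
    """Unpack the byte-count-prefixed coil bitmap of a Read Coils response."""
    return [bool((data[1 + i // 8] >> (i % 8)) & 1) for i in range(count)]


def demo():
    plc = SimulatedPLC()
    before = decode_coils(parse_response(plc.handle(read_coils_request(1, 1, 0, 16)))[1], 16)
    plc.handle(write_single_coil_request(2, 1, 3, True))        # nobody asks who we are
    after = decode_coils(parse_response(plc.handle(read_coils_request(3, 1, 0, 16)))[1], 16)
    _, _, exc = parse_response(plc.handle(write_single_coil_request(4, 1, 500, True)))
    return before, after, exc


if __name__ == "__main__":
    print(demo())
```

Against a real PLC the frames above go over TCP port 502 and `plc.handle` becomes a socket send/recv; everything else is unchanged, which is exactly why an unauthenticated Write Single Coil from any host on the control network changes a physical output. Only send writes to lab equipment you own; on a live process the consequences are physical, not just a changed register.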