BlackHat US 2026 [August 01-04] From PLC to the Cloud: Legacy & Modern ICS Security

Industrial Control Systems (ICS) are rapidly evolving. Modern plants mix legacy PLCs with software-based controllers, cloud services, Zero-Trust networks, and IIoT — creating new attack paths and new defense challenges.

In this fully hands-on 4-day training, you’ll learn by doing: programming PLCs in ladder, analyzing and exploiting ICS protocols (Modbus, S7, OPC-UA, MQTT), breaking engineering services, assessing Windows/AD assets in OT networks, attacking and hardening soft-PLCs, and navigating cloud-connected architectures including AWS.

You’ll apply everything through two guided Capture-the-Flags: one simulating a traditional on-prem industrial network, and one built around modern, cloud-integrated ICS. Expect end-to-end scenarios including Active Directory compromise, protocol manipulation, PLC logic attacks, cloud privilege escalation, and cyber-physical impact on simulated processes.

Whether you’re a pentester, defender, or ICS engineer, you will leave with actionable skills to assess and secure real industrial environments, modern or legacy.

Full abstract

Industrial Control Systems (ICS) are rapidly evolving. What used to be isolated environments built around proprietary hardware are now increasingly connected: cloud workflows support industrial analytics, hybrid and soft-PLCs run on general-purpose compute, Zero-Trust and SD-WAN reshape networks, and IIoT devices bridge operations with business systems. These advancements create efficiency but also new cyber risk.

This fully hands-on 4-day training is designed to teach students how to understand, assess, exploit, and defend both traditional and modern ICS architectures. Rather than focusing on narrow expertise, this course gives you end-to-end skills: from PLC logic to Active Directory pivots to cloud-integrated industrial compromise with physical-world consequences.

Whether you are a security tester, blue-team operator, incident responder, or ICS/SCADA engineer, you will leave the training ready to operate effectively in real industrial environments.

Moreover, the training doesn’t stop on the last day! Each participant will receive 30-day access to our “ICS cybersecurity academy” e-learning portal, where they can watch the training content on video and perform all the exercises on a cloud platform.

By the end of the training, students will be able to:

✔ Understand how industrial processes operate and how PLCs, SCADA/DCS, sensors, and field equipment interact
✔ Compare IT and OT risk models and identify ICS-specific threat vectors
✔ Program and analyze PLC logic and identify insecure coding patterns
✔ Analyze and manipulate industrial protocol traffic such as Modbus, S7, MQTT, and OPC-UA
✔ Identify weaknesses in PLC engineering services and exposed interfaces
✔ Secure and attack soft-PLC environments and edge devices
✔ Assess and exploit weaknesses in Windows and Active Directory systems used in industrial networks
✔ Understand cloud adoption in ICS and exploit AWS misconfigurations relevant to IIoT and OT
✔ Execute full kill-chain scenarios against both legacy and modern ICS setups up to cyber-physical attacks and understand operational constraints of testing ICS
✔ Validate detection capabilities using MITRE CALDERA and ICS-focused monitoring stacks

Training outline

DAY 1 — Foundations of Industrial Systems & Hands-On PLC Work

  • Module 0 — Introduction to the Training (Agenda, resources, logistics)
    Students gain orientation, understand lab environments, guidance, and expectations for a deeply practical program.
  • Module 1 — Introduction to ICS (ICS architectures, components & vulnerabilities)
    Learners explore how industrial systems are built, why availability and safety dominate OT priorities, common component roles (PLCs, SCADA, historians, sensors), and real-world vulnerabilities found across 60+ facilities.
  • Module 2 — Programming PLCs (Hands-on ladder programming)
    Participants program a simulated PLC in ladder logic to control a physical-process simulation.
  • Module 3 — Modern & Legacy ICS Protocols (Modbus, S7, OPC-UA, MQTT + PCAP & exploitation)
    Students analyze industrial traffic with Wireshark, craft packets, authenticate (or bypass) security features, and use client tools to understand how insecure protocols can be used.
  • Module 4 — Advanced PLC Security (Attacking PLC services & engineering protocols)
    A deeper look into PLC operating systems, middleware, and administrative backplanes, including exploitation of insecure web/FTP/SNMP interfaces and manufacturer-specific protocol weaknesses.
  • Module 5 — Soft & Hybrid PLCs / Edge Devices (Soft-PLC compromise & hardening)
    Students explore the growing trend of PLC functions deployed on Linux/Windows, attack OS layers beneath control applications, and harden exposed runtime environments.
  • Module 6 — SCADA & DCS Supervision (Configuring SCADA, finding weak points & extracting data)
    Students configure a SCADA system to control PLCs and focus on application-layer vulnerabilities.

DAY 2 — ICS Supervision, Active Directory & Cloud-Driven Industrial Architectures

  • Module 7 — Assessing ICS Environments (Pentesting methods adapted to operational constraints)
    A methodology module covering safe testing practices, prioritization strategies, and execution of vulnerability scans while limiting production disruption risks.
  • Module 8 — Windows & Active Directory in ICS (Credential abuse, AD enumeration, OT pivoting)
    Students execute Windows/AD reconnaissance and exploitation, showing how IT compromises quickly become OT compromises when credentials, shares, or GPOs expose ICS access.
  • Module 9 — Modern ICS Architectures & Services (ZTNA, SD-WAN & IAM-driven security)
    Introductory modules on the modern technologies now deployed in ICS and how they impact the threat model.
  • Module 10 — Cloud Security for ICS (AWS misconfig assessment & privilege escalation)
    Students operate directly in AWS using the CLI and real workloads relevant to industrial operations, learning cloud pivoting strategies and common cloud misconfigurations.

DAY 3 — Secure PLC Coding & Legacy ICS Full-Chain CTF

  • Module 11 — PLC Code Security (Secure coding & process-aware monitoring logic)
    Students learn why logic can impact cybersecurity, identify dangerous constructs in ladder, and implement simple anomaly detection logic inside the PLC itself.
  • Module 12 — Legacy ICS CTF (Full on-prem ICS intrusion mission from IT to OT)
    The class executes a guided but realistic ICS attack scenario, starting from a corporate network and finally impacting a process simulation. Each student has their own CTF environment and can also attack the physical setup.

DAY 4 — OT Detection Evaluation & Modern ICS Cloud-Connected CTF

  • Module 13 — Automated Testing Using CALDERA (Validating OT detection & monitoring)
    Students learn which OT threats monitoring tools fail to detect, then use CALDERA to generate safe detection signals on monitoring stacks (Malcolm & Wazuh) to evaluate detection maturity.
  • Module 14 — Modern Cloud-Connected ICS CTF (Cloud → IIoT pivoting and cyber-physical impact)
    The class executes another guided but realistic ICS attack scenario, this time focusing on modern technologies. Students start from the Internet, without prior information, and impact a model ICS setup.

Target audience

This training aims at bridging the gap between IT and ICS: it is designed to allow OT professionals to understand the security challenges of ICS with an offensive mindset, while allowing IT professionals to discover the world of Industrial Control Systems and adapt their cybersecurity knowledge to this new world.

The training is heavily hands-on. While no ICS or pentest knowledge is required, attendees are recommended to have basic networking and computer skills (using virtual machines, the command line, understanding TCP/IP…).

Pricing and registration

Pricing and registrations are not available yet.
