OT Cybersecurity

WORKSHOP PORTAL

Welcome to the Lab.

Access your virtual machines, architecture simulations, and mission-critical resources for the Industrial Control Systems security workshop.

Pre-Workshop

Required

Pre-Assessment

Evaluate your current understanding of ICS protocols and security concepts.

Control Things VM (10 GB .OVA download)

Customized environment with Modbus, DNP3, and analysis tools pre-loaded.

Day 1: Discovery & Basics

Interactive Lab

Purdue Levels & Assets

Master network segmentation by dragging 22 ICS assets into their correct IEC 62443 Security Zones.

Slide Notes

Protocols & Architecture

Exercise Guide

Asset Discovery Labs

Case Study

Ukraine Grid Attack

Day 1 Final Quiz

Verify your knowledge

Day 1 Feedback

Share your thoughts

Day 2: Analysis & Defense

Threat Intelligence

MITRE ATT&CK for ICS

Map adversary techniques to their corresponding Tactics. Learn how attackers move through OT networks.

Day 2 Slides

Exercise Guide

Day 2 Quiz

Workshop Feedback

Threat Hunting

Modbus Simulation

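For the Modbus simulation, the following is an added example and not code from the portal or the Control Things VM: a decoder for Modbus/TCP request frames that flags write function codes (5, 6, 15, 16) arriving from hosts that are not on an allowlist of expected writers. Modbus carries no authentication, so "who is allowed to write to which outstation" has to be enforced and monitored outside the protocol. The two frames, the IP addresses and the allowlist are constructed for illustration.

```python
"""Minimal Modbus/TCP decoder with a write-from-unexpected-source check.

Added example; not part of the workshop portal or the Control Things VM.
Frames, IP addresses and the allowlist are constructed. A Modbus/TCP
request is a 7-byte MBAP header (transaction id, protocol id, length,
unit id) followed by the PDU (function code + data), all big-endian.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP request into a dict; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} != {len(frame) - 6} bytes on the wire")
    fc = frame[7]
    data = frame[8:]
    msg = {"transaction": tid, "unit": unit, "function": fc,
           "name": FUNCTION_NAMES.get(fc, "unknown/vendor"),
           "write": fc in WRITE_FUNCTIONS}
    if fc in (1, 2, 3, 4) and len(data) == 4:
        msg["address"], msg["quantity"] = struct.unpack(">HH", data)
    elif fc == 5 and len(data) == 4:
        addr, val = struct.unpack(">HH", data)
        if val not in (0xFF00, 0x0000):          # only two legal coil values
            raise ValueError(f"invalid coil value 0x{val:04X}")
        msg["address"], msg["value"] = addr, "ON" if val == 0xFF00 else "OFF"
    elif fc == 6 and len(data) == 4:
        msg["address"], msg["value"] = struct.unpack(">HH", data)
    return msg


def is_wellformed(frame):
    """True if the frame parses, False if the decoder rejected it."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def check_write(src_ip, frame, allowed_writers):
    """Return an alert string for a write from a non-allowlisted host, else None."""
    msg = parse_modbus_tcp(frame)
    if msg["write"] and src_ip not in allowed_writers:
        return (f"ALERT: {src_ip} sent {msg['name']} (FC {msg['function']}) "
                f"to unit {msg['unit']} address {msg.get('address')}")
    return None


# Constructed traffic: only the operator HMI is expected to write to the outstation.
ALLOWED_WRITERS = {"192.168.10.5"}
WRITE_COIL_10_ON = bytes.fromhex("0001 0000 0006 01 05 000A FF00")   # FC 05, coil 10, ON
READ_10_REGS = bytes.fromhex("0002 0000 0006 01 03 0000 000A")       # FC 03, regs 0..9

if __name__ == "__main__":
    print(parse_modbus_tcp(WRITE_COIL_10_ON))
    print(check_write("10.0.0.99", WRITE_COIL_10_ON, ALLOWED_WRITERS))
    print(check_write("192.168.10.5", WRITE_COIL_10_ON, ALLOWED_WRITERS))
```

Run it against a capture from the simulation by feeding each TCP payload to `check_write` together with its source address; reads from anywhere stay silent, and only writes from hosts outside the allowlist raise an alert.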

Purdue Levels & Assets

LEVEL 4: ENTERPRISE BUSINESS
LEVEL 3.5: INDUSTRIAL DMZ
LEVEL 3: OPERATIONS
LEVEL 2: SUPERVISORY CONTROL
LEVEL 1: BASIC CONTROL
LEVEL 0: PROCESS
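
The zone assignment is only useful once it is enforced on the conduits between zones. As an added example that is not part of the lab interface, the following checker takes a constructed asset inventory in the style of the lab's tray (hypothetical names; the lab's own 22 assets are not reproduced) and a constructed list of observed flows, and reports every flow that crosses more than one Purdue level in a single hop. The policy encoded is the simplification the lab teaches: traffic may only pass between adjacent levels, so anything between Level 4 and Level 3 has to terminate in the Level 3.5 DMZ.

```python
"""Purdue-model conduit checker for the zone-assignment lab.

Added example; not code from the workshop portal or the lab interface.
The asset inventory, level assignments and flow list are constructed, and
the policy is the Purdue / IEC 62443 simplification taught in the lab:
traffic may only cross between adjacent levels, so everything between the
enterprise (Level 4) and operations (Level 3) has to terminate in the
Industrial DMZ (Level 3.5).
"""

# Ordered from the physical process up to the enterprise network.
LEVELS = ["0", "1", "2", "3", "3.5", "4"]

ZONE_NAMES = {
    "4": "Enterprise Business",
    "3.5": "Industrial DMZ",
    "3": "Operations",
    "2": "Supervisory Control",
    "1": "Basic Control",
    "0": "Process",
}

# Constructed inventory (hypothetical names) in the style of the lab's tray.
ASSETS = {
    "ERP Server": "4",
    "Corporate Workstation": "4",
    "DMZ Historian Mirror": "3.5",
    "Remote Access Jump Host": "3.5",
    "SCADA Server": "3",
    "Plant Historian": "3",
    "Operator HMI": "2",
    "Engineering Workstation": "2",
    "Feeder PLC": "1",
    "Protection Relay": "1",
    "Breaker Actuator": "0",
    "Line Current Sensor": "0",
}


def check_flow(src, dst, assets=ASSETS):
    """Return (allowed, reason) for a flow between two inventoried assets."""
    if src not in assets or dst not in assets:
        return False, "unknown asset: assign every device to a zone before allowing flows"
    s_level, d_level = assets[src], assets[dst]
    s, d = LEVELS.index(s_level), LEVELS.index(d_level)
    if s == d:
        return True, f"intra-zone traffic inside Level {s_level} ({ZONE_NAMES[s_level]})"
    skipped = abs(s - d) - 1
    if skipped:
        return False, (f"Level {s_level} -> Level {d_level} bypasses {skipped} zone(s); "
                       f"the flow must be terminated and re-originated at each conduit")
    return True, f"conduit between adjacent zones Level {s_level} and Level {d_level}"


def audit(flows, assets=ASSETS):
    """Return [(src, dst, reason)] for every flow that violates the policy."""
    violations = []
    for src, dst in flows:
        allowed, reason = check_flow(src, dst, assets)
        if not allowed:
            violations.append((src, dst, reason))
    return violations


# Constructed flow list, as one might export from firewall rules or NetFlow.
SAMPLE_FLOWS = [
    ("ERP Server", "DMZ Historian Mirror"),        # 4 -> 3.5: allowed
    ("DMZ Historian Mirror", "Plant Historian"),   # 3.5 -> 3: allowed
    ("SCADA Server", "Operator HMI"),              # 3 -> 2: allowed
    ("Operator HMI", "Feeder PLC"),                # 2 -> 1: allowed
    ("Corporate Workstation", "Operator HMI"),     # 4 -> 2: an IT-to-OT VPN pivot
    ("ERP Server", "Feeder PLC"),                  # 4 -> 1: bypasses three zones
    ("Engineering Workstation", "Vendor Laptop"),  # not in the inventory
]

if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}: {reason}")
```

The flow from a Level 4 workstation straight to a Level 2 HMI is the shape of the pivot in the Day 1 case study: nothing about it looks like malware, and only the segmentation policy makes it visible.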

MITRE ATT&CK for ICS

INITIAL ACCESS
PERSISTENCE
LATERAL MOVEMENT
IMPACT

Classified Analysis

INCIDENT: UKRAINE-GRID-2015

Key Statistics

Impact: 225k customers
Duration: up to 6 hrs outage

PHASE 1: MARCH 2015

Initial Compromise

Adversaries gained access to the IT networks of three power distribution companies via spearphishing emails. The emails contained malicious Microsoft Office documents that installed BlackEnergy 3 malware when macros were enabled.

PHASE 2: SUMMER 2015

Reconnaissance & Pivot

Attackers harvested credentials (using Mimikatz) to move laterally from the Enterprise IT network into the Operational Technology (OT) network.

They discovered the SCADA systems and established VPN access to the ICS environment using the stolen credentials. The VPN connections did not require two-factor authentication, so the attackers could operate the control systems remotely through legitimate remote-access tools without placing any malware on them.

ATTACK: DEC 23, 2015, 15:30 LOCAL TIME

The Attack Execution

1. Breaker Operation: Attackers used the legitimate HMI software (via VNC/RDP) to remotely open breakers at 30 substations, visually interacting with the screens like an operator would.
2. Firmware Modification: Malicious firmware updates were pushed to Serial-to-Ethernet gateways, "bricking" them to prevent remote recovery by legitimate operators.
3. System Destruction: KillDisk wiper malware was executed, erasing master boot records of operator workstations to delay restoration.
4. Denial of Voice: A TDoS (Telephony Denial of Service) attack flooded the utility call centers to prevent customers from reporting the outage.
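
The following is an added example serving both the Day 2 ATT&CK for ICS mapping exercise and the case study above; it is not the lab's own code nor part of any published analysis of the incident. It checks an analyst's technique-to-tactic assignments for a timeline against the tactics each technique is actually listed under, and reports coverage of the four tactics the lab uses. Two things the drag-and-drop exercise hides are made explicit: several techniques belong to more than one tactic, so the correct answer depends on where in the intrusion the technique was observed, and some steps (the TDoS against the call centers) have no technique in the ICS matrix at all. Technique IDs and tactic memberships are reproduced from the public ATT&CK for ICS matrix as recalled here and should be verified against the current matrix version; the timeline is constructed from the case study.

```python
"""Check an analyst's technique-to-tactic assignments against ATT&CK for ICS.

Added example for the Day 2 mapping lab and the case study above; it is not
the lab's own code nor part of any published analysis of the incident.
Technique IDs and tactic memberships are reproduced from the public ATT&CK
for ICS matrix from memory: verify them against the current matrix version
before reusing them in a report. The timeline paraphrases the case study
and is a constructed input.
"""

# Technique ID -> (name, tactics it is listed under). Several techniques sit
# under more than one tactic, so the "right" tactic depends on where in the
# intrusion the technique was observed.
TECHNIQUES = {
    "T0865": ("Spearphishing Attachment", {"Initial Access"}),
    "T0859": ("Valid Accounts", {"Persistence", "Lateral Movement"}),
    "T0886": ("Remote Services", {"Initial Access", "Lateral Movement"}),
    "T0823": ("Graphical User Interface", {"Execution"}),
    "T0857": ("System Firmware", {"Persistence", "Inhibit Response Function"}),
    "T0809": ("Data Destruction", {"Inhibit Response Function"}),
    "T0826": ("Loss of Availability", {"Impact"}),
}

# The four tactics the lab asks students to sort techniques into.
LAB_TACTICS = ["Initial Access", "Persistence", "Lateral Movement", "Impact"]

# Constructed timeline: (when, observation, technique ID, tactic assigned by
# the analyst). The TDoS step has no technique in the ICS matrix, which is a
# legitimate outcome: it targeted the utility's telephony, not the process.
UKRAINE_2015 = [
    ("2015-03", "macro-enabled Office attachment installs BlackEnergy 3", "T0865", "Initial Access"),
    ("2015-summer", "harvested credentials keep IT-side access for months", "T0859", "Persistence"),
    ("2015-summer", "VPN from IT into the ICS network with those credentials", "T0886", "Lateral Movement"),
    ("2015-12-23", "breakers opened through the HMI over remote desktop", "T0823", "Execution"),
    ("2015-12-23", "serial-to-Ethernet gateway firmware overwritten", "T0857", "Inhibit Response Function"),
    ("2015-12-23", "KillDisk wipes operator workstations", "T0809", "Inhibit Response Function"),
    ("2015-12-23", "about 225k customers without power for up to six hours", "T0826", "Impact"),
    ("2015-12-23", "TDoS floods the utility call centers", None, None),
]


def map_timeline(timeline, techniques=TECHNIQUES):
    """Validate each assignment; return (accepted entries, error messages)."""
    accepted, errors = [], []
    for when, what, tid, tactic in timeline:
        if tid is None:
            errors.append(f"{when}: '{what}' has no ATT&CK for ICS technique; record it outside the matrix")
            continue
        if tid not in techniques:
            errors.append(f"{when}: unknown technique ID {tid}")
            continue
        name, valid = techniques[tid]
        if tactic not in valid:
            errors.append(f"{when}: {tid} {name} is not listed under {tactic}; valid: {sorted(valid)}")
            continue
        accepted.append((when, tid, name, tactic))
    return accepted, errors


def coverage(accepted, tactics=LAB_TACTICS):
    """Return {tactic: [technique IDs]} for the tactics the lab cares about."""
    result = {t: [] for t in tactics}
    for _, tid, _, tactic in accepted:
        if tactic in result:
            result[tactic].append(tid)
    return result


if __name__ == "__main__":
    accepted, errors = map_timeline(UKRAINE_2015)
    for tactic, tids in coverage(accepted).items():
        print(f"{tactic:17s} {tids or '-'}")
    for err in errors:
        print("NOTE", err)
```

Assigning T0865 Spearphishing Attachment to Lateral Movement, for instance, is rejected, while T0857 System Firmware is accepted under either Persistence or Inhibit Response Function, which is the distinction the lab is really testing.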