The ENCS operations training teaches analysts how to detect vulnerabilities and incidents in OT systems. The training is based on the 2017 member project on OT security monitoring and makes all the information from that project available in a two-day course. In this way, anyone can quickly get the latest knowledge on OT security monitoring.

Who should attend the security operations training?

The training is for anyone who monitors OT systems to detect vulnerabilities and incidents. This includes:

  • OT engineers and system administrators specializing in security
  • IT SOC or CSIRT analysts with a responsibility for OT

What will I learn in the training?

You will learn how to detect vulnerabilities and incidents in OT systems by:

  • choosing monitoring use cases to counter the biggest security risks
  • choosing the right sensors and data sources to cover the whole OT domain
  • reading vulnerability scans and reports, and determining mitigations
  • analysing alerts and possible incidents
  • configuring and using the new security sensors developed for OT

What is the training program?

The training program consists of the following modules:

1) Risk-based detection strategy

  • Learn what use cases can be applied in OT systems
  • Learn how to select use cases based on risks
  • Apply the risk-based selection to a SCADA system

2) Vulnerability management

  • Learn how to structurally manage vulnerabilities to make sure they are really fixed
  • Learn how to find vulnerabilities on individual hosts
  • Learn how to find vulnerabilities in network architectures
  • Learn how to prioritize vulnerabilities based on real-world examples
  • Learn how to find fixes and mitigations that work in OT systems (including legacy systems)

3) Misuse detection

  • Learn how to use IT intrusion detection sensors in OT
  • Learn how to analyze deep-packet inspection alerts on malformed packets

4) Access monitoring

  • Learn how to analyze logs for unusual access
  • Learn how to set up flow white-listing
  • Learn how to analyze alerts for new hosts and connections

5) Reviewing action logs

  • Learn how to analyze logs for unusual maintenance actions (e.g. someone installing backdoors)
  • Learn how to configure and use deep-packet inspection to detect unusual actions in SCADA systems

6) Bringing it all together

  • Analyze how the different use cases would have detected the attacks in Ukraine in 2015 and 2016, and the Industroyer malware
  • Practice hands-on with detecting a similar attack
  • Learn how to correlate information from the different use cases learned in earlier modules

The training emphasizes hands-on practice. Participants practice with realistic traffic captures or log files.

Training location & dates


Training duration

The training consists of two days.

Day 1: 10:00 – 17:00
Day 2: 09:00 – 15:00

On the evening of day 1 there is a dinner to allow for networking.

Knowledge before training

You are expected to have knowledge about TCP/IP networking and Wireshark. Some Linux knowledge, and knowledge about the IEC 104 and IEC 61850 protocols is useful, but not mandatory.

Laptop required: participants are expected to bring their own laptop with Wireshark installed.

Costs of training

For ENCS members, the costs are 1,500 euros per participant. For non-members, the costs are 2,000 euros per participant. The dinner on Day 1 is included in the training price.
