Your Building Control Systems Have Been Hacked, Now What?
Tactics, Techniques and Procedures Workshop
This new workshop, sponsored by the National Institute of Building Sciences, is intended for building owners, facility managers, engineering, physical security, information assurance and other professionals involved with the design, deployment and operation of building control systems. It will provide a combination of classroom learning modules and hands-on laboratory exercises to learn how to detect, contain, eradicate and recover from a cyber event.
The workshop, taught by Michael Chipley, PhD, GICSP, PMP, LEED AP; Daryl Haegley, OCP, CCO; and Eric Nickel RCDD, CEH, CEP, is built around the Advanced Control System Tactics, Techniques and Procedures (TTPs) developed by the U.S. Cyber Command (USCYBERCOM), which provide detailed step-by-step guidance to respond to a cyber attack.
During the one-day workshop, attendees will use the Cyber Security Evaluation Tool (CSET), GrassMarlin, Glasswire and Belarc tools to create a fully mission-capable (FMC) baseline, which consists of documentation that characterizes the control system, such as the topology diagram, enclave entry points, user accounts, server/workstation documentation and network documentation.
Next, attendees will conduct footprinting and learn how to find building control systems exposed on the internet using Google Hacking, Shodan and WhiteScope discovery tools. Attendees will then build a Recovery Jump-Kit that contains the tools the control systems team and information technology (IT) team will need to restore a system to its last FMC state during mitigation and recovery. Using the Recovery Jump-Kit, attendees will then find and eradicate the malware using tools such as MalwareBytes and the Microsoft Internals suite, and learn how to perform data collection for forensics, which involves the acquisition of volatile and non-volatile data from a host, a network device and control system field controllers. Lastly, attendees will evaluate the cyber severity of the incident and prepare an incident report.
Attendees will need a laptop with administrative privileges to load software. Course content, tools and lab exercises will be provided on a CD at the beginning of the workshop.
For more information, see the Whole Building Design Guide Cybersecurity Reference page.
Students will need a laptop with administrative privileges to load software. Course content, tools and lab exercises will be provided on a CD at the beginning of the Workshop.
Because the Institute is offering this course for the first time, participants who attend the “trial run” of the workshop will receive a discounted rate of $300. That's 50% off the full registration price.
The Workshop is limited to 20 students.
Classroom: Advanced Cyber Tactics, Techniques, Procedures Concepts (Chapters 2 through 4)
Lab: Using the CSET and GrassMarlin tools to create Enclave, Network Architecture/Topology, and Component inventory
Classroom/Lab: Enclosure E and Appendix A: Create a Fully-Mission Capable (FMC) Baseline
Classroom/Lab: Enclosure F: Create a Jump-Kit
Lab: Introduction to Google Hacking, Shodan, VMWare, Kali Linux, SamuraiSTFU tools
Classroom: Enclosures A, B, and C: Detection, Mitigation, Recovery procedures
Classroom/Lab: Enclosure G: Data Collection For Forensics, Using the GlassWire, MalwareBytes, MS EMET and Sysinternals, and OSForensics tools
Classroom: Enclosure F: Cyber Severity Levels, Incident Reporting
Registration Cancellation Policy
Cancellations must be made in writing two weeks prior to the Workshop date for a 50% refund. You may elect to transfer your registration to a Workshop held at a later date without penalty. Substitutions of attendees must be made in writing within three days of the Workshop date. No refunds will be issued on cancellations received after the two week cutoff. No refunds will be issued for Conference no-shows. Qualified refunds will be issued following the event. Requests should be sent in writing via fax to 202-289-1092 or via email to firstname.lastname@example.org.