Skip to main content
Arnaud Soullie - Pentesting Industrial Control Systems - $2,100 (early $1,900)
Arnaud Soullie - Pentesting Industrial Control Systems - $2,100 (early $1,900)

Arnaud Soullie - Pentesting Industrial Control Systems - $2,100 (early $1,900)

Trainer bio:
Arnaud Soullié (@arnaudsoullie) is a manager at Wavestone. For 13 years, he has been performing security audits and pentest on all types of targets. He specializes in Industrial Control Systems. He has spoken at numerous security conferences on ICS topic: BlackHat Europe, BruCon, 4SICS, BSides Las Vegas, DEFCON... He is also the creator of the DYODE project, an open­source data diode aimed at ICS. He has been teaching ICS cybersecurity since 2015 (BlackHat US, BlackHat Asia, CS3SHTLM, Hack in Paris, Deepsec…)

Trainer social media links: @arnaudsoullie

Full description of the training:
On this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Systems!

We will start with the basics of Industrial Control Systems (components, architectures, communications…) to help you understand how it works.

We’ll then use the custom designed WhiskICS virtual training kit to learn how to program a PLC and connect it to a SCADA system, then attack our own system to understand its weaknesses.

The training continues on the second day with a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms.

This training is heavily based on hands-on exercises, and the outline of the training is the following:



Introduction to Industrial Control Systems (A brief history of ICS, architectures, ICS components and their roles, IT vs OT, common ICS vulnerabilities)

Automation basics & programming PLC (programming the “WhiskICS” student kit in ladder logic)

ICS protocols (packet capture analysis and sending requests to PLC and simulators for some common ICS protocols: Modbus, S7, OPC-UA)

Focus on PLC security (deep-dive on PLCs, how they work, specific & non documented features…)


Capture The Flag (all day dedicated to an end-to-end pentest from corporate Active Directory to PLCs! )

Moreover, each attendee will get a 30-day full access to our elearning and online labs.

Short description of what the student will know how to do, after completing the class:

  • Understand the specificities of Industrial Control Systems
  • Know the tools and techniques to attack Industrial Control Systems
  • Know the risks associated with pentesting in these environments and how to limit them

     Outline of the class:
  • Day 1
    • Introduction to Industrial Control Systems
      • A brief history of ICS
      • Vocabulary
      • The CIM model
      • Classic architectures
      • ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles
      • OT vs IT 
      • Common ICS vulnerabilities
      • Hacking the process vs hacking the system
    • Creating your own virtual ICS environment
      • Introduction to automation (PID loop…)
      • Basic steps of programming a PLC
      • LAB: we’ll create our own training environment by programming a PLC simulator in “ladder logic” and “SFC” that will be connected to a process simulation environment allowing each attendee to test and debug its code until the process works as intended (a simplified whisky distillation process)
    • ICS protocols
      • General presentation of ICS protocols (fieldbus, supervision, data exchange)
      • LAB: exercises on analysis of network packet capture (modbus/tcp, S7, OPC-UA)
      • LAB: Exchange data with the PLC simulator using modbus clients, S7 as well as OPC-UA client
    • Focus on PLC security
      • Presentation of PLCs internal architecture
      • Discussion about OS and middleware (codesys)
      • Presentation of vulnerabilities on standard interfaces (web, ftp, snmp…)
      • LAB: Identify & exploit exposed interfaces on the PLC simulator
      • Presentation of Modbus function code 90
      • LAB: Use of specific exploits against our PLC simulator
  • Day 2 : Full-day CTF
    • The CTF will be guided, which means that hints and solutions will be provided to students throughout the day so that everyone gets all the flags at the end of the day, and the first one gets a surprise prize.
    • Students will be helped to:
      • Perform some Windows pentesting
      • Pivot to an ICS network
      • Identify industrial components
      • Attack PLCs and SCADA systems to capture the flag on a simulated environment
      • The cloud environment will also have access to the physical version of the CTF installed in the training room, with a real model train and robotic arms :)

Technical difficulty of the class (Beginner, Intermediate, Advanced): This training is aimed at beginner/intermediate students

Suggested prerequisites for the class: Students need to be able to work with Windows and Linux systems (including basic command line usage), and have an understanding of TCP/IP networking. A first pentesting experience is a plus, but is not required. 

Items students will need to provide: Students need to come with a laptop capable of connecting to the WiFi and with a modern web browser. Each student will get its own environment in the cloud for the lab sessions and for the CTF.


DATE: August 12th-13th, 2024

TIME: 8am to 5pm PDT

VENUESahara Las Vegas

TRAINER: Arnaud Soullie

- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included

Registration terms and conditions:

Trainings are refundable before July 1st, the processing fee is $250.

Trainings are non-refundable after July 10th, 2024.

Training tickets may be transferred. Please email us for specifics.

Failure to attend the Training without prior written notification, will be considered a No-Show. No refund will be given.

By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.