ICS/SCADA SECURITY TRAINING - RedAlert Lab with Real TestBed - DCSG2026
Name of Training: ICS/SCADA Security Training
Trainer(s): Hae-eun Ocean Moon, Rana Jose, Sunghun Do, and Sunho Marvin Lee
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost (GST included): $4,186 USD / equivalent to $5,400 SGD
Early bird price valid until February 8, 2026.
Short Summary:
This intensive two-day course provides a deep, hands-on exploration of ICS/SCADA security, covering OT architectures, attack surfaces, RF threats, PLC behavior, and key industrial protocols. Participants will learn investigation-driven techniques for analyzing ICS vulnerabilities, interpreting real-world attack scenarios, and safely executing controlled simulations in a realistic industrial environment.
Course Description:
This intensive 2-day program provides practitioners with a comprehensive and hands-on exploration of ICS/SCADA security, focusing on OT architectures, protocol behavior, RF attack surfaces, PLC operations, and realistic industrial threat scenarios. Through guided analysis of vulnerabilities, practical exploitation exercises, and controlled simulation environments, participants gain a complete understanding of how modern industrial systems can be targeted, analyzed, and protected.
Learners will engage directly with ICS networks, PLC/HMI interactions, industrial communication protocols, wireless control channels, and common OT attack vectors through structured labs. By the end of the course, participants will be able to analyze ICS vulnerabilities, interpret complex industrial attack traces, manipulate PLC logic within a safe environment, and apply investigation-driven defensive strategies suitable for real critical-infrastructure environments.
Course Outline:
Day 1 – ICS/SCADA Foundations & PLC Operations
Session 1 — ICS/SCADA Overview
- Overall trends in OT/ICS security
- Architecture of ICS/SCADA and typical attack scenarios
- Introduction to the Purdue Model
- Key differences between IT security and OT/ICS environments
Session 2 — Radio Frequency Attack (Part 1)
- RF attack overview in industrial systems
- Wireless signal detection
- Introduction to RF analysis tools
Session 3 — PLC Basics (Part 1)
- PLC simulation fundamentals
- Ladder logic fundamentals for runway control systems (Runway Module 1)
Session 4 — PLC Basics (Part 2)
- Building an HMI simulation and linking with a PLC
- Operating a runway control scenario using HMI
Session 5 — PLC Basics (Part 3)
- Extended ladder logic practice (Runway Module 2)
- Introduction to industrial control protocols (Modbus, OPC, UA)
Day 2 – ICS Vulnerability Analysis & Offensive Techniques
Session 6 — ICS Vulnerability & Attack (Part 1)
- Overview of fuzzing techniques for ICS protocols
- Introduction to exploit development concepts
- Case studies of real-world ICS attacks
Session 7 — ICS Vulnerability & Attack (Part 2)
- Advanced fuzzing workflows
- Additional real-world ICS/SCADA attack case studies
Session 8 — PLC Attack Advanced (Part 1)
- Industrial communication protocols
- ICS network architecture fundamentals
- PLC ↔ HMI packet flow and analysis
Session 9 — PLC Attack Advanced (Part 2)
- Analysis of control-specific protocols
- Protocol manipulation and modification scenarios
- Malware-style behavior injection in test environments
Session 10 — Radio Frequency Attack (Part 2)
- RF-based attack simulation on crane control systems
- Replay attack demonstration and analysis
Difficulty Level:
Intermediate to Advanced
Intermediate Definition - The student has education and some experience in the field and familiarity with the topic being presented. The student has foundational knowledge that the course will leverage to provide practical skills on the topic.
Advanced Definition - The student is expected to have significant practical experience with the tools and technologies that the training will focus on.
Suggested Prerequisites:
- Understanding of core information security concepts
- Basic proficiency with Linux OS (Kali preferred)
- Fundamental Python programming (scripting, control flow)
- Basic knowledge of network vulnerability assessment
What Students Should Bring:
- A laptop (16 GB RAM and 250 GB storage recommended for VM)
- VMware Workstation (pre-installation recommended)
What the Trainer Will Provide:
- Textbook
- All VM images and protocol analysis packages
- Testbeds with real-world scenarios for the hands-on exercises
- RA-T Runway
- RA-T Crane
- RA-T SFPCS
- RA-T SmartCity
- HackRF, P4wnP1
- Teensy
Trainer(s) Bio:
Haeeun Ocean Moon is a senior ICS/SCADA and IoT security researcher specializing in zero-day vulnerability discovery, embedded device analysis, and industrial protocol security. He began his career with top competitive achievements, including DEF CON CTF Finals (2009, 2013), CODE BLUE Hack2Win championships (2015, 2017), and STUD S3 victories (2017, 2019), before transitioning into advanced OT-focused research and instruction. Since 2016, he has served as a lead trainer for NSHC’s ICS/SCADA and IoT exploitation courses and contributed to major competitions such as MOTIE CTF (2019–2021) and DSTA CDDC CTF (2019–present). Haeeun is also a core organizer of the DEF CON ICS CTF in Las Vegas (2018–2019, 2021–2025) and has delivered ICS/OT training for government agencies in Singapore. He currently leads NSHC’s global zero-day research initiatives in ICS and IoT systems.
Rana Jose is an information security researcher and instructor specializing in emerging security technologies and critical infrastructure protection. From 2015 to 2018, he served as a researcher and lecturer at Sultan Qaboos University, publishing work at national and international conferences and delivering training for inter-governmental agencies including the IAEA. Since joining NSHC in 2019, he has focused on offensive security research, OT cyber-range development, and global ICS/SCADA training initiatives across South Korea, Singapore, and Oman. Rana is part of the organizing team for the DEF CON ICS/SCADA CTF in Las Vegas (2021–present) and the DSTA CDDC CTF (2019–present), and has spoken at events including Black Hat MEA, Hack In The Box CyberWeek, AISA, and multiple academic security conferences. He holds an MSc in Information Systems and a BSc (Hons) in Information Technology.
Sunho (Marvin) Lee is an ICS/SCADA hardware and embedded systems specialist with expertise in designing operationally realistic industrial testbeds used for vulnerability research and hands-on training. Since 2016, he has been an instructor for NSHC’s ICS/SCADA and IoT exploitation trainings and has contributed to multiple security competitions, including ICS/SCADA CTF (2019), MOTIE CTF (2019–2021), and DSTA CDDC CTF (2019–present). Sunho has been a key organizer of the DEF CON ICS CTF in Las Vegas (2021–present), developing large-scale dioramas and test environments that replicate real industrial operations. His current work centers on leading NSHC’s “RedAlert” ICS/SCADA testbed development, creating advanced environments for protocol analysis, PLC/HMI interaction, and RF-based industrial attack simulations.
Sunghun Do is an instructor specializing in foundational PLC and HMI operations within ICS/SCADA environments, delivering numerous training sessions for participants in both Korea and Singapore. His teaching focuses on helping learners understand core industrial control concepts through practical, simulation-based exercises that emphasize PLC logic flows, HMI interaction, and the operational basics of industrial automation systems. He contributes to NSHC’s ICS/SCADA training programs by guiding students through essential hands-on modules that build the baseline skills required for more advanced OT security analysis.
Registration Terms and Conditions:
Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.
Between March 27, 2026 and April 21, 2026 partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.
All trainings are non-refundable after April 21, 2026.
Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.