Threat Hunting in Industrial Control System Environments with Open Source Tools

Course Description

Industrial Control System environments contain purpose-driven network and host devices tied to the production goal of the industrial facility. Because of the unique nature of production environments, IT approaches to threat hunting do not map well to OT environments. In this workshop, we will share our approach to hunting in industrial control system environments using only open source tools.

Course Contents

We will first discuss hunting strategy relevant to oil refineries, power generation facilities, and wind farms, comparing and contrasting the strategies we have found useful for threat hunting in each environment. We will then move to the hands-on portion of the course, where we will show how to implement the planned strategies using packet captures and host files from our industrial control system range. We will show how to focus threat hunting on protocols found in both IT and OT networks, including DNS, HTTP, and SMB, as well as how to tackle protocols found only in ICS environments.

The first day of the course will consist of an overview of hunting, the relevance of hunting to industrial environments, and how to plan a hunt, and will then move into a series of guided exercises focused on hunting in IT protocols as they are used in OT environments. The second day of the course will consist entirely of guided exercises, finishing up hunting in traditional IT protocols and then moving to strategies for hunting in industrial-specific protocols, including Modbus, IEC 104 and DNP3. At the end of the course, students will leave with both a sound understanding of strategy and proven threat hunting techniques for industrial environments.

Target Audience

  • Industrial Control System Incident Responders and Threat Hunters
  • Anyone interested in learning more about threat hunting in ICS environments!

Prerequisites

  • General familiarity with open source security tools including Bro IDS and Snort
  • General familiarity with Elasticsearch and Kibana
  • Industrial protocol and device knowledge is a plus but not necessary

Hardware/Software Requirements

Laptop with VMware, VirtualBox, or similar virtualization software capable of importing an OVA

Trainer Biography

Daniel Michaud-Soucy is a Principal Threat Analyst in the Threat Operations Center at the industrial cyber security company Dragos, Inc., where he provides threat hunting and assessment services within a variety of industrial environments. Daniel previously worked for Sempra Energy on RD&D tasks revolving around machine-to-machine automated threat response, data aggregation, advanced threat detection and secure system interfaces for ICS/SCADA. Daniel also worked with Red Tiger Security performing cyber vulnerability assessments and penetration tests on oil & gas, electrical power, water treatment and pharmaceutical ICS/SCADA environments. Daniel also co-authored and co-taught the Red Tiger Security “SCADA Security Advanced Training” class between 2010 and 2015, training hundreds of professionals around the world.

Twitter: @danms0

Marc Seitz is a Threat Analyst in the Threat Operations Center at the industrial cyber security company Dragos, Inc., where he coordinates industrial control system cyber test lab functions and performs threat hunting services in ICS networks. Marc is a specialist in designing and implementing innovative simulated industrial environments to provide a safe and realistic training and attack simulation experience for internal and external analysts. He also conducts onsite vulnerability assessments and threat hunting services for customers in a variety of verticals.

Twitter: @SubtleThreat