
ICS for Pentesters – Finding and Exploiting Industrial Control Systems on Enterprise Networks

Billy Rios & Terry McCorkle | July 27-28 & 29-30





Industrial Control Systems (ICS) are a poorly understood technology, yet are common to many enterprise networks. The power management systems that run your corporate campus, the badging system that unlocks the doors to the most sensitive areas of your enterprise, and the HVAC systems that cool your critical datacenter are all considered ICS.

In this class, students will be introduced to the basics of ICS and the components that they are likely to encounter while performing penetration tests and red team assessments for the Fortune 1000. Software and hardware components, including Human Machine Interfaces (HMI), Programmable Logic Controllers (PLC), and other ICS supporting components, will be covered in detail, along with a deep dive into common vulnerabilities and configurations that exist in ICS deployments. The instructors will also cover techniques for discovering ICS on enterprise networks as well as the precautions that must be taken while performing an ICS-focused assessment. Students should expect to spend a significant amount of the classroom time in a custom-developed ICS lab environment, using the techniques they learned in class. Students will also have the opportunity to experience working with live PLCs and performing simulated penetration tests which ultimately lead to the compromise of real ICS.


Basic penetration testing experience is required. Intermediate/Advanced penetration testing experience is desired, but not required. The course assumes students will have little or no experience working with ICS components.

Who Should Take This Course

What Students Will Be Provided With

Virtual Machines, required security tools (on USB), access to Programmable Logic Controllers (Siemens S7), access to HMI software (Siemens MicroWin), access to virtualized enterprise network

What Students Should Bring



  1. Fully functional laptop with a functional USB drive and WiFi
  2. At least 8 GB of free hard drive space on the laptop
  3. At least 4 GB of RAM on the laptop
  4. The ability to install security tools on the host system (typically means administrative rights on the laptop)
  5. Latest version of VMware Player, VMware Workstation or VMware Fusion installed on the laptop



Billy Rios is currently a Technical Director at Cylance. Before Cylance, Billy was a Team Lead for Google where he studied emerging security threats and technologies. Billy was one of the primary security engineers for Google Plus, the new social network by Google. Prior to Google, Billy was a Security Program Manager at Microsoft where he helped secure several high profile software projects including Internet Explorer and Microsoft Online. Prior to these roles, Billy was a penetration tester for various consulting firms.

Before his life as a penetration tester, Billy worked as an Information Assurance Analyst for the Defense Information Systems Agency (DISA). While at DISA, Billy helped protect Department of Defense (DoD) information systems by performing network intrusion detection, vulnerability analysis, and incident handling. Before attacking and defending information systems, Billy was an active duty Officer in the United States Marine Corps where he served as an OIC, Platoon Commander, and Company Executive Officer.

Billy is an accomplished public speaker and published author. He has authored and contributed to several books, most notably “Hacking: The Next Generation” and “Inside Cyber Warfare: Mapping the Cyber Underworld”, both published by O'Reilly Media. Billy has also presented at such prestigious security conferences as Black Hat, RSA, NATO CCDCOE, Microsoft’s Blue Hat, DEFCON, ToorCon Seattle, and the HITB Security Conference. Billy is cited in numerous security advisories for research on attacking Industrial Control Systems, URI and protocol handlers, content ownership issues (such as the GIFAR attack), and DNS rebinding attacks (against Flash and the Java Virtual Machine), and was previously credited for discovering vulnerabilities in Microsoft Windows and Adobe PDF Reader.