301L ICS Cybersecurity Training (COURSE PILOT)

Actions Panel

Registrations are closed

This offering of the course is currently full. Please check the CISA ICS Training Calendar (www.us-cert.gov/ics/calendar) for upcoming class dates.

301L ICS Cybersecurity Training (COURSE PILOT)

In-person hands-on labs accompanying the 301v training on securing Industrial Control Systems (ICS) from cyber-attacks.

By ICS Training

When and where

Date and time

January 10, 2022 · 8am - January 13, 2022 · 5pm MST


To be announced

About this event

This instance of the class is a PILOT, meaning this is the first time running the updated class format. If you attend the pilot, expect extra time to be added to the class for feedback on the activities. The class will be limited to 30 participants.

The 301L is an instructor-led companion course to the 301V. This course provides hands-on training for understanding, protecting, and securing Industrial Control Systems (ICS) from cyber-attacks and includes a red team versus blue team exercise conducted within an actual Control Systems environment. Attendees will get an instructor-led hands-on experience with open-source operating systems and security tools such as Kali Linux and Security Onion. Attendees will also use their cyber skills along with tools covered in the 301V to solve a series of cyber escape rooms. In addition, the training provides the opportunity to network and collaborate with other colleagues involved in operating and protecting Control System networks.

Note: This course is not a deep dive into training on specific tools, Control System protocols, Control System vulnerability details or exploits against Control System devices. The 301L designation is simply a course number and has no reference to a “300 level” course.

This course consists of hands-on activities that are correlated with the five sessions covered in the 301V, followed by a series of cyber escape rooms, a red team versus blue team exercise, and a brief discussion of the lessons learned. It is expected that students come prepared having completed the labs that are part of the 301V. The 301L is not focused on classroom lecture and is considered more of a capstone to the 301V.


• Day 1 – Includes a welcome, a brief review of cybersecurity for Industrial Control Systems, and a process control attack demonstration. The morning also includes a discussion on the main differences between IT and OT networks, roles, responsibilities, and strategies for working together. Following the IT/OT discussion, is a lecture and hands-on activities dealing with wireless communications building on the topic discussion from the 301V. Hands-on activities in the afternoon are run in smaller groups as break-out sessions and focus on network discovery and mapping, network defense, detection, and analysis, and exploitation using Metasploit.

• Day 2 – The morning includes the continuation of the break-out sessions listed above. In the afternoon, the groups will participate in solving cyber escape rooms drawing on the topics and tools discussed in the 301V and 301L break-out sessions. The cyber escape rooms include a fun mix of cyber puzzles and traditional escape room puzzles. There will be a short debrief reviewing the skills and tools used in the cyber escape rooms following the completion of each cyber escape room.

• Day 3 – The morning includes the continuation of the cyber escape room activities. In the afternoon, trainees will be divided into Red and Blue teams and will receive training and instruction in preparation for the Red Team vs. Blue Team exercise.

• Day 4 – Includes a 7-hour hands-on exercise where trainees are either attacking (Red Team) or defending (Blue Team) IT and OT networks. The Blue Team is tasked with providing the cyber defense for a corporate environment, while maintaining the operation of a chemical batch mixing plant, and monitoring an electrical distribution substation SCADA system. After the exercise, there will be a brief round-table discussion of lessons learned to close out the training.


• Trainees must have previously participated in the virtual 301 (301V),and passed the assessment test with an 80% or better.

• Trainees should have practical knowledge and experience with ICS networks, software, and components. They should have a practical understanding of IT network basics and protocols such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP), as well as Media Access Control (MAC) and Internal Protocol (IP) addressing.

This course is presented at a facility in Idaho Falls, Idaho, USA configured specifically for the aspects of the course.

The 301L course is IACET accredited so attendees will be awarded Continuing Education Units (CEUs) and receive a certificate upon completion.

COVID-19 Information:

  • Proof of COVID-19 vaccination is required.
  • Masks are required to be worn throughout the training.
  • Attendees will be working in smaller groups where social distancing will NOT be possible.

Who Should attend:

Members of the industrial control systems community associated with IT and process control network operations and security (Operations Technology, OT), operations or management of critical infrastructure (CI) assets and facilities, as well as those who provide CI components and software development.

In effort to help reach our intended audience, registrations using public email domains such as gmail, hotmail, yahoo, icloud, etc. may NOT be accepted. Please register using a work, government, or military email account. Registration is subject to review by CISA and does not guarantee participation with the training event.

About the organizer

Organized by
ICS Training