From Flight Training to Industrial Control Systems Cybersecurity: Lessons from SANS ICS612

ICS practitioners can immediately apply the knowledge gained from the SANS ICS612 training in real‑world situations.

Landing an Aircraft

A factory CEO, referred to as Bill, wants his key team members to truly understand the pressure his operations team faces daily to meet production goals, and to grasp the difference between "make it happen" and "watch it happen," as well as the gap between believing they have a skill and actually knowing they have it.

To teach this lesson, Bill purchased a one‑hour flight lesson for his ten senior employees.

He explains that without background or prior experience, guiding someone through a task is difficult; effective guidance requires resetting expectations, deliberately exposing learners to relevant experiences, and supervising them as they tackle realistic scenarios. Flying a plane exemplifies this: while a coach can give instructions, the student must have enough skill and experience to correct mistakes and land the aircraft, otherwise the coach must take over.

The story demonstrates that even an experienced flight instructor cannot guide a student through a complex scenario like landing if the student lacks experience, mirroring the need for hands‑on experience in industrial control systems.

Relevant experience is obtained by first understanding how a plant or factory is built and organized to produce a profitable product. A plant consists of OEM‑provided equipment integrated to control processes, ranging from toothpaste production to gasoline refining.

Modern plants are increasingly connected via network security, adding cybersecurity skills to the required toolkit.

OEMs typically create specialized mechanical or design solutions based on their expertise, but each lacks the other's specialized knowledge. Operators must learn how to operate, maintain, and troubleshoot equipment, and OEM training may cover coding or valve sizing, while operator training focuses on practical adjustments and fault handling.

The importance of relevant experience is highlighted: understanding how control valves respond to physical size, how to set control points, and how machines react to those settings is crucial for both OEMs and operators.

ICS Cybersecurity Deep Dive

The SANS ICS612 course aims to provide students with hands‑on labs that give relevant experience in operating, maintaining, monitoring, and troubleshooting industrial assets, as well as defending and attacking them.

Real‑time embedded control systems such as PLCs

Digital and analog I/O subsystems

Protocol‑based "smart" sensors and valves (e.g., Ethernet/IP, HART, DeviceNet, Profibus)

Process visibility elements like EOI, HMI, and sometimes SCADA

Process data storage (Historian or local trend databases)

Network devices (Ethernet/IP, Modbus, Profibus, etc.)

Security controls such as firewalls and monitoring systems

These categories help identify the main areas of training needed in industrial environments.

Students build a working coffee‑factory environment using PLCs, network I/O, EOI, HMI servers, Historian servers, and remote‑connection technologies, allowing them to explore each component within a comprehensive "system‑of‑systems" model.

The course includes attack labs that expose vulnerabilities of each asset, teaching both defensive and offensive skills. On day five, students collaborate to restore a simulated coffee factory, experiencing real‑world fault diagnosis, equipment failures, and the confidence gained from solving such problems.

Bill’s flight lesson analogy reinforces that knowledge alone is insufficient; practical experience transforms perceived knowledge into true competence.

For more information, the original article links to the SANS ICS612 course page and various community resources.