Hardwear.io Security Trainings and Conference USA 2026

  • 26th – 30th May 2026
  • Santa Clara Marriott, USA
Share:
Intermediate

Assessing and Exploiting PLCs

Training Objectives

This is not your traditional SCADA/ICS/IIoT security course! How many courses send you home with a PLC and non-expiring software to program it?!? This course teaches hands-on penetration testing techniques used to test PLCs, including their logic, field buses, network protocols, and proprietary maintenance interfaces. Skills you will learn in this course will apply directly to any current or past PLC in the industry. In fact these techniques can be used on practically any industrial controller, IoT, IIoT, or medical device. This course is structured around the formal penetration testing methodology created by ControlThings LLC and their opensource suite of tools found at https://www.ControlThings.io.

Key Learning Objectives

The whole class is structured around the process of performing penetration tests, using software and hardware provided in class, with the instructor conducting the tests on the projector alongside attendees. The lecture is interspersed between those penetration testing tasks. * Attendees will be able to explain which assessment actions are likely to have negative impacts on the safety and reliability of commissioned industrial controllers when tested in production environments. * Attendees will be able to perform deep-level penetration tests on Industrial Controllers in lab environments using the free and open-source tools in the ControlThings Platform. * Attendees will be able to exploit several hardware, network, serial, and user interface.

Detailed Description

Course Module Outlines
Overview of the Course and Control System Architectures
  • Examples of when to use these assessments
  • Overview of methodology
  • ICS Processes
    • Control system architectures
    • PLCs, RTUs, and IEDs
    • Understanding RTOS
    • Industrial and non-Industrial
    • What is IIoT, and how does it differ from IoT
    • Field devices, buses, and loops
  • ICS Site-wide and Region-wide Supervisory
    • Plant neworks
    • SCADA networks
    • Purdue model and IEC 62443
Assessing and Exploiting Controller Logic
  • Examples of when to use
  • Overview of methodology
  • Understanding controller logic
    • Exercise: Understanding tags
    • Exercise: Understanding ladder logic
    • Exercise: Understanding sequential function charts
  • Velocio PLCs vs other PLCs
    • Exercise: Programming a PLC
    • Exercise: Debugging a PLC
  • Testing business logic flaws
    • Exercise: Leveraging the HMI for proof of concept attacks
Assessing and Exploiting Control Protocols
  • Examples of when to use
  • Overview of methodology
  • Traffic Capture
    • Communication mediums vs communication protocols
    • Serial communications like RS-232, TIA-422, and TIA-485
    • Fieldbus Protocols and Protocol Families
    • Understanding USB and serial interfaces on Windows
    • Methods to capture serial traffic in Windows and Linux
    • Exercise: Capturing serial traffic
    • Exercise: Manual decode of Modbus RTU
    • Understanding the common 1-off address issue of ICS protocols
    • Exercise: Using Wireshark to decode Modbus RTU
  • Endpoint and Flow Analysis
    • Common TCP/IP-based ICS protocols
    • Exercise: Using Wireshark for endpoint and flow analysis
    • Exercise: Using GrassMarlin
  • Known Protocol Analysis
    • Deep dive into Modbus TCP
    • Exercise: Analyzing Modbus TCP captures
    • Exercise: Using Zeek with Modbus TCP
    • Exercise: Using strings on control protocols
    • Overview of ProfiNet, EnternetIP/CIP, OPC, DNP3, IEC 104, IEC 61850, ICCP
  • Unknown Protocol Analysis
    • Exercise: Finding unknown protocols with Wireshark
    • Exercise: Entropy analysis of network payloads
    • Exercise: Using GrassMarlin on unknown protocols
  • Protocol Enumeration
    • The severe lack of availability of ICS protocol tools
    • Repurposing an engineer’s troubleshooting tools
    • Exercise: Using Python to interact with Modbus RTU on our PLC
    • Exercise: Enumeration with ctmodbus on our PLC
    • Understanding data types and 2’s complement
  • Protocol Fuzzing
    • Reasons to avoid fuzzing protocols on embedded devices
    • Exercise: Writing protocol fuzzers with boofuzz
    • Exercise: Fuzzing Modbus TCP on our PLC
    • Exercise: Manual fuzzing with ctmodbus
  • Protocol Exploitation
Assessing and Exploiting Proprietary Serial Protocols
  • Examples of when to use
  • Overview of methodology
  • Functional analysis
    • Using ICS vendor maintenance software and hardware
    • Exercise: Functional analysis of PLC’s vendor tools
  • Communication capture
    • Capturing USB with hardware, software, and virtualization layers
    • Understanding USB and serial interfaces on Windows
    • Exercise: Capture of our vendor tool interactions with our PLC
  • Capture analysis
    • Exercise: Analysis of our vendor’s proprietary protocol
    • Exercise: Reverse engineering our vendor’s proprietary protocol
    • Exercise: Using Wireshark’s column, comment, and coloring rules for RE
  • Testing harness creation
    • Exercise: Creating serial connections with Python
    • Exercise: Using ctserial to impersonate our vendor tools
  • Endpoint fuzzing
    • Exercise: Using ctserial for manual fuzzing on our PLC
  • Exploitation

Who Should Attend?

This course is designed for intermediate-level security professionals, be they engineers, technicians, analysts, managers, or penetration testers.

Prerequisites

Basic penetration testing experience is desirable, but not required. It is assumed that attendees will have no knowledge of ICS, Smart Grid, SCADA, or critical infrastructure.

Recommended Attendee Preparation before the Course

For those with little or no ICS experience, these Wikipedia articles provide a brief introduction to the concepts and history of control systems that will be helpful to know for class.

  • https://www.youtube.com/controlthings (Playlists of Basic ICS Concepts)
  • https://en.wikipedia.org/wiki/ICS
  • https://en.wikipedia.org/wiki/SCADA
  • https://en.wikipedia.org/wiki/Fieldbus
  • https://en.wikipedia.org/wiki/Distributed_control_system
  • https://en.wikipedia.org/wiki/Programmable_logic_controller

NIST 800-82 is a great introduction to industrial control systems, the security issues surrounding them, and basic cyber defenses

  • http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

Since this course will be getting very deep into the technical weeds of communications, it would be helpful to have a basic understanding of the following encoding methods: ASCII, Unicode, UTF-8, UTF-16, and UTF-32

  • http://kunststube.net/encoding

Software & Hardware Requirements

Attendee Laptop Requirements

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system that meets all the course’s requirements.

Laptop requirements include the following:

  • 64-bit processor with 64-bit operating system
  • VT or other 64-bit virtualization settings enabled in your BIOS to run 64-bit VMs
  • At least sixteen (16) GB of RAM, recommend sixteen (32) GB or more if possible
  • At least fifty (50) GB of free hard drive space
  • At least 1 USB-A port on your laptop or a USB-A to USB-C adapter (not a USB hub)
  • Intel VT or AMD-V virtualization hardware extensions are ENABLED in BIOS
  • Windows 10/11 running on your host laptop or available inside a VM that you bring
  • Virtualization software must be installed and tested with the ControlThings Platform VM BEFORE CLASS BEGINS!
  • Windows Users: A Recent version of VirtualBox, VMware Player, or VMware Workstation
  • Intel Mac Users: A Recent version of VirtualBox or VMware Fusion
  • Apple silicon Macs ARE NOT SUPPORTED!
  • Linux Users: A Recent version of Libvirt, VirtualBox, or VMware Workstation
  • NOTE: Download the VM at https://www.controlthings.io/platform
  • IMPORTANT: Access to a local account with administrative permissions that can install software and disable any security services that interfere with course exercises
  • IMPORTANT: Access to and ability to change BIOS settings if needed in class

Additional laptop configuration will be provided to attendees via email approximately one week before the course begins. Attendees should spend 1-2 hours completing the laptop configurations before class begins.

What You Get

The following items (or rough equivalents, depending on availability) are provided to each attendee to use in class and keep after course completion:

  • Velocio Ace 1600 PLC (Programmable Logic Controller)
  • vBuilder software to program the PLC to keep (non-expiring)
  • vFactory software to program an HMI for the PLC (non-expiring)

Training Details

  • Date: 26th to 28th May 2026
  • Time: 9:00am to 5:00pm PDT
  • Venue: Santa Clara Marriott
  • Level: Intermediate
Register Now

About Trainer

Todd Keller

Todd Keller is a husband and a father to a couple of hackers-in-training. He’s spent over a decade diving into the world of hardware security, working as a control system pentester, hardware hacker, CTF enthusiast, and security researcher. Whether he’s breaking into industrial systems or tinkering with hardware, he’s been at the intersection of security and technology for more than fifteen years.