30 January 2020

Kaspersky conducts ICS digital forensics and incident response training course in China

Beijing, 23-27 December 2019: Kaspersky ICS CERT together with the China Industrial Control Systems Cyber Emergency Response Team (CIC) conducted a training course on digital forensics and incident response in industrial control systems. The participants were ICS cybersecurity professionals.

Kaspersky ICS CERT experts Vyacheslav Kopeytsev and Pavel Gritsenko led the training sessions.

CIC Vice Director He Xialong welcomed the participants during the opening ceremony. Gong Yafeng, a member of the Industrial information security expert advisory committee, and Li Yaobing, a CIC engineer, delivered lectures on the first day of training.

Over the 5-day event, the Kaspersky ICS CERT experts introduced the participants to techniques and methods for performing ICS digital forensics, as well as the required forensics tools.

During the theoretical sessions, the experts examined the specifics of ICS architecture and typical attack vectors. They also described the main stages of incident response in the ICS environment, including how to create an effective investigation plan, how to collect physical evidence and digital artifacts, and then how to analyze them for signs of intrusion. In addition, the trainers explained how to prepare the organization for potential incidents, as well as how to formulate actionable recommendations after completing investigations to prevent incidents in the future.

The hands-on section of the course incorporated exercises designed to develop practical skills in conducting digital forensics on different kinds of digital artifacts: images of storage media, memory dumps, network traffic including industrial protocols, as well as data extracted from programmable logic controllers (PLCs).

The trainers supervised the participants as they mastered various methods and tools for collecting data both from workstations and from ICS devices. Digital forensics in the ICS world is complicated by the sheer number of systems that need to be analyzed and their geographic distribution; therefore, a significant amount of time was devoted to working through these issues.

The participants completed a final exam, which consisted of a lab based on real-world investigations completed by Kaspersky ICS CERT experts. The exercise imitated all stages of an ICS digital forensics investigation.

The participants all appreciated the high level of technical knowledge and skills that they gained by the end of the training course.

This training is the first collaborative project launched as part of the strategic cooperation between Kaspersky and China ICS CERT after the signing of “Cyberspace Security Guardian Action 2020” at a ministry-level session of the Russia-China Working Group on ICT and Information Security in 2019. It has laid a good foundation for Russia and China to jointly train industrial information security professionals.

You can find details about Kaspersky ICS CERT cybersecurity training programs on the Kaspersky Industrial Cybersecurity web page.