ICS Security Summit & Training 2025

ICS310: ICS Cybersecurity Foundations

ICS Cyber Security needs to be performed across the system ICS life cycle; the earlier cyber security is validated the easier it is to operationalize controls and perform handover to operational asset teams.  Factory Acceptance Testing is a critical validation step that owner/operators need to perform with their vendor(s) to ensure functionality meets design specifications.  This workshop will explore from many perspectives:

The importance of FAT/SAT activities and how it contributes to Secure by Design

Common problems encountered during Factory Acceptance Testing and Site Acceptance Testing

How to Structure your organization and project FAT/SAT activities for success

How to co-develop with your vendor a robust testing strategy for your next FAT/SAT activity

Best practices to document, track and resolve testing gaps at the CSU ( Commissioning Start Up) and into operations.

At the 2023 SANS ICS Summit, we highlighted how the regulations passed during the previous year would dictate our ICS/OT for the next decade. This workshop builds on those concepts and further explores how to prepare your organization for both an increase in industrial cyber risk—and compliance risk. In this session, participants will:

1. Review “how we got here” with ICS cyber regulations, setting a foundational understanding and context for the friction between compliance risk and cyber risk.
2. Understand the latest trends in global regulatory requirements and how their ripple effect will impact every asset owner/operator, regardless of region or industry.
3. Get actionable next steps for how to “future-proof” industrial organizations based on the evolving regulatory landscape.

This is not your typical code vulnerabilities workshop but specifically we will go hunting through ICS code to find those vulnerabilities related to abusing the mechanical or process components. We will cover the basics of understanding some mechanical systems so you can add this domain to your assessment methodology. If you're going to do an ICS assessment, it shouldn't just cover the industrial control system components, OT servers and network components, but it should include the abuse cases of the mechanical devices and process systems. Defining abuse cases related to the mechanical systems are as important as understanding the risk to the applications that control them. If you don't understand the process or the machinery the industrial control system is controlling, then you're creating a false sense of security in your ICS environment. This session includes hands-on labs so we can work through this fascinating topic at a deeper level.

Many industrial organizations have dedicated a lot of effort to implementing secure network architectures to isolate and protect their OT networks. Despite the fact that most OT environments  typically have one or more Active Directories, complex remote access requirements, wireless networks, and an endless number of applications, systems, protocols, and devices that support or require authentication, the management and security of identities in these settings is often very immature. While secure networks are foundational to the security posture of these environments, the next frontier for organizations that want to further secure their industrial networks is the management and control of identity. 

In this session we will explore the management and control of human and machine identities in industrial settings. Attendees will gain insights into managing and integrating with Active Directory, strengthening remote access for employees and contractors, and addressing authentication challenges for industrial devices and protocols. We will also delve into use of PKI and certificates, and the best practices for enhancing identity security, including multi-factor authentication and least privilege access control. Real-world case studies will illustrate common challenges and key success factors. Join us for an informative and engaging session to elevate your organization's identity management and security strategies.

This workshop will demonstrate how to build or migrate towards a resilient ICS network architecture to be able to withstand today's operational requirements, cybersecurity challenges. It explores existing frameworks, such as IEC 62443, used as resources towards your architectural needs while demonstrating a field-tested design and implementation methodology that thoroughly identifies and balances the needs for both operation resilience and effective defense posture which are each measurable and maintainable throughout the lifecycle of the facility.

It highlights the possible consequences for the way of working for ICS staff & suppliers, dependencies on IT architecture, and risks from other networks, the Internet or adversaries. With all the unique and complex systems requiring seemingly complex security requirements, this workshop will provide a methodology on identifying zones, conduits and trust boundaries that can support current and future needs in the selection of effective security controls and countermeasures. It also demonstrates how an access matrix can provide an easy way of quickly determining what system(s) should be able to talk to other parts of the network, and the security measures required to facilitate. 

With the many security control options available, this workshop will outline the cost/benefits and concerns/considerations of the most common. Other possible mitigating measures and alternatives for certain systems or system types will be highlighted as well.

Workshop attendees will be challenged to provide their thoughts on different design choices for specific use cases such as a secure remote access, file transfer, network security monitoring, external dependent systems, response and recovery readiness, and support communication requirements between Cloud, IT and ICS teams. The workshop includes a tabletop exercise with example scenarios attendees will work through with a supplied worked solution.

This workshop will provide students with hands-on experience in conducting Open-Source Intelligence (OSINT) specifically for Industrial Control Systems (ICS) and Operational Technology (OT) environments. Unlike traditional OSINT techniques that focus on general corporate or IT infrastructure, this session will dive into identifying critical ICS/OT-related details, such as utility power grids, pipelines, airports, data centers, and industrial service providers. Participants will learn how to analyze publicly available information to map out potential targets, identify remote access methods, fingerprint VPNs, and locate data leaks that may contain sensitive information. Using only online resources attendees will explore real-world techniques to gather intelligence on external IP ranges, cloud storage exposures, vendor partnerships, and industry-specific risks.

 By leveraging sources such as industry mapping websites, vendor press releases, regulatory filings, and RFP documents, students will develop a structured OSINT methodology tailored to ICS/OT environments. The workshop will cover how to correlate power, telecom, and internet infrastructure, investigate AI-generated leaks, and apply OSINT techniques to understand their current OSINT exposure. Attendees will also gain insight into organizing findings into actionable intelligence for vulnerability assessments and penetration tests. Whether you're a security consultant, ICS administrator, or OT defender, this session will equip you with the skills needed to enhance your reconnaissance capabilities in industrial environments.

In this workshop, Jason Dely, Bryan Johns and Jeff Shearer will discuss the topic that is often avoided; “how do you know what to code?”. There are workshops that tell you “How to code” but never address “What to code”? The answer of “What to code” lies inside the machine or process designers head however they don’t have a formal method to describe to the programmer “here’s what I want you to code”. In this two-hour workshop session, you will have the opportunity in hands-on labs to work through “what to program” and then write a program to achieve those requirements. From this process we will also discuss the often-missed topic of Misuse Sequence of Operations cases that should be identified to protect the mechanical systems. This knowledge identifies and mitigates operational vulnerabilities that cause disruption and destruction of physical devices and machines.

Being able to perform OT Cyber Security Risk Assessments is becoming more essential with each year. Drivers to perform a risk assessment vary, it might be a regulatory requirement, internal justification for investment or simply to better understand your operational risk. Finding skilled resources to be able to perform a risk assessment and running one in your busy operational environment is extremely challenging. This workshop will include an interactive realistic ICS OT Cyber Security risk assessment to explore and enforce the following:

1. Rational and a high-level grounding on risk assessments
2. How to effectively prepare the documentation and people for a risk assessment  
3. Executing a risk assessment following the IEC 62443-3-2 Methodology (SUC, zones, using a RAM Matrix, assessing (un)-mitigated risks, etc.)
4. How to be realistic and tactical with control selection
5. Outline common mistakes and pitfalls that occur

USB Human Interface Device (HID) attacks continue to be a significant security challenge due to their ability to bypass standard defenses by impersonating trusted peripherals. While commercial tools like the USB Rubber Ducky have made these attacks well-known,  the barrier to entry has dropped dramatically with the availability of $4 microcontrollers.

This hands-on workshop will introduce attendees to the fundamentals of keyboard emulation attacks, how to program an RP2040-based microcontroller, and how to leverage it for both offensive security demonstrations and more benign automation tasks such as building a simple "mouse jiggler" to prevent system idle states.

Participants will walk away with a functional HID attack device they can use for security research, along with actionable insights on mitigating these threats in ICS environments.

In today’s increasingly complex operational technology (OT) and industrial control systems (ICS) environments, the ability to effectively monitor, troubleshoot, and detect anomalies is paramount to ensuring both productivity and security. Using in-room OT equipment, this workshop will explore the transformative potential of log aggregation across OT and ICS systems, showing how consolidating log data into a centralized platform creates a powerful “single pane of glass” that can streamline both operational troubleshooting and cybersecurity event detection.

By bringing together critical data from a wide array of OT and ICS components—ranging from SCADA systems and Network switches to PLCs and sensors—production engineers and managers will learn how to leverage a unified logging infrastructure to quickly diagnose production issues in real time. By leveraging logs from security tools in parallel, this approach enhances security visibility, enabling teams to detect anomalies or potential threats in their systems before they can escalate into significant issues.

For security event detection techniques, the workshop will demonstrate basic techniques using open-source tools as well as advanced techniques using Behavioral Alerting Sets for Control Systems (BAS/CS) an alerting framework created by the Johns Hopkins University Applied Physics Laboratory.  The workshop is designed to be implemented by existing commercial and open-source solutions to improve the detection of advanced cyberspace adversaries.

Historically, the ICS/OT community has emphasized preventing threat actors from breaching parameter controls and entering the lower levels of the environment. Although these efforts were valiant, they ultimately failed, leading to ever-increasing security breaches. SANS ICS leadership developed the Five Critical Controls to provide asset owners and operators a strategy and focus on implementing controls that would have prevented or significantly reduced the impact of the compromise. Control 1, an ICS-focused Incident Response Plan (IRP), covers system integrity and recovery capabilities. Unfortunately, even in an ICS-focused IRP, the workshop authors have seen that little attention is given to Disaster Recovery (DR) capabilities and how to properly bring an ICS asset back online after a system failure or compromise. 

This workshop aims to demystify (and further develop in an engineering-centric way) the often single sentence of an IRP stating “recovery affected systems.” It will help asset owners and operators develop a workable strategy for systematic recovery, reconstitution, and operational resumption. The workshop will  work through a moc scenario of a refinery utilities operation and discuss the steps involved in developing a DR plan, including: 

1. Specifying disaster criteria
2. Identifying cyber-specific loss scenarios that cause those disasters
3. Specifying  recovery team responsibilities starting from the activation phase followed by recovery and reconstitution
4. Identifying automation and control system function recovery priority
5. Performing a dependency analysis of recovery priority  
6. Documenting reconstitution steps to correct for any data deviation that has been introduced during recovery
7. Developing assurance and handover qualifications for process restart 

Students will be able to leverage the discussed scenario and handouts to improve upon their own IRP and DR plans or have the capability to begin developing those documents if they don’t exist upon returning to work.  

Are you prepared to take charge during a cyber crisis that threatens the backbone of the electrical industry? In this high-stakes interactive exercise, you’ll step into the role of a Crisis Management Team (Fusion Team) and navigate the complexities of a simulated cyberattack targeting a major power enterprise.

As the scenario unfolds, you’ll be challenged to make swift, strategic decisions to mitigate disruptions to critical infrastructure, protect operational technology (OT) and information technology (IT) systems, and ensure grid reliability under pressure.

This exercise is designed to test your response to today’s most sophisticated cyber threats, reinforcing the importance of a well-rehearsed incident response plan and the leadership skills required for success in the electrical sector.

Led by experienced facilitators with deep industry expertise, this simulation provides a hands-on opportunity to identify gaps in your crisis strategy, enhance cross-functional collaboration, and benchmark best practices with industry peers. Are you ready to power through the chaos? Buckle up—this crisis moves fast!

Discover how Idaho National Laboratory's integrated approach to cyber resilience is transforming the landscape of control system security. This workshop unveils the powerful synergy between three critical frameworks:

Critical Function Assurance (CFA): Understanding WHY - Identify and prioritize the functions that are essential to your organization's mission

Cyber-Informed Engineering (CIE): Defining WHAT - Architect systems with built-in cyber resilience from the ground up

Consequence-driven Cyber-informed Engineering (CCE): Implementing HOW - Apply methodical approaches to protect against and mitigate high-consequence cyber attacks

Join us to learn how these complementary methodologies work together to create robust, resilient control systems that can withstand evolving cyber threats. Whether you're an engineer, security professional, or system architect, you'll gain practical insights into implementing these frameworks in your organization.

Executive audiences (c-suite, board of directors, and government leadership) are well suited to have conversations on OT cyber risks such as the threats facing our global infrastructure. To have these conversations it’s important to align on language, outcomes, and resourcing needs. This workshop will be an interactive (I.e. come armed with questions) session starting with an understanding of what’s changed, where we’re going, and using the SANS ICS 5 critical controls to speak to an executive audience. Participants will leave better empowered to answer the age old question “are we under spending or over spending on cybersecurity.” 

Head over to Epcot, explore the park, then meet up at Isle de France at 7:30pm where you’ll be able to connect with Summit speakers, SANS instructors, and your

fellow attendees. There will be dessert, stunning waterfront views, and a private spot to watch the fireworks show.

**Epcot tickets will be provided to registered summit attendees

In this talk, attendees will:

1. Know what the first principles of ICS security are and why they are first principles
2. An understanding of how the critical 5 were put into action in a real-world example
3. How to make progress on the “critical five” by living off of the land or at minimal expense
4. Know what the pitfalls and success were from an implementation of the Five Critical Controls for ICS/OT Cybersecurity

The presenters will discuss their 3-year research study about the unique ICS vulnerabilities for Taiwan's communication infrastructure. The study included conducting several war games for the Department of Defense, to include one conducted in Taipei in April of 2025. Presenters will provide the Unclassified Game Report and will teach practitioners about the national level policy issues that will plague operational and tactical solutions. 

The SANS ICS 5 Critical Controls provides excellent guidance for owners and operators in helping to not only defend their environments, but to build and improve their ICS/OT cyber security programs over time.  Unfortunately, not every environment has the resources to implement them effectively or might not even know where the best place is to start.  This presentation helps owners and operators know where to start and how to build the SANS ICS 5 Critical Controls using ChatGPT, and other GenAI tools, to implement and automate essential aspects of the controls to further defend their environments.  Examples highlighted, along with documented walkthroughs provided, including building engaging, realistic ICS/OT tabletop exercises, building industrial protocol honeypots for detection and other ways for GenAI to implement the controls to better defend the world at large.

Today's control and monitoring systems for process plants are key solutions for business continuity in industry. Unfortunately, in recent years there has been a clear trend of increasing discovered security vulnerabilities in such solutions on an annual basis. This applies not only to classic operating systems, but also to specific RTOS (Real-Time Operating System) class programmable logic controllers, which are at the heart of OT/SCADA systems, or key engineering and SCADA applications. The very high dynamics in the discovered vulnerabilities of these components forces manufacturers of industrial solutions to release more and more new versions of such software that mitigate the discovered vulnerabilities. Unfortunately, practice and day-to-day experience with the process of managing such vulnerabilities and security updates shows that uploading software updates for industrial devices mitigates some risks, but in turn generates others. Sometimes this also leads to completely unexpected situations.

When ICS malware research first started, ICS Malware as a concept was straightforward, and a formal definition of ICS Malware was unnecessary. The community wasn’t debating whether malware like TRISIS or Stuxnet were ICS Malware. As ransomware, hacktivism, and other threat group activity grew, new malware emerged that challenged our informal notion of ICS Malware and complicated identifying it. Malware such as EKANS, CosmicEnergy, AcidPour, and Fuxnet caused our Intel analysts to debate what should be considered ICS Malware. When we reported on the FrostyGoop Modbus TCP malware, we realized that the broader ICS community was likewise thinking about the concept as we received questions like “Why is FrostyGoop ICS Malware, but not Metasploit’s Modbus module?” 
Recognizing these gaps in understanding, we created a definition of ICS Malware based on historical data and our own experience. The definition captures three key properties of ICS malware and provides a framework for distinguishing it from other kinds of software. In this talk, we’ll recount how malware like EKANS and COSMICENERGY shifted our thinking about ICS Malware and led to the creation of an ICS Malware Definition. We’ll explain the definition, and, with recent discoveries like IoT Exploit Tool and IOControl, we’ll walk through how we use the properties of the definition to identify ICS Malware. Lastly, we’ll discuss how we treat this process as an intelligence assessment and how to use this definition to interpret and prioritize reports on malware affecting OT.

Establishing and maintaining a strong ICS cybersecurity program can be a complex, ongoing challenge. In this session, Blake Gilson from ExxonMobil will share actionable insights gained from his program development role on successfully starting and sustaining an ICS cybersecurity program.
Attendees will learn how to:

By the end of this session, attendees will have an additional tools in their toolkit for maintaining successful ICS cybersecurity program, with a focus on leadership engagement, risk management, and organizational resilience.

I've heard the criticism that the CCE methodology is for 'highly mature' organizations and shouldn't be pursued until everything else is in place. I've found, on the contrary, that the CCE methodology can be a mechanism to help prioritize cyber countermeasures on your path to maturity and comes with a number of other benefits along the way!
With a simple professional services agreement in place, you can jump-start this process and shortcut the first two steps of the process. It's also highly scalable, allowing you to start off small with huge benefits, then gradually mature it into a holistic program. Additionally, there are numerous resources at your disposal for support. 
Attendees should walk away from this talk feeling confident that through relationship-building, system assessments and threat based modeling, they have a methodology to build a roadmap to greater security, better understanding of their OT environments and able to tell a story to senior leadership that they are prioritizing the most critical issues facing their organization. 

This presentation tackles the often-contentious topic of threat detection in industrial control systems (ICS) head-on, addressing criticisms that frame it as a fear-driven industry distracting from fundamental security practices. We directly confront the notion that focusing on detection implies a neglect of preventative measures or an exaggeration of the threat landscape. Through a pragmatic, engineering-minded lens, this session argues that robust threat detection is not a separate entity, but an indispensable component of a mature and effective industrial cybersecurity program.  We will also detail how threat detection plays a pivotal role in regulatory compliance such as NERC CIP-015 – Cyber Security – Internal Network Security Monitoring (INSM).
We begin by dissecting common arguments against prioritizing ICS detection, including the assertion that attackers are largely incompetent and that focusing on basic security flaws is sufficient. We then present a compelling counter-narrative rooted in the evolving reality of the OT threat landscape. Drawing on recent vulnerability disclosures, including the exploitation of vulnerabilities in foundational security controls like firewalls, we illustrate how even well-segmented networks can be compromised. The persistent and increasing threat of ransomware, with statistics highlighting approximately 50 weekly attacks against industrial companies, further underscores the necessity of identifying malicious activity that bypasses preventative measures. 
The presentation delves into the practical implications of the shrinking attacker dwell time, highlighting data that demonstrates the critical need for rapid detection to minimize impact. We address the challenges of implementing effective detection monitoring, particularly the inevitable reality of false positives. Attendees will gain a nuanced understanding of different types of false positives (technical, contextual, etc.) and learn actionable strategies for their management and mitigation, turning potential noise into valuable signals.
We will also demonstrate threat detection in foundational to established frameworks like the SANS ICS 5 Critical Controls. We explore how visibility and network monitoring (Controls 1 & 2) form the bedrock of detection, while detection itself serves as a crucial validation point for hardening (Control 3) and a trigger for effective incident response (Control 5). The presentation culminates in a discussion of practical steps and technologies for enhancing detection capabilities within OT environments, providing attendees with tangible strategies they can implement upon returning to work.
Attendees will leave this session with:
-A balanced perspective on the role of threat detection in ICS security, understanding its necessity alongside preventative measures.
-A clear understanding of the evolving threat landscape, regulatory landscape and why relying solely on prevention is insufficient.
-Actionable insights into managing and mitigating false positives, enabling more efficient and effective detection programs.
-A practical understanding of how threat detection aligns with and supports the SANS ICS 5 Critical Controls.

-A renewed understanding of the urgency of rapid detection in the face of decreasing attacker dwell times.
This presentation is designed for OT security practitioners, engineers, and managers seeking a realistic and actionable approach to building resilient industrial cybersecurity programs. It moves beyond the rhetoric and provides concrete insights into making detection a vital and valuable component of your security strategy.