Training
Featured CourseView All Courses
Get a free hour of SANS training

Experience SANS training through course previews.

Learn More
Learning Paths
FeaturedView all Focus Areas
Cloud Security Training
Can't find what you are looking for?

Let us help.

Contact us
Community Resources

SANS Community Benefits

Connect, learn, and share with other cybersecurity professionals

Solutions for Emerging Risks

Discover tailored resources that translate emerging threats into actionable strategies

Join the SANS Community

Become a member for instant access to our free resources.

Sign Up
For Organizations

Public Sector

Mission-focused cybersecurity training for government, defense, and education

Partnerships

Explore industry-specific programming and customized training solutions

Sponsorship Opportunities

Sponsor a SANS event or research paper

Interested in developing a training plan to fit your organization’s needs?

We're here to help.

Contact Us
Talk With an Expert
Talk With an Expert

ICS515: ICS Visibility, Detection, and Response

ICS515Industrial Control Systems Security
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by:
Robert M. Lee
Robert M. Lee
Register NowCourse Preview
ICS515: ICS Visibility, Detection, and Response
Course created by:
Robert M. Lee
Robert M. Lee
Register NowCourse Preview
  • GIAC Response and Industrial Defense (GRID)

    Learn about certification

  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 25 Hands-On Lab(s)

    Apply what you learn with hands-on exercises and labs

Jump to:

Acquire critical visibility, detection, and response capabilities to protect ICS/OT environments against sophisticated threats while ensuring the safety and reliability of operations.

Featured Quote

ICS515 is so relevant to my day to day that I feel like I can't take notes fast enough. This is so critical for the ICS and OT community.
Ali CorlExelon

Course Overview

This ICS incident response course equips security professionals with practical skills to secure industrial environments. Through hands-on exercises using real industrial equipment, you'll learn to gain network visibility, identify assets, detect threats, and respond to incidents in critical infrastructure and other environments that rely on ICS/OT systems. The curriculum covers advanced defensive techniques against sophisticated threats like STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, FROSTYGOOP, EKANS, and PIPEDREAM. You'll work with a real programmable logic controller (PLC) kit, sector simulation board, and virtual machines that you keep post-course to continue skill development. Leveraging industry frameworks , you'll develop repeatable methodologies to secure industrial environments.

What You'll Learn

  • Implement ICS-specific threat detection strategies
  • Apply network security monitoring for OT environments
  • Perform incident response in operational technology
  • Extract intelligence from ICS threat analysis
  • Build effective cybersecurity for industrial systems

Business Takeaways

  • Improve visibility into ICS/OT asset inventories
  • Reduce risk of operational disruption from cyber threats
  • Enhance detection capabilities for ICS-specific attacks
  • Develop effective OT incident response procedures
  • Increase resilience against targeted industrial threats
  • Bridge security gaps between IT and OT environments
  • Apply intelligence-driven approaches to ICS security

Meet Your Author

Robert M. Lee
Robert M. Lee

Robert M. Lee

Fellow

A former U.S. Air Force cyber warfare officer, Robert led the NSA’s first mission targeting threats to industrial infrastructure. Now at Dragos, he spearheads global defense of critical systems, shaping national policy and industry threat response.

Read more about Robert M. Lee

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in ICS515: ICS Visibility, Detection, and Response.

Section 1ICS Cyber Threat Intelligence

Learn to leverage threat intelligence to analyze threats, extract indicators of compromise, document tactics, techniques, and procedures, and guide security teams to protect industrial environments.

Topics covered

  • Case Study: STUXNET
  • Introduction to ICS Active Defense
  • Cyber Threat Intelligence Primer
  • ICS Cyber Kill Chain
  • Threat Intelligence Consumption

Labs

  • Building a Programmable Logic Controller
  • Structured Analytical Techniques
  • Analysis of Intelligence Reports
  • ICS Information Attack Space
  • Maltego and Shodan Heatmap

Section 2Visibility and Asset Identification

Understand the networked environment to build comprehensive asset inventories and develop effective collection strategies for both industrial operations and security operations.

Topics covered

  • Case Study: Bhopal Disaster
  • Asset Inventories
  • Collection Management Frameworks
  • ICS Network Visibility
  • IT Discovery Protocols

Labs

  • Operating the Process
  • ICS Traffic Analysis
  • ICS Protocol Analysis
  • ICS Network Mapping

Section 3ICS Threat Detection

Develop detection strategies to remain resilient against targeted and untargeted threats, with focus on safely conducting threat hunting and analyzing attack patterns in industrial environments.

Topics covered

  • Case Study: German Steelworks Attack
  • ICS Threat Hunting
  • Threat Detection Strategies
  • Case Study: SANDWORM
  • ICS Network Security Monitoring

Labs

  • Detecting Stage 1 Intrusions
  • Investigating Stage 2 Compromises
  • Traffic Analysis of Control Manipulation
  • Validating System Logic Changes
  • Logic Manipulation of Control Elements

Section 4Incident Response

Learn to safely perform ICS incident response with focus on acquiring digital evidence while scoping threats and their operational impact, using forensic techniques tailored for industrial environments.

Topics covered

  • Case Study: SANDWORM - Ukraine 2015
  • ICS Digital Forensics
  • Preparing an ICS Incident Response Team
  • Case Study: ELECTRUM and CRASHOVERRIDE
  • Initial Compromise Vectors

Labs

  • Acquisition in an Operational Environment
  • PLC Logic and Protocol Root Cause Analysis
  • Analyzing Phishing Emails
  • HMI Memory Forensics
  • Process Triage

Section 5Threat and Environment Manipulation

Extract information from threats through malware analysis to reduce the effectiveness of threats and create shareable threat intelligence for improved defensive posture.

Topics covered

  • Case Study: XENOTIME - TRISIS
  • ICS Threat Manipulation Goals
  • Environment Manipulation Considerations
  • Threat Analysis and Malware Triaging
  • YARA

Labs

  • Logic Analysis for Root Cause Analysis

Section 6Capstone Day, Under Attack!

A full-day technical challenge where students apply all learned skills to analyze packet captures, logic, memory images, and more from compromised ICS ranges and equipment, simulating real-world scenarios.

Things You Need To Know

Relevant Job Roles

All-Source Analyst (DCWF 111)

DoD 8140: Intelligence (Cyberspace)

Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.

Explore learning path

Course Schedule & Pricing

Looking for Group Purchase Options?Contact Us

GIAC Certification Attempt

Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.

OnDemand Course Access

When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.

Filter by:
  • Location & instructor

    Virtual (OnDemand)

    Instructed by Robert M. Lee
    Date & Time
    OnDemand (Anytime)Self-Paced, 4 months access
    Course price
    $9,230 USD*Prices exclude applicable local taxes
    Registration Options
    Self-Paced
  • Location & instructor

    Huntsville, AL, US & Virtual (live)

    Instructed by Mark Bristow
    Date & Time
    Fetching schedule..View event details
    Course price
    $9,230 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Amsterdam, NL & Virtual (live)

    Instructed by Kai Thomsen
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,630 EUR*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Singapore, SG & Virtual (live)

    Instructed by Peter Jackson
    Date & Time
    Fetching schedule..View event details
    Course price
    $9,365 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Brisbane, QLD, AU & Virtual (live)

    Instructed by Peter Jackson
    Date & Time
    Fetching schedule..View event details
    Course price
    A$14,045 AUD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
  • Location & instructor

    Oslo, NO

    Instructed by Kai Thomsen
    Date & Time
    Fetching schedule..View event details
    Course price
    €8,630 EUR*Prices exclude applicable local taxes
    Registration Options
    In-Person
  • Location & instructor

    Tokyo, JP & Virtual (live)

    Instructed by Lesley Carhart
    Date & Time
    Fetching schedule..View event details
    Course price
    ¥1,404,750 JPY*Prices exclude applicable local taxes
    Registration Options
    Virtual
  • Location & instructor

    Orlando, FL, US & Virtual (live)

    Instructed by Dean Parsons
    Date & Time
    Fetching schedule..View event details
    Course price
    $9,230 USD*Prices exclude applicable local taxes
    Registration Options
    In-PersonVirtual
Showing 8 of 17

Learn Alongside Leading Cybersecurity Professionals From Around The World

  • Slide 1 of 3
    Very good for any ICS program, security-focused or not.
    Jeremy ThomasU.S. Federal Department
  • Slide 2 of 3
    Very good focus on the OT/ICS side & integrated into class.
    Josh TanskiMorton Salt
  • Slide 3 of 3
    This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.
    Srinath KannanAccenture
Slide 1 of 0

Benefits of Learning with SANS

Instructor teaching to a class

Get feedback from the world’s best cybersecurity experts and instructors

OnDemand Mobile App

Choose how you want to learn - online, on demand, or at our live in-person training events

Resources

Get access to our range of industry-leading courses and resources