ICS/OT cyber defense can’t just be theory; it must be practiced.
With the ever-increasing number of attacks on industrial control systems (ICS) and operational technology (OT), generic cybersecurity tabletop exercises (TTXs) are not enough. Industrial organizations should instead implement ICS/OT-specific incident response TTXs, like the ones that directly align with the 5 ICS Cybersecurity Critical Controls. These exercises shouldn’t just mark off compliance checkboxes. Instead, they must serve as proactive, high return on investment (ROI) security investments that improve operational resilience, safety, and response readiness. Best of all, they are applicable across all critical infrastructure sectors.
So, what are the benefits and returns on investment for ICS/OT cybersecurity TTXs? Here is a list of the top benefits with near immediate value.
TTXs benchmark current defenses against real-world scenarios, revealing gaps in ICS/OT network visibility, threat detection, industrial-grade incident response, and engineering asset recovery. They reinforce the effectiveness of existing controls and incident response plans. Note, however, that the real value lies in ensuring that engineering teams are deeply involved and, in many cases, leading the way to make sure the scenario is engineering focused.
ICS/OT TTXs create shared understanding across engineering, cybersecurity, operations, and safety teams. They converge IT and OT teams, build trust, clarify roles, and enhance communication, especially in high-stakes, multi-team incident response efforts.
ICS-focused TTXs identify concrete improvements: enhancing network segmentation, tuning threat detection, updating access controls, or deploying protocol-aware network monitoring solutions. These exercises often lead to smarter investments and faster remediation timelines.
To ensure your ICS/OT TTXs are relevant, high-impact, and maximize ROI, they must be engineering focused. Incorporate into the scenarios your most targeted and mission-critical assets, such as:
These assets are central to industrial processes and frequently targeted by adversaries. Including them in TTXs ensures your exercises mirror the actual threat landscape and help harden your most critical systems against what is targeting your ICS/OT environment today.
ICS/OT cyber defense can’t just be theory; it must be practiced. ICS/OT-specific TTXs are where that practice begins. Start small. Involve the right teams, especially engineering. Target your most critical assets. Turn findings into action. And repeat the process at least annually. Key site, by key site.
In ICS/OT security, preparation is protection, and security supports safety.
Ready to take your ICS/OT security skills to the next level? Join me this fall for ICS515: ICS Visibility, Detection, and Response at SANS Orlando Fall 2025 starting October 27 and at SANS San Francisco Fall 2025 starting November 17.
In this hands-on course, I’ll walk you through how to identify your most critical assets—regardless of industry, gain real network visibility without disrupting operations, and detect both known vulnerabilities and stealthy adversary behaviors that threaten your process environment. Let’s strengthen the frontline of industrial defense together.
Be prepared for your next ICS/OT tabletop and so much more!
Dean Parsons, CEO of ICS Defense Force, has established comprehensive ICS security programs and led industrial-grade incident responses across sectors like telecommunications and energy. He wrote the pivotal SANS ICS Cybersecurity Field Manuals.