
2025 SANS ICS Security Summit Recap: Cultivating Community and Resilience for our 20th Anniversary

Authored by Tim Conway

Now a few weeks removed from the 2025 SANS ICS Security Summit, I’ve had a chance to step back and reflect on what made the experience this year so impactful. It marked our Summit’s 20th anniversary, and with that milestone came a deep sense of community and family. For many, it was their first time attending a SANS Summit of any kind. Yet, I repeatedly heard similar feedback:

“This feels like I am already home.”

I noticed a striking openness among attendees. Conversations didn’t hinge on credentials, titles, or who worked for which vendor. People came to offer insights and help each other defend their operational environments from malicious attacks. At industry conferences, silos created by security clearances, compliance mandates, business competition, and vendor loyalty often prevent important conversations from happening. However, I have seen and experienced these silos smashed at the SANS ICS Summit year after year. The event draws a community of practitioners who are hungry to share information, learn from industry peers, and find resources that they can apply upon returning to work.

That is why SANS Summits are more than a venue for panels and PowerPoints. There was a shared understanding amongst everyone involved that the stakes have shifted, and that the way we train, communicate, and build readiness needs to evolve with them. We didn’t debate hypothetical attack paths and theoretical worst-case scenarios. We analyzed the ramifications of real-world threats to ICS process environments, safety, critical infrastructure, and business continuity. Case studies on ransomware impacting operational environments and production losses. Outsourced systems complicating response and recovery. Nation-state activity shaping how operators think about risk—not just at the network level, but from an organizational standpoint. And how geopolitical conflicts are part of the daily calculus for boardrooms, plant managers, and incident responders alike.

There’s no silver bullet or single framework that will eradicate ICS security risk forever. In turn, our focus wasn’t on finding the perfect solution. It was about determining the next best step for building organization-specific operational resilience in the face of evolving threats. If you missed the Summit this year, below is a rundown of some of the top highlights from the week.

Hands-On Workshops: A New Summit Format Built Around Action

This year, we made a deliberate effort to reimagine how the Summit provided tangible value for attendees. The goal was to deliver actionable insights that anyone could apply on their first day back at work. So, rather than filling an agenda dominated by presentations alone, we unveiled a new format centered around what many attendees come seeking most: practical, hands-on experience.

The new format expanded the event to three days, with two full days dedicated entirely to interactive workshops where attendees were actively building transferable skills. Sessions were organized by experience level and professional role, ensuring value for everyone from newcomers to long-time operators and executive leaders.

Those new to the ICS field had access to a full-day ICS310: ICS Cybersecurity Foundations workshop, led by the course's three co-authors: Jeff Shearer, Robert M. Lee, and me. Each of us brought distinct viewpoints around system integration, utility operations, and threat intelligence, which helped participants see where they might fit in the ICS security landscape and what paths they could pursue next.

For seasoned practitioners, workshops focused on the technical trenches of securing operational technology: architecture design, site acceptance testing, and incident response. These sessions tackled the day-to-day realities of ICS lifecycle risks, showing how to strengthen defenses even in resource-constrained environments.

During the leadership segments, attendees explored emerging regulatory frameworks and governance concerns that are quickly becoming corporate priorities. One standing-room-only session on ICS regulation drew nearly 150 people, underscoring how quickly executive interest in industrial cyber resilience is rising.

A commitment to realism unified all three tracks. Many sessions intentionally addressed well-documented ICS constraints: small budgets, small teams, and legacy infrastructure. Free tools were highlighted, and some of the hands-on workshops allowed attendees to experience some of the labs directly. Practical workarounds were taught. The emphasis wasn’t on abstract “best practices” but on what works now, in real ICS/OT environments, with the resources people have today.

If the workshops had a mantra this year, it was this: You don’t need perfection to make progress. But you do need a plan—and a place to start.

Summit Talk Snapshots: Real Incidents, Real Solutions

The third day of the Summit shifted from workshops to real-world lessons shared on the main stage. The talks were grounded in the decisions, compromises, and outcomes that shape ICS security in practice.

Taiwan Digital Blockade: What War Gaming Taught Us About Defending an Island from ICS Attacks

Nina Kollars, Research Professor, U.S. Naval War College

Jason Vogt, Assistant Professor, U.S. Naval War College

This session provided a captivating geopolitical analysis focused on China’s anticipated cyber actions toward Taiwan and the global implications of a potential blockade. It almost felt more like a classified intelligence briefing than a public talk. You could feel the weight in the room. It was clear, specific, and a call to action.

Ransomware Case Study: When You Wish Upon a Star

Alan Waggoner, Information Systems & Security Manager, Siemer Milling Company

Alan delivered one of the most impactful sessions I’ve seen at any summit. He shared a detailed walkthrough of a ransomware incident that halted production at the Siemer Milling Company flour mill. What made it especially powerful wasn’t just the technical detail. It was personal accountability—he spoke openly about architectural decisions that shaped the outcome, and the pressure of leading recovery.

Inside a New OT/IoT Cyberweapon: IOCONTROL

Noam Moshe, Vulnerability Researcher, Claroty Team82

Noam presented new findings on IOCONTROL, a recently identified strain of ICS-focused malware. These kinds of discoveries don’t come often—there are fewer than a dozen known families that directly target industrial systems. His talk helped ground the threat in specifics, giving attendees a clearer picture of where adversaries are innovating and how our detection efforts need to keep pace.

Training a TAIGR to Protect our Power

Andy Bochman, Senior Grid Strategist & Infrastructure Defender, DOE/Idaho National Lab

Andy brought a thoughtful perspective from the national lab community on how artificial intelligence may reshape the ICS threat landscape. His talk struck a balance between realism and foresight, exploring how automation, synthetic data, and adversarial AI might change both how attacks are launched and how defenders respond.

Other sessions focused on the five ICS critical controls, pragmatic ICS threat detection, articulating ICS risk, and more. Together, they reinforced the Summit's emphasis on actionable insights and real-world applications in ICS cybersecurity. For additional details on the full list of 2025 ICS Security Summit talks, check out this visual summary blog.

Tying it Together: From the Summit to the Studio

Many of the themes we covered at the Summit echoed what I discussed during a recent episode of the SANS Cyber Leaders Podcast with James Lyne and Ciaran Martin. The podcast had a similar goal: to help people recalibrate how they think about cyber risk in operational environments and what they can realistically do about it.

The ICS complacency gap was one of the central points of the episode. It’s easy to let OT security take a backseat to IT security when incidents feel less frequent. But that is exactly what makes operational environments so vulnerable. During the Summit, we didn’t need to convince anyone that ICS threats demand attention. Conversations had already moved on to resourcing, staffing, architecture, and recovery. It was a sign of progress, but also a reminder that complacency can creep back in if we’re not intentional about pushing forward.

On the podcast, we also discussed the differences between large and small ICS operators—something that showed up in many hallway conversations throughout the Summit. It isn’t enough to say “secure your ICS network” when the person hearing that advice is part of a small team operating legacy systems with no budget. That is why our workshops emphasized free tools, practical workarounds, and clear priorities to align with the realities of our attendees.

Thirdly, James and Ciaran were in total alignment on the importance of ensuring ICS security is treated as a business-critical imperative. This was a key theme during the Summit, and the strong attendance at our leadership workshops showcased that awareness is rising across the executive level. Whether you’re a plant operator, a CISO, or a board member, organizational leaders play an integral role in protecting the systems that make, move, and power our world.

If you haven’t had a chance to listen to the podcast yet, I’d encourage you to do so. It’s a continuation of many of the same Summit themes, and a conversation I hope offers value as we all look ahead to what’s next. You can find a link to the July 11 episode here.

See You Next Year?

It’s already time to start planning for next year! Mark June 8-10, 2026 on your calendars for another community-driven SANS ICS Security Summit. More details on the event will be released in the coming months.

Looking to widen your areas of expertise? Consider attending additional SANS summits to build critical skills and expand your access to the SANS community. View the full list of upcoming summits here.