homepage
Menu
Open menu
  • Training
    Go one level top Back

    Training

    • Courses

      Build cyber prowess with training from renowned experts

    • Hands-On Simulations

      Hands-on learning exercises keep you at the top of your cyber game

    • Certifications

      Demonstrate cybersecurity expertise with GIAC certifications

    • Ways to Train

      Multiple training options to best fit your schedule and preferred learning style

    • Training Events & Summits

      Expert-led training at locations around the world

    • Free Training Events

      Upcoming workshops, webinars and local events

    • Security Awareness

      Harden enterprise security with end-user and role-based training

    Featured: Solutions for Emerging Risks

    Discover tailored resources that translate emerging threats into actionable strategies

    Risk-Based Solutions

    Can't find what you are looking for?

    Let us help.
    Contact us
  • Learning Paths
    Go one level top Back

    Learning Paths

    • By Focus Area

      Chart your path to job-specific training courses

    • By NICE Framework

      Navigate cybersecurity training through NICE framework roles

    • DoDD 8140 Work Roles

      US DoD 8140 Directive Frameworks

    • By European Skills Framework

      Align your enterprise cyber skills with ECSF profiles

    • By Skills Roadmap

      Find the right training path based on critical skills

    • New to Cyber

      Give your cybersecurity career the right foundation for success

    • Leadership

      Training designed to help security leaders reduce organizational risk

    • Degree and Certificate Programs

      Gain the skills, certifications, and confidence to launch or advance your cybersecurity career.

    Featured

    New to Cyber resources

    Start your career
  • Community Resources
    Go one level top Back

    Community Resources

    Watch & Listen

    • Webinars
    • Live Streams
    • Podcasts

    Read

    • Blog
    • Newsletters
    • White Papers
    • Internet Storm Center

    Download

    • Open Source Tools
    • Posters & Cheat Sheets
    • Policy Templates
    • Summit Presentations
    • SANS Community Benefits

      Connect, learn, and share with other cybersecurity professionals

    • CISO Network

      Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

  • For Organizations
    Go one level top Back

    For Organizations

    Team Development

    • Why Partner with SANS
    • Group Purchasing
    • Skills & Talent Assessments
    • Private & Custom Training

    Leadership Development

    • Leadership Courses & Accreditation
    • Executive Cybersecurity Exercises
    • CISO Network

    Security Awareness

    • End-User Training
    • Phishing Simulation
    • Specialized Role-Based Training
    • Risk Assessments
    • Public Sector Partnerships

      Explore industry-specific programming and customized training solutions

    • Sponsorship Opportunities

      Sponsor a SANS event or research paper

    Interested in developing a training plan to fit your organization’s needs?

    We're here to help.
    Contact us
  • Talk with an expert
  • Log In
  • Join - it's free
  • Account
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Introduction to ICS Security Part 2
Stephen Mathezer
Stephen Mathezer

Introduction to ICS Security Part 2

An introduction to the Purdue Enterprise Reference Architecture (PERA), additional reference models, and best practices for secure ICS architectures.

July 16, 2021

The Purdue Model and Best Practices for Secure ICS Architectures

Canva_Design_-_Lead_Image_of_Blog.png


In Part One of this series, we reviewed the unique lineage of industrial control systems (ICS) and introduced some of the challenges in securing ICS. In Part Two, we will introduce readers to the Purdue Enterprise Reference Architecture (PERA), additional reference models and publications dedicated to ICS cybersecurity, and architectural and administrative best practices for securing these crucially important systems.

Recap: The Challenges of ICS Cybersecurity

In our overview of the “inherently insecure” nature of ICS, we identified the challenge of securing these systems with their high availability requirements and lack of intrinsic security features. Before operators and security practitioners wrestled with these challenges in Operational Technology (OT) environments, Information Technology (IT) administrators faced similar challenges. Administrators of first-generation IT networks addressed the challenge of security first at the perimeter, implementing the first firewall devices to segment their trusted local area network from untrusted wide area networks (and later, the Internet).

Securing ICS requires us to do the same thing: create a defensible environment. In this case, however, the IT/business network component of the organization represents the same untrusted zone to ICS/OT as the Internet represents to the IT network. Once again, segmentation is required, but along what lines? The Purdue Enterprise Reference Architecture helps answer that question.

Introduction to the Purdue Enterprise Reference Architecture

Created in the early 1990s at Purdue University, the goal of the Purdue Model was to define best practices for the relationship between industrial control systems and business networks (or to use the interchangeable terms, between OT and IT). In its first iteration, there were three components:

  • Purdue Enterprise Reference Architecture
  • Purdue Reference Model
  • Purdue Implementation Procedures Manual

Over time, the model grew to include guidance for physical systems architecture and introduced the six network levels of the environment, depicting the systems and technologies that reside at each level:

PURDUE LEVEL
DESCRIPTION
EXAMPLES

Level 5: Enterprise Networks

Corporate-level services supporting individual business units and users. These systems are usually located in corporate data centres.

Servers providing:

  • Enterprise Active Directory (AD)
  • Internal email
  • Customer Relationship Management (CRM) systems
  • Human Resources (HR) systems
  • Document Management systems
  • Backup solutions
  • Enterprise Security Operations Centre (SOC)

Level 4: Business Networks

IT networks for business users at local sites. Connectivity to Enterprise wide area network (WAN) and possibly local Internet access. Direct Internet access should not extend below this level.

  • Business workstations
  • Local file and print servers
  • Local phone systems
  • Enterprise AD replicas
IT/OT BOUNDARY (DMZ)

Level 3:

Site-Wide Supervisory

Monitoring, supervisory, and operational support for a site or region.

  • Management servers
  • Human-machine interfaces (HMIs)
  • Alarm servers
  • Analytic systems
  • Historians (if scoped for an entire site or region)

Level 2: Local Supervisory

Monitoring and supervisory control for a single process, cell, line, or distributed control system (DCS) solution. Isolate processes from one another, grouping by function, type, or risk.

  • HMIs
  • Alarm servers
  • Process analytic systems
  • Historians
  • Control room (if scoped for a single process and not the site/region)

Level 1: Local Controllers

Devices and systems to provide automated control of a process, cell, line, or DCS solution. Modern ICS solutions often combine Levels 1 and 0.

  • Programmable Logic Controllers (PLCs)
  • Control processors
  • Programmable relays
  • Remote terminal units (RTUs)
  • Process-specific microcontrollers

Level 0: Field Devices

Sensors and actuators for the cell, line, process, or DCS solution. Often combined with Level 1.

  • Basic sensors and actuators
  • Smart sensors/actuators speaking fieldbus protocols
  • Intelligent Electronic Devices (IEDs)
  • Industrial Internet-of-Things (IIoT) devices
  • Communications gateways
  • Other field instrumentation

Generally speaking, as you move down the hierarchy (from Level 5 to Level 0), devices have more access to critical processes but fewer intrinsic security capabilities. Devices at lower levels are therefore more reliant on network and architectural defenses, and those found in the upper levels, to protect them.

At this point, it’s important to note that PERA was never intended to be a cybersecurity reference model. It was conceived to depict best practices for managing the segmentation between the enterprise and industrial segments of networks in industrial sectors. Nevertheless, it has remained prevalent as a conceptual framework in IT/OT security because it shows where security measures can be added.

A key aspect of PERA is the boundary point between the ICS/OT systems represented at Levels 0-3 and the IT systems of the enterprise network at Levels 4 and 5. Historically, the way administrators protected the ICS systems was by minimizing, or even eliminating, any interconnects between the two environments. Subsequently, the boundary between OT and IT was often referred to as the “air gap” for architectures in which no interconnect existed between the two. As demands for more data from the OT side have increased, administrators have had to connect these two levels through firewalls that carefully control access with demilitarized zones (DMZs). The firewalls mediate all communication between IT and OT, with the goal of eliminating direct communication between the two environments.

Debating Purdue's Role in ICS Cybersecurity

A popular saying in cybersecurity circles is: “all models are wrong, but some are useful.” This certainly applies to the Purdue Model, which undoubtedly has limitations when considering how technology has evolved since the 1990s, prompting business goals and risk tolerances to change as well. As discussed in Part One of this series, technological advances and cost efficiencies have motivated organizations to pull more data from their ICS systems (residing in Levels 0-3 of PERA). For example, remote connections into ICS can lower both operator labour costs and response times. Additionally, information from ICS enables key business functions such as trending, optimization, and billing, helping to drive efficiencies but at the same time increasing ICS exposure to attack.

Some critics contend that PERA envisions the control system network as being separate from everything else, and that the increased demands for real-time OT data and the incorporation of cloud-based systems and services dispels the notion of a completely closed-off system with a rigid hierarchy. An excellent discussion on this topic took place at the 2019 S4 conference featuring Joel Langill and Brad Hegrat, viewable here. The topic of the discussion was “Is the Purdue Model Dead,” and Mr. Hegrat took the position that the Purdue model is essentially dead because “convergence killed it1.” On the other side of the debate, Mr. Langill acknowledged that while “the architecture, from a network perspective, is probably dead,” the model was among the first to show “how these pieces are supposed to be layered and interoperate,” and “if we lose sight of that, we’re going to lose sight of why we created hierarchy in the first place2.” Langill contended that while the model was never conceived as a security reference architecture, it nonetheless incorporates some risk ideas that help security practitioners understand how information flows organizationally and thereby helps identify and address potential attack vectors.

While the presumed “air gap” between IT and OT (between Levels 3 and 4 of the hierarchy) rarely applies to present-day architectures, the core components of industrial environments have not changed; they still include equipment with sensors and actuators connected to controllers that relay their data up a chain of systems in the organization. Additionally, while the advent of Cloud technologies may blur the lines geographically, the Purdue Model always segmented networks by function, which can still be applied to OT/IT environments with significant Cloud integration.

Both sides of the debate make valid points, but the consensus at the SANS Institute is that PERA remains a useful conceptual framework because it was among the first to classify control system components according to a well-defined taxonomy. Even if its hierarchical layers can no longer be uniformly applied to modern architectures, sorting ICS and IT devices and systems into distinct functional layers helps administrators and security practitioners determine where to apply security measures effectively.

The SANS ICS410 Reference Model

Expanding on the Purdue Model and some of the ICS cybersecurity frameworks that we will discuss in the next section, SANS created the ICS410 Reference Model for ICS410: ICS/SCADA Security Essentials. The ICS410 model is a publicly available, foundational reference architecture that adds explicit enforcement boundaries to the Purdue Model, helping to situate ICS devices and cybersecurity controls in a secure network architecture.

Screen_Shot_2021-07-13_at_10.57.49_AM.png
ICS410 Reference Model


In general, the ICS410 Reference Model offers the following advantages:

  • Introduces the concept of multiple cells/lines/processes in templated fashion and scaled across multiple sites.
    • This helps extend the Purdue Model to different ICS applications, from large site (e.g., plant, mine, manufacturing), to regional/distributed networks (e.g., electric, oil/gas, water).
  • Includes controls encompassing Wide Area Network (WAN) communication
  • Includes safety systems

The ICS Reference Model also offers more details on the enforcement boundaries between network segments by:

  • Subdividing some of the Purdue Levels (for example, Level 3 is divided into sub-segments for management servers, HMIs, engineering workstations, testing/staging systems, cybersecurity operations, remote access, and more)
  • Defining multiple DMZs and requiring all connections between IT and OT to terminate in a DMZ (i.e., push one way, pull the other).
    • The Purdue Model does not include DMZs, even though they are commonly used in practice.
  • Introducing minor enforcement boundaries between Levels 2 and 3 that protect:
    • Level 2 devices in different cells/lines/processes from each other.
    • Level 2 devices and below from a malicious actor who has made it past the upper-level controls and into the OT environment.
    • Level 3 systems from malicious actors leveraging physical access at lower levels.
  • Making enforcement boundaries explicit, which create natural choke points where additional security controls can be applied.

Finally, the ICS410 Reference Model offers clear guidance for securing remote access, a critical capability.

As with other frameworks and reference models, the ICS410 Reference Model will require updates to accommodate the new devices and communication paths necessitated by increasing cloud connectivity and additional IIoT devices in ICS networks.

Review of ICS Cybersecurity Standards

If PERA laid the foundation for ICS cybersecurity with effective taxonomy and classification, then a series of other frameworks and publications have built upon that foundation with guidance specifically geared toward securing industrial control systems. Examples include:

  • NIST Cybersecurity Framework (CSF)
  • NIST 800-82 (Guide to Industrial Control Systems Security)
  • ISA 99.02.01/IEC 62443: Security for Industrial Automation and Control Systems

Along with industry specific guidance in:

  • North American Electric Reliability Corporation's Critical Infrastructure Protection (NERC CIP)
  • Transport Security Administration (TSA) Pipeline Security Guidelines
  • Cybersecurity & Infrastructure Security Agency (CISA) Critical Infrastructure Sectors Guidance

Published by the National Institute of Standards and Technology (NIST), the NIST CSF is central to much of the U.S. government’s guidance for critical infrastructure protection. This is evinced in the NIST CSF’s formal title: “Framework for Improving Critical Infrastructure Cybersecurity.” Similarly, the TSA provides guidance for pipeline operators using categories aligned to the CSF3.

The influence of the Purdue model on these guidelines and publications is evident in how they all promote effective segmentation and segregation of systems in the industrial network environment and require security controls at the boundaries between them. NIST 800-82, for example, articulates this concept as follows:

When designing a network architecture for an ICS deployment, it is usually recommended to separate the ICS network from the corporate network. The nature of network traffic on these two networks is different: Internet access, FTP, e-mail, and remote access will typically be permitted on the corporate network but should not be allowed on the ICS network. Rigorous change control procedures for network equipment, configuration, and software changes may not be in place on the corporate network. If ICS network traffic is carried on the corporate network, it could be intercepted or be subjected to a DoS attack. By having separate networks, security and performance problems on the corporate network should not be able to affect the ICS network4.

The standards cited here all share many core concepts including:

  • Asset management and classification, including definition of critical assets and their roles in the framework.
  • Building and maintaining a security program including risk assessment and management.
  • Secure network and system architecture principles, emphasizing segregation.
  • Incident response.
  • Identity, access management, authentication, and authorization.
  • Data and information protection.
  • Secure configuration, vulnerability management, and patching.
  • Security event monitoring.
  • Practical application of controls.

In our final section, we will expand on some of these concepts and examine how to convert these guiding tenets into specific administrative tasks.

Applying the Principles: Best Practices for Modern ICS Cybersecurity Architectures

As we discussed in Part One of this series, it can be difficult to secure ICS networks for many reasons including the need for continuous and deterministic operations, interoperability in multi-vendor environments, the variety and age of devices, and their lack of intrinsic security capabilities. As a result of these constraints, the best opportunity to secure ICS environments is with strong architectural defenses which start at the network layer and feature prominently in the guidance provided by the standards and frameworks mentioned above.

A strong network architecture improves ICS security and provides a foundation on which additional security measures can be implemented over time. The Purdue Model, NIST SP800-82, IEC 62443, and the SANS ICS410 Reference Model all place a heavy emphasis on network segmentation and the control of communication between segments.

Just as perimeter firewalls are universally deployed to protect enterprise environments from internet-based attacks, ICS environments should have protection at their many enforcement boundaries. Although industrial processes are at lower levels in the Purdue Model, the most sensitive data and points of control are typically at Level 3, which is also where most attackers first access the ICS network from the business network.

Fundamentally, ICS systems should use dedicated infrastructure that is completely independent of the business network. With effective segmentation in place, a firewall between Levels 3 and 4 can control network communication into and out of the ICS network. This firewall should block all communication in and out of the ICS network and explicitly permit only the minimum required communication.

Attacks can also originate from remote sites, especially in widely distributed environments. For this reason, a secondary enforcement boundary should be configured between Levels 2 and 3 to protect management systems from attacks from the field, and to protect individual field sites from each other. These enforcement boundaries are often implemented using router access-lists to avoid having critical process communication pass through firewalls that could impede legitimate communication.

Screen_Shot_2021-07-13_at_12.00.27_PM.png
Recommended enforcement boundaries for sensitive data at Level 3


There are many different types of systems required for full functionality of an ICS network including operator workstations, HMIs, engineering workstations, management servers, database servers, historians, alarm servers, and many other specialized systems. Each system has a well-defined role and requires specific network access to other systems. Therefore, each level should be further segmented into multiple networks where systems with common roles can reside with an enforcement boundary controlling their communication with the rest of the network.

Multiple DMZs, each with a dedicated purpose, should be created to facilitate communication between the ICS network and the business network. Remote access, cloud access, and Internet access can also be mediated through dedicated DMZs. The implementation and configuration of DMZs will be explored in more detail in a future blog post.

Not only do enforcement boundaries control the communication between different classes of systems, but they also serve as natural network “choke points” where network traffic can be monitored and saved for later analysis. The logs generated by firewalls, combined with raw packets captured from the network, are a rich source of information. Since ICS networks are relatively static, a baseline of “normal” communication can be created and then used to detect anomalies and threats.

A detailed break-down of a complete network architecture is beyond the scope of this blog, however there are several important best practices to follow:

  • The Internet should not be accessible below Level 4.
  • Operations staff may have a separate, dedicated business computer for access to services such as email, Internet, and printing.
  • Active Directory (AD) can be implemented to help manage control networks, but any such AD deployment should be completely independent of the business AD. Domain Controllers and other AD servers should be placed in Level 3.
  • Enforcement boundaries should be employed as shown in the ICS410 Reference Model.
  • Firewalls should block all communication by default, permitting only the communication that is required.
  • All access to the ICS network should require additional layers of authentication, including multi-factor authentication.
  • A secure mechanism should be provided to transfer files in and out of the ICS network while checking them for malware.
  • ICS systems should have dedicated infrastructure such as anti-virus and patching systems that are not dependent on the business network.
  • All communication in and out of the control network should be monitored and logged.

As more and more vendors leverage cloud-based management systems, practitioners need to evolve their ICS architectures. Devices that must communicate with the Cloud should be placed in separate, dedicated zones that restrict their network access to only their cloud-based controllers and the on-premises systems that they must communicate with.

The guidance offered here presents only a fraction of ICS cybersecurity best practices. There are several controls beyond architecture standards for security practitioners to consider as well, and with new functionality demands and new technologies continuously entering the equation, the field of ICS cybersecurity will keep evolving. Nevertheless, the venerable Purdue Model has stood the test of time, offering ideas about risk and a common vocabulary that inform many of the publications and models gaining traction today.

As our series on ICS cybersecurity continues, we’ll delve deeper into specific security measures including best practices for implementing and configuring demilitarized zones at enforcement boundaries.


Glossary of Terms

Customer Relationship Management (CRM)

A CRM system is a central repository in which businesses can store customer and prospect data, track customer interactions, and share this information with colleagues. It allows businesses to manage relationships with customers, thereby helping the businesses grow.

Security Operations Center (SOC)

A dedicated, centralized site where enterprise information systems (web sites, applications, databases, data centers and servers, networks, desktops, and other endpoints) are monitored, assessed, and defended.

Human-Machine Interface (HMI)

A Human-Machine Interface (HMI) is a feature or component of a certain device or software application that enables humans to engage and interact with machines. In ICS, HMIs are typically screens or touchscreens that connect users to machines, systems, or devices.

Programmable Logic Controller (PLC)

A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing.

Remote Terminal Units (RTU)

Typically deployed in industrial environments, a remote terminal unit (RTU) is a multipurpose device used for remote monitoring and control of various devices and systems for automation. It serves a similar purpose to programmable logic circuits (PLCs) but to a higher degree. An RTU is considered a self-contained computer because it shares the same core components: a processor, memory, and storage. Subsequently, it can be used as an intelligent controller or master controller for other devices that, together, automate an industrial process.

Intelligent Electronic Device (IED)

Found everywhere industrial control systems such as such as supervisory control and data acquisition (SCADA) or distributed control systems (DCS) are used, IEDs are devices added to ICS to enable advanced power automation. IEDs are a part of the power regulation used in many industrial processes like control circuit breakers, capacitor bank switches and voltage regulators. These settings are controlled by way of a settings file. The creation and testing of the file are part of the largest tasks involved in IEDs.

Industrial Internet-of-Things (IIoT)

The sensors, instruments, machines, and other devices that are networked together and use Internet connectivity to enhance industrial and manufacturing business processes and applications.


Sources

1 Peterson, Dale. Unsolicited Response Podcast: Is the Purdue Model Dead (S4 2019 Main Stage Panel Discussion). https://dale-peterson.com/2019/02/11/is-the-purdue-model-dead/. February 11, 2019.

2 Peterson, Dale. Unsolicited Response Podcast: Is the Purdue Model Dead (S4 2019 Main Stage Panel Discussion). https://dale-peterson.com/2019/02/11/is-the-purdue-model-dead/. February 11, 2019.

3 As a result of the ransomware incident suffered by Colonial Pipeline, the TSA issued Security Directive Pipeline-2021-01 requiring pipeline owner/operators to assess their current practices against the guidelines, identify gaps and remediation measures, and report these to the TSA.

4 Stouffer, Keith; Falco, Joe; Scarfone, Karen; Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, June 2011.


Introduction to ICS Security Series:

Read Part 1 here.

Read Part 3 here.


About Stephen Mathezer & ICS410

Check out Stephen's bio, ICS contributions, and upcoming ICS410 course teaches here.

Learn more about SANS ICS410: ICS/SCADA Security Essentials course here

    Share:
    TwitterLinkedInFacebook
    Copy url Url was copied to clipboard
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Cote D'ivoire
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Eswatini
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    North Macedonia
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania, United Republic Of
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City State
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Tags:
    • Industrial Control Systems Security

    Related Content

    Blog
    Industrial Control Systems Security
    May 19, 2025
    Culture Over Checklists: How NextEra Is Rethinking NERC CIP with People at the Center
    When people ask me what makes a successful NERC CIP program, my answer is always the same: it’s not just about compliance, it’s about culture. You can meet every regulatory requirement and still be vulnerable. You can pass every audit and still lack resilience. The organizations that stand out—the...
    370x370_Jason-D-Christopher.jpg
    Jason D. Christopher
    read more
    Blog
    emerging threats summit 340x340.png
    Digital Forensics, Incident Response & Threat Hunting, Offensive Operations, Pen Testing, and Red Teaming, Cyber Defense, Industrial Control Systems Security, Cybersecurity Leadership
    May 14, 2025
    Visual Summary of SANS Emerging Threats Summit 2025
    Check out these graphic recordings created in real-time throughout the event for SANS Emerging Threats Summit 2025
    No Headshot Available
    Alison Kim
    read more
    Blog
    Blog - Cloudy with a Chance of_340 x 340.jpg
    Industrial Control Systems Security
    May 13, 2025
    Cloudy with a Chance of Industrial Cyber Threats, Part 1
    Cloud in ICS/OT can enable scalable data storage, remote monitoring, analytics, disaster recovery, & industrial process control capabilities.
    DeanParsons_340x340.png
    Dean Parsons
    read more
    • Company
    • Mission
    • Instructors
    • About
    • FAQ
    • Press
    • Contact Us
    • Careers
    • Policies
    • Training Programs
    • Work Study
    • Academies & Scholarships
    • Public Sector Partnerships
    • Law Enforcement
    • SkillsFuture Singapore
    • Degree Programs
    • Get Involved
    • Join the Community
    • Become an Instructor
    • Become a Sponsor
    • Speak at a Summit
    • Join the CISO Network
    • Award Programs
    • Partner Portal
    Subscribe to SANS Newsletters
    Receive curated news, vulnerabilities, & security awareness tips
    United States
    Canada
    United Kingdom
    Spain
    Belgium
    Denmark
    Norway
    Netherlands
    Australia
    India
    Japan
    Singapore
    Afghanistan
    Aland Islands
    Albania
    Algeria
    American Samoa
    Andorra
    Angola
    Anguilla
    Antarctica
    Antigua and Barbuda
    Argentina
    Armenia
    Aruba
    Austria
    Azerbaijan
    Bahamas
    Bahrain
    Bangladesh
    Barbados
    Belarus
    Belize
    Benin
    Bermuda
    Bhutan
    Bolivia
    Bonaire, Sint Eustatius, and Saba
    Bosnia And Herzegovina
    Botswana
    Bouvet Island
    Brazil
    British Indian Ocean Territory
    Brunei Darussalam
    Bulgaria
    Burkina Faso
    Burundi
    Cambodia
    Cameroon
    Cape Verde
    Cayman Islands
    Central African Republic
    Chad
    Chile
    China
    Christmas Island
    Cocos (Keeling) Islands
    Colombia
    Comoros
    Cook Islands
    Costa Rica
    Cote D'ivoire
    Croatia (Local Name: Hrvatska)
    Curacao
    Cyprus
    Czech Republic
    Democratic Republic of the Congo
    Djibouti
    Dominica
    Dominican Republic
    East Timor
    Ecuador
    Egypt
    El Salvador
    Equatorial Guinea
    Eritrea
    Estonia
    Eswatini
    Ethiopia
    Falkland Islands (Malvinas)
    Faroe Islands
    Fiji
    Finland
    France
    French Guiana
    French Polynesia
    French Southern Territories
    Gabon
    Gambia
    Georgia
    Germany
    Ghana
    Gibraltar
    Greece
    Greenland
    Grenada
    Guadeloupe
    Guam
    Guatemala
    Guernsey
    Guinea
    Guinea-Bissau
    Guyana
    Haiti
    Heard And McDonald Islands
    Honduras
    Hong Kong
    Hungary
    Iceland
    Indonesia
    Iraq
    Ireland
    Isle of Man
    Israel
    Italy
    Jamaica
    Jersey
    Jordan
    Kazakhstan
    Kenya
    Kiribati
    Korea, Republic Of
    Kosovo
    Kuwait
    Kyrgyzstan
    Lao People's Democratic Republic
    Latvia
    Lebanon
    Lesotho
    Liberia
    Liechtenstein
    Lithuania
    Luxembourg
    Macau
    Madagascar
    Malawi
    Malaysia
    Maldives
    Mali
    Malta
    Marshall Islands
    Martinique
    Mauritania
    Mauritius
    Mayotte
    Mexico
    Micronesia, Federated States Of
    Moldova, Republic Of
    Monaco
    Mongolia
    Montenegro
    Montserrat
    Morocco
    Mozambique
    Myanmar
    Namibia
    Nauru
    Nepal
    Netherlands Antilles
    New Caledonia
    New Zealand
    Nicaragua
    Niger
    Nigeria
    Niue
    Norfolk Island
    North Macedonia
    Northern Mariana Islands
    Oman
    Pakistan
    Palau
    Palestine
    Panama
    Papua New Guinea
    Paraguay
    Peru
    Philippines
    Pitcairn
    Poland
    Portugal
    Puerto Rico
    Qatar
    Reunion
    Romania
    Russian Federation
    Rwanda
    Saint Bartholemy
    Saint Kitts And Nevis
    Saint Lucia
    Saint Martin
    Saint Vincent And The Grenadines
    Samoa
    San Marino
    Sao Tome And Principe
    Saudi Arabia
    Senegal
    Serbia
    Seychelles
    Sierra Leone
    Sint Maarten
    Slovakia
    Slovenia
    Solomon Islands
    South Africa
    South Georgia and the South Sandwich Islands
    South Sudan
    Sri Lanka
    St. Helena
    St. Pierre And Miquelon
    Suriname
    Svalbard And Jan Mayen Islands
    Sweden
    Switzerland
    Taiwan
    Tajikistan
    Tanzania, United Republic Of
    Thailand
    Togo
    Tokelau
    Tonga
    Trinidad And Tobago
    Tunisia
    Turkey
    Turkmenistan
    Turks And Caicos Islands
    Tuvalu
    Uganda
    Ukraine
    United Arab Emirates
    United States Minor Outlying Islands
    Uruguay
    Uzbekistan
    Vanuatu
    Vatican City State
    Venezuela
    Vietnam
    Virgin Islands (British)
    Virgin Islands (U.S.)
    Wallis And Futuna Islands
    Western Sahara
    Yemen
    Zambia
    Zimbabwe

    By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
    • Privacy Policy
    • Terms and Conditions
    • Do Not Sell/Share My Personal Information
    • Contact
    • Careers
    © 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.
    • Twitter
    • Facebook
    • Youtube
    • LinkedIn