
It Was Never Just the Main Stage: Reflections on the 2026 SANS ICS Security Summit

SANS brings together some of the brightest minds in industrial cybersecurity to share research, lessons learned, and hard-earned experience.

Authored by Tim Conway

Every year when Rob M. Lee and I stand on stage in front of the SANS ICS Security Summit attendees, I'm reminded that this event has never been about the stage alone.

The presentations matter, of course. SANS brings together some of the brightest minds in industrial cybersecurity to share research, lessons learned, and hard-earned experience. But what makes this community special happens between the sessions: in the hallways, the workshops, the labs, the expo hall, and the conversations that continue long after the summit.

This year, alongside three days of main-stage presentations, we packed in SANS ICS courses, instructor-led workshops featuring live demonstrations and hands-on labs with real OT devices, a Solutions Expo showcasing the latest technology, and countless opportunities for practitioners to connect. As I listened throughout the week, four themes kept resurfacing. No single speaker owned them, and no single session defined them. Together, however, they painted a clear picture of where industrial cybersecurity stands today and where it needs to go next.

The Adversary's Plan Is Real, and It Is Patient

One of the clearest messages from this year's summit was that attacks against critical infrastructure are no longer hypothetical scenarios played out in tabletop exercises. Many speakers emphasized that unfriendly nation-states are actively positioning themselves for the future, learning environments, identifying weaknesses, and preparing options long before a conflict ever emerges.

Brian Harrell, CSO at FirstEnergy, called on attendees to move beyond the question of whether cyber attacks can create physical consequences and focus instead on what defenders should do when they assume an adversary may already be inside the environment. His message was clear: prevention remains important, but it is no longer enough. Organizations must actively hunt for threats, continuously validate assumptions, and remain vigilant against what he described as "security exhaustion," where overstretched defenders become numb to the signals that matter most.

Mark Bristow, SANS Principal Instructor and Director of the Cyber-Physical Systems division at MITRE, reinforced this point when he described a massive tabletop exercise involving roughly 200 participants from 70 organizations across multiple cities. The exercise simulated a prolonged, multi-sector crisis in which attacks occurred simultaneously across critical infrastructure sectors. The results showed how quickly incident response resources could become overwhelmed, how damaging data corruption can be compared to outright outages, and how dependent organizations are on communications systems they assume will always be available.

As Mark noted, many organizations still have not hit the "I believe" button when it comes to exercising and preparing for attacks that could occur. That may be one of the biggest challenges our community faces. We cannot prepare for threats we refuse to imagine.

Adam Robbie's OT threat research at Palo Alto Networks provided another reminder that the indicators are already visible. Analysis of more than 61,000 OT firewalls revealed attack patterns that are often predictable and detectable early in the intrusion lifecycle. The warning signs are there for organizations willing to look for them.

AI Cuts Both Ways

Artificial intelligence appeared throughout this year's summit, but probably not in the way people expected. The conversation was not simply about how to use AI. It was about understanding AI as both a dependency and a risk.

Amir Zaltzman of Claroty Team82 highlighted an important shift: as AI infrastructure becomes increasingly critical to business operations, the operational technologies that support that infrastructure become critical as well. His research demonstrated that the systems providing power and cooling to data centers can create attack paths that can disrupt the AI services organizations increasingly depend upon. The vulnerabilities have been addressed, but the lesson remains. Protecting AI requires protecting the physical and operational systems that keep it running.

At the same time, Teri Green of Elevate Energy focused attention on the growing challenge of "shadow AI." In many cases, the greatest risk is not the AI program an organization deploys, but the unsanctioned use of AI tools by employees, contractors, and vendors handling operational data. The technology is moving faster than governance, and many organizations are still working to close that gap.

Several speakers also explored the positive side of the equation. Blake Gilson of ExxonMobil outlined a practical approach to adopting AI in OT environments responsibly, while Terry McCorkle of PhishCloud demonstrated how AI can help security teams manage overwhelming volumes of data and alerts. Both reinforced the same principle: AI can be a powerful force multiplier, but only when humans remain firmly in control of operational decision-making.

Insecurity Is Often in the Design (and the Deployment)

One theme that came up repeatedly throughout the summit was that many of today's industrial security challenges do not stem from sophisticated exploits or previously unknown vulnerabilities.

In many cases, systems are behaving exactly as they were designed to behave.

Eric Forner of Armexa and Marco Ayala of ABS Consulting demonstrated this during their day-two keynote, showing how common industrial protocols can be leveraged to create significant operational risk. The issue was not a software flaw. It was a protocol designed for reliability and interoperability, long before cybersecurity became a primary concern.

Their message was captured in a phrase that stuck with me: secure by deployment. Many security features already exist within modern industrial technologies, but they frequently remain disabled, misconfigured, or underutilized. Protections that ship turned off are useless until organizations implement them.

Tyler Webb of Dragos explored another variation of this challenge, demonstrating how adversaries can conceal malicious activity within legitimate, standards-compliant traffic. Rather than exploiting a vulnerability, attackers may simply leverage built-in capabilities that defenders are not actively monitoring. As Tyler noted, however, identifying these techniques also allows vendors and asset owners to improve visibility and defenses. In at least one case, equipment commonly deployed in industrial environments was not susceptible to the demonstrated approach. This is an encouraging reminder that progress is being made.

The architecture-focused sessions reinforced the same lesson from a defensive perspective. Speakers from Cisco, Raytheon, Enbridge, MITRE, and DNV explored practical approaches to segmentation, designing systems to limit potential consequences, architectural assessment, and organizational governance. While the topics varied, the conclusion was consistent: resilient systems emerge when engineering, operations, and security work together from the start to support safe and reliable operations.

Resilience Over Prevention, Spoken in the Language of the Business

One idea connected nearly every discussion at the summit: the growing recognition that resilience, not prevention, is becoming one of the defining challenges for industrial cybersecurity.

Luis Luque of Accenture spoke to this shift during the day-three keynote. Drawing from thousands of engagements, he presented data showing that most organizations still struggle to effectively protect cyber-physical systems. His recommendation was not to give up on prevention, but to recognize its limits. Incidents will happen. The question is how effectively organizations can respond, recover, and continue operating when they do.

One concept that stood out was the idea of defining a "minimum viable business," i.e., the essential operations that must continue regardless of the circumstances. Many organizations invest heavily in preventing disruptions, while only a few can clearly point to which functions are truly mission-critical, which can be deferred, and how recovery would occur if key systems became unavailable.

Just as important was Luis's reminder that cybersecurity leaders must learn to communicate in the language of operations and business outcomes. Reliability, uptime, safety, production, pressure, and flow are the metrics that matter most to operational leaders. Security initiatives gain traction when they connect directly to those priorities.

Several other sessions reinforced this perspective. Donovan Tindill of DeNexus quantified the financial realities of downtime and demonstrated why recovery continues to lag behind improvements in detection. Christopher Cotter of Avangrid discussed building an OT security program around SANS's Five ICS Cybersecurity Critical Controls. Stephen Green of Waste Management shared practical lessons from modernizing OT security without compromising safety or operational continuity.

Together, these discussions pointed toward the same conclusion. Prevention is essential, but it is increasingly becoming table stakes. Resilience, recovery, and operational continuity are where organizations must continue to invest.

It Was Never Just the Main Stage

As valuable as the presentations were, what made these themes resonate was the community gathered around them.

The same practitioners discussing protocol security during their presentations were testing ideas in workshops, sharing lessons in the expo hall, and continuing conversations over dinner. The courses honed technical skills. The labs provided hands-on experience with real OT technologies. The networking created opportunities to learn from peers facing many of the same challenges.

Most importantly, these interactions strengthened the relationships that matter when incidents occur. Resilience is not built solely through technology. It is built through people: through operators, engineers, defenders, and leaders who understand their systems and trust one another enough to share what they have learned.

If there was one lesson I carried away from this year's summit, it was that the challenge in front of us is bigger than any one technology, vendor, framework, or organization. The threats are becoming more sophisticated, but so is the community defending against them.

That is why the conversations in the hallways matter as much as the talks on stage. When the next challenge arrives, and it will, it will not be solved by a single company. It will be solved by the people who showed up, shared what they know, and strengthened the community together.

The strongest defense of critical infrastructure has always been the people behind it. This year's summit highlighted that sharing knowledge, building relationships, and learning from one another remain among our greatest strengths as a community. And this year was special for me as I celebrated my 50th birthday, and this community did their best to remind me that I was surrounded by family on that day! Whether you joined us this year or are considering attending for the first time, I encourage you to stay connected and continue the conversation with us.

Explore upcoming SANS ICS Summits, training events, and community opportunities to see what's next for industrial cybersecurity.

Thank you for making the trip. I'll see you again next year.