The New ICS418 Course: Step Up, Step Over, In Place - ICS Security Essentials for Managers

SANS ICS418: ICS Security Essentials for Managers is an intense two-day course that provides techniques to address a manager’s biggest concern: keeping industrial processes secure.

NOTE: THE SECOND BETA RUN OF THIS COURSE IS NOW OPEN FOR REGISTRATION. REGISTER HERE.

Building Tomorrow's Leaders for Industrial Security

Industrial security has evolved rapidly over the past decade. Originally seen as an afterthought, industrial security is increasingly cited by executives and boards as a key ICS cyber risk to their organization. This is largely due to the prominence of real-world events, increased threats, and the tangible impacts of industrial cyber attacks—including stalled production, equipment damage, and even loss of life.

Over the past decade, SANS has specifically focused on providing ICS practitioners with hands-on learning that leverages actionable techniques and tools. The SANS ICS curriculum, which started in 2013 with ICS410: ICS/SCADA Security Essentials, today features four technical courses, each more advanced than the next. The course series culminates with the in-person ICS612: Cybersecurity in-Depth, which leverages an ICS test lab and network to defend based on real-world incidents.

All of these courses share a vision outlined by Mike Assante and the SANS ICS team to arm and train capable defenders with the skills needed to protect the essential services that enable our modern world to function:

A critical part of Mike’s vision is to develop leaders who can in turn enable technical practitioners, create a vision for ICS security, and measure the success of that vision across their team.

That is where ICS418 comes in. This new course blends ICS security essentials with advanced management techniques to train leaders, regardless of their background or prior experience with ICS, security, or engineering and operations.

Why This Course and Why Now?

ICS security is an ever-changing field that requires practitioners to continually adapt defense strategics to meet new challenges and threats. To compound the challenge, any security changes need to be 100% tested in order to ensure and maintain the safety and reliability of industrial operations.

The terms “critical infrastructure” and “operators of essential services” refer to countless industrial organizations across the globe. Some of them are lifelines for our modern society, such as water, energy, food processing, and critical manufacturing. Regardless of the field in which they operate, all industrial facilities must know that their processes are secure and safe. With increased threats, new trends in technology, and evolving workforce demands, it is vital that security managers in operational technology (OT) be trained in techniques to defend their facilities and their teams.

ICS418 fills the identified gap among leaders working across critical infrastructure and OT environments. It equips both new and experienced managers responsible for OT/ICS or converged IT/OT cybersecurity. The course provides the experience and tools to address industry pressures to manage cyber risk in a way that prioritizes the business side as well as the safety and reliability of operations. ICS leaders will leave the course with a firm understanding of the drivers and constraints in these cyber-physical environments and will gain a nuanced understanding of how to manage the people, processes, and technologies in their organizations.

Security Management Roles Targeted by ICS418

ICS418 is aimed at managers of personnel responsible for securing the day-to-day operations across an organization’s OT and ICS environments. This includes distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems. Managers of these teams often come from diverse backgrounds with a focus either on management skills, with minimal understanding of ICS environments, or on technical skills, with minimal management skills.

The course is designed to bridge the gap between those two skill sets by following the axiom that a “rising tide lifts all boats” when it comes to ICS security managers. The course addresses the needs of the full range of managers, including:

• • Traditional information technology (IT) security managers who must create, lead, or refine an ICS security program
• • Industrial engineers, operators, or ICS security practitioners promoted to a manager position to create, lead, or refine an ICS security program
• • Existing ICS security managers who need to further develop their leadership skills specific to industrial security

Security Management Goals of ICS418

Unlike IT systems, ICS and their corresponding industrial facilities require considerations beyond traditional cybersecurity controls. Within IT networks, the main security concerns may revolve around exfiltration of data (such as customer or employee records) or the destruction/unavailability of data (as in a ransomware attack). In OT environments, on the other hand, the loss or manipulation of visibility, control, or safety can lead to physical impacts in the tangible world. These sorts of scenarios highlight the importance of preventing and detecting cybersecurity incidents, but what can you do with devices that may be 30+ years old and are generally incapable of providing access controls, end point protection, or system hardening? How do you build a team of defenders who need to understand both security and engineering? What do you do when your organization spends more on its website than on industrial security?

ICS418 is designed to address these concerns —and many more. An ICS418 course graduate will be able to:

• Articulate the value of ICS security and tie cyber risk to business risk decisions
• Trend current and future technology changes to address business needs
• Measure successes in industrial cyber risk management, complete with metrics for executives and boards of directors
• Use best practices to enable ICS security incident detection and response for their teams
• Leverage external information, including threat intelligence, to guide their ICS security program
• Provide governance, oversight, execution, and support across industrial facilities for ICS security initiatives and projects
• Develop their security workforce to address gaps in hiring, training, and retention
• Apply advanced techniques to help shape and shift their organization’s culture of security

Takeaways Beyond the Course

It wouldn’t be a SANS class without considering what happens after the course is over—in this case, what we might call “Day 3.” That’s right: a two-day course where we address what to do next in the days and months after the course is finished. Beyond the hours of content, we have loaded ICS418 with extra material to apply to your current (and future) ICS security strategy. Bonus material includes handouts for forecasting, tools for ICS security assessments, and much more! You can take the applied guided discussions and labs and tailor them based on your unique operating environment—essentially a gift from SANS to the students and the larger ICS security community.

ICS418 Course Layout

We have filled this course to the brim with a combination of technical and managerial skill development tailored specifically for industrial organizations. Broken into two days, ICS418 is designed to “short circuit” the needed skills for ICS security leaders both in terms of covering topics specifically relevant to ICS, as well as developing abilities to manage people, processes, and technologies.

Day 1: Developing and Sustaining ICS Security Programs

• The course starts with a level-setting on the capabilities and risks associated with industrial control systems. The course day is equally mapped between managers new to ICS and experienced ICS professionals looking to sharpen their edge on current technology trends, threats, and vulnerabilities. With a clear foundation of what skills are required, students will get hands-on experience with unique tools designed to demonstrate unique industrial cyber risks, while also highlighting the need to manage and sustain our security efforts.

Day 2: Leading ICS Security Teams

• Building on the topics of what is required for a successful ICS security program, the second day dives into overall governance, oversight, execution, and support of those topics—including how to hire, train, and retain skilled ICS security teams. Unlike industrial equipment, people have feelings (and dreams and ambitions), and leaders must enable their teams to be successful. Based on the popular techniques in the SANS Management curriculum, day 2 of ICS418 blends the “best of” SANS tailored to unique concerns in OT environments.

Labs

• As with all SANS courses, ICS418 students will not be attending a “death by PowerPoint” training session. The course has a half-dozen hands-on labs with real security applications that involve leveraging practical techniques. By merging technical with managerial topics, we’re also introducing more than 10 “leadership drills” that provide handouts and worksheets students can use to tailor their learning experience based on their unique operational needs.

Industrial Cyber 42

• Those familiar with the Cyber42 cybersecurity leadership simulation game (https://www.sans.org/blog/cyber42/) may have learned about it when taking SANS Management courses. SANS has extended this awesome tool for ICS418 by introducing Cyber42: Industrial Edition, which borrows many features from the traditional Cyber42. The scenarios are specific to industrial control systems, and of course safety is added to the mix of industrial cyber incidents. In Industrial Cyber43, the object of the game is to finish with the highest safety culture.
• Beyond ICS418, OT/ICS professionals or teams can participate in various forms of Industrial Cyber42 via “Game Days” at various times throughout the year. Different scenarios of Industrial Cyber42 can also be explored through the SANS Ranges (https://www.sans.org/cyber-ranges/) for private OT/ICS Game Days to suit your facility’s needs.

Are You Ready to Lead ICS Security? 

Then join us for ICS418! REGISTRATION IS NOW OPEN FOR BETA 2 - TAKING PLACE APRIL 4 & 5, LIVE ONLINE.

ICS418 Course Authors

Certified ICS SANS Instructor for ICS515: ICS Visibility, Detection, and Response	Certified ICS SANS Instructor for ICS456: Essentials for NERC Critical Infrastructure Protection
Dean brings over 20 years of technical and management experience to the classroom. He has worked in both information technology and industrial control system (ICS) cyber defense in critical infrastructure sectors such as telecommunications, electricity generation, transmission, distribution, and oil and gas refineries, storage, and distribution. Dean is an ambassador for defending industrial systems and an advocate for the safety, reliability, and cyber protection of critical infrastructure. His mission as an instructor is to empower each of his students, and he earnestly preaches that “Defense is Do-able!” Over the course of his career, Dean’s accomplishments include establishing ICS security programs for critical infrastructure sectors, building and managing converged IT/OT incident response and threat hunt teams, and conducting ICS cyber defense assessments.	In his role at Dragos, Jason Christopher focuses on ICS monitoring technology, threat intelligence, and incident response. Previously he was the Chief Technology Officer for Axio. His experience includes providing technical leadership on security and resilience issues, and developing technology platforms for security metrics and benchmarking. Prior to Axio, Jason led cybersecurity metrics and information assurance research at the Electric Power Research Institute. He has also served as the technical lead for cybersecurity capability and risk management at the U.S. Department of Energy, where he managed the Cybersecurity for Energy Delivery Systems Operations Program that included the Cybersecurity Capability Maturity Model and other collaborative efforts.

Author's Statement

“Now, more than ever, it is important to train and equip ICS security leaders with the skills and knowledge they need to protect critical infrastructure. This course is the culmination of decades of experience in building and managing OT/ICS security teams -- and it is the course we wish was available to us when we started on our ICS security journey. We’ve drawn across our roles in different industrial sectors and teams-- as former company executives, team leads, incident responders, and managers-- to create a course empowering leaders facing the greatest challenge of our time: industrial control system cybersecurity.”

– Jason D. Christopher & Dean C. Parsons