Get unparalleled cyber security training from real-world practitioners in Boston. Save $200 thru 6/26.

ICS Cybersecurity for Managers New

Are you responsible for implementing an industrial control system (ICS) or an operational technology (OT) cybersecurity program? This course is for you whether you are a manager or a team member, or whether you work for corporate or at a site. We'll take you on a tour of the risks, concepts, terminology, standards, regulations, best practices, and jargon surrounding this important new field. You'll learn how to navigate through these complex considerations and apply effective structure and priorities to your implementation strategy and plan.

This course was developed and is taught by two highly experienced professionals: a former CISO of an oil and gas company, and the vice-president of industrial cybersecurity for an engineering and process safety services firm. The course is a "Reader's Digest" of what the instructors have learned over the last decade regarding effective management and implementation of an ICS/OT cybersecurity program. Throughout the course, they share practical advice and illuminating anecdotes about their experiences working with both large and small companies across a wide range of industries. You will leave with a set of techniques, tools, and templates to more confidently lead your company's ICS/OT cybersecurity program.

You Will Learn About:

  • History and Trends in ICS Cybersecurity
  • Regulations that Address ICS Cybersecurity
  • ICS Cybersecurity Standards
  • Building and Managing a Cybersecurity Program
  • Preparing and Implementing a Governance Strategy
  • Quantifying and Managing ICS Cybersecurity Risk
  • Integrating ICS Cybersecurity into Your Organization
  • Implementing Security Controls to Mitigate ICS Cybersecurity Risk
  • Monitoring ICS Environments for ICS Cybersecurity Threats and Vulnerabilities
  • Operationalizing ICS Cybersecurity


Why take this course?

Building an ICS cybersecurity program can sometimes seem quite overwhelming. It is difficult to sort through the priorities of your company's cyber-based risks. You have to wade through dozens of frameworks, regulations, standards, and industry best-practices, and then determine how to apply the requirements of hundreds of security controls throughout the organization. Where and how do you start? By completing this course, you will learn how to systematically, effectively, and pragmatically build your program from the ground up, step by step, continuously improving your security posture over time.



SANS Hosted are a series of classes presented by other educational providers to complement your needs for training outside of our current course offerings.

Course Syllabus

CPE/CMU Credits: 6



1.1. ICS/SCADA Cybersecurity

1.2. ICS Systems Are Vulnerable

1.3. History of ICS Cybersecurity Incidents

1.3.1. Stuxnet

1.3.2. Shamoon

1.3.3. Ukraine Power Grid Attack 2015

1.3.4. Ukraine Power Grid Attack 2016

1.3.5. Notpetya ransomware Attacks 2017

1.3.6. Triton/Trisis Malware 2017

1.3.7. Current Events (placeholder for recent event)


2.1. What Is Cyber Risk?

2.2. Consequences of ICS Compromise

2.3. Cyber Threats

2.3.1. Cyber Threats - Who?

2.3.2. Cyber Threats - How?

2.3.3. Different Types of Malware

2.3.4. Attack Techniques

2.3.5. ICS-Specific Threats

2.3.6. ICS Threat Activity Groups

2.4. ACTIVITY #1 - Social Engineering

2.5. Cyber Vulnerabilities

2.5.1. Common Vulnerabilities in ICS Systems

2.5.2. Pathways into ICS Systems

2.5.3. Vulnerability Hunting

2.5.4. ICS-CERT

2.5.5. Vulnerability Databases

2.5.6. Summary of ICS Threats, Vulnerabilities and Impacts

2.6. ACTIVITY #2: Vulnerability Databases


3.1. Definitions

3.1.1. Information Security

3.1.2. Security Controls

3.2. US Cybersecurity Regulations

3.2.1. Electricity Sector

3.2.2. Nuclear Sector

3.2.3. Chemical Sector

3.2.4. Water Sector

3.2.5. Pharmaceutical Sector

3.2.6. Pipeline Sector

3.2.7. Other Sectors

3.3. Cybersecurity Regulations in other Countries


4.1. NIST Cybersecurity Framework

4.2. IT Cybersecurity Standards

4.2.1. ISO/IEC 27000

4.2.2. NIST 800-53

4.3. ICS Cybersecurity Standards

4.3.1. ISA/IEC 62443

4.3.2. NERC CIP

4.3.3. NIST 800-82

4.3.4. CIS Critical Controls for ICS

4.3.5. API 1164

4.4. ACTIVITY #3: NIST CSF+ Extended Framework


5.1. Strategy Models

5.1.1. CIS Top 20 Critical Controls

5.1.2. Australian Signals Directorate (ASD) Essential 8

5.1.3. DHS NCCIC Seven Strategies to Defend ICSs

5.1.4. Top 20 ICS Controls (NIST CSF / IEC 62443)

5.2. The Five Pillars Strategy Model

5.2.1. Why Is this important?

5.2.2. What Are The Five Pillars?

5.3. ACTIVITY #4: Five Pillars Questionnaire

5.4. Pillar 1: Governance

5.4.1. Business Justification

5.4.2. Culture and Commitment

5.4.3. Strategy and Plan

5.4.4. Budget and Team

5.4.5. Program Management

5.4.6. Policies

5.4.7. Training and Awareness

5.4.8. Performance Monitoring

5.5. ACTIVITY #5: Preparing a Governance Strategy

5.6. Pillar 2: Risk Management

5.6.1. Due Care and Due Diligence

5.6.2. Risk Strategy and Policy

5.6.3. Cybersecurity Insurance

5.6.4. Risk Assessment

5.6.5. Business Impact Analysis

5.6.6. Risk Mitigation Planning

5.7. ACTIVITY #6: Preparing a Risk Management Strategy

5.8. Pillar 3: Security Integration

5.8.1. Brownfield Considerations

5.8.2. Greenfield Considerations

5.8.3. Operations Integration

5.8.4. Engineering Integration

5.8.5. IT Integration

5.8.6. HR and Legal Integration

5.8.7. PSM and EH&S Integration

5.8.8. Procurement Integration

5.8.9. Regulatory Integration

5.8.10. Supply Chain Integration

5.9. ACTIVITY #7: Preparing a Security Integration Strategy

5.10. Pillar 4: Security Implementation

5.10.1. Technical Controls

5.10.2. Standards and Procedures

5.10.3. Network Segmentation

5.10.4. System Hardening

5.10.5. Access Control

5.10.6. Verification and Testing

5.11. ACTIVITY #8: Preparing a Security Implementation Strategy

5.12. Pillar 5: Security Operations

5.12.1. Continuous Monitoring

5.12.2. Business Continuity/Disaster Recovery

5.12.3. Threat Intelligence

5.12.4. Security Event Monitoring

5.12.5. Change/Configuration Management

5.12.6. Anomaly Detection

5.12.7. Backup and Recovery

5.12.8. Asset Management

5.12.9. Vulnerability Management (and Patch Management)

5.12.10. Incident Response Plan

5.12.11. Security Tools Management

5.13. ACTIVITY #9: Preparing a Security Operations Strategy


6.1. Summary

6.2. Q & A

6.3. Complete Feedback Forms

Additional Information

Laptops need a browser and be capable of connecting to the wireless network.

If you have additional questions about the laptop specifications, please contact

Why Take This Course?

Building an ICS cybersecurity program can sometimes seem quite overwhelming. It is difficult to sort through the priorities of your company's cyber-based risks. You must wade through dozens of frameworks, regulations, standards and industry best-practices, and then determine how to apply the requirements of hundreds of security controls throughout the organization. Where and how to start? By completing this course, you will learn how to systematically, effectively and pragmatically build your program from the ground up, step-by-step, continuously improving your security posture over time.

  • Course manual
  • Activity handouts
  • Example templates

Author Statement

We authored this course to address two important gaps in ICS cybersecurity training:

1. Program Managers. Although there are numerous courses available that are targeted to technical staff, few are targeted specifically toward managers responsible for developing, managing, operationalizing and institutionalizing ICS cybersecurity programs.

2. Limited Time. Not everyone has the bandwidth to devote 4-6 days for an intensive training class. Accordingly, this class compresses the most relevant and salient knowledge into a single day.

- John Cuisamo and Paul Rostick, aeSolutions

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

1 Training Result

*Course contents may vary depending upon location, see specific event description for details.