ICS418: ICS Security Essentials for Managers

  • In Person (2 days)
  • Online
12 CPEs
The ICS418: ICS Security Essentials for Managers course empowers leaders responsible for securing critical infrastructure and operational technology environments. The course addresses the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives to prioritize safety. ICS418 will help you manage the people, processes, and technologies necessary to create and sustain lasting ICS cyber risk programs while promoting a culture of safety, reliability, and security.

What You Will Learn

ICS security is an ever-changing field requiring practitioners to continually adapt defense strategies to meet new challenges and threats. To compound the issue, any security changes need to be thoroughly tested to maintain the safety and reliability of industrial operations.

Globally, "critical infrastructure" and "operators of essential services" represent hundreds of thousands - if not millions - of industrial organizations. Some of them are the lifelines to our modern society, like water, energy, food processing, and critical manufacturing - but every industrial facility deserves to know their process is secure and safe. With increased threats, new technology trends, and evolving workforce demands, it is vital for security managers in operational technology (OT) to be trained in techniques to defend their facilities and their teams.

The two-day ICS418 fills the identified gap amongst leaders working across critical infrastructure and OT environments. It equips new or existing managers responsible for OT/ICS, or converged IT/OT cybersecurity. The course provides the experience and tools to address industry pressures to manage cyber risk to prioritize the business - as well as the safety and reliability of operations. ICS leaders will leave the course with a firm understanding of the drivers and constraints that exist in these cyber-physical environments and will obtain a nuanced understanding of how to manage the people, processes, and technologies throughout their organizations.

You Will Be Able To

  • Articulate the value of ICS security and tie cyber risk to business risk decisions
  • Trend current and future technology changes to address business needs
  • Measure successes in industrial cyber risk management, complete with metrics for executives and boards
  • Use best practices to enable ICS security incident detection and response for their teams
  • Leverage external information, including threat intelligence, to guide their ICS security program
  • Provide governance, oversight, execution, and support across industrial facilities for ICS security initiatives and projects
  • Apply the differences between IT and ICS security for an effective control system cyber security program
  • Develop their security workforce to address gaps in hiring, training, and retention
  • Apply advanced techniques to help shape and shift their organization's culture of security

This Course Will Prepare You To

  • Develop ICS-specific cybersecurity programs and measure their impact across the organization
  • Use management and leadership skills to communicate your ICS security vision to executives and other leaders
  • Build (and keep) your ICS security team, using forecasting, capability modeling, and workforce planning
  • Assess the overall effectiveness of your organization's industrial cyber risk management program
  • Manage the various constraints across IT, OT, engineering, and physical security to improve your organization's culture

What You Will Receive

  • Access to Cyber42: Industrial Edition for management-based skills development with applicable business-oriented decision making
  • Editable leadership drills designed for students to build new strategy and program elements and continue their development long after the course ends

Syllabus (12 CPEs)

  • Overview

    Industrial control systems (ICS) security managers must be able to create and sustain cybersecurity programs with challenging constraints. These leaders must be able to manage industrial cyber risks, plan for evolving technologies, and incorporate ICS-specific security standards. On the first day, students will learn the differences between traditional information technology (IT) and operational technology (OT) systems, as well as the associated threats, vulnerabilities, and potential impacts from ICS-specific cyber attacks. Once these elements of industrial cyber risk are established, students will explore using industry best practices, guidelines, and standards to assess and measure ICS security programs.

    • Overview of ICS and Critical Infrastructure
    • Attack History & Modern Adversaries
    • Cybersecurity Risk, Impacts, Goals & Safety
    • ICS Technology Trends
    • IT and OT Security Differences
    • ICS Incident Response Management
    • Industrial Cyber Risk Management
    • ICS Policy, Frameworks, Regulations and Compliance
    • Strategy Planning & Tactical Priorities
  • Overview

    The second section of this course builds on the concepts around building an ICS security program and explores the workforce needs to manage the day-to-day tasks, planning, and reporting required to minimize cyber risk. Students will be equipped with a common understanding of the ICS security and safety culture, the skills required to perform various job functions, and both company-wide and team-specific security controls.

    • Governance, Oversight, Execution, and Support
    • Dedicated ICS Security Efforts & Measuring Value
    • Organization Roles & Responsibilities
    • Key Performance Indicators
    • Building & Maturing Effective ICS Security Teams
    • Building & Maturing ICS Cyber Defense Programs
    • ICS Security Awareness & Safety Culture
    • Executive Metrics and Communications


Students with backgrounds in IT, ICS, and/or management will do well with this course.

Students should also have:

  • A strong desire to lead people and manage processes to improve ICS security
  • Willingness to apply lab exercises and content to their unique industrial organization
  • The ability to stretch outside of their comfort zone

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.


  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.


  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

Now, more than ever, it is important to train and equip ICS security leaders with the skills and knowledge they need to protect critical infrastructure. This course is the culmination of decades of experience in building and managing OT/ICS security teams - and it is the course we wish was available to us when we started on our ICS security journey. We've drawn across our roles in different industrial sectors and teams - as former company executives, team leads, incident responders, and managers - to create a course empowering leaders facing the greatest challenge of our time: industrial control system cybersecurity. - Jason D. Christopher & Dean C. Parsons
