ICS418: ICS Security Essentials for Managers

  • In Person (2 days)
  • Online
12 CPEs

The ICS418: ICS Security Essentials for Managers course empowers leaders responsible for securing critical infrastructure and operational technology environments. The course addresses the need for dedicated ICS security programs, the teams that run them, and the skills required to map industrial cyber risk to business objectives to prioritize safety. ICS418 will help you manage the people, processes, and technologies necessary to create and sustain lasting ICS cyber risk programs while promoting a culture of safety, reliability, and security.

What You Will Learn

ICS security is an ever-changing field requiring practitioners to continually adapt defense strategies to meet new challenges and threats. To compound the issue, any security changes need to be thoroughly tested to maintain the safety and reliability of industrial operations.

Globally, "critical infrastructure" and "operators of essential services" represent hundreds of thousands - if not millions - of industrial organizations. Some of them are the lifelines to our modern society, like water, energy, food processing, and critical manufacturing - but every industrial facility deserves to know their process is secure and safe. With increased threats, new technology trends, and evolving workforce demands, it is vital for security managers in operational technology (OT) to be trained in techniques to defend their facilities and their teams.

The two-day ICS418 fills the identified gap amongst leaders working across critical infrastructure and OT environments. It equips new or existing managers responsible for OT/ICS or converged IT/OT cybersecurity. The course provides the experience and tools to address industry pressures to manage cyber risk to prioritize the business - as well as the safety and reliability of operations. ICS leaders will leave the course with a firm understanding of the drivers and constraints that exist in these cyber-physical environments and will obtain a nuanced understanding of how to manage the people, processes, and technologies throughout their organizations.

You Will Be Able To:

  • Articulate the value of ICS security and tie cyber risk to business risk decisions
  • Trend current and future technology changes to address business needs
  • Measure successes in industrial cyber risk management, complete with metrics for executives and boards
  • Use best practices to enable ICS security incident detection and response for their teams
  • Leverage external information, including threat intelligence, to guide their ICS security program
  • Provide governance, oversight, execution, and support across industrial facilities for ICS security initiatives and projects
  • Apply the differences between IT and ICS security for an effective control system cyber security program
  • Develop their security workforce to address gaps in hiring, training, and retention
  • Apply advanced techniques to help shape and shift their organization's culture of security

This Course Will Prepare You To:

  • Develop ICS-specific cybersecurity programs and measure their impact across the organization
  • Use management and leadership skills to communicate your ICS security vision to executives and other leaders
  • Build (and keep) your ICS security team, using forecasting, capability modeling, and workforce planning
  • Assess the overall effectiveness of your organization's industrial cyber risk management program
  • Manage the various constraints across IT, OT, engineering, and physical security to improve your organization's culture

What You Will Receive

  • A SANS ICS418 Windows Virtual Machine which will be utilized during course labs to demonstrate various techniques in ICS cyber program assessments
  • Access to Cyber42: Industrial Edition for management-based skills development with applicable business-oriented decision making
  • Editable leadership drills designed for students to build new strategy and program elements and continue their development long after the course ends

Syllabus (12 CPEs)

  • Overview

    Industrial control systems (ICS) security managers must be able to create and sustain cybersecurity programs with challenging constraints. These leaders must be able to manage industrial cyber risks, plan for evolving technologies, and incorporate ICS-specific security standards. On the first day, students will learn the differences between traditional information technology (IT) and operational technology (OT) systems, as well as the associated threats, vulnerabilities, and potential impacts from ICS-specific cyber attacks. Once these elements of industrial cyber risk are established, students will explore using industry best practices, guidelines, and standards to assess and measure ICS security programs.

    • Overview of ICS and Critical Infrastructure
    • Attack History & Modern Adversaries
    • Cybersecurity Risk, Impacts, Goals & Safety
    • ICS Technology Trends
    • IT and OT Security Differences
    • ICS Incident Response Management
    • Industrial Cyber Risk Management
    • ICS Policy, Frameworks, Regulations and Compliance
    • Strategy Planning & Tactical Priorities
  • Overview

    The second section of this course builds on the concepts around building an ICS security program and explores the workforce needs to manage the day-to-day tasks, planning, and reporting required to minimize cyber risk. Students will be equipped with a common understanding of the ICS security and safety culture, the skills required to perform various job functions, and both company-wide and team-specific security controls.

    • Governance, Oversight, Execution, and Support
    • Dedicated ICS Security Efforts & Measuring Value
    • Organization Roles & Responsibilities
    • Key Performance Indicators
    • Building & Maturing Effective ICS Security Teams
    • Building & Maturing ICS Cyber Defense Programs
    • ICS Security Awareness & Safety Culture
    • Executive Metrics and Communications


Students with backgrounds in IT, ICS, and/or management will do well with this course.

Students should also have:

  • A strong desire to lead people and manage processes to improve ICS security
  • Willingness to apply lab exercises and content to their unique industrial organization
  • The ability to stretch outside of their comfort zone

Laptop Requirements

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course. It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules. You also must have 8 GB of RAM or higher for the VM to function properly in the class, in addition to at least 60 gigabytes of free hard disk space.

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Other virtualization software, such as VirtualBox and Hyper-V, is not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 2.4 GHz CPU minimum or higher
  • USB Port
  • 8 GB RAM or higher
  • 60 GB free hard drive space
  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described above.
  • VMware Workstation, Fusion, or Player, as stated above
  • Wireless Ethernet 802.11 B/G/N/AC

Do not bring a laptop with sensitive data stored on it. SANS is not responsible if your laptop is stolen or compromised.

By bringing the right equipment and preparing in advance, you can maximize what you will learn and have a lot of fun.

Your course media will now be delivered via download. The media files for class can be large, some in the 10 - 20 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"Now, more than ever, it is important to train and equip ICS security leaders with the skills and knowledge they need to protect critical infrastructure. This course is the culmination of decades of experience in building and managing OT/ICS security teams - and it is the course we wish was available to us when we started on our ICS security journey. We've drawn across our roles in different industrial sectors and teams - as former company executives, team leads, incident responders, and managers - to create a course empowering leaders facing the greatest challenge of our time: industrial control system cybersecurity." - Jason D. Christopher & Dean C. Parsons
