50+ Cyber Security Courses at SANS 2020 in Orlando! Save up to $150 thru 3/4.

ICS Europe 2019

Munich, Germany | Mon, Jun 24 - Sat, Jun 29, 2019
This event is over,
but there are more training opportunities.

Summit Agenda

Download the full Summit Agenda

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates.

Sunday 23rd June 2019

Pre-Summit Meet and Greet
This optional session offers the opportunity to meet and network with your fellow attendees the night before the Summit kicks off. We highly recommend you attend if possible.


Practical Experience in Bridging the IT/OT Gap: how we do it at a large Premium Automotive Manufacturer

How the data is correlated and integrated to make cybersecurity decisions. Consider how those cybersecurity decisions or recommendations can impact operations. How the program can and will expand to drive additional operational decisions.

Kai Thomsen, SANS Instructor

Monday 24th June 2019
08:00-08:45 Registration and Coffee
This is another great opportunity to meet, greet and interact with your peers so come down early.

Welcome and Introduction by Summit Chair
Tim Conway, Technical Director - ICS and SCADA programs, SANS Institute


ICS Down! It's Go Time.
This presentation will focus on performing Incident Response in an ICS environment, including the challenges and pitfalls that a responder may encounter. It will include examples of challenges identified during a real-world IR our team was involved in.
Christopher Robinson, Principal Consultant, Industrial Control Systems, Cylance


Engineer's worst day - How Murphy could keep his production running
This talk explores how to define the security posture from the SOC perspective for any banking institution in a practical and holistic way. It is based on the deep analysis of threats and adversaries by studying their strategy, tactics and operations. We will increase the prevention, as well as facilitate detection at the earliest stages to expedite reaction to fraud incidents to minimize their impact.
Daniel Buhmann, Business Unit Manager Security Solutions, KORAMIS GmbH


Extending an IT SOC to include critical OT/ICS systems.

The perspective and a real use case study of Airbus as an asset owner’

Tobias Kiesling, Head of OT Security at Airbus CyberSecurity
Falk Lindner, Industrial Cyber Security Expertise Services Lead at Airbus Operations

10:45-11:15 Networking Break: Drinks and snacks will be served

CYBERSECURITY FOR THE INDUSTRY 4.0 from the perspective of the energy CERT
Cybersecurity for all of us is a one of the key element in a business. We are now in the era of the Industry 4.0 with a lot of fancy equipment, nice and very useful tools. But what about security and safety? Are we prepared for potential risk or cyberattack? From the perspective of energy CERT cooperation is one of the key element of effective and efficient reaction to a cyber attack. The exchange of information about threats, vulnerabilities, and attacks provides organizations with the ability to quickly respond. A mature organization should have positions or teams responsible for cooperation, and indeed many institutions have a professional computer emergency response team that has Cyber Threat Intelligence among its competencies. In this presentation we’ll talk about practical ways that cooperation and the exchange of information can be put in place help protect Industry 4.0 organizations from real danger and disasters especially in the energy sector.
Jarek Sordyl, Deputy Director of Cybersecurity PSE

11:50-12:25 Attack Bifurcation: Trends in ICS Intrusions
This talk will explore a bifurcation in attacks observed over the past three years in ICS intrusions: a significant and dramatic shift by adversaries toward “living off the land” techniques for initial intrusion and propagation in target networks; followed by the development and deployment of complex malware for final attack execution. Attendees will emerge from this discussion both better informed on the ICS threat environment, and better able to respond to current ICS adversaries. Ultimately, this talk will emphasize the need for greater host-based visibility and behavior-focused detection to complement existing industry emphasis on network-centric anomaly detection.
Joe Slowik, Principal Adversary Hunter, Dragos

Networking Luncheon
Lunch is served onsite to maximize interaction and networking among attendees.

Exclusive Lunchtime talk by Indegy.
Five Ways to Ensure the Integrity of Your Industrial Operations

In recent months, there has been unprecedented disruption to industrial operations. With a broader community (that now includes third parties) accessing your OT network on more IIoT enabled devices, attaining the right security posture is increasingly challenging. Failure to adjust to this new reality exposes your organization to greater risk.

Join us for a revealing look at the top five things you need to know to help reduce the threats and risk that have found their way into industrial operations. This session will cover what you need to consider, options for how you can implement industrial security, and where you will see reduced costs and an increase in the efficiency of your industrial operations.

13:25-14:00 Using ICS/SCADA Honeypots - the right way!
Fake devices or networks (Honeypots) has been around for decades, but very few asset owners are actual using the technology. Why? The presentation will demonstrate the value of using Honey-pots in industrial networks and provide practical guidance on planning, preparing and deploying such devices. This presentation is built on 5 years of an intense working experience with deception technologies and will include a live- stage demo to inspire the attendees. This will allow attendees to consider engaging with honeypots into an arsenal of defence lines and be prepared when the bad guys knocks on the door.
Mikael Vingaard, Preparedness Manager, Energinet
14:00-14:35 Assessing [Industrial Cybersecurity] Assessments
This talk will analyse the different "parameters" that can be considered in the scope of any industrial cybersecurity assessment such as independence, safety, risk, vulnerabilities, 'penetration testing', cybersecurity testing in FAT, iFAT and SATs) and compare how the different players in the market usually approach them.
Samuel Linares, Managing Director - Europe & Latin America ICS Security Lead for Resources, Accenture
14:35-15:10 Building a national cyber security strategy
Denmark has started a Cyber security project for all the critical infrastructure that add on-top of the NIS directive. The government has given 1.5 billion DKK to the national cyber security program. This program includes a cyber security project for all the critical sectors in the NIS directive. In this session I will present how the how the Danish Energy Agency developed the cyber security strategy for the energy sectors in cooperation with representatives from the Energy sectors companies, and why this was important. In addition the session will also cover:
• Why NIS directive is only the start
• How and why Denmark made a cyber security strategy with joint cooperation
• What are the benefits for the energy companies and the government
• What and why is the initiatives (actions) in the strategy.

Søren Egede Knudsen, Chief Advisor, Danish Energy Agency
15:10-15:35 Networking Break: Drinks and snacks will be served

Key Takeaways from the New SANS 2019 State of OT/ICS
Cybersecurity Market Survey

Doug Wylie, Industry Practice Director, SANS
Jason Dely, ICS Practice Director and SANS ICS515 instructor, Cylance

15:50-16:25 Securing Large-Scale Industrial Networks
A real-world case study will present Europe’s largest manufacturing site mega-operational network: how its architecture developed, how the large network topology differs from that of small networks and what happens inside large- scale networks in terms of connectivity and traffic. The talk will further explain what vulnerabilities have been detected even in segmented areas of the network and what security tools and strategies have been adopted to eliminate them. Further, I’ll show how full and on-going OT network visibility has been achieved through continuous monitoring of 100% of the operational network traffic, and why it's critical to support the magnitude of assets and traffic of large-scale networks. Ultimately, our audience will learn about best ways to cost- effectively design and build future-proof, secure OT networks, no matter their size and complexity.
Ofer Shaked, Co-Founder & Chief Technology Officer, SCADAfence
16:25-17:00 OT Security Requirements vs. Real Life stories
Every day there is a lot learned on the front-lines from those who build, maintain and must protect today’s ICS. Sharing these experiences is valuable to help others better meet their objectives and avoid common pitfalls. The black and white approach to choosing between speed of implementation and security of end-result still today leads to embarrassing cases of risk negligence. This talk will double click on several real-life examples of how security is unnecessarily weakened, seemingly for the sake of OT system’s functionality and will explain how to marry the two.
Łukasz Maciejewski, Security Manager, Accenture
17:00-17:30 Closing Remarks by Summit Chair
Tim Conway, Technical Director, ICS and SCADA programs, SANS Institute

Monday 24 June - Evening Social Event

BBQ on the terrace for all attendees.

Social events and informal networking activities are hosted after the Summit. Sponsored by Nozomi Networks

Nozomi Networks Logo