
ICS Security Summit & Training 2018

Orlando, FL | Sun, Mar 18 - Mon, Mar 26, 2018

ICS456: Essentials for NERC Critical Infrastructure Protection

Wed, March 21 - Sun, March 25, 2018

The ICS456 class has extended hours on Day 1. The class will run from 9:00 am to 6:30 pm on Day 1.

The instructors are awesome, material & labs great. After 15 years of SANS courses, this is #1.

Jerry Ryome, LLNL

This course is amazing. For me it was perfect timing to help me better serve my clients in P&U sector.

Darryl Johnson, E&Y

The Essentials for NERC Critical Infrastructure Protection 5-day course empowers students with knowledge of the "what" and the "how" of the version 5/6 standards. The course addresses the role of FERC, NERC and the Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6 requirements with a balanced practitioner approach to both cybersecurity benefits and regulatory compliance.

Our 25 hands-on labs range from securing workstations to digital forensics and lock picking.

Course Syllabus

Tim Conway
Wed Mar 21st, 2018
9:00 AM - 6:30 PM


A transition is underway from NERC CIP programs that are well defined and understood to a new CIP paradigm that expands its scope into additional environments and adds significantly more complexity. In day 1 students will develop an understanding of the electric sector regulatory structure and history as well as an appreciation for how the CIP Standards fit into the overall framework of the reliability standards. Key NERC terms and definitions related to NERC CIP are reviewed using realistic concepts and examples that prepare students to better understand their meaning. We will explore multiple approaches to BES Cyber Asset identification and learn the critical role of strong management and governance controls. The day will examine a series of architectures, strategies, and difficult compliance questions in a way that highlights the reliability and cybersecurity strengths of particular approaches. Unique labs will include a scenario-based competition that helps bring the concepts to life and highlights the important role we play in defending 'the grid.'

CPE/CMU Credits: 7

  • Regulatory History and Overview
  • NERC Functional Model
  • NERC Reliability Standards
  • CIP History
  • Terms and Definitions
  • CIP-002: BES Cyber System Categorization
  • CIP-003: Security Management Controls

Tim Conway
Thu Mar 22nd, 2018
9:00 AM - 5:00 PM


Strong physical and cyber access controls are at the heart of any good cybersecurity program. During day 2 we move beyond the "what" of CIP compliance to understanding the "why" and the "how." Firewalls, proxies, gateways, IDS and more - learn where and when they help, and learn practical implementations to consider and designs to avoid. Physical protections include more than fences, and you'll learn about the strengths and weaknesses of common physical controls and monitoring schemes. Labs will reinforce the learnings throughout the day and will introduce architecture review and analysis, firewall rules, IDS rules, compliance evidence demonstration, and physical security control reviews.

CPE/CMU Credits: 6

  • CIP-005: Electronic Security Perimeter(s)
  • Interactive Remote Access
  • External Routable Communication and Electronic Access Points
  • CIP-006: Physical Security of BES Cyber Systems
  • Physical Security Plan
  • Visitor Control Programs
  • PACS Maintenance and Testing
  • CIP-014: Physical Security

Tim Conway
Fri Mar 23rd, 2018
9:00 AM - 5:00 PM


CIP-007 has consistently been one of the most violated Standards going back to CIP version 1. With the CIP Standards moving to a systematic approach with varying requirement applicability based on system impact rating, the industry now has new ways to design and architect system management approaches. Throughout day 3, students will dive into CIP-007. We'll examine various Systems Security Management requirements with a focus on implementation examples and the associated compliance challenges. This day will also cover the CIP-010 requirements for configuration change management and vulnerability assessments that ensure systems are in a known state and under effective change control. We'll move through a series of labs that reinforce the topics covered from the perspective of the CIP practitioner responsible for implementation and testing.

CPE/CMU Credits: 6

  • CIP-007: System Management
  • Physical and Logical Ports
  • Patch Management
  • Malicious Code Prevention
  • Account Management
  • CIP-010: Configuration Change Management and Vulnerability Assessments
  • Change Management Program
  • Baseline configuration methodology
  • Change management alerting / prevention

Tim Conway
Sat Mar 24th, 2018
9:00 AM - 5:00 PM


Education is key to every organization's success with NERC CIP, and the students in ICS 456 will be knowledgeable advocates for CIP when they return to their place of work. Regardless of their role, each student can be a valued resource to their organization's CIP-004 training program and CIP-011 information protection program. Students will be ready with resources for building and running strong awareness programs that reinforce the need for information protection and cybersecurity training. In day 4 we'll examine CIP-008 and CIP-009, covering identification, classification and communication of incidents as well as the various roles and responsibilities needed in an incident response or a disaster recovery event. Labs in day 4 will introduce tools for ensuring file integrity and sanitization of files to be distributed, how to best utilize and communicate with the E-ISAC, and how to preserve incident data for future analysis.

CPE/CMU Credits: 6

  • CIP-004: Personnel & Training
  • Security Awareness Program
  • CIP Training Program
  • PRA Evaluation Process
  • CIP-011: Information Protection
  • Information Protection Program
  • Data Sanitization
  • CIP-008: Incident Reporting and Response Planning
  • Incident Response Plan/Testing
  • Reporting Requirements
  • CIP-009: Recovery Plans for BES Cyber Systems
  • Recovery Plans
  • System Backup

Tim Conway
Sun Mar 25th, 2018
9:00 AM - 5:00 PM


On the final day students will learn the key components for running an effective CIP Compliance program. We will review the NERC processes for standards development, violation penalty determination, Requests For Interpretation, and recent changes stemming from the Reliability Assurance Initiative. Additionally, we'll identify recurring and audit-related processes that keep a CIP compliance program on track: culture of compliance, annual assessments, gap analysis, TFEs, and self-reporting. We'll also look at the challenge of preparing for NERC audits and provide tips on being prepared to demonstrate the awesome work your team is doing. Finally, we'll look at some real-life CIP violations and discuss what happened and the lessons we can take away. At the end of day 5 students will have a strong call to action to participate in the ongoing development of CIP within their organization and in the industry overall, as well as a sense that CIP is doable! Labs in day 5 will cover DOE C2M2, audit tools, and an audit-focused take on a 'blue team - red team' exercise.

CPE/CMU Credits: 6

  • CIP Processes for Maintaining Compliance
  • Preparing for an Audit
  • Audit Follow Up
  • CIP Industry Activities
  • Standards Process
  • CIP of the Future

Additional Information

"This is best-in-class NERC CIP training. The courseware provides valuable compliance approaches and software tools for peer collaboration to build consent on implementation." - Jeff Mantong, WAPA

"An excellent course that identifies CIP implementation through audit response." - Kevin Money, Iroquois Gas

"Best CIP training I've ever had in all my years of the CIP program." - Michael Veillon, Cleco

"Great class. I would like to send my entire staff." - Erik Weinmeister, Nebraska Public Power District

"Valuable information in a classroom setting you can't get anywhere else." - Tiffany Applegate, Western Area Power Administration (WAPA)

"Excellent information - very helpful to our program." - Melanie Thigpen, GE

"This is a course that has been needed for a long time." - Mike Weld, Burns & McDonnell

NOTE: It is critical that students have administrator access to the operating system and all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

  • 64-bit system
  • Laptop with Windows 7 or higher installed on the host or in a Virtual Machine
  • Laptop with at least one USB port
  • Laptop must include Wireless capabilities
  • Latest VMware Player (11 or higher) or VMware Workstation (11 or higher)
  • Ability to disable all security software on your laptop, including antivirus and/or firewalls
  • At least 100 GB of hard-drive space
  • At least 6 GB of RAM (8 GB recommended)

If you have additional questions about the laptop specifications, please contact

Individuals with CIP responsibilities in the following areas:

  • IT and OT (ICS) cybersecurity
  • Field support personnel
  • Security operations
  • Incident response
  • Compliance staff
  • Team leaders
  • Governance
  • Vendors / Integrators
  • Auditors

Day 1

  • Virtual Machine Setup - Windows, Kali Linux, and Security Onion VM will be utilized throughout the 5-day course
  • Checkpoint exercise - ensure familiarity with NERC website for locating standards, entity registrations, Functional Model, Glossary of Terms
  • Protocol Primer - uses Wireshark to analyze packet captures
  • Analysis of Facility Environments - walk through assets owned by a fictional company to determine in-scope assets and approaches to generation segmentation
  • CSET Facility Assessment - utilizes the ICS-CERT's Cybersecurity Evaluation Tool (CSET) to perform a self-assessment on a model network compared to industry standards including NERC CIP
  • Kaspersky Industrial Protection Simulation (KIPS) - Electric sector "make your own adventure" simulation that challenges students to secure and ensure ongoing operations of a fictional combined cycle gas turbine power plant

Day 2

  • Wireshark Analysis and Network Visualization - Utilizes Wireshark to analyze real packet captures from an ICS environment and introduces the Dragos Security CyberLens tool, which can be used to passively discover ICS assets and visualize their network placement and communications
  • Firewall Rule Development and Analysis - utilizes the Common Open Research Emulator (CORE) to emulate a live network and to understand the effect of firewall rules on the network communications
  • ICS Signatures and Alerting - Utilizes the Sguil (pronounced squeal) network security monitoring tool to create event-driven IDS alerts when replaying pcap packet captures from an ICS environment
  • Breach of Physical Controls - learn the basics of lock picking with your very own clear padlock and pick tool set
  • Physical Security Review and Response Exercise - analysis of physical security camera images and perimeter access logs to identify potential security and compliance problems

Day 3

  • Windows System Assessment - utilize a number of tools including Windows Baseline Security Analyzer, NetStat and Windows Firewall Configurator to analyze the security posture of a provided Windows VM
  • Validating Findings and Demonstrating Impact - Utilizes the provided Kali Linux VM and red-team favorite tools such as Cain & Abel, remote desktop, and the Metasploit Framework to gain unauthorized access to the Windows VM, demonstrating the risks of insecure configuration
  • System Hardening - Learn from the red team's actions and use a number of native Windows tools to harden the Windows VM and prevent future exploitation
  • System Log Management - Use Splunk Enterprise to analyze a Windows event log to identify events of interest
  • Basic Change Management from the Command Line - Utilize hashing techniques and Tripwire to identify system file and configuration changes
  • Vulnerability Assessment Tool Capability - Gain familiarity with Nmap, SNMP and the OpenVAS vulnerability scanning framework

Day 4

  • Information Leakage Awareness - You walk through creating a Shodan account and utilizing it to discover all sorts of interesting internet-connected devices
  • Steganography Lab - Use the S-Tools application to conceal and identify data hidden in plain sight to understand the risk of data exfiltration in your environment
  • Yara Introduction - Learn the basics of Yara, the "Pattern Matching Swiss Knife for Malware," utilizing indicators of compromise (IOCs) to detect malware in memory images
  • Incident Response TTX - Walk through a tabletop exercise that you can take back to your organization to play with your larger team to test incident response capability and security policy/plan effectiveness
  • Forensic Data Preservation - Use FireEye's free Redline tool to learn how to collect and analyze forensic data and the FTK Imager tool to create a system image for data preservation

Day 5

  • Auditor Tools - NERC CIP auditors utilize NP-View to analyze your environment and you should too! In this lab you'll analyze firewall configurations for an example electric entity to determine and visualize network communications
  • PowerShell - Learn the basics and get an appreciation for the power of PowerShell for task automation and configuration management
  • Auditor / Defender - Whether you play the role of auditor or audited entity, this exercise will challenge your NERC CIP knowledge and ability to present material to tell a compelling story of compliance

"The lecturers have an intimate knowledge of cybersecurity and the CIP standards and are able to answer the questions posed by students, including the highly technical and detail-oriented." - Aaron Clark-Ginsberg, U.S. Department of Homeland Security Cybersecurity Postdoctoral Scholar at Stanford. Read the full review at

Author Statement

The SANS ICS456: NERC Critical Infrastructure Protection Essentials course was developed by SANS ICS team members with extensive electric industry experience including former Registered Entity Primary Contacts, a former NERC officer, and a Co-Chair of the NERC CIP Interpretation Drafting Team. Together the authors bring real-world, practitioner experience gained from developing and maintaining NERC CIP and NERC 693 compliance programs and actively participating in the standards development process.