Kai Thomsen

Kai has worked in a wide range of IT security roles for more than 15 years, with particular expertise in industrial control systems (ICS) and incident response. Currently, he is the Director of Global Incident Response Services at Dragos, Inc., where he leads a team of ICS incident responders and threat hunters. Kai is a Certified Instructor for the SANS course ICS515: ICS Active Defense and Incident Response and holds the GIAC Response and Industrial Defense (GRID) certification. Kai has handled many ICS incident response cases throughout his career. Of particular note is his work relating to the unprecedented Stuxnet malware incident in 2010. He has a master's degree in computer science, as well as a master’s in English and American literature from the University of Siegen. Kai was the 2019 recipient of the SANS ICS Cybersecurity Difference Maker Award in the Europe, Middle East and Africa Region.

More About Kai

Profile

Long before he got into ICS security, Kai was always interested in computers, especially when he understood how they interacted with the real world. This interaction led him to a career in cybersecurity. Kai worked for 12+ years in the steel industry at the engineering company SMS Group, where he designed and implemented defensible LANs for enterprise and ICS environments in-house, as well as for customer industrial plants. While working in the steel industry, Kai also delved into Network Security Monitoring and Digital Forensics and Incident Response (DFIR), building security monitoring solutions for company and customer sites and performing incident response in Europe, Asia, and the United States.

After developing invaluable security skills in the steel industry, Kai moved to the auto sector and was the Senior DFIR Analyst at premium automaker Audi AG. He played a key role in establishing a modern cyber defense team at Audi AG to protect the enterprise, its ICS, and its connected car infrastructure. His leadership led to the creation of IT continuity processes, methods, and organization at Audi.

In early 2020, Kai took on his most challenging and rewarding role as Director of Global Incident Response Services at Dragos, Inc., where he leads a team of ICS incident responders and threat hunters. Dragos Founder and CEO, Robert M. Lee is the author of the ICS515: ICS Active Defense and Incident Response course that Kai teaches for SANS. Kai notes that his Dragos team is able to directly apply the same methods and techniques he teaches in ICS515, giving him immediate feedback on what works and what needs improvement. In turn, this allows him to impart the most current methodologies and practices to his ICS515 students.

Kai is acutely aware of the need for experts in ICS security, as he has witnessed firsthand serious ICS security incidents one after the other during his career. There are far too few practitioners in the field to handle these risks, which is why Kai wants to pass on his knowledge to students in order to recruit more people into the field. Kai feels that the best contribution he can make to the industry is to train students who then successfully manage incidents because of what they learned in his class.

Feedback from ICS515 students confirm that Kai is getting the job done. As one former in ICS515 student says, Kai “gives an excellent overview and case studies – all current, all relevant and all useful.” Another student notes that Kai “builds on real-experiences [with] great material, which is usable, not just academic theory.”

One story you’re sure to hear in Kai’s class is about his first serious ICS incident response case: the Stuxnet infection in 2010. Sites in his area of responsibility became collateral damage in this first national state-level attack against an ICS system. However, to hear the full story, Kai says you’ll need to take his class! This experience shaped Kai’s career and showed him how easily industrial sites and critical infrastructures can fall victim to cyberattacks – all the more reason for him to share his experiences and findings with others. Kai believes that, with the right knowledge and training, ICS defenders can gain the upper hand against adversaries.

Kai was the 2019 recipient of the SANS ICS Cybersecurity Difference Maker Award in the Europe, Middle East and Africa Region. This award honors an individual who makes a significant difference by increasing awareness of cybersecurity threats to the region’s critical infrastructure and working to mitigate those threats through technical and educational contributions to the community. To earn the award, Kai had to demonstrate world-class ICS skills, teamwork and collaboration with the ICS community, a passion for progress, innovation and change, and dignity and compassion for others.

Kai is a sought-after speaker who has presented at security conferences such as S4 Europe, CS3STHLM, Troopers, ISF, S4xMiami and SIGS SCADA in Switzerland. In the past, he has chaired the SANS Automotive Cybersecurity Summit and the SANS ICS Europe Summit.

On a personal note, Kai likes to travel the world, especially mountainous regions for climbing, hiking, mountain biking. Were he to have more free time, Kai would love to fly hot air balloons again, one of his thrilling experiences that he greatly misses.

Here is a SANS ICS Webcast Presentation by Kai Thomsen:

ADDITIONAL CONTRIBUTIONS BY KAI THOMSEN:

WEBCASTS

SANS @MIC Talk - Incident Response in ICS in times of Lockdown, May 2020

ICS515 update: what’s new in the course and why detection and response in ICS is more important than ever, February 2020

ICS Active Defense Primer, June 2019

ICS Active Defense Primer Part 2, May 2018

Securing Connected Vehicles – what you need to know, April 2018

PRESENTATIONS

Attacking Cars Revisited, CS3STHLM 2018