SANS Security West 2021 is right around the corner! Choose from over 30 interactive courses, plus Core & Cyber Defense NetWars.


To attend this webcast, login to your SANS Account or create your Account.

DISC – SANS ICS Virtual Conference

  • Thurs April 30 DISC-SANS ICS NetWars Challege (1-9 pm ET) & Friday May 1 ICS Virtual Conference (10-6 pm ET)Friday, May 01, 2020 at 10:00 AM EDT (2020-05-01 14:00:00 UTC)
  • Tim Conway, Robert M. Lee, John Lavender, Sergio Caltagirone, Amy Bejtlich, Kate Vajda, Tom Van Norman, Dean Parsons, Jason D. Christopher, Jason Dely, Jeff Shearer

You can now attend the webcast using your mobile device!



SANS and Dragos join forces to provide a fully virtual conference on Friday May 1st open to the community to share technical insights, lessons learned, and best practices for ICS/OT cybersecurity presented by SANS Institute instructors and Dragos staff.

The content is focused around being widely acceptable for both IT Security and OT/ICS audiences and the theme is focused around education especially during times when many folks are at home and working remotely. Special focuses are being given in the talks to what work and efforts can be accomplished with minimal effort during slow down periods.

The DISC SANS ICS Virtual Conference will also host a NetWars CTF jointly developed by SANS and Dragos with 4-8 hours with of cyber defense and ICS network security related challenges on Thursday April 30. The winner will be announced at the conference and the answers provided to all attendees. Registration details coming soon.


10:00am - 10:30am - Welcome & Opening Remarks, Tim Conway & Robert M. Lee @robertmlee, Conference Co-Chairs

10:30am - 11:05am - The ICS Security Crucible: Forging Programmatic Armor and Weapons Jason Christopher, Principal Cyber Risk Advisor, Dragos Inc. and SANS Certified Instructor

When we think of cybersecurity, we often think of new technologies that can help us manage all the threats we hear about. That said, our industry also knows that technology cannot solve this problem alone. We further understand that cybersecurity capabilities are defined as a combination of technology, people (like you), and processes (including documentation!). These three ingredients, when merged together, make a powerful compoundand define successful ICS security programs. This presentation will introduce an "ICS Security Crucible" where you will combine people, processes, and technology to create custom-fitted armor and defenses for your industrial operations based on unique risks, associated impacts, budgets, and known threats. Leveraging real use-cases, participants will learn practical next steps in either creating or refining their ICS-specific security program. When we combine technology with the right people and robust processes, organizations create a strong culture of security and forge lasting legacies for critical infrastructure protection. And we sure could use more of that these days...

11:05am - 11:40am - ICS Ranges and DIY For Home Learning, Tom VanNorman, Director of Engineering Services, Dragos Inc

Are you thinking about building your own ICS Range, but you have no idea where to start? Whether you are looking to build something for personal enrichment, or you are looking to build something at work this talk will cover what you need to know to start your project. I will cover pros and cons of different configurations as well as provide you with firsthand knowledge of things that I found that work and do not work.

11:40am - 12:10pm - Break

12:10pm - 12:40pm - Cyber Physical Assessments, Dean Parsons @deancybersec, Instructor, SANS ICS515

12:40pm - 1:10pm - Operationalizing Threat Intelligence in ICS, Sergio Caltagirone, VP of Threat Intelligence, Dragos Inc., Amy Bejtlich, Director of Threat Intelligence, Dragos Inc.

Threat intelligence allows asset owners and operations to make better cybersecurity decisions for ICS/OT environments. However, it's not easy. In this presentation, we'll discuss how to consume and digest threat intelligence to make it usable, and your operations better than before. Do you need a "threat intelligence team?" How would you form one? Does your SOC need to know about threat intelligence? How do you measure the benefit of threat intelligence? We'll answer these questions and more.

1:10pm - 1:40pm - Evaluating ICS Vulnerabilities, Katherine Vajda, Senior Intelligence and Vulnerability Analyst, Dragos Inc.

Managing and understanding the risk of vulnerabilities within ICS is crucial in protecting the delivery of the function. In this presentation, we'll discuss highlights from the 2019 vulnerability year in review report, what we've learned about these vulnerabilities, and what you can do with this information. We'll go in-depth into our process and drivers for prioritizing and understanding the risks of vulnerabilities within ICS and how to get the best ROI on your efforts involving mitigation.

1:40pm - 2:40pm - Lunch

2:40pm - 3:25pm - Future Things: Simple Yet Effective ICS Cyber Attacks, Jason Dely and Jeff Shearer, SANS Institute, Instructors and ICS612 Co-Authors

ICS focused attacks have a sliding scale of impacts with the largest effect being hardware manipulation to cause product quality issues, product manufacturing disruption or the highest effect of all; loss of life. This presentation and demonstration will walk through some common attack objectives and interesting ways to achieve those goals by attacking the control system through the control system itself.

3:30pm - 4:10pm - Simple Wins During Slow Downs, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc.

Recent events have added some additional constraints to our ability as an industry to move ICS cyber security programs forward. How do we continue to identify and reduce cyber risk in our ICS environments when we cannot hire consultants or meet with vendors? As ICS operations team are actively working to minimize contact with the outside world, how do we add implement new technology or improve the security posture of our environments? In my presentation, I will detail several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk. Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues.

4:10pm - 4:45pm - Networking Break

4:45pm - 5:25pm - Electric Sector Incident Response, Tim Conway, SANS Institute

This talk will discuss current Incident Response requirements for North American Electric sector asset owners and operators, as well as some IR guidance beyond the current requirements. Looking forward we will also discuss the benefits and challenges that organizations need to consider in relation to the new CIP-008-6 Standard going into effect starting Jan 1 next year.

5:30pm - 6:10pm - ICS CTF Results and Answers, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc., Jon Lavender, Chief Technology Officer and Co-Founder, Dragos Inc.

Cyberville is in an isolated desert town fed only by a single sub-transmission line. The 4444 residents of Cyberville is largely made up of retirees who have come to the desert to escape from cold weather altogether. During the summer, the average high is over 102F, and without air-conditioning, the elderly residents of Cyberville are at risk. A microgrid has been created to protect the residents of Cyberville from high-winds or a lightning strike from cutting power to the town for an extended period. Cyberville's microgrid includes local power generation (solar, wind, and gas turbine), local energy storage, and automated switching. Cyberville's microgrid can disconnect and function independently during emergencies, supplying vital electricity to the local community.

We believe that an adversary has compromised the Cyberville microgrid network. You have been tasked with performing the incident response work on Cyberville's microgrid and removing the threat before it can put the lives of our residents at risk.

Speaker Bios

Tim Conway

Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

John Lavender

Jon Lavender is the Chief Technology Officer, head of engineering and Founder of the critical infrastructure cyber security company Dragos, Inc. In this role he is responsible for delivering the Dragos Platform and Customer Portal as well as the development of ICS/SCADA specific technologies as well as the technologies that enable the Dragos Threat Operations Center analysts to hunt advanced threats. His focus is on the automation of processes to help scale engineering, incident response and threat hunting efforts to cover a wide range of industries and networks.

Previously, Jon was a member of the National Security Agency where he led diverse teams in challenging environments experiencing both red and blue team type operations. Notably, he was lead of a hand-selected team tasked with developing analytics, tools, and best practices for identifying national-level cyber adversaries breaking into U.S. government and infrastructure networks. There he managed and built relationships with key partners around the U.S. Intelligence Community and its allied partners. Jon received his bachelors in Management Information Systems from Wake Forest School of Business and later his Masters in Cyber Security from the University of North Carolina at Charlotte.

Sergio Caltagirone

Sergio Caltagirone is the Vice President of Threat Intelligence at Dragos. He spends his days tracking hackers and his evenings chasing human traffickers. In 9 years with the US Government and 3 years at Microsoft, Sergio has hunted the most sophisticated targeted threats in the world, applying intelligence to protect billions of users while safeguarding civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He also serves as the Technical Director of the Global Emancipation Network, a non-profit, non-governmental organization (NGO), leading a world-class, all-volunteer team dedicated to ending human trafficking and rescuing victims through data science and analytics, saving tens of millions of lives.

Amy Bejtlich

Amy Bejtlich is a Director of Intelligence Analysis at Dragos, Inc. She has over 10 years of intelligence experience across multiple Intelligence Community (IC) disciplines including Signals Intelligence (SIGINT), Measures and Signatures Intelligence (MASINT), Counterterrorism, and Cyber Threat Intelligence. Amy began her career as an Intelligence Officer in the US Air Force, where she served as a Watch Officer for the Information Operations Center at Air Intelligence Agency. Following her military service, Amy joined the FBI as a counterterrorism analyst. After her federal service, Amy transitioned into cyber threat intelligence, first for a financial institution, then for a Fortune 15 telecommunications company.

Kate Vajda

Kate Vajda is a Senior Vulnerability Analyst for Dragos Intelligence Team. Kate analyzes public advisories for accuracy, understanding, and correction to feed Intelligence and the Platform. She also performs vulnerability research and assessments of software and hardware, as needed. Kate believes in leaving everything better than she found it with her top two priorities being process and automation.

Prior to Dragos, Kate was a senior security consultant at Secure Ideas, focusing on network penetration testing, architecture reviews, and security program maturity guidance. She also has 8 years experience at a Fortune 500 utility where she worked with several aspects of the company, including business, IT, OT, and security. She started her profession in a network research lab where she was free to explore technology and utilize different techniques for implementation and automation.

Kate is also an adjunct professor in the security program at a local college and a network admin for her local church. She spends her free time playing board games, breaking escape room records, organizing security conferences, and running or playing in CTFs.

Tom Van Norman

Tom is the Director of Engineering Services at Dragos, where he works on the Research and Development team building out Cyber Range capabilities. Tom has an extensive background in industrial controls and enjoys getting into the field and making things work. Prior to joining Dragos, Tom held various roles all focused on the operation, engineering and security of industrial control systems.

Tom started his career in the U.S. Air Force, eventually retiring with a total of 24 years between Active Duty, Reserves and Air Guard. He spent the last half of his service serving on a National Mission Team in a Cyber Operations Squadron. In addition to Dragos, Tom is the co-founder of the ICS Village and consults with SANS on the construction and operation of Cyber Ranges. The ICS Village is a non-profit educational organization that equips industry and policymakers to better defend industrial equipment through experiential awareness, education, and training.

Tom calls the Lehigh Valley Pennsylvania home with his six kids. In his spare time, he enjoys outdoor activities and riding motorcycles.

Dean Parsons

Dean Parsons is a SANS instructor for ICS515: ICS Active Defense and Incident Response, a member of the SANS/GIAC advisory board, an active member of the cybersecurity community, and OT Cyber Security Officer. With 20 years combined experience in IT, Industrial Control System cyber defense across the telecommunications to critical infrastructure sectors, Mr. Parsons lead's an active ICS Cybersecurity Program for an electric utility in Canada across facilities for generation (hydro, thermal, gas turbine), transmission and distribution.

As an ICS security practitioner and ambassador for safety and operational resilience, he frequently speaks at high-profile cybersecurity events across North America, and has a natural way of engaging his audience.

His enthusiasm in the field started at an early age writing ethical hacking tools on his custom compiled versions of Linux; password crackers, host-based intrusion detection systems, network sniffing tools, smart port scanners, kernel modules and exploits. Any given day Dean could be dissecting packets from plant operations, writing policies, or presenting to a board of directors.

Dean earned a bachelor’s degree in computer science from Memorial University of Newfoundland and holds the CISSP, GSLC, GCIA and GRID accreditations.

Jason D. Christopher

Jason D. Christopher is the Principal Cyber Risk Advisor at the industrial cybersecurity company Dragos, Inc., where he blends innovative approaches for risk management with state-of-the-art technology and services across the company’s product catalogue.

With over 15 years of experience in cybersecurity and industrial control systems, Jason offers critical infrastructure expertise in developing successful cyber risk strategies.

Prior to Dragos, Jason held multiple roles in industry as an executive leader, researcher, regulator, and engineer. As CTO of Axio, a cyber risk management SaaS company, he pioneered new cyber risk techniques for clients to measure and address their risk exposure. He previously led security metrics R&D at the Electric Power Research Institute where he worked directly with utilities on actionable measurement capabilities. While working for the United States government, Mr. Christopher spearheaded the energy sector strategy for the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Cybersecurity Capability Maturity Model (C2M2), and was the technical lead for the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.

Jason continues to focus on developing cybersecurity standards & best practices for critical infrastructure. He is a Certified Instructor for the SANS Institute & often presents at leading ICS security conferences. He was awarded Cybersecurity Leader of the Year in 2019 by the Energy Sector Security Consortium.

Formal Education

• Bachelor of Computer Engineering, Binghamton University

• Master of Electrical Engineering, Cornell University


• GCIP (GIAC Critical Infrastructure Protection)

Jason Dely

Jason Dely, SANS co-author of ICS612: ICS Cyber Security In Depth and instructor for ICS515: ICS Active Defense and Incident Response, has 20 years of operational, technical and security experience, spanning multiple industry verticals, such as power utility, water utility, oil and gas, manufacturing, mining and chemical. He contributes to developing and implementing technical components of the SANS ICS and SCADA product offerings. Jason is also the Principal Consultant and Founder at Northern Strong Security Inc., based in Ontario, Canada.

Jeff Shearer

Mr. Shearer is a member of the SANS Institute ICS team focused on developing courseware in support of the ICS curriculum. Jeffrey also acted as a Subject Matter Expert (SME) for the Global Industrial Cyber Security Professional (GICSP) certification and is a content contributor for ICS Netwars. He also participates as an advisory board member for the ICS Security Summit and Training events.

Prior to joining SANS Institute, Mr. Shearer worked at Rockwell Automation for twenty three years where his most recent role was a Sr. Security Architect for Rockwell Automation's Commercial Engineering group focused on network and security designs for Industrial Automation Control Systems (IACS) and Industrial Demilitarized Zones (IDMZ). Mr. Shearer was a contributing member of the Rockwell Automation and Cisco Systems Converged Plantwide Ethernet (CPwE) team where he participated in architecture design and validation efforts. He also co-authored publications such as Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture, Site-to-Site VPN to a Converged Plantwide Ethernet Architecture and Securely Traversing IACS Data across the Industrial Demilitarized Zone. 

Prior to joining the Rockwell Automation's Commercial Engineering team, Jeffrey was a Principal Security Consultant for Rockwell Automation's Network & Security Services where his consultancy targeted Automation, Industrial Control System (ICS), Distributed Control System (DCS) and SCADA asset owners. Jeffrey has also held the position of Product Manager, Controller Platform Security where he was responsible for security products provided by Rockwell Automation's ControlLogix business.

In addition to controller focused security initiatives, Jeffrey also represented Rockwell Automation to security bodies such as the Idaho National Labs (INL) Control Systems Cyber Security Vendor Forum, ISA-SP99, Manufacturing and Control Systems Security and Department of Homeland Security (DHS) Control System Security Program.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.