Interactive Courses + DFIR NetWars Available During SANS Cyber Security Central in June. Save $300 thru 5/12.


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Sorry, the slides for this webcast are not available for download.

ICS Solutions Forum

  • Thursday, October 1st | 9:00 AM - 12:30 PM CDTThursday, October 01, 2020 at 10:00 AM EDT (2020-10-01 14:00:00 UTC)
  • Don Weber, Trevor Houck, Ian Schmertzler, Jack Marsal, Sam Van Ryder, Alessandro Di Pinto, Chris Grove


  • Armis
  • Dispel
  • Revolutionary Security
  • Dragos, Inc.
  • Nozomi Networks

You can now attend the webcast using your mobile device!





Forum Format: Virtual

Event Overview

How can organizations prepare their IT and OT teams to be ready for security incidents? What are the techniques and tools the teams can use to improve the identification, containment, and eradication of suspicious or malicious activities to improve response times and reduce recovery efforts? This briefing will explore these questions through invited speakers while showcasing current capabilities available today. Vendor presentations will focus on case-studies and specific capabilities that may improve communication and response activities during an actual security incidents.


9:00 - 9:20 AM CDT - Welcome & Keynote

Don Weber, @cutaway, Chairperson, SANS Institute

Most organizations focus their information technology (IT) and operational technology (OT) teams on securing the control network and gathering as much information as possible. The tasks associated with improving brown field environments or engineering green field environments with the appropriate design requirements typically necessitates a large investment in project work hours. Solutions are often a conglomeration of technologies that are stitched together by sweat, creativity, and ingenuity. The end result is an influx of information that needs to be stored, correlated, analyzed, and monitored. The result is actionable intelligence that allows leadership to make informed decisions and improve the organizations security program in line with the direction and goals of the control network.

Many organizations would consider this a success, and it is. But this influx of information will, eventually, lead to the identification of anomalous events. These events will lead to the identification of malicious activity. What does your team do now? The incident responses plans for most organizations are geared to their corporate environment and assets. They are not consistent with the technologies and operational requirements of the control network. Organizations that fail to prepare their team to handle actual security incidents will experience increased downtime and difficulties returning to 100 percent production. Response and recovery is just as important to an organization as the deployment of technologies designed for prevention and identification.


9:20 - 9:55 AM CDT - Faster, Cheaper, Better: Why Companies Should Embrace IT/OT Security Operations Centers

Trevor Houck, Lead, OT Network Defense Services, Revolutionary Security - Part of Accenture Security, @RevSec

When it comes to Operational Technology (OT), traditional security monitoring and response operations are no match against evolving cybersecurity threats. Even the latest tools and technology are not enough. What many organizations have found successful is using a well-structured joint SOC model that combines IT and OT environments. This aggregate approach allows both environments to benefit from the tools and technology, threat intelligence sources, and talented staff employed by an organization. The result is a streamlined security incident response process, reduction in duplicated efforts, and improved collaboration.


9:55 - 10:30 AM CDT - Remote Access to SCADA Systems: Designs That Make it Worthwhile & How to Get Them Approved

Ian Schmertzler, President, Dispel, @DispelHQ

Remote access is an operational efficiency and crew safety tool with a cybersecurity problem. This is SANS, so we are going to show you how to identify and fix this cyber problem so your firm can start benefitting from remote access again. From a security perspective, we will be covering the new (MTD networks and disposable infrastructure), the old (static VPNs, MPLS, UDP hole punching, and multi-tenanted systems), and the just plain ugly (on-prem systems with static portals and mailed laptops). From an operational perspective, we will be covering how to get remote access deployments through the committees where such initiatives tend to die.


10:30 - 10:40 AM CDT - Break & Trivia Game


10:40 - 11:15 AM CDT - Analyzing & Preventing ICS Attacks with the MITRE ATT&CK for ICS Knowledgebase

Jack Marsal, Director, Product Marketing, Armis, @ArmisSecurity

The typical ICS environment is no longer the impregnable air-gapped network that it once was. It has been connected to the enterprise network, to the Internet, and to business partners who provide remote support. So while the traditional Purdue reference architecture is still the model, in most real-world environments it has lost its integrity. Attackers can find their way into your OT environment through new connected devices and converging networks.

The new MITRE ATT&CK for ICS knowledgebase can help security managers understand the tactics and techniques that attackers use to gain access to industrial control systems.


11:15 - 11:50 AM CDT - Detecting and Understanding Unusual Network Activity in a Plant Environment

Sam Van Ryder, @SamVR, Director of Strategic Accounts, Dragos, Inc., @DragosInc

Plants were originally designed with the primary objective of reliable output, with safety and resilience coming in a very close second. As organizations continue to evolve their plants through transformational projects, or build new facilities, one thing is clear: interconnectivity and automation are inevitable. With this comes the need to understand the environment and establish baselines and norms in order to continue to ensure safe and reliable output. This presentation will walk through a case study leveraging tools to identify assets on a plants network, understand potential threats, and guide response in the event of an incident.


11:50 AM - 12:25 PM CDT - OT/IoT Security Threat Report 2020

Chris Grove, Technology Evangelist, Nozomi Networks, @NozomiNetworks

Alessandro Di Pinto, @adipinto, Security Research Manager, Nozomi Networks, @NozomiNetworks

Learn about the most active threats seen in 2020, including IoT malware, ransomware, and COVID-19-themed malware. Gain insight into their tactics, and recommendations for securing OT/IoT networks.


12:25 - 12:30 PM CDT - Closing Statement & Trivia Winner Announced


Oil & Gas Cybersecurity Summit & Training

Summit: October 2 | Training: October 5-10

The SANS Oil & Gas Cybersecurity Summit will bring leading experts together to discuss industry trends, challenges, and opportunities. Theyll address recent attacks and current threats, integrated IT/OT security operations, best practices, and lessons learned to benefit the community.

Explore a diverse range of topics, including:

  • Incident response workflows, from detection to recovery
  • Security in the supply chain: upstream, midstream, and downstream
  • Ever-flattening architecture and the security effects 
  • Security key performance indicators (KPIs) and dashboards
  • Security Operation Centers (SOCs) for the new integrated enterprise

View Summit Agenda & Register


Speaker Bios

Don Weber

Don C. Weber has devoted himself to the field of information security since 2002. He has extensive experience in security management, physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response and digital forensics, product research, code review, and security tool development. He is currently focusing on assisting organizations secure their business and Industrial Control System environments through program reviews, security assessments, penetration testing, and training.

Don's past experiences encompass a wide variety of responsibilities. Senior manager of the incident response team and acting Director of the vulnerability / risk management program for a large media organization. Senior security consultant for a boutique security consultancy where he focused on penetration testing, hardware analysis, and wireless research of ICS technologies used in the energy sector. Senior consultant for an emergency response team providing incident response and forensic services to large, international corporations.

Trevor Houck

Trevor is a Senior Security Consultant and the OT Network Defense Services Lead for Revolutionary Security. His experience includes comprehensive cybersecurity consulting services across a myriad of industry verticals. He is primarily responsible for assisting clients improve their network defense capabilities within their operational technology environments. Activities include unifying SOC functions within IT and OT environments, improving and aggregating logging and monitoring capabilities, defining incident response activities, reviewing architecture design, and performing other security related functions.

Prior to Revolutionary Security, Trevor worked with both IT and OT infrastructure within the electric utility, nuclear, and oil & gas industries. Experience includes creating analyst level workstreams, IT/OT SOC technology and process integration, and development and delivery of advanced incident response training. Ongoing consulting initiatives include IT/OT convergence efforts and enhancing grid security monitoring functions. Additional experience includes penetration testing and vulnerability management activities for ICS environments, including a multi-year global effort to bring awareness of ICS security risk across a Fortune 50 organization.

Trevor holds a Master of Science degree in Cybersecurity from the University of Maryland, as well as a Bachelor of Science and associate's degree in Information Sciences & Technology from Pennsylvania State University. His certifications include SANS GRID, SANS GICSP, Security+, and BOSIET.

Ian Schmertzler

By profession, Ian is the President and one of the Founders of Dispel. By training, he is an industrial engineer. Ian’s focus is on making processes efficient at scale. Ian holds an MSc from Georgia Tech and a BA from Yale. He is the Vice President of the National Defense Industry Association’s New York Chapter.

Jack Marsal

Sam Van Ryder

Sam Van Ryder is the Director of Strategic Accounts at Dragos. In this role he works with Dragos’ most sizeable and complex customer environments and their OT security strategies. His career started as a Mechanical Engineer with several years of experience designing various systems from robotic assembly tools to hydro plant environments and aircraft systems. For the past 20 years, he has spent his time first in IT networks in a security sales role, and then realizing his true passion of OT security while working with some of the largest O&G customers on incidents in plants and supporting technologies and services. Sam resides in Houston, Texas where he is an active Board Member of InfraGard Houston, the nation’s largest InfraGard chapter and a co-founder of HOU.SEC.CON, the largest local security conference going into its 10th year.

Alessandro Di Pinto

Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research paper “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.

Chris Grove

Chris brings more than 25 years of cybersecurity experience with deep knowledge of IT, OT and IoT networks and mission-critical infrastructure. His prior experience includes managing large, critical and complex security projects around the world for customers of leading IT and OT security vendors. Security executives turn to Chris for his expertise in almost every sector including commercial, government, defense, law enforcement, and the intelligence community.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.