This webcast has been archived.

DISC – SANS ICS Virtual Conference

  • Thurs April 30 DISC-SANS ICS NetWars Challenge (1-9 pm ET) & Friday May 1 ICS Virtual Conference (10-6 pm ET)
  • Friday, May 01, 2020 at 10:00 AM EDT (2020-05-01 14:00:00 UTC)
  • Tim Conway, Robert M. Lee, Jon Lavender, Sergio Caltagirone, Amy Bejtlich, Kate Vajda, Tom Van Norman, Don C. Weber, Jason D. Christopher, Jason Dely, Jeff Shearer, Austin Scott

This virtual conference will be held over Zoom due to the size of the audience (multiple thousand). SANS has evaluated the claims around Zoom's security and has found, collectively with our national partners, Zoom's response to the concerns to be appropriate.

It is our assessment that even though there were valid concerns about Zoom, the company has responded accordingly to resolve the situation. SANS also found a significant level of misinformation about Zoom's security. More information about our Zoom security assessment can be viewed in this webcast. However, SANS will configure Zoom so that participants can use the web client if they do not want to install the Zoom application on their systems.

We feel confident in our platform choice and look forward to your participation in the virtual conference.

IMPORTANT: We strongly suggest that attendees read the event detail information document here.

SANS and Dragos join forces to provide a fully virtual conference on Friday May 1st open to the community to share technical insights, lessons learned, and best practices for ICS/OT cybersecurity presented by SANS Institute instructors and Dragos staff.

The content is designed to be widely acceptable to both IT Security and OT/ICS audiences, and the theme is education, especially during times when many folks are at home and working remotely. The talks give special focus to the work that can be accomplished with minimal effort during slowdown periods.

The DISC SANS ICS Virtual Conference will also host a NetWars CTF jointly developed by SANS and Dragos, with 4-8 hours of cyber defense and ICS network security related challenges, on Thursday April 30. The winner will be announced at the conference and the answers provided to all attendees. Registration is now open through your SANS Portal account.


10:00am - 10:30am - Welcome & Opening Remarks, Tim Conway & Robert M. Lee @robertmlee, Conference Co-Chairs

10:30am - 11:05am - The ICS Security Crucible: Forging Programmatic Armor and Weapons, Jason Christopher, Principal Cyber Risk Advisor, Dragos Inc. and SANS Certified Instructor

When we think of cybersecurity, we often think of new technologies that can help us manage all the threats we hear about. That said, our industry also knows that technology cannot solve this problem alone. We further understand that cybersecurity capabilities are defined as a combination of technology, people (like you), and processes (including documentation!). These three ingredients, when merged together, make a powerful compound and define successful ICS security programs. This presentation will introduce an "ICS Security Crucible" where you will combine people, processes, and technology to create custom-fitted armor and defenses for your industrial operations based on unique risks, associated impacts, budgets, and known threats. Leveraging real use-cases, participants will learn practical next steps in either creating or refining their ICS-specific security program. When we combine technology with the right people and robust processes, organizations create a strong culture of security and forge lasting legacies for critical infrastructure protection. And we sure could use more of that these days...

11:05am - 11:40am - ICS Ranges and DIY For Home Learning, Tom VanNorman, Director of Engineering Services, Dragos Inc

Are you thinking about building your own ICS Range, but you have no idea where to start? Whether you are looking to build something for personal enrichment or something at work, this talk will cover what you need to know to start your project. I will cover the pros and cons of different configurations as well as provide you with firsthand knowledge of things that I found that work and do not work.

11:40am - 12:10pm - Break

12:10pm - 12:40pm - Analyzing OT Radio Implementations for Attack Surfaces, Don C. Weber @cutaway, Instructor SANS ICS410 & HOSTED: Assessing and Exploiting Control Systems

Security assessments help an organization understand the strengths and weaknesses of a technology. Technologies that provide public access to an environment, particularly those with operational technologies, deserve a very close look. This presentation will focus on reviewing the capabilities of a wireless gateway, identifying the potential attacks on the technology, and outlining the methods to mitigate the threats.

12:40pm - 1:10pm - Operationalizing Threat Intelligence in ICS, Sergio Caltagirone, VP of Threat Intelligence, Dragos Inc., Amy Bejtlich, Director of Threat Intelligence, Dragos Inc.

Threat intelligence allows asset owners and operations to make better cybersecurity decisions for ICS/OT environments. However, it's not easy. In this presentation, we'll discuss how to consume and digest threat intelligence to make it usable, and your operations better than before. Do you need a "threat intelligence team?" How would you form one? Does your SOC need to know about threat intelligence? How do you measure the benefit of threat intelligence? We'll answer these questions and more.

1:10pm - 1:40pm - Evaluating ICS Vulnerabilities, Katherine Vajda, Senior Intelligence and Vulnerability Analyst, Dragos Inc.

Managing and understanding the risk of vulnerabilities within ICS is crucial in protecting the delivery of the function. In this presentation, we'll discuss highlights from the 2019 vulnerability year in review report, what we've learned about these vulnerabilities, and what you can do with this information. We'll go in-depth into our process and drivers for prioritizing and understanding the risks of vulnerabilities within ICS and how to get the best ROI on your efforts involving mitigation.

1:40pm - 2:40pm - Lunch

2:40pm - 3:25pm - Future Things: Simple Yet Effective ICS Cyber Attacks, Jason Dely and Jeff Shearer, SANS Institute, Instructors and ICS612 Co-Authors

ICS-focused attacks have a sliding scale of impacts, with the largest effect being hardware manipulation to cause product quality issues, product manufacturing disruption or the highest effect of all: loss of life. This presentation and demonstration will walk through some common attack objectives and interesting ways to achieve those goals by attacking the control system through the control system itself.

3:30pm - 4:10pm - Simple Wins During Slow Downs, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc.

Recent events have added some additional constraints to our ability as an industry to move ICS cyber security programs forward. How do we continue to identify and reduce cyber risk in our ICS environments when we cannot hire consultants or meet with vendors? As ICS operations teams are actively working to minimize contact with the outside world, how do we implement new technology or improve the security posture of our environments? In my presentation, I will detail several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk. Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues.

4:10pm - 4:45pm - Networking Break

4:45pm - 5:25pm - Electric Sector Incident Response, Tim Conway, SANS Institute

This talk will discuss current Incident Response requirements for North American Electric sector asset owners and operators, as well as some IR guidance beyond the current requirements. Looking forward we will also discuss the benefits and challenges that organizations need to consider in relation to the new CIP-008-6 Standard going into effect starting Jan 1 next year.

5:30pm - 6:10pm - ICS CTF Results and Answers, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc., Jon Lavender, Chief Technology Officer and Co-Founder, Dragos Inc.

Cyberville is an isolated desert town fed only by a single sub-transmission line. The 4444 residents of Cyberville are largely retirees who have come to the desert to escape from cold weather altogether. During the summer, the average high is over 102F, and without air-conditioning, the elderly residents of Cyberville are at risk. A microgrid has been created to protect the residents of Cyberville from high winds or a lightning strike cutting power to the town for an extended period. Cyberville's microgrid includes local power generation (solar, wind, and gas turbine), local energy storage, and automated switching. Cyberville's microgrid can disconnect and function independently during emergencies, supplying vital electricity to the local community.

We believe that an adversary has compromised the Cyberville microgrid network. You have been tasked with performing the incident response work on Cyberville's microgrid and removing the threat before it can put the lives of our residents at risk.

Speaker Bios

Tim Conway

Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid; he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Jon Lavender

Jon Lavender is the Chief Technology Officer, head of engineering and Founder of the critical infrastructure cyber security company Dragos, Inc. In this role he is responsible for delivering the Dragos Platform and Customer Portal, for the development of ICS/SCADA specific technologies, and for the technologies that enable the Dragos Threat Operations Center analysts to hunt advanced threats. His focus is on the automation of processes to help scale engineering, incident response and threat hunting efforts to cover a wide range of industries and networks.

Previously, Jon was a member of the National Security Agency where he led diverse teams in challenging environments experiencing both red and blue team type operations. Notably, he was lead of a hand-selected team tasked with developing analytics, tools, and best practices for identifying national-level cyber adversaries breaking into U.S. government and infrastructure networks. There he managed and built relationships with key partners around the U.S. Intelligence Community and its allied partners. Jon received his bachelor's in Management Information Systems from Wake Forest School of Business and later his master's in Cyber Security from the University of North Carolina at Charlotte.

Sergio Caltagirone

Sergio Caltagirone is the Vice President of Threat Intelligence at Dragos. He spends his days tracking hackers and his evenings chasing human traffickers. In 9 years with the US Government and 3 years at Microsoft, Sergio has hunted the most sophisticated targeted threats in the world, applying intelligence to protect billions of users while safeguarding civilization through the protection of critical infrastructure and industrial control systems. He co-created the Diamond Model of Intrusion Analysis, helping thousands of others bring more pain to adversaries by strengthening hunters and analysts. He also serves as the Technical Director of the Global Emancipation Network, a non-profit, non-governmental organization (NGO), leading a world-class, all-volunteer team dedicated to ending human trafficking and rescuing victims through data science and analytics, saving tens of millions of lives.

Amy Bejtlich

Amy Bejtlich is a Director of Intelligence Analysis at Dragos, Inc. She has over 10 years of intelligence experience across multiple Intelligence Community (IC) disciplines including Signals Intelligence (SIGINT), Measures and Signatures Intelligence (MASINT), Counterterrorism, and Cyber Threat Intelligence. Amy began her career as an Intelligence Officer in the US Air Force, where she served as a Watch Officer for the Information Operations Center at Air Intelligence Agency. Following her military service, Amy joined the FBI as a counterterrorism analyst. After her federal service, Amy transitioned into cyber threat intelligence, first for a financial institution, then for a Fortune 15 telecommunications company.

Kate Vajda

Kate Vajda is a Senior Vulnerability Analyst for the Dragos Intelligence Team. Kate analyzes public advisories for accuracy, understanding, and correction to feed Intelligence and the Platform. She also performs vulnerability research and assessments of software and hardware, as needed. Kate believes in leaving everything better than she found it, with her top two priorities being process and automation.

Prior to Dragos, Kate was a senior security consultant at Secure Ideas, focusing on network penetration testing, architecture reviews, and security program maturity guidance. She also has 8 years of experience at a Fortune 500 utility where she worked with several aspects of the company, including business, IT, OT, and security. She started her profession in a network research lab where she was free to explore technology and utilize different techniques for implementation and automation.

Kate is also an adjunct professor in the security program at a local college and a network admin for her local church. She spends her free time playing board games, breaking escape room records, organizing security conferences, and running or playing in CTFs.

Tom Van Norman

Tom is the Director of Engineering Services at Dragos, where he works on the Research and Development team building out Cyber Range capabilities. Tom has an extensive background in industrial controls and enjoys getting into the field and making things work. Prior to joining Dragos, Tom held various roles all focused on the operation, engineering and security of industrial control systems.

Tom started his career in the U.S. Air Force, eventually retiring with a total of 24 years between Active Duty, Reserves and Air Guard. He spent the last half of his service serving on a National Mission Team in a Cyber Operations Squadron. In addition to Dragos, Tom is the co-founder of the ICS Village and consults with SANS on the construction and operation of Cyber Ranges. The ICS Village is a non-profit educational organization that equips industry and policymakers to better defend industrial equipment through experiential awareness, education, and training.

Tom calls the Lehigh Valley, Pennsylvania home with his six kids. In his spare time, he enjoys outdoor activities and riding motorcycles.

Don C. Weber

Don C. Weber has devoted himself to the field of information security since 2002. He has extensive experience in security management, physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response and digital forensics, product research, code review, and security tool development. He is currently focusing on assisting organizations in securing their business and Industrial Control System environments through program reviews, security assessments, penetration testing, and training.

Don's past experiences encompass a wide variety of responsibilities: senior manager of the incident response team and acting Director of the vulnerability / risk management program for a large media organization; senior security consultant for a boutique security consultancy where he focused on penetration testing, hardware analysis, and wireless research of ICS technologies used in the energy sector; and senior consultant for an emergency response team providing incident response and forensic services to large, international corporations.

Jason D. Christopher

Jason D. Christopher is the Principal Cyber Risk Advisor at the industrial cybersecurity company Dragos, Inc., where he blends innovative approaches for risk management with state-of-the-art technology and services across the company’s product catalogue.

With over 15 years of experience in cybersecurity and industrial control systems, Jason offers critical infrastructure expertise in developing successful cyber risk strategies.

Prior to Dragos, Jason held multiple roles in industry as an executive leader, researcher, regulator, and engineer. As CTO of Axio, a cyber risk management SaaS company, he pioneered new cyber risk techniques for clients to measure and address their risk exposure. He previously led security metrics R&D at the Electric Power Research Institute where he worked directly with utilities on actionable measurement capabilities. While working for the United States government, Mr. Christopher spearheaded the energy sector strategy for the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Cybersecurity Capability Maturity Model (C2M2), and was the technical lead for the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.

Jason continues to focus on developing cybersecurity standards & best practices for critical infrastructure. He is a Certified Instructor for the SANS Institute & often presents at leading ICS security conferences. He was awarded Cybersecurity Leader of the Year in 2019 by the Energy Sector Security Consortium.

Formal Education

• Bachelor of Computer Engineering, Binghamton University

• Master of Electrical Engineering, Cornell University


• GCIP (GIAC Critical Infrastructure Protection)

Jason Dely

Jason Dely, SANS co-author of ICS612: ICS Cyber Security In Depth and instructor for ICS515: ICS Active Defense and Incident Response, has 20 years of operational, technical and security experience, spanning multiple industry verticals, such as power utility, water utility, oil and gas, manufacturing, mining and chemical. He contributes to developing and implementing technical components of the SANS ICS and SCADA product offerings. Jason is also the Principal Consultant and Founder at Northern Strong Security Inc., based in Ontario, Canada.

Jeff Shearer

Mr. Shearer is a member of the SANS Institute ICS team focused on developing courseware in support of the ICS curriculum. Jeffrey also acted as a Subject Matter Expert (SME) for the Global Industrial Cyber Security Professional (GICSP) certification and is a content contributor for ICS Netwars. He also participates as an advisory board member for the ICS Security Summit and Training events.

Prior to joining SANS Institute, Mr. Shearer worked at Rockwell Automation for twenty-three years where his most recent role was a Sr. Security Architect for Rockwell Automation's Commercial Engineering group focused on network and security designs for Industrial Automation Control Systems (IACS) and Industrial Demilitarized Zones (IDMZ). Mr. Shearer was a contributing member of the Rockwell Automation and Cisco Systems Converged Plantwide Ethernet (CPwE) team where he participated in architecture design and validation efforts. He also co-authored publications such as Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture, Site-to-Site VPN to a Converged Plantwide Ethernet Architecture and Securely Traversing IACS Data across the Industrial Demilitarized Zone.

Prior to joining Rockwell Automation's Commercial Engineering team, Jeffrey was a Principal Security Consultant for Rockwell Automation's Network & Security Services where his consultancy targeted Automation, Industrial Control System (ICS), Distributed Control System (DCS) and SCADA asset owners. Jeffrey has also held the position of Product Manager, Controller Platform Security where he was responsible for security products provided by Rockwell Automation's ControlLogix business.

In addition to controller focused security initiatives, Jeffrey also represented Rockwell Automation to security bodies such as the Idaho National Labs (INL) Control Systems Cyber Security Vendor Forum, ISA-SP99, Manufacturing and Control Systems Security and Department of Homeland Security (DHS) Control System Security Program.

Austin Scott

With nearly 20 years of industrial automation experience, Austin Scott (GICSP, CISSP, OSCP) is a Principal Industrial Penetration Tester at Dragos Inc. where he identifies cyber risk within industrial control networks. Prior to Dragos, Austin worked as part of the industrial cybersecurity team at Sempra, Shell and as an industrial cybersecurity consultant at Accenture. Austin is a SANS Cybersecurity Difference Maker (2015) winner for his industrial cybersecurity contributions. In August 2018, Austin won the DEFCON ICS Village HACK THE PLAN(3)T competition and was awarded the DEFCON UBER black badge.
