


SANS ICS Briefing: Defending Energy Systems

  • Thursday, July 13, 2017 at 4:15 PM CST (2017-07-13 21:15:00 UTC)
  • Jason Farmer, Nick Cappi, Stuart Bailey, Robert M. Lee


  • Waterfall Security
  • PAS
  • Cylance
  • Arbor Networks
  • Tripwire, Inc.
  • Claroty Inc.




In conjunction with the ICS - Houston training event, SANS is pleased to offer the 4th Annual Industrial Control Systems Security Briefing. This event provides the opportunity to engage in dialogue around Industrial Control Systems Security and learn about key solution capabilities.

Theme for this year's event: Defending Energy Systems

Times in Central Time Zone


4:15pm - 4:45pm   CRASHOVERRIDE and Detailing Different Types of Detection

Speaker: Robert M. Lee, Dragos and SANS Certified Instructor

Organizations are constantly asked to evaluate new technologies, approaches, and tradecraft largely focused around different ways of detecting threats. However, there is not a standard model for the different types of detection. This presentation is a preview of an upcoming SANS paper on the four types of threat detection, how to leverage them, and the pros and cons of each for your organization. CRASHOVERRIDE will be leveraged as an example so that defenders can leave with actionable recommendations for their environments.


4:45pm - 5:20pm Defending ICS Perimeters with Unidirectional Gateway

Speaker: Stuart Bailey, Director of Industrial Security, Waterfall Security Solutions

This talk will discuss how owners and operators in the energy sector are securing their reliability-critical and safety-critical network perimeters. An IT-centric defense-in-depth security approach is fundamentally inadequate to address ICS security requirements. A perimeter-focused approach is the most effective method to address ICS security needs. Implementing corporate IT security measures on ICS networks will never be an effective security strategy. A new approach is needed.


5:20pm - 5:55pm   Anatomy of an Attack: Two ICS Attack Vectors and How to Defend Against Them

Speaker: Nick Cappi, Director of Global Business Development for Integrity Solutions

What are your blind spots when protecting critical Industrial Control Systems (ICS) from attacks that can impact production and safety? Compromising ICS cyber assets, particularly proprietary ICS, is not difficult for someone with knowledge of these systems.

Traditionally, industrial processing facilities have relied on security by obscurity, system complexity, air gapping, network segmentation, and perimeter-based security protection for process control networks (PCNs). Many organizations have put IT-centric security technologies in place that primarily focus on securing Level 3 and 2 systems within the PCN. This IT-centric approach fails to protect Level 1 and 0 production-centric assets sufficiently, thus leaving them vulnerable. This creates a huge blind spot, which leaves industrial processing facilities vulnerable to common ICS attack vectors.

This presentation provides an overview of two simple Level 1 and 0 attack vectors that most industrial processing facilities struggle to defend against proactively. It provides an in-depth examination of the thought processes used by an attacker, along with details of each attack. It then discusses the technical controls required for defense.

Attendees will learn:

  • How an attacker approaches an ICS environment
  • How two real-world attack vectors can lead to process and safety disruption as well as how to defend against them
  • Security controls that protect against these two scenarios


5:55pm - 6:05pm   Networking Break

6:05pm - 6:40pm   Lessons from the WannaCry / ICS Trenches

Speaker: Scott Scheferman, Director of Consulting, Cylance

This talk will bring to light some of the recent lessons our Incident Response team has learned when dealing with the latest threats like WannaCry, Qbot2017, etc. We'll focus in particular on how these threats are now more than just theoretical when it comes to affecting ICS/OT environments and mission-critical systems. We'll also take a close look at how, in 2017, predictive artificial intelligence is being used to help counter these threats on a few levels. We'll also couch the broader threat landscape and kill chain against a temporal landscape where time becomes the ultimate advantage for either the attacker or the defender, using real-world threat campaign examples to illustrate, including the Shamoon 2 campaign. Finally, we'll end with the recommendations our ICS consultants find to be the most important, whether in preventing a threat or dealing with an active ICS incident.


6:40pm - 7:15pm   Rise of the Industrial Internet of Things (IIoT)

Speaker: Jason Farmer, Advanced Threat Consulting Engineer

The Industrial Internet of Things (IIoT) promises to change Oil and Gas. Everything from connected barrels to new insight into the hydrocarbon supply chain and marketing to customers will be impacted by the IIoT. These new capabilities and insights into our business also bring new opportunities for malicious actors. This session explores our roles in using, exploiting, controlling, and surviving the hyper-connected world.


7:15pm - 7:30pm   Closing Remarks

Speaker Bios

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, and he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.

Stuart Bailey

Nick Cappi

Jason Farmer
