World-class instructors teaching today's critical cyber skills - SANS Online Training



ICS Summit Solutions Track

  • Friday, March 5, 2021 | 9:45 AM - 4:30 PM EST (starts 2021-03-05 14:45:00 UTC)
  • Don C. Weber, Amy Bejtlich, Michael Firstenberg, Vikram Sharma, Matt Hubbard, Nick Cappi, Michael Rothschild, Phil Trainor, Chris Grove, Scott Smith, Robin Berthier


  • Armis
  • Cisco Umbrella
  • Dragos, Inc.
  • Gigamon
  • Keysight Technologies, Inc.
  • Network Perception
  • Nozomi Networks
  • PAS
  • Tenable
  • Verve
  • Waterfall Security





You will earn 6 CPE credits for attending this virtual event.

Summit Format: Virtual

Event Overview

Tremendous gains are being achieved in industrial applications by sharing and analyzing data, but we need professionals who can address the security challenges. With many organizations focusing their information technology (IT) and operational technology (OT) teams on securing the control network and gathering as much information as possible, it is important to maintain secure and reliable operations in the face of determined threats.

Many organizations would consider finding actionable intelligence that allows leadership to make informed decisions to be a success. However, this influx of information will eventually lead to the identification of anomalous events. These events will lead to the identification of malicious activity. This activity will leave most organizations' incident response teams failing to handle actual security incidents, increasing downtime and making it difficult to return to 100% production. Successful organizations focus on training their teams to respond effectively to an incident and on deploying technology designed for prevention and identification.

How organizations prepare their IT and OT teams for security incidents is often dependent on what techniques and tools are available. Teams can use the latest solutions to increase the identification, containment, and eradication of suspicious or malicious activities and overall improve response times and reduce recovery efforts.

This forum will explore various ICS topics, ranging from programmable logic controllers (PLCs) to distributed control systems (DCSs), through invited speakers while showcasing capabilities available today. Presentations will focus on case studies and thought leadership using specific examples relevant to the industry as we know it.


9:45 - 10:00 AM EST - Event Welcome

Don Weber, @cutaway, Summit Co-Chair, SANS Institute, @SANSInstitute


10:00 - 10:35 AM EST - Threat Intelligence: From Threat to ICS Visibility

Amy Bejtlich, @_Silent_J, Director of Intelligence Analysis, Dragos, @Dragos

As threats to ICS environments increase, so too does the need for organizations to properly contextualize and respond to activity targeting them. Incorporating OT-specific threat intelligence with asset information and attacker tactics, techniques, and procedures (TTPs) into security operations informs effective decision making and allows defenders to better detect and respond to malicious activity. This session will highlight how integrating threat intelligence into the Dragos Platform provides asset visibility and actionable information that OT SOC operators can use to defend their operating environments.


10:35 - 11:10 AM EST - ICS/OT Ransomware in the Supply Chain: Learnings from attacks in 2020

Michael Firstenberg, Director of Industrial Security, Waterfall Security, @WaterfallSecure

2020 was not a good year for cyber attacks on industrial control systems (ICS) and operational technology (OT) networks:

  • Targeted ransomware: Nine attacks shut down physical operations at industrial sites; all were targeted ransomware.
  • SolarWinds Orion: The single biggest cyber attack in history, the SolarWinds Orion supply chain breach, impacted as many as 18,000 organizations, many of which were industrial enterprises with physical operations.

In addition, ICS and OT networks are increasingly connected, both to enterprise networks and to Internet-based cloud providers in Industrial Internet of Things (IIoT) configurations. Such connectivity makes targeted and supply chain attacks ever simpler and more far-reaching in their consequences. In 2020, ransomware, targeted ransomware, supply chain breaches and cloud connectivity all emerged as top-of-mind concerns for security teams at industrial enterprises. Security teams responsible for industrial operations are re-evaluating their security programs in light of this new, pervasive threat environment.

Join us to learn about the emerging representative and credible threats for 2021 and beyond: pervasive threats that all ICS / OT security teams should consider going forward. This discussion will include an evaluation of defensive strategies and their efficacy at protection.


11:10 - 11:45 AM EST - The Journey Towards a Secure Industrial Network

Vikram Sharma, Senior Manager, Engineering, Cisco IoT, Cisco Umbrella, @CiscoUmbrella

Protecting industrial operations against cyber threats is a very specific challenge. As you connect more industrial devices, enable more remote access, and build new applications, the airgap between IT and OT networks erodes and the IDMZ falls short of being sufficient.

Adding extra security to your industrial network will not happen overnight. This session will present:

  • What's beyond the IDMZ to secure industrial networks
  • Cisco's phased approach to IoT/OT security where each phase builds the foundation for the next
  • How to mature your OT security strategy to bring all stakeholders along on the journey and ensure success


11:45 AM - 12:00 PM EST - Break


12:00 - 12:35 PM EST - Analyzing & Preventing ICS Attacks with the MITRE ATT&CK for ICS Knowledgebase

Matt Hubbard, Senior Technology Product Marketing Manager, Armis, @Armis

The typical ICS environment is no longer the impregnable air-gapped network that it once was. It has been connected to the enterprise network, to the Internet, and to business partners who provide remote support. So while the traditional Purdue reference architecture is still "the" model, in most real-world environments it has lost its integrity. Attackers can find their way into your OT environment through new connected devices and converging networks.

The new MITRE ATT&CK for ICS knowledgebase can help security managers understand the tactics and techniques that attackers use to gain access to industrial control systems. Join Armis in this session to learn:

  • How MITRE ATT&CK for ICS works
  • How you can use the new MITRE ATT&CK tool to assess gaps and weaknesses in your existing security tools
  • Practical advice on how to prevent attacks against your ICS infrastructure, based on the MITRE ATT&CK techniques.


12:35 - 1:10 PM EST - A Different Approach to Vulnerability Management: Most Bang for the Buck

Nick Cappi, VP Product Management & Technical Support, PAS part of Hexagon, @PASGlobal

Attend this presentation to learn how to mitigate the cyber threats and vulnerabilities that can negatively impact plant safety, reliability, and your company's bottom line. This session will present:

  • Understand the current OT threat landscape and the state of OT security
  • Identify the security architecture layers required for effective OT endpoint defense
  • Learn what to do and what not to do for driving improved OT endpoint security in industrial facilities


1:10 - 2:00 PM EST - Lunch


2:00 - 2:35 PM EST - OT Cyber Maintenance Best Practices In Proactive Security

Michael Rothschild, Senior Director, OT Solutions, Tenable, @TenableSecurity

Beyond clear and present OT security threats, what are the most critical OT cyber maintenance issues to address now?

As security experts, we're too accustomed to being called into action after a breach has been discovered or, with increasing frequency, to address the latest news-making exploit.

Even though we all understand the need for routine maintenance when it comes to the machinery our businesses (and lives) rely on, evidence suggests that's not always the case for your OT cyber assets.

We will share practical advice and best practices to keep your OT systems in top shape from a security perspective.

Topics covered include:

  • Explanation of what cyber maintenance is and why we need it.
  • What are the most critical OT cyber maintenance issues to address now
  • Lessons learned and key takeaways to share with your team and business stakeholders


2:35 - 3:10 PM EST - SOC Techniques for Analysing ICS Attacks

Phil Trainor, Director of Security Solutions, Keysight Technologies, @Keysight

This lecture will delve into the specifics of the efficient collection and analysis of malicious network events targeting industrial control networks. The dataset to which these techniques are applied comes from the recent Hack the Building event put on through a partnership between US Cyber Command and the Maryland Innovation and Security Institute. Keysight Technologies' visibility solutions were utilized to intercept and forward malicious events to relevant security solutions, and to collect metadata. This talk is geared toward all audiences, but will focus on technical points, not high-level scenarios.


3:10 - 3:45 PM EST - Using AI to Precisely Detect Anomalies in the OT Process

Chris Grove, Technology Evangelist, Nozomi Networks, @nozominetworks

Scott Smith, Senior Product Owner, Nozomi Networks, @nozominetworks

Artificial Intelligence and machine learning techniques are vital to automating the detection and analysis of cybersecurity and OT system incidents. However, a full understanding of the process being monitored, including its communications and assets, is needed to avoid deluging security teams with anomalous events.

This session looks at how AI can be used to precisely identify anomalies in the OT process indicative of equipment failure, a cyberattack or a system problem.

A combination of process parameter deviation information, and rules that detect specific data and events from a stream of network traffic, make for a powerful threat hunting tool. See a demonstration of process anomaly detection in action and learn how it can help you accelerate incident detection and response, safeguarding availability and cybersecurity.

3:45 - 4:20 PM EST - Accelerate Incident Response with Instant OT Network Access Visualization

Robin Berthier, CEO, Network Perception, @networkperceptn

As the size and complexity of networks continue to grow, ICS and OT environments are being exposed to larger attack surfaces. The frequency, severity, and sophistication of cyber attacks have also been rising, and incident response teams face a greater challenge to identify and contain issues faster.

With the realization that network access policies are our first line of defense, this session will present a practical case study to demonstrate the value of instant visualization into network access and the exposure of connected assets. You will learn about technology to:

  • Keep network topology diagrams and asset inventory up to date at all times
  • Leverage next-generation network visualization to gain situational awareness
  • Verify network access containment policies and network segmentation

4:20 - 4:30 PM EST - Wrap-Up


ICS Security Summit & Training 2021

Summit: March 4-5 | Training: March 8-13

The annual ICS Security Summit brings together the industry's top practitioners and leading experts from around the globe to share actionable ideas, methods, and techniques for safeguarding critical infrastructures. In-depth talks and interactive panel discussions deliver proven advances and approaches that make a real difference for the individuals leading this fight every day.

The ICS Security Summit will address a wide range of topics, including:

  • Understanding what an attack against your organization will look like (deconstructing real-world ICS attacks and technical threats)
  • Live attack demonstrations & the defenses needed to stop them
  • Case studies and success stories
  • System and organizational investment opportunities that reduce attacker effects
  • Future attack vectors on ICS
  • Mitigations - Defenders, governance, and controls


Speaker Bios

Don C. Weber

Don C. Weber has devoted himself to the field of information security since 2002. He has extensive experience in security management, physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response and digital forensics, product research, code review, and security tool development. He is currently focusing on assisting organizations in securing their business and Industrial Control System environments through program reviews, security assessments, penetration testing, and training.

Don's past experiences encompass a wide variety of responsibilities. Senior manager of the incident response team and acting Director of the vulnerability / risk management program for a large media organization. Senior security consultant for a boutique security consultancy where he focused on penetration testing, hardware analysis, and wireless research of ICS technologies used in the energy sector. Senior consultant for an emergency response team providing incident response and forensic services to large, international corporations.

Amy Bejtlich

Amy Bejtlich is a Director of Intelligence Analysis at Dragos, Inc. She has over 10 years of intelligence experience across multiple Intelligence Community (IC) disciplines including Signals Intelligence (SIGINT), Measures and Signatures Intelligence (MASINT), Counterterrorism, and Cyber Threat Intelligence. Amy began her career as an Intelligence Officer in the US Air Force, where she served as a Watch Officer for the Information Operations Center at Air Intelligence Agency. Following her military service, Amy joined the FBI as a counterterrorism analyst. After her federal service, Amy transitioned into cyber threat intelligence, first for a financial institution, then for a Fortune 15 telecommunications company.

Michael Firstenberg

Mike Firstenberg is the Director of Industrial Security for Waterfall Security. Mike brings two decades of experience in Process Control Security, specializing in Control System Cyber Security. With a proven track record as a hands-on engineer - researching, designing, and implementing strategic security solutions, Mike has an established background working with government institutions, regulatory authorities, and industrial utilities. The former chair of the American Water SCADA Council, Mike studied Computer Science, Chemical Engineering, and Mathematics at the University of Pennsylvania, and has served as a speaker and panelist at numerous conferences and events around the world. Mike participates actively in ISA, and serves on committees that have created Industrial Cybersecurity guidelines and roadmaps in many sectors.

Vikram Sharma

Vikram Sharma has 18 years of hands-on experience in building and operating industrial networks. He was responsible for Cisco's manufacturing industrial networks and applications across 100+ plants globally. He is now responsible for building reference security architectures for Cisco industrial customers and partners. Vikram is a cryptographer by training and has led Cisco anti-counterfeiting initiatives in manufacturing and overseen security operations for the plants.

Matt Hubbard

Matt Hubbard has dedicated over two decades of his career designing and bringing to market solutions that enable companies to protect and secure their technology environment. He has worked in product marketing, product management and research & development at companies such as Veritas, Symantec, Trend Micro, Dell and Compaq. He currently serves as a Sr. Technical Product Marketing Manager at Armis.

Nick Cappi

Nick Cappi joined PAS in 1995. As Vice President of Product Management and Technical Support, Nick oversees product management, strategic development of the PAS Integrity Software Suite and PAS PlantState Suite, and technical support. During his tenure at PAS, Nick has held a variety of positions including Director of Technical Consulting, Director of Technology, Managing Director for Asia Pacific Region, and Director of Product Management. Nick brings over 25 years of industrial control system and cybersecurity experience within processing industries.

Michael Rothschild

Michael Rothschild is senior director of OT solutions who comes to Tenable by way of the Indegy acquisition. He focuses on Tenable's OT product line, is an advisory board member at Rutgers University and is a past professor of marketing. He also has a number of published works in marketing and healthcare. In his spare time Rothschild is a first aid instructor and volunteers as an EMT.

Phil Trainor

Phil is a network security specialist with over twenty years in the industry. He has lectured at prestigious security conferences such as BlackHat, Defcon, RSA, and SANS ICS Summit events (twitter: @Phil_Trainor), as well as numerous other security conferences. He is currently a Director in Keysight Technologies' Security Solutions Group, focusing on Keysight solutions that leverage threat intelligence.

Chris Grove

Chris brings more than 25 years of cybersecurity experience with deep knowledge of IT, OT and IoT networks and mission-critical infrastructure. His prior experience includes managing large, critical and complex security projects around the world for customers of leading IT and OT security vendors. Security executives turn to Chris for his expertise in almost every sector including commercial, government, defense, law enforcement, and the intelligence community.

Scott Smith

Scott is the Sr. Product Manager at Nozomi Networks. In his role, he is accountable for working closely with key customers to help solve cybersecurity challenges by evolving the Nozomi Solution. Scott spent 8 years working for a large Electric Utility supporting devices in the EMS and DCS environments. As Scott worked to help his organization meet NERC CIP compliance and enhance its cybersecurity posture, he noticed gaps in available products. He then transferred from the customer side to the commercial side, which led to his current role at Nozomi Networks to help close those gaps.

Robin Berthier

Dr Robin Berthier is the co-founder and CEO of Network Perception. He has over 15 years of experience in the design and development of network security technologies. He was part of the University of Illinois research team that originally developed the technology that drives the Network Perception Platform. He received his PhD in the field of cybersecurity from the University of Maryland College Park before joining the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign (UIUC) as a Research Scientist.
