SANS ICS Summit Solutions Track 2025

  • Monday, 16 Jun 2025 10:00AM EST (16 Jun 2025 14:00 UTC)
  • Speaker: Dean Parsons

Attackers are increasingly targeting critical infrastructure — including power grids, water systems, heavy manufacturing, and oil and gas — with a deep and sophisticated knowledge of ICS components, industrial protocols, and engineering processes. Employing advanced techniques like Living Off The Land (LOTL) strategies, they repurpose legitimate ICS software for malicious purposes. These tactics, when combined with ransomware and ICS-specific attacks, significantly escalate the risks to both human lives and essential infrastructure, especially in times of warfare.

To counter these threats, ICS/OT environments need specialized technology solutions and highly trained ICS defenders. The ICS Active Cyber Defense model emphasizes “skilled human analysts capable of monitoring and responding to adversaries within the ICS/OT network.” Defending against LOTL and similar threats demands cybersecurity teams with a blend of specific expertise in control systems, IT security knowledge and a prioritization of safety.

Is your ICS/OT cybersecurity program equipped with the appropriate technology and expertise? The ICS Summit Solutions Track 2025 will present cutting-edge solutions, live demonstrations, and strategies for tackling today’s ICS security challenges. Presentations and panels will align with industry frameworks, such as the SANS ICS Cybersecurity Critical Controls, demonstrating how expertly trained ICS defenders, armed with ICS-specific solutions, can safeguard the vital infrastructure we all depend on.

Why Register?
- Expert-led Sessions
- Flexible Attendance (Attend live or watch on your own time)
- On-Demand Access (Revisit sessions and download presentations at your convenience)
- Connect with Industry Leaders
- Build Your Professional Network
- Earn CPE Credits

SANS Slack:

  • Connect with our event chairs, speakers, and fellow participants on SANS Slack for real-time discussions and networking opportunities.

Thank You to Our Sponsors & Partners

Platinum Sponsors

Cisco Systems, Claroty, Cyolo, Dragos, Fortinet, OPSWAT, Palo Alto Networks, TXOne

Silver & Tabletop Sponsors

Acronis, C2A Security, Dispel, Frenos, Insane Cyber, Keystrike, Nozomi Networks, Xage Security, Xona

Partners

EISAC, ONE-ISAC, SSA, WTW

This webinar is offered free of charge through collaboration between SANS and its sponsor(s). If you prefer not to share your registration details with sponsor(s), a recorded webinar will be available approximately 30 days after its initial release through the SANS archive. To access the recording, you will need to create a SANS account, but your information will not be shared with the sponsor(s).

ICS Summit Solutions Track Agenda 2025

Time

Presentation Title

Presentation Abstract

Speaker

10:00am-10:15am

Event Kickoff & Introduction

 

Dean Parsons, Event Chair, SANS Principal Instructor

10:15am-10:50am

Identity is the Perimeter: Neutralizing Insider Threats in ICS/OT

As LOTL (Living Off The Land) techniques and insider threats grow more prevalent in critical infrastructure, one truth is clear: the perimeter is no longer physical or even network-based — it’s identity. This session walks through how industrial organizations are redefining security by authenticating users, devices, and access context before every connection.

We’ll explore how ICS-specific Zero Trust controls are helping defenders:

- Prevent unauthorized tool use even from legitimate accounts
- Monitor and record sessions for forensic-ready oversight
- Enable safe, controlled access for contractors and operators
- Apply least privilege without compromising workflows

Whether in heavy manufacturing or remote utilities, ICS defenders must rethink access before it’s abused.

Josh Martin, Sr. Solutions Architect, Cyolo

10:50am-11:25am

Automating Zone Segmentation to Protect Industrial Operations

Segmenting industrial networks into small zones of trust is an efficient way to protect operations and prevent attacks from spreading. But in many cases, it can be too complex to modify the network, deploy zone-based firewalls, and ensure assets are placed in the proper segment without disrupting production.

This session will look at the roadblocks asset owners are facing and discuss ways to make segmentation projects finally move forward.

Ruben Lobo, Director of Product Management, Cisco

11:25am-12:00pm

ICS Cyber Threat Landscape

Dragos released its 8th annual report, highlighting threats to Industrial Control Systems (ICS), lessons learned from the field, and insights into vulnerabilities.

In this talk, Kate will cover the latest Tactics, Techniques, and Procedures (TTPs) of existing threat groups tracked by Dragos, with a deep dive into two new threat groups targeting ICS. In 2024, Dragos observed a convergence of hacktivism and sophisticated threat group activity, posing a significant risk, as loud hacktivist attacks can mask more dangerous threat group activities. Threat groups like VOLTZITE continue to expand their compromised networks, underscoring the need for enhanced visibility and proactive threat hunting. Dragos' hunting efforts identified two unsophisticated tools used to attack ICS: FrostyGoop and Kurtlar_SCADA.

Kate will discuss the techniques, visibility requirements, and methods to hunt for these threats and mitigate risks to ICS.

Kate Johnson, Director of Intel Research, Dragos

12:00pm-1:00pm

Lunch - One Hour

 

 

1:00pm-1:35pm

Secure Remote Access for Operational Technology

The ability to securely support remote employees and contractors is essential to OT business continuity. OT organizations need to secure remote access for commissioning new equipment, applying critical patches, or executing repairs and troubleshooting activities remotely. This can also include remote monitoring and diagnostics or use of remote operation centers to affordably take care of geographically distributed assets.

From this session you will understand the risks associated with unsecured remote access, the impact of regulations and security standards around remote access requirements, and security considerations when implementing remote access in OT.

Glen Combe, OT Specialist Systems Engineer, Fortinet

1:35pm-2:10pm

Stop Applying IT Fixes to OT Problems: The OT Security Wake-up Call

OT environments are not like data centers, and trying to secure them with IT tools is like trying to play a vinyl record on a CD player (same goal, ineffective tech). From visibility and vulnerability management to risk response, operational technology demands specialized cybersecurity strategies that prioritize continuity and control.

Join TXOne Networks as we explore how traditional IT security can actually increase risk in ICS environments. You’ll walk away with a clear understanding of why OT requires purpose-built solutions, how to avoid the most common (and costly) missteps, and what it really takes to keep operations running safely and securely.

Matthew Willard, Senior Solutions Engineer, TXOne

2:10pm-2:25pm

Break

 

 

2:25pm-3:00pm

Common Misperceptions About CPS/OT Asset Visibility and How Organizations Have Overcome Them

We'll discuss some of the popular use cases that require the deep classification of assets in OT, as well as multiple safe methods for obtaining the needed details quickly and safely. The presentation will include actual stories from the field.

Wes Roberts, Solution Engineer, Claroty

3:00pm-3:35pm

File-Based Threats in Focus: Securing OT Data Transfers with Field-Tested Strategies

As industrial organizations modernize their operations, the secure transfer of files into, within, and out of OT environments remains one of the most technically complex—and often underestimated—attack vectors. From engineering updates and vendor diagnostics to remote support and system logging, every data movement presents a potential intrusion path if not rigorously controlled. In this panel, OPSWAT experts will dive into proven technical strategies for defending OT systems against file-based threats.

We’ll explore real-world deployments of technologies like unidirectional gateways (data diodes), secure kiosks, endpoint protection, and managed file transfer platforms—all designed to enforce trust boundaries while enabling critical workflows. The session will address specific use cases including USB media control, secure remote file drops, OT network segmentation with diodes, and safe data ingestion from third-party vendors. We’ll also unpack new findings from the 2025 SANS ICS/OT Cybersecurity Budget Report to discuss how organizations are investing in layered defenses that protect the file transfer chain—without sacrificing uptime or compliance. If you're responsible for OT asset integrity, secure engineering data flow, or managing third-party access, this session will offer practical, technical insights to strengthen your defenses.

Itay Glick, VP, Products, OPSWAT

Colin Dunn, VP of Products, GM, OPSWAT DC USA

Jeremy Fong, VP, Products, OPSWAT

3:35pm-4:10pm

Empowering the ICS Defender: Implementing SANS Critical Controls with Palo Alto Networks Solutions

For ICS defenders, aligning security strategies with established frameworks is paramount. This session, presented by a Palo Alto Networks OT Technical Marketing Engineer, will provide actionable insights into implementing the SANS ICS Cybersecurity Critical Controls using Palo Alto Networks' cutting-edge solutions.

We will walk through practical examples and live demonstrations, illustrating how our technology directly addresses key controls like incident response and recovery, risk-based vulnerability management, and on-demand controlled remote access. Learn how Palo Alto Networks empowers ICS defenders with the visibility, control, and automated threat prevention necessary to protect vital infrastructure from sophisticated attacks and ensure operational resilience.

Dan Behrens, Sr. Technical Marketing Engineer, Palo Alto Networks

4:10pm-4:15pm

Event Recap & Closing Remarks

 

Dean Parsons, Event Chair, SANS Principal Instructor