
This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account. Once you register, you can download the presentation slides.

MITRE ATT&CK® for ICS Live Demonstration

  • Thursday, April 02, 2020 at 1:00 PM EDT (2020-04-02 17:00:00 UTC)
  • Austin Scott, Robert M. Lee


  • Dragos, Inc.




MITRE released its new ATT&CK for Industrial Control Systems (ICS) as a community resource on the tactics and techniques of ICS threats and a common lexicon for the community. This framework is an important tool in developing an ICS cybersecurity program and threat detection strategy. Dragos contributed significantly to the framework with our threat intelligence on the 11 different ICS-specific threats tracked. In this presentation, the Dragos team will conduct a technical demonstration of an ICS cyber attack from both the attacker and defender perspectives. The attacker perspective will be orchestrated by a member of Dragos' red team, and the defender perspective will be presented using the Dragos Platform. Attendees will experience:

  • Detailed understanding of ICS ATT&CK and how to leverage it
  • Use-cases for threat detection and response scenarios
  • Technical demonstration of the Dragos Platform
  • Technical demonstration of an attack on an ICS range

Speaker Bios

Austin Scott

Austin started his career in the early 2000s as a software developer working on Supervisory Control and Data Acquisition (SCADA) products for Schneider Electric. In 2006, Austin launched a boutique ICS cybersecurity consulting company in Calgary, Alberta, Canada called Synergist SCADA Inc. Synergist SCADA provided system integration and cybersecurity for power plants, pipelines and other critical assets around the world. In 2013, Synergist was acquired by Cimation, a leader in industrial automation and cybersecurity consulting based in Houston, Texas. Cimation was later acquired by Accenture in 2015.

In 2016, Austin joined San Diego Gas and Electric (SDG&E) as a Senior ICS/SCADA Cybersecurity Engineer. At SDG&E, Austin provided security assessment and oversight for Transmission, Distribution, Generation, Electric Vehicle and DERMS projects.

Austin joined Dragos in 2018 as a Principal ICS Security Analyst and is part of the Dragos Threat Operations Center (TOC). Austin is a published author with two books on PLC Programming:

  • Learning RSLogix 5000 – PACKT Publishing – ISBN 9781784396039 – 2015
  • PLC Programming RSLogix 5000 – PACKT Publishing – ISBN 1849698449 – 2013

Austin was nominated by Shell for the SANS Cybersecurity Difference Maker 2015 Award for his ICS cybersecurity program contributions, and won. He is also the president of the San Diego chapter of the Control System Cybersecurity Association International (CS2AI) and founder of the Calgary, Alberta chapter.

Robert M. Lee

Rob is a recognized pioneer in the industrial security incident response and threat intelligence community. He started in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency, where he built a first-of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry-recognized cyber threat intelligence course (FOR578).

Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader but also a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, and he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.
