All Your Network Traffic Are Belong to Us - VPNFilter Malware and Implications for ICS

  • Wednesday, July 25th, 2018 at 3:30 PM EDT (19:30:00 UTC)
  • Tim Conway, Doug Wylie and Phil Neray
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.


  • CyberX


The world recently learned of new multi-stage router malware with destructive capabilities and the ability to intercept web traffic and insert malicious code into it. Described as "an impressive piece of work" by Bruce Schneier, the VPNFilter malware also includes a packet sniffer for capturing Modbus TCP traffic and credentials passing through VPN routers.

The Modbus TCP plugin indicates the adversary may have the ability and intent to compromise ICS environments and exfiltrate ICS-specific information. It's also possible that compromised routers can now be used as launching points for further attacks into ICS networks and that other payloads could easily be added to capture DNP3, EtherNet/IP, Siemens S7, and other ICS/SCADA traffic in the future.

In this educational webinar led by Tim Conway and Doug Wylie from SANS, with Phil Neray from industrial cybersecurity firm CyberX, you'll learn about:

  • VPNFilter's architecture and capabilities.
  • Implications for ICS networks and asset owners.
  • How to defend against VPNFilter and similar malware in the future.

Speaker Bios

Tim Conway

Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Doug Wylie

Doug Wylie directs the SANS Industrials and Infrastructure business portfolio, helping companies fulfill business objectives to manage security risks and develop a security-effective workforce. His lengthy career spans a wide array of industries. He served as Rockwell Automation's director of product security risk management, where he founded and led its industrial cyber security and risk management program. Doug works around the world with companies, industry and standards bodies, and government entities to help safeguard converged IT-OT systems from contemporary cyber security threats. He holds the CISSP certification and numerous patents, as well as being an accomplished writer, speaker and presenter.

Phil Neray

Phil is the VP of Industrial Cybersecurity for CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an engineer with Hydro-Quebec. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a 1st Degree Black Belt in American Jiu Jitsu.

About CyberX

Founded in 2013 by military cyber-experts with nation-state expertise defending critical infrastructure, CyberX provides the most widely-deployed platform for continuously reducing ICS and IIoT risk. CyberX is a member of the Palo Alto Networks Application Framework developer community and the IBM Security App Exchange Community, and has integrated with CyberArk for secure remote access. CyberX has also partnered with premier solution providers worldwide including Optiv Security and Deutsche-Telekom/T-Systems.
