


This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

NotPetya, Dragonfly 2.0 & CrashOverride: Is Now the Time for Active Cyber Defense in ICS/SCADA Networks?

  • Thursday, October 12, 2017 at 1:00 PM EDT (2017-10-12 17:00:00 UTC)
  • Phil Neray, Mike Assante


  • CyberX




Recent campaigns against industrial and critical infrastructure organizations demonstrate that conventional ICS/SCADA defenses such as firewalls and segmentation are no longer sufficient to protect our ICS/SCADA networks from targeted attacks and sophisticated malware. With industrial organizations showing significant financial losses from widespread disruption to their production operations, management teams and boards of directors are now asking their cybersecurity and OT teams "How do we make sure this doesn't happen to us?"

Active Cyber Defense is the next step in the cybersecurity maturity model. As defined by SANS, it's the process of using security operations to continuously identify and counter threats. The Active Defense Cycle consists of four phases that continuously feed each other to create an ongoing process: asset identification and network security monitoring; incident response; threat and environment manipulation (e.g., addressing vulnerabilities); and threat intelligence consumption.

In this educational webinar led by Mike Assante, SANS Director of Critical Infrastructure & ICS/SCADA Security, recently selected as one of "The Most Influential People in Security" by Security Magazine, we'll explore why "basic" ICS/SCADA security won't cut it anymore. We'll discuss the architecture of modern malware such as NotPetya and CrashOverride/Industroyer, as well as recent targeted attacks such as Dragonfly 2.0. And we'll provide actionable takeaways to help ICS/SCADA defenders implement Active Cyber Defense in a practical and pragmatic manner.

Phil Neray, CyberX's VP of Industrial Cybersecurity, will present a timeline of nation-state cyberattacks on critical infrastructures worldwide, so we can better understand our adversaries' motivations, TTPs, and how their capabilities have evolved over time. He'll also describe how network traffic analysis (NTA) can be used to visualize and predict the most likely attack vector paths to our most critical ICS/SCADA assets, so you can prioritize remediation and mitigation activities when you have narrow change windows, and how modern ICS/SCADA cybersecurity platforms can effectively support Active Cyber Defense for industrial and critical infrastructures.

Speaker Bios

Mike Assante

Michael Assante is currently the SANS lead for Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) security and Co-founder of NexDefense, an Atlanta-based ICS security company. He served as Vice President and Chief Security Officer of the North American Electric Reliability Corporation (NERC), where he oversaw industry-wide implementation of cyber security standards across the continent. Prior to joining NERC, Mr. Assante held a number of high-level positions at Idaho National Labs and served as Vice President and Chief Security Officer for American Electric Power. Mr. Assante's work in ICS security has been widely recognized, and he was selected by his peers as the winner of Information Security Magazine's security leadership award for his efforts as a strategic thinker. The RSA 2005 Conference awarded him its outstanding achievement award in the practice of security within an organization.

He has testified before the US Senate and House and was an initial member of the Commission on Cyber Security for the 44th Presidency. Before his career in security, he served in various naval intelligence and information warfare roles, and he developed and gave presentations on the latest technology and security threats to the Chairman of the Joint Chiefs of Staff, Director of the National Security Agency, and other leading government officials. In 1997, he was honored as a Naval Intelligence Officer of the Year.

Phil Neray

Phil Neray is Director of Azure IoT & Industrial Cybersecurity at Microsoft. He joined Microsoft after its acquisition of CyberX, a leader in agentless security and behavioral analytics for industrial and critical infrastructure networks. Prior to CyberX, Phil held executive roles at IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as an engineer with Hydro-Quebec and as a Schlumberger engineer on oil rigs in South America. He has a BSEE from McGill University, is certified in cloud security (CCSK), and has a First-Degree Black Belt in American Jiu Jitsu.
