SANS 2025 Utilities Forum

When a cyber incident strikes operational technology, the wrong response plan can cause more damage than the attack itself. Too often, organizations default to IT-centric incident response processes that fail in an ICS/OT environment—introducing delays, jeopardizing safety, and disrupting operations. In this session, Dean Parsons will break down why traditional IT controls and playbooks can be fatal for ICS/OT environments, and how to adapt IR processes to the unique realities of industrial networks. Drawing from real-world lessons learned, Dean will walk you through two high-impact ICS/OT Incident Response tabletop exercises you can run immediately to sharpen your team’s readiness. Attendees will leave with practical, sector-specific scenarios and clear action steps to strengthen their industrial cyber resilience—starting today.

It’s time for public water suppliers to take action in securing their ICS/OT environments from cyber threats. In the absence of comprehensive regulatory requirements, utilities must adopt a reasonable, risk-based strategy that is both prioritized and sustainable. This session outlines a practical approach grounded in the SANS Five ICS Cybersecurity Critical Controls and supported by engineering-based methods to reduce the most severe consequences of cyber incidents. Attendees will learn about some of the most reasonable approaches to address highest risk vulnerabilities and strengthen operational resilience — even with limited resources.

As industrial cyber threats increasingly target critical infrastructure, the water sector must prioritize ICS/OT-specific defenses. This panel brings together experts to discuss real-world attacks, the limitations of traditional IT controls in water systems, and practical strategies for improving control system network visibility for proactive detection, industrial grade response and threat mitigations. Panelists will share insights on managing vulnerabilities with limited resources, engaging engineering teams, and aligning cybersecurity with operational and safety goals. From legacy SCADA to digital transformation, the discussion will focus on building resilient programs that protect the systems delivering our most essential resource — water.

Discover how Idaho National Laboratory's integrated approach to cyber resilience is transforming the landscape of control system security. This session unveils an engineering mindset change. Cyber-Informed Engineering (CIE) provides engineers with principles to design systems with built-in cyber resilience from the ground up.

Join us to learn how to design robust, resilient control systems that can withstand evolving cyber threats. Whether you're an engineer, security professional, or control systems architect, you'll gain practical insights into changing the engineering mindset. 

Session Details Coming Soon!

It is estimated that over 90% of the more than 50,000 community water systems and approximately 17,000 wastewater systems in the U.S. are rural or small municipal systems serving populations of less than 10,000. These rural utilities face ongoing challenges related to aging infrastructure, severely limited funding, and the need to comply with (non-cyber) regulations. These legacy issues result in cybersecurity rarely (if ever) making the to-do list. This panel will discuss these challenges and how trusted relationships and mentorship, especially with larger/cyber mature utilities are crucial for building sector resilience.

For over two decades critical infrastructure and key resource sectors have been working to implement cybersecurity preventative controls wrapped around the Industrial Control Systems and process environments to ensure safe, reliable, and resilient operations. As environments have moved to increasingly more interconnected and interdependent digital systems, industry has seen a corresponding growth in cybersecurity complexity demands. The impact of this complexity growth lands squarely on the dedicated teams of humans supporting and defending these environments daily who are often under resourced. As we look to current and future workforce demands we need to ask what are we doing to equip and enable the most critical part of critical infrastructure – the humans

In the electric sector, ICS security decisions must balance security, safety, and reliability. Yet many programs are shaped by urgency rather than understanding. A high-profile incident, a regulatory pressure point, or a vendor’s promise can set priorities without answering the most important question: what is at risk and how do we know. This often leads to investments that look solid on paper but leave critical assets vulnerable in ways that are not immediately obvious.

Critical infrastructure sectors face remarkably similar security challenges despite their operational differences. This panel brings together ISAC representatives to explore common challenges. By examining these cross-cutting challenges, we will uncover how different sectors have developed unique solutions to similar problems, identify transferable best practices, and discuss opportunities for collaborative approaches that strengthen security postures across critical infrastructure sectors.

As AI evolution continued its breakneck pace through the first half of 2025, ongoing interactions with grid management systems suppliers and their trade group representatives indicated that these companies are exploring the addition of generative forms of AI within their product lines. These include EMSs, DMSs, DERMS and SCADA, all of which play essential roles in the nation’s grid control centers. Their utility customers have concerns, the regulators have concerns, and every electric sector stakeholder has concerns. Well-founded concerns.

This talk will flesh out some of those concerns, and describe capabilities INL is attempting to develop to assure these systems for safety and security before they go live on the grid.

Organizations face a natural tension between deploying advanced tools to protect critical assets and maintaining the segmentation required to secure them. This challenge is amplified in regulated operational environments such as generation plants, where compliance, reliability, and security must align.

In this session, Corbin Jarms will share a practical approach to building and deploying custom, on-premise AI threat detection capabilities guided by CIP-015 INSM principles. Drawing from real-world experience in electric generation facilities, he will walk attendees through key design patterns, architectural considerations, and lessons learned that enable AI-enabled detection without compromising segmentation or compliance.

Over the past 10 years, electric utilities have seen an explosion in both cyber threats targeting IT and OT systems and the regulations impacting those systems. Utilities must defend against both the attack and the audit—but are these two goals aligned? Or are we focusing on differing controls and attack vectors?

Join our panelists as we discuss how utilities can improve both security and compliance, regardless of their size, location, or ownership structure.