DISC – SANS ICS Virtual Conference Highlights

DISC-SANS ICS Virtual Conference

If you missed the Conference or the CTF, please register here to get access to the recorded sessions and to be notified when the CTF content is available for download.



On May 1, 2020, SANS and Dragos, Inc. joined forces to provide a fully virtual conference open for free to the Industrial Control Systems (ICS) community. The conference shared technical insights, lessons learned, and best practices for ICS/OT cybersecurity. The conference content covered a variety of material including how to operationalize ICS intel, new ways to attack controllers, and incident response best practices.

The DISC – SANS ICS Virtual Conference is by far the biggest cybersecurity event ever run, with more than 8,000 people tuning in for two days of relevant content for the ICS community.

“It is always impressive to see the passion and dedication of our security community. Everyone is busy, yet thousands showed up because of their focus on and interest in ICS/OT cybersecurity. Thank you to everyone who took the time out to learn and engage!” – Robert M. Lee


Conference chairs Robert M. Lee and Tim Conway understood it was important to offer a one-of-a-kind conference that could highlight the most up-to-date content as well as provide an opportunity for attendees to test their skills. For days, the teams at Dragos and SANS worked together to provide the community with a unique “Capture the Flag” (CTF) Challenge to test their skills.


The result? An ICS CTF developed with a unique data set which allowed competitors to conquer several levels of difficulty. Winners were announced at the conference, along with a detailed session that went over results and answers presented by Austin Scott, Principal Industrial Penetration Tester, Dragos Inc., and Jon Lavender, Chief Technology Officer and Co-Founder, Dragos Inc.

DISC SANS Virtual Conference CTF Challenge – Unique Dataset

The DISC CTF Challenge featured an attack orchestrated against the range by the Dragos red team for defenders to review and analyze. In addition, there were a wide variety of flags to find, so attendees could test their ICS network security skills. It is usually very difficult to get access to such data, as ICS equipment and setups can be particularly expensive. This was a gift to the ICS community from SANS and Dragos, Inc. in our hopes that attendees could learn more about ICS and get excited about such a wonderful community of asset owners and operators, such as electric power, oil and gas, water, manufacturing, mining, and transportation providers, to name a few.

The data set is also accompanied by the questions and answers. Attendees may use this data set for self-training; it is not meant for commercial purposes and such use is strictly prohibited. The skills required to complete the challenge map directly to the SANS ICS410: ICS/SCADA Security Essentials, ICS456: Essentials for NERC Critical Infrastructure Protection, ICS515: ICS Active Defense and Incident Response, and ICS612: ICS Cybersecurity In-Depth courses.


One Day of full content, networking, Q&A, and above all learning

The conference started with opening remarks by conference Co-chairs Tim Conway and Robert M. Lee, followed by a presentation from Jason Christopher, Principal Cyber Risk Advisor from Dragos, Inc. and SANS Certified Instructor.


Christopher showed real use cases to teach attendees practical steps in either creating or refining their ICS-specific security program.

“When we combine technology with the right people and robust processes, organizations create a strong culture of security and forge lasting legacies for critical infrastructure protection,” he said.

The conference gave special focus to ICS security efforts that can be accomplished with minimal effort during slow down periods and right from home, such as building an ICS Range and DIY for home learning.


Tom VanNorman, Director of Engineering Services at Dragos, Inc. started his presentation by asking questions such as:

“Are you thinking about building your own ICS Range, but you have no idea where to start?”

He then showed attendees the pros and cons of different configurations, as well as first-hand knowledge of what he found does and does not work when starting projects for personal enrichment or for work.


Continuing the theme of simple wins during slowdowns, Austin Scott, Principal Industrial Penetration Tester, Dragos, Inc., talked about how the COVID-19 pandemic had added constraints on the ICS industry's ability to move ICS cybersecurity programs forward.

Scott detailed several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk.

“Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues,” he said.


Don C. Weber, instructor for the SANS ICS410: ICS/SCADA Security Essentials and HOSTED: Assessing and Exploiting Control Systems courses, took the virtual stage to review the capabilities of a wireless gateway, identify the potential attacks on the technology, and outline the methods to mitigate the threats.

“Security assessments help an organization understand the strengths and weaknesses of a technology. Technologies that provide public access to an environment, particularly those with operational technologies, deserve a very close look,” he said.


Threat intelligence was another big topic at the DISC – SANS ICS conference, as it allows asset owners and operations to make better cybersecurity decisions for ICS/OT environments. However, it is not easy.

Sergio Caltagirone, VP of Threat Intelligence, Dragos Inc., and Amy Bejtlich, Director of Threat Intelligence, Dragos Inc., discussed how to consume and digest threat intelligence to make it usable and make your operations better than before.

They addressed questions such as:

Do you need a “threat intelligence team”? How would you form one? Does your SOC need to know about threat intelligence? How do you measure the benefit of threat intelligence? They answer these questions and more.

Managing and understanding the risk of vulnerabilities within ICS is crucial in protecting the delivery of the function. Katherine Vajda, Senior Intelligence and Vulnerability Analyst, Dragos, Inc., discussed highlights from the 2019 vulnerability year in review report. She went over lessons learned about these vulnerabilities and what to do with this information.

She went in-depth into processes and drivers for prioritizing and understanding the risks of vulnerabilities within ICS and how to get the best ROI on your efforts involving mitigation.


The second part of the Conference started with a presentation on ICS cyber attacks in the future. Jason Dely and Jeff Shearer, SANS Institute instructors and ICS612 co-authors, provided a live demonstration of some common attack objectives and interesting ways to achieve those goals by attacking the control system through the control system itself.


One of the highlights of the conference was the presentation from conference co-chair Tim Conway, SANS ICS Curriculum lead, as he covered new insights on upcoming changes to NERC CIP and commentary on the Executive Order. He also provided Incident Response guidance beyond the current requirements.

“There are benefits and challenges that organizations need to consider in relation to the new CIP-008-6 Standard going into effect starting Jan 1 next year,” he said.

Attendee feedback

As we welcomed 8,000+ attendees throughout the two-day DISC SANS Conference, we are thankful that we reached our goals to provide this free conference to the community. But do not take our word for it! Listen to what some of our attendees said about their learning experience at the conference:

“I’ve been to entire conferences and not received as much usable information in three days as I did in these fifteen minutes!”

“The presentation gave me some serious food for thought about application and evaluation of my current environment. Great takeaways.”

*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at: