GridSecCon 2014 Training Sessions
All training sessions run simultaneously on Tuesday, 14 October, and run either all-day (starting at 8 a.m.) or halfday (starting at 1 p.m.). A full conference registration must be purchased to attend a training session. There is a
fee associated with Training Session 3 (details below). Due to the technical nature of the session, Training Session 4
has three preliminary training events scheduled prior to the conference (details below).
Training Session 1: Physical Security – Lawrence Livermore National Laboratory (free, all-day, 100 seats
available)
Audience – physical security professionals
Location - 2nd Floor, Regency Ballroom West
Subject Matter Experts from Lawrence Livermore National Laboratory will provide physical security training on the
approaches they’ve successfully used in their critical energy infrastructure protection work. The individual topics
include:




Performance Based Philosophy and Defining the Threat,
Conducting Performance Based Assessments,
Identifying the Security Enhancements and Developing a Cost Benefit Analysis, and
Software Tools
Training Session 2: Security Awareness Training for Electric Entities - SANS (free, half-day, 75 seats available,
starts at 1 p.m.)
Audience – compliance specialists, trainers, compliance managers
Location - 2nd Floor, Regency Ballroom Center
NERC CIP Versions 1-3 require entities to have training programs for individuals who have authorized cyber or
authorized unescorted physical access to Critical Cyber Assets. The training programs must provide for quarterly
security awareness training as well as annual cyber security training on a variety of topics. SANS Institute’s Securing
the Human has a new awareness training program that addresses these NERC-CIP compliance standards for
Utilities. As the CIP Version 5 implementation date approaches, existing training programs will need to be
3353 Peachtree Road NE
Suite 600, North Tower
Atlanta, GA 30326
404-446-2560 | www.nerc.com
expanded and modified to address new areas and new employees not previously in scope of the NERC CIP
requirements.
This half-day session will walk through CIP V1-3 and CIP V5 training program requirements and will demonstrate the
SANS security awareness offerings for electric sector entities. The session will also demonstrate the new SANS
engineer and operator focused cybersecurity awareness training, which was developed to go beyond compliance
and truly target the development of secure behaviors for the employees that are interfacing with the ICS
technology on a daily basis.
Training Session 3: Sneak Peek at the SANS ICS 500 Level Course - SANS ($575*, all-day, 75 seats available)
Audience – technical / cybersecurity professionals
Location - 2nd Floor, Rio Grande Ballroom East
The SANS ICS 500 level course is a follow on course to the popular ICS 410 cybersecurity essentials course that was
introduced to the market last year at GridSecCon 2013. Following in that tradition, SANS will be introducing the
second ICS defense-focused course in the ICS curriculum at GridSecCon 2014. The new ICS course has been
designed to empower students with the ability to understand and utilize active defense mechanisms in concert with
incident response for industrial control system networks to respond to and deny cyber threats. This class uses a
hands-on approach to give students a technical understanding of concepts such as:




identifying attack paths and information that illuminates them,
communicating control system needs to information technology personnel to deploy appropriate defenses,
detecting malicious actors or threats on control system networks, and
performing threat triage and incident response to ensure the safety and reliability of operations technology
environments
While the full course is a 5-day format, SANS will be offering the unique audience of electricity sub-sector
cybersecurity practitioners a sneak peek at the course and specifically the second day’s material. This course day
provides students with an introduction to the idea of active defense as well as cyber counter intelligence to limit
their control system threat landscape and deploy effective detection and defense measures against known and
unknown threats. This sneak peek will also provide students the opportunity to hear an overview of the course
topics covered in the full 5 day course.
* This training session requires a payment of $595 on the SANS website, location: TBD
Training Session 4: Control System Defensive Exercise - CYBATI (free, all-day, 48 seats available)
Audience – technical / cybersecurity / operational professionals
Location - 2nd Floor, Rio Grande Ballroom Center
CYBATI is offering a sneak preview of its new hands-on control system defensive exercise for cyber and operational
professionals, CybatiWorks Blue. The day-long exercise steps each team of participants through a series of active
cyber-physical events. The teams establish and perform operational and technical procedures to implement
protective controls while detecting and actively defending against a series of attacks performed by the CYBATI red
team.
Participants will be briefly introduced to their team’s environment, and then navigate several stages throughout the
exercise prior to summarizing the day's activities. Each team’s environment will include hands-on elements
including industrial controllers, relays, meters, host operating systems, applications, communication protocols and
processes. All participants will receive 8 CPEs and an exercise completion certificate.
The event is purely a defensive exercise with live cyber-physical attacks performed by the CYBATI red team. Three
(3) additional educational events will be performed leading up to the event to ensure participants are well prepared
and for team selection. The 3 educational events will be live with recordings available afterwards to review for
participants that were unable to attend.
CybatiWorks Blue Preliminary Training Events
1. July 24, 2014 : 11 a.m. – 12 p.m. USA Central (Team Environment Review)
2. August 19, 2014 : 11 a.m. – 12 p.m. USA Central (Preventive Controls)
3. September 18, 2014: 11 a.m. – 12 p.m. USA Central (Detection in Depth)
CybatiWorks Blue at NERC GridSecCon 2014 is limited to a maximum of 48 participants. Participants are allowed to
bring any additional equipment and systems but should be aware that they will be participating on a hostile
network. Each participant will also be provided with the CybatiWorks VMWare virtual machine to optionally use in
the event. Participants can also request to be part of the CYBATI red team or serve as exercise volunteers.