GridSecCon 2014 Training Sessions All training sessions run simultaneously on Tuesday, 14 October, and run either all-day (starting at 8 a.m.) or halfday (starting at 1 p.m.). A full conference registration must be purchased to attend a training session. There is a fee associated with Training Session 3 (details below). Due to the technical nature of the session, Training Session 4 has three preliminary training events scheduled prior to the conference (details below). Training Session 1: Physical Security – Lawrence Livermore National Laboratory (free, all-day, 100 seats available) Audience – physical security professionals Location - 2nd Floor, Regency Ballroom West Subject Matter Experts from Lawrence Livermore National Laboratory will provide physical security training on the approaches they’ve successfully used in their critical energy infrastructure protection work. The individual topics include: Performance Based Philosophy and Defining the Threat, Conducting Performance Based Assessments, Identifying the Security Enhancements and Developing a Cost Benefit Analysis, and Software Tools Training Session 2: Security Awareness Training for Electric Entities - SANS (free, half-day, 75 seats available, starts at 1 p.m.) Audience – compliance specialists, trainers, compliance managers Location - 2nd Floor, Regency Ballroom Center NERC CIP Versions 1-3 require entities to have training programs for individuals who have authorized cyber or authorized unescorted physical access to Critical Cyber Assets. The training programs must provide for quarterly security awareness training as well as annual cyber security training on a variety of topics. SANS Institute’s Securing the Human has a new awareness training program that addresses these NERC-CIP compliance standards for Utilities. As the CIP Version 5 implementation date approaches, existing training programs will need to be 3353 Peachtree Road NE Suite 600, North Tower Atlanta, GA 30326 404-446-2560 | www.nerc.com expanded and modified to address new areas and new employees not previously in scope of the NERC CIP requirements. This half-day session will walk through CIP V1-3 and CIP V5 training program requirements and will demonstrate the SANS security awareness offerings for electric sector entities. The session will also demonstrate the new SANS engineer and operator focused cybersecurity awareness training, which was developed to go beyond compliance and truly target the development of secure behaviors for the employees that are interfacing with the ICS technology on a daily basis. Training Session 3: Sneak Peek at the SANS ICS 500 Level Course - SANS ($575*, all-day, 75 seats available) Audience – technical / cybersecurity professionals Location - 2nd Floor, Rio Grande Ballroom East The SANS ICS 500 level course is a follow on course to the popular ICS 410 cybersecurity essentials course that was introduced to the market last year at GridSecCon 2013. Following in that tradition, SANS will be introducing the second ICS defense-focused course in the ICS curriculum at GridSecCon 2014. The new ICS course has been designed to empower students with the ability to understand and utilize active defense mechanisms in concert with incident response for industrial control system networks to respond to and deny cyber threats. This class uses a hands-on approach to give students a technical understanding of concepts such as: identifying attack paths and information that illuminates them, communicating control system needs to information technology personnel to deploy appropriate defenses, detecting malicious actors or threats on control system networks, and performing threat triage and incident response to ensure the safety and reliability of operations technology environments While the full course is a 5-day format, SANS will be offering the unique audience of electricity sub-sector cybersecurity practitioners a sneak peek at the course and specifically the second day’s material. This course day provides students with an introduction to the idea of active defense as well as cyber counter intelligence to limit their control system threat landscape and deploy effective detection and defense measures against known and unknown threats. This sneak peek will also provide students the opportunity to hear an overview of the course topics covered in the full 5 day course. * This training session requires a payment of $595 on the SANS website, location: TBD Training Session 4: Control System Defensive Exercise - CYBATI (free, all-day, 48 seats available) Audience – technical / cybersecurity / operational professionals Location - 2nd Floor, Rio Grande Ballroom Center CYBATI is offering a sneak preview of its new hands-on control system defensive exercise for cyber and operational professionals, CybatiWorks Blue. The day-long exercise steps each team of participants through a series of active cyber-physical events. The teams establish and perform operational and technical procedures to implement protective controls while detecting and actively defending against a series of attacks performed by the CYBATI red team. Participants will be briefly introduced to their team’s environment, and then navigate several stages throughout the exercise prior to summarizing the day's activities. Each team’s environment will include hands-on elements including industrial controllers, relays, meters, host operating systems, applications, communication protocols and processes. All participants will receive 8 CPEs and an exercise completion certificate. The event is purely a defensive exercise with live cyber-physical attacks performed by the CYBATI red team. Three (3) additional educational events will be performed leading up to the event to ensure participants are well prepared and for team selection. The 3 educational events will be live with recordings available afterwards to review for participants that were unable to attend. CybatiWorks Blue Preliminary Training Events 1. July 24, 2014 : 11 a.m. – 12 p.m. USA Central (Team Environment Review) 2. August 19, 2014 : 11 a.m. – 12 p.m. USA Central (Preventive Controls) 3. September 18, 2014: 11 a.m. – 12 p.m. USA Central (Detection in Depth) CybatiWorks Blue at NERC GridSecCon 2014 is limited to a maximum of 48 participants. Participants are allowed to bring any additional equipment and systems but should be aware that they will be participating on a hostile network. Each participant will also be provided with the CybatiWorks VMWare virtual machine to optionally use in the event. Participants can also request to be part of the CYBATI red team or serve as exercise volunteers.