About

Conference

SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions.

Sessions

Monday, October 27, 2025

  • Mike Lennon Director, ICS Cybersecurity Conference - SecurityWeek

Industrial Cybersecurity Launchpad (9AM - 4PM)

(Workshop Registration Fee: $395) Navigating the complex world of industrial cybersecurity can be daunting for those new to the field. With emerging threats targeting Operational Technology (OT), there has never been a more critical time to understand and secure your industrial systems.

Geared towards newcomers but beneficial for all, these sessions cover everything from landscape overviews to emergency response protocols.

Whether you’re new to the field or looking to fill gaps in your existing knowledge, these Launchpad sessions will provide an overview of various elements of industrial cybersecurity. Equip yourself with the foundational tools and skills to secure your industrial systems in today’s ever-evolving cyber landscape. Join us for a full day of learning, practical exercises, and networking opportunities.

The Industrial Cybersecurity Launchpad workshop consists of several sessions that will help you take the next step towards becoming an industrial cybersecurity pro!

Trippe Room (Breakouts)
Mon 8:30 AM - 9:00 AM

[Launchpad] Answer the ICS Security Wake-up Call: It’s Time to Stop Fixing OT Problems with IT Tools

OT environments are not like data centers. Trying to secure OT with IT tools is like trying to play a vinyl record on a CD player—same goal, ineffective technology.

With so many companies across industries adopting hybrid SOCs to bridge their IT and OT environments, security professionals are quickly recognizing that simply extending IT cybersecurity technologies and approaches across OT creates significant new risks. Take network segmentation, for example. Introducing VLAN technology in firewalls and managed switches for ICS demands costly downtime for continuous maintenance and network redesigns. Furthermore, by forcing all traffic through central firewalls, traditional IT segmentation can introduce unacceptable levels of latency, tee up very expensive points of failure and block critical communications—all while ineffectively protecting against insider threats and failing to block lateral movement.

Indeed, taking IT approaches to tackle critical OT cybersecurity requirements—asset visibility, vulnerability management, anti-virus deployment, change control, application “allowlisting,” EDR and periodic inspection, etc.—often introduces significantly more problems than it solves. Countering one threat might open three new vectors. The inconvenient truth is that cybersecurity that has proven highly effective for IT can actually increase risks in ICS environments. Well-founded concerns in this vein are why OT decision-makers often are reluctant to deploy cybersecurity at all. If the company’s ICS technologies have been delivering results (in some cases for a decade or more), why risk the possibility of unintended consequences of implementing unfamiliar new protection?

Of course, the global rise in cyber threats and attacks against OT makes inaction increasingly unwarranted. Most companies are taking at least some action to ensure business continuity, even if only putting it on the radar. Some are focused on where to start; others are deep into the unfortunate discovery of the substantial challenges of force-fitting traditional IT security into OT.

The good news is that the OT and IT worlds are making strides in working together, and OT now has specific guidance and regulations for protecting critical assets in multiple sectors. Today, forward-thinking companies in more industrial spaces are seeing—from visibility and vulnerability management to risk response—that solutions conceived specifically for the priorities and protocols of the OT environment successfully avert new risks and help keep operations running and revenues flowing.

This presentation will explore how and why OT demands specialized strategies that prioritize minimizing internet exposure, controlling updates, preventing latency, reducing failure points and maintaining operator control. Attendees will walk away with a clear understanding of how to avoid the most common (and costly) missteps and what it really takes to keep operations safe and secure.

Trippe Room (Breakouts)
Mon 9:00 AM - 9:45 AM

ICS/OT Cybersecurity Incident Preparedness & Response Workshop

Updated with new content for 2025!

It is critical to understand how to effectively train for, prepare for, and respond to a cyber incident in order to minimize the impacts to your safety, production, and business. This workshop is designed to equip you with the essential skills and knowledge to effectively create, implement, and manage an incident response plan in the realm of ICS and OT.

Full Workshop Description:
https://www.icscybersecurityconference.com/training/ics-ot-cybersecurity-incident-preparedness-response-workshop/

Hope II
Mon 9:00 AM - 4:55 PM

Applied ICS Security Training Lab

This full-day lab course gives participants hands-on experience attacking and hardening a simulated power plant network to learn about common ICS vulnerabilities and defenses. Participants will attack historians, HMIs, and PLCs to cause a power outage in the 3D simulation, and then implement defenses like firewalls and network monitoring to harden it.

Participants must bring their own laptop with either Chrome or Firefox installed.
Some Linux experience is helpful but not required.

(Additional Fee: $495)

Full Course Description: https://www.icscybersecurityconference.com/training/applied-ics-security-training-lab/

Hope III
Mon 9:00 AM - 4:55 PM

[Launchpad] Integrating IT and OT: Designing a Secure ICS Architecture

The integration of Information Technology (IT) and Operational Technology (OT) is becoming increasingly essential for optimizing Industrial Control Systems (ICS). However, the convergence of these two domains brings significant cybersecurity challenges that must be addressed to ensure the security and resilience of critical infrastructure. This conference session will explore the design of a secure ICS architecture, focusing on the implementation of robust strategies such as the creation of a well-defined De-Militarized Zone (DMZ), network segmentation, and micro-segmentation to safeguard IT and OT environments. The session will cover best practices for minimizing attack surfaces, ensuring secure communication between systems, and maintaining operational continuity in the face of evolving cyber threats.

Real-world case studies will illustrate the successful integration of these strategies, highlighting lessons learned and best practices. Participants will also examine relevant regulatory frameworks and emerging technologies that facilitate secure IT-OT integration. The session will underscore the importance of collaboration between IT and OT teams, emphasizing a holistic approach to securing critical infrastructure and fostering a resilient cybersecurity posture in an increasingly interconnected world.

Key topics of discussion are:
• Introduction to IT-OT Integration
- Definition
- Benefits
- Challenges
• Importance of Secure ICS Architecture
- Why Secure Architecture is Essential
- Key Components of a Secure ICS Architecture
• Overview of DMZ Concepts
- Definition of a DMZ
- Purpose of a DMZ
- Design Considerations
• Best Practices for Network Segmentation
- Key Principles
- Segmentation Strategies
- Implementation Steps
• Micro-Segmentation Strategies
- Definition
- Benefits of Micro-Segmentation
- Implementation Techniques
- Considerations
• Case Studies in IT-OT Integration
- Case Study 1: Manufacturing Facility
- Case Study 2: Energy Sector Organization
• Regulatory Considerations
- Overview of Relevant Regulations
- Implications for ICS Architecture
- Strategies for Compliance
• Tools and Technologies
- Security Tools for IT-OT Integration
- Segmentation Technologies
- Assessment and Management Tools
• Conclusion and Key Takeaways
- Importance of Integrated Security
- Key Strategies
- Ongoing Monitoring and Adaptation

Trippe Room (Breakouts)
Mon 9:45 AM - 10:30 AM

[Launchpad] Tales from the Road, How to Crawl, Walk, Run in ICS Cybersecurity

ICS Cybersecurity is where Engineering meets IT. Different critical infrastructure verticals have various limitations and constraints that prevent a smooth implementation of many comprehensive cybersecurity frameworks. Rather than using the SANS ICS Five Critical Controls as a benchmark, recommendations for ICS Cybersecurity need to be tailored to meet the organization where it is. The session presents case studies on incremental shifts that are attainable within a budget cycle to prepare for the next outage window.

Trippe Room (Breakouts)
Mon 10:45 AM - 11:30 AM
  • Ahmik Hindman Sr. Network & Security Solution Consultant - Rockwell Automation

[Launchpad] Securing OT/ICS: Implementing CISA’s Secure by Demand Principles

This session explores CISA’s Secure by Demand guidance, highlighting 12 critical security elements that should seamlessly integrate into OT/ICS products for a defense-in-depth strategy, mitigating vulnerabilities and prioritizing Secure by Design principles.

The 12 Critical Security Elements:

1. Configuration Management: Securely track modifications to configurations and logic.
2. Logging in the Baseline Product: Standardized logs for security and incident response.
3. Open Standards: Interoperable standards ensure secure functionality and flexibility.
4. Ownership: Operator autonomy over maintenance and updates.
5. Protection of Data: Integrity and confidentiality of operational data at all times.
6. Secure by Default: Security features enabled out of the box to reduce attack surfaces.
7. Secure Communications: Authenticated encrypted communication with simplified certificate management.
8. Secure Controls: Resilience against malicious commands, ensuring system availability.
9. Strong Authentication: Phishing-resistant multifactor authentication; no shared role-based passwords.
10. Threat Modeling: Up-to-date threat model detailing security risks and mitigation.
11. Vulnerability Management: Rigorous testing and timely remediation of vulnerabilities.
12. Upgrade and Patch Tooling: Owner-controlled security updates with a streamlined process.
Attendees gain actionable insights for protecting OT/ICS environments against evolving threats. By embedding security into design and procurement, organizations foster a resilient industrial cybersecurity ecosystem that proactively defends against cyber risks.

This session will explore strategic approaches for integrating Secure by Demand principles and fortifying OT/ICS defenses.

Trippe Room (Breakouts)
Mon 11:30 AM - 12:15 PM

Build a Resilient OT Cybersecurity Ecosystem: Lessons from Experience in Middle East

The OT cybersecurity landscape in the Middle East faces unique challenges, from protecting critical infrastructure in energy and utilities to countering sophisticated nation-state threats. Drawing on real-world experiences in the region, this presentation, "Build a Resilient OT Cybersecurity Ecosystem," outlines a comprehensive OT cybersecurity ecosystem to safeguard Industrial Control Systems (ICS) against evolving threats.

The ecosystem integrates 12 critical components: End Point Protection, Secure Remote Access, Privileged Access Management, Patch Management, Asset Visibility, Anomaly Detection, Public Key Infrastructure (PKI), Air-Gapped Environment, Vulnerability Management, Incident Response, Insider Risk Management, and Threat Intelligence with Cross-Domain Solutions.

Through case studies of OT cyber incidents in the Middle East, such as attacks on oil and gas facilities, the study highlights vulnerabilities like unpatched legacy systems, insider threats, and inadequate network segmentation. These incidents underscore the need for a holistic ecosystem tailored to OT environments.

This session provides a checklist for assessing ecosystem maturity and actionable steps for enhancing OT security.

Trippe Room (Breakouts)
Mon 1:15 PM - 2:00 PM

[Launchpad] How Effective Insider Risk Management is Essential to Operational Reliability

Organizations in the energy and utility industries must vigilantly defend against a number of risks with the potential to disrupt critical operations. While protecting against cyberattacks from external threats is critical, guarding against internal threats that can compromise reliability of services is equally vital.

Whether done with malicious intent to harm operations or due to simple negligence that is unintentional, insider risk events pose a real threat to critical infrastructure industries today. Preventing them requires more than simply detecting and remedying an event. Effective insider risk management solutions proactively identify the precursors of an event and provide the right level of visibility to mitigate the risk before any unauthorized action becomes a threat to operations or other employees.

Proactively monitoring and analyzing the many variables that can contribute to insider risk is a daunting task for any internal risk management team. Fortunately, the rise of AI has enabled new tools for faster, more thorough insider risk analysis.

AI can correlate numerous precursor and stressor risk indicators with behavioral data across different departments such as Human Resources, IT and physical security systems to more efficiently expose a potential risk.

AI makes possible linguistic analysis that inspects subjective information contained in employee emails, chat logs and other communications for troubling content that gives indication of potential threatening behavior.

AI also enables deep data analytics of vast quantities of risk indicators and customization of metrics by an organization to efficiently and effectively identify anomalous behavior associated with malicious and non-malicious intentions from insiders.

Effective insider risk programs don’t just give analysts insight into what happened, but also why it may have happened. The reason behind the event could mean the difference between the costly and time-consuming option of separating an employee from the organization and re-training a replacement, and simply reminding the employee not to upload files to an insecure server. By understanding the root cause, effective insider risk programs can provide business value to the organization through a reduction in the mean time to investigate (MTTI) and mean time to remediate (MTTR) an employee or organization behavior.

Today’s operational environment is making it more and more difficult for organizations to defend against insider risks. Organizations in the energy and utility sectors are increasingly leveraging AI-enabled insider threat management tools to successfully manage and avert internal risks.

Participants will learn:

- Various factors that contribute to either malicious or negligent insider risk within organizations
- The monitoring and analysis elements of a successful insider risk management program
- How AI-enabled tools contribute to more effective and efficient insider risk management

Trippe Room (Breakouts)
Mon 2:00 PM - 2:45 PM

[Launchpad] The OT Approach to Design and Cybersecurity

Operational Technology (OT) networks are a unique environment that requires a different approach to design, maintain, and secure. However, organizations often try to force the traditional prioritization of confidentiality in the CIA (Confidentiality, Integrity, Availability) triangle onto the OT infrastructure. Yet, when stopping to consider the difference in purposes and goals of the Information Technology (IT) and OT networks, organizations find that the same technologies and approach are not always the best fit. This is where the benefits of separate IT and OT groups for network infrastructure become apparent. Each group can address design, maintenance, and cybersecurity in a way that is custom tailored to fit the needs of its network. This means that the traditional IT network can prioritize the confidentiality side of the CIA triangle, and the OT network can prioritize availability. In the design of the OT network, organizations can consider various topologies, communication methods, and hardware redundancies that differ from IT norms in order to maximize availability. If there are periods requiring network maintenance, the OT network can take an approach that minimizes impact on operations and considers stability. This also allows traditional IT network and server maintenance to be separated to minimize the impact on the OT network. Finally, when considering cybersecurity, the IT network can focus on the protection of confidential data found in IT networks, while the OT network can focus on security measures that ensure continuity of operations. When organizations consider the needs and goals of the OT network that operations depend on, they find there are unique approaches that should be taken when considering the design, maintenance, and cybersecurity of the OT network.

Trippe Room (Breakouts)
Mon 2:45 PM - 3:30 PM

[Launchpad] Lean Teams, Big Impact: Automating Evidence and Governance in OT

Most manufacturers don’t have large OT security teams; they have one or two people balancing production demands, vendors, and audits. The real challenge isn’t more detections; it’s proving control and compliance without drowning in manual evidence collection.

This session introduces a workflow-driven model where compliance becomes the natural output of daily work. Vendor access, patch decisions, incident response, and periodic assurance cycles are all structured so that each step generates its own evidence. Instead of chasing logs and spreadsheets, teams build a living compliance ledger that is always current and audit-ready.

Attendees will learn how this approach reduces audit fatigue, accelerates governance cycles, and creates board-ready metrics that show real risk reduction. The takeaway: with workflow-embedded proof, even the leanest OT security teams can deliver enterprise-scale confidence and resilience.

Trippe Room (Breakouts)
Mon 3:45 PM - 4:30 PM

Tuesday, October 28, 2025

  • Keith Casey Cybersecurity & Identity Strategist, Product Marketing - Keystrike

What Does the Data Reveal About Modern Advanced Threats and How to Counter Them?

State-sponsored and advanced threat groups (e.g., China's Volt Typhoon) routinely bypass well-known controls by abusing identities and tokens across IT and OT. While federal guidance (CISA, NIST, and EPA) has expanded rapidly, attackers still succeed—not because we lack standards, but because most standards prioritize yesterday's attacks.

Over breakfast, Keith Casey will compare real intrusions to federal best practices in 2025 and show a pragmatic approach to detect and block advanced persistent threats earlier—before they reach our sensitive systems.

Learning Objectives (attendees will be able to…)
- Visualize the top identity- and protocol-level attack patterns used across IT/OT.
- Map current CISA/NIST/EPA guidance to these patterns and spot gaps.
- Exploit an efficient chokepoint to disrupt lateral movement of attackers.

Key Topics
- Identity, token abuse, and living-off-the-land attacks in IT/OT
- The contours where existing controls and frameworks do and don’t help
- Inside-out security: Securing important data/systems first and then working outwards towards a perimeter

Trippe Room (Breakouts)
Tue 8:10 AM - 8:55 AM
  • Brian Schleifer Southeast Regional System Security Engineer & Cybersecurity SME - Modern Technology Solutions Inc (MTSI)
  • Benjamin Stirling Director Cybersecurity & Operational Technology - Jacobs
  • Kyle Robinson Industrial Network Cybersecurity Analyst - Tallgrass Energy
  • Chris Wiwczaroski Enterprise Architect - OT Infrastructure - Metropolitan St. Louis Sewer District

Panel: OT Security Successes, Failures, and the Road Ahead

Industrial cybersecurity has evolved dramatically over the past two decades—from early efforts to raise awareness, to today’s increasing regulatory pressures, advanced threats, and growing recognition of OT security as a national and global priority. But how far have we really come, and what lies ahead?

This panel brings together seasoned veterans of the industrial cybersecurity community who have witnessed the field’s evolution firsthand. Together, they will reflect on where we’ve been, highlight both the successes and shortcomings along the way, and discuss the most pressing challenges for the future of securing critical infrastructure.

Topics will include:
• Lessons learned from early efforts to secure OT and ICS environments
• Success stories and progress made across industries and regions
• Persistent gaps, failures, and areas still lagging behind
• The evolving threat landscape, from ransomware to nation-state actors
• What the next decade may hold for defenders of industrial systems

Join this candid conversation with experts who helped shape the field, as they share hard-earned insights and perspectives on building a safer, more resilient industrial cybersecurity future.

Windsor CDE (Main Stage)
Tue 9:00 AM - 9:45 AM
  • Brian Schleifer Southeast Regional System Security Engineer & Cybersecurity SME - Modern Technology Solutions Inc (MTSI)

Training: Cyber Attack Methods for Cyber-Physical Systems (Day 1)

US ONLY: This training is available for United States Citizens only. (Workshop Registration Fee: $3995)

Note: This hands-on training will take place Tuesday, October 28th – Thursday, October 30th. Day 1 will be a full day, and Days 2 and 3 will be half days. Students will be able to attend sessions of the core ICS Cybersecurity Conference and access instructors even when the workshop is not in session. Access to all conference meals and networking events is also included.

Cyber-physical systems, i.e., systems that bridge the cyber and physical domains, are attractive targets for attack partially due to the possibility of causing real-world physical loss to the victim.

Have you ever wondered how cyber adversaries execute these sort of attacks? Do you see attacks in the news and wonder, “how did the attacker even think to do that?” Do you stay up at night thinking, “could that happen to my system?” Developers want their systems to be secure and need to understand the threat. Unfortunately, broad intel reports and vague proclamations about adversary capability and intent may not give developers a concrete understanding of what they can do to make their systems more secure.

This Cyber Attack Methods course takes a unique approach to meeting this need, putting students into the shoes of an attacker — walking them through the steps of system discovery, exploitation, and delivering a mission-impacting attack against an intentionally vulnerable virtual cyber physical system with their hands on the keyboard. In this course we won’t turn you into a hacker, but you will learn to think like one!

Course Objectives:

- Provide an understanding of methods that an attacker may use against cyber-physical systems and their impact on mission readiness, capability, confidentiality, integrity, availability, productivity, or revenue.
- With hands-on keyboard, develop and execute attacks against a representative cyber-physical system; discuss and evaluate mitigations against these attacks.
- Foster an attacker mindset, enabling participants to think like bad actors, walk through attack methods related to historic exploits, and apply that knowledge to making systems more secure.

What students should know beforehand:

What students will learn:

Students will gain a tangible appreciation for adversary mindset, tactics, techniques and procedures related to enumerating and exploiting weaknesses in cyber physical systems. They will also learn to think through real-world mitigations and design choices to reduce attack surface and provide greater protections in the systems they design, build, or oversee.

Hope II
Tue 9:00 AM - 5:00 PM

Failure to Accelerate - How to Re-ignite the Spark to Sustain OT Security Programs

This session explores practical strategies to reignite stalled OT security initiatives. Attendees will gain insight into what it takes to move beyond FUD, rebuild momentum, and design programs that not only endure but also empower organizations to thrive in an increasingly complex threat landscape.

Windsor CDE (Main Stage)
Tue 9:45 AM - 10:30 AM

Navigating Complexities in Global Oil and Gas Projects: A Fireside Chat on ICS Security

In the dynamic landscape of the oil and gas industry, managing large-scale projects across diverse sectors—midstream, upstream, unconventional, LCS, downstream, and manufacturing—presents unique challenges. This fireside chat will bring together key leaders from our organization to discuss how we navigate conflicting business needs while ensuring robust ICS security.

Windsor CDE (Main Stage)
Tue 10:45 AM - 11:30 AM
  • Kevin Holcomb Technical Marketing Engineer, Industrial IoT Business Unit - Cisco Systems

Security Fused into the Network to Protect OT at Scale

Security is the foundation of every conversation in today's industrial landscape. As operational technology (OT) environments grow increasingly complex, organizations require a comprehensive security and networking solution that delivers asset visibility, access control, and context-level security. In this demo, we will showcase how Cisco's integrated portfolio, including Cyber Vision, Secure Equipment Access (SEA), Splunk, Identity Services Engine (ISE), and Firewall Management Center (FMC), enables organizations to secure their industrial operations from the ground up.

Trippe Room (Breakouts)
Tue 10:45 AM - 11:15 AM

Closing the Gaps: No More Easy Targets

Attacks targeting OT/ICS networks and the IT networks connected to them continue to increase, and yet most OT/ICS environments are still not prepared for what is coming. Not only are they not prepared, but many make it too easy for attackers to get into their environments and have an impact. From shutting down manufacturing operations to turning off the heating for two days with subzero temperatures outside, many successful attacks against OT/ICS environments today happen because environments are not prepared. But why are they not prepared? Lack of awareness and education? Lack of resources? Uncertainty about where to start? The real answer is: all of the above.

This presentation will cover recent real-world examples of how we make it too easy for attackers to have an impact on our OT/ICS operations, and how defending against such attacks does not have to be complicated or complex, including a look at how easy it is to use GenAI to write state adversary-level tools to attack OT. Ultimately, we'll discuss the five B.A.S.I.C. steps to defending OT using a cost-effective approach to reduce the growing risk of impacts to OT/ICS. And then, any environment can be stronger today than it was yesterday.

Windsor CDE (Main Stage)
Tue 11:30 AM - 12:15 PM
  • Brian Deken Sales Director, Industrial Cybersecurity - Rockwell Automation

Rethinking Cybersecurity with an OT-First Approach

Operational Technology (OT) cybersecurity is not simply an extension of IT security—it is a distinct discipline with unique challenges and priorities. While IT security focuses on protecting data, OT security is about safeguarding physical processes, uptime, and human safety. Yet many organizations continue to rely on traditional IT tools that were never designed for the specialized protocols, legacy systems, and real-time demands of industrial environments. This misalignment leaves critical infrastructure exposed and decision-makers without the visibility or context needed to accurately assess risk. Without purpose-built OT cybersecurity solutions, leaders are often making strategic decisions based on incomplete or misleading information about their true security posture. To protect operations and ensure resilience, organizations must adopt an OT-first approach that aligns with the realities of industrial environments.

Trippe Room (Breakouts)
Tue 11:30 AM - 12:00 PM

Securing the Unseen: Transforming OT/IoT Risk Management with Nozomi Networks

OT and IoT Cyber Risk is the potential for loss of life, injuries, equipment damage, environmental damage, financial harm, and operational disruptions caused by the failure, misuse, or cyber compromise of connected OT and IoT systems that support industrial and critical infrastructure operations. Join Nozomi Networks for a deep dive into how global enterprises are rethinking risk management and the “unseen” layers of infrastructure across OT and IoT landscapes.

Trippe Room (Breakouts)
Tue 12:30 PM - 1:15 PM

Harnessing AI to Defend and Transform Critical Infrastructure Cybersecurity

Join this session as we investigate how to leverage AI as a powerful tool for cyber defense:

• Discover how AI can enhance visibility and control across OT environments, enabling faster detection and response to the evolving cyber threats

• Explore how AI can support compliance, reduce downtime, and empower security teams with actionable insights tailored to manufacturing environments

Windsor C (Strategy Breakout)
Tue 1:30 PM - 2:15 PM
  • John Filitz Cybersecurity Product Marketing Manager for Industrial IoT - Cisco

Defend Your Industrial Network: The Zero-Trust Blueprint You Need

Industrial networks are increasingly targeted by sophisticated cyber threats, making traditional perimeter-based security insufficient. Zero-trust architecture, recently highlighted in a CISA advisory as a key strategy for protecting critical infrastructure, assumes no implicit trust within or outside the network. This presentation explores the urgent need for zero-trust in industrial environments, focusing on two essential pillars: zero-trust segmentation—aligned with the IEC62443 zones and conduits model to control lateral movement—and zero-trust remote access, which enforces policy-driven, least-privilege connectivity for remote users. Attendees will learn a practical approach to implementing zero-trust easily and effectively, without disrupting industrial operations.

Windsor DE (Technical Breakout)
Tue 1:30 PM - 2:15 PM

Maturing OT Cyber Programs: From Static Defense to Strategic Advantage

It is more critical than ever to remain agile in maturing OT cyber programs. Most organizations have made significant investment in their OT cyber programs all while targets are shifting, objectives are evolving, expectations are in flux, the landscape is changing, and standards are being redefined.

Securing leadership support when the goal posts are moving requires strategic communication and framing while keeping both cost and time in mind. Organizations must remain agile through continuous adoption and improvement of existing OT cyber programs.

This session will discuss key steps to securing leadership buy-in, and critical ingredients to successfully revitalizing your cyber program.

Windsor C (Strategy Breakout)
Tue 2:20 PM - 2:55 PM

Why OT Johnny Can’t Encrypt

CISA, Standards Development Organizations, and OEMs conducted customer research within the control systems community, including water, transportation, chemical, energy, and food & ag operators, with the aim of understanding barriers to secure communication. Secure versions of industrial protocols exist (e.g., DNP3 to DNP3 SAv5); however, the technical maturity of a solution is irrelevant if the solution is not usable by the target audience. Operators often have the technical tools and desire to secure communication but cannot do so due to cost and complexity.

This talk identifies common barriers for operators and highlights ways that OT manufacturers can reduce these barriers. Examples include prioritizing message signing over encryption for easier integrity and authentication, reducing the complexity of secure deployments, and ensuring secure protocols are interoperable to simplify legacy transitions.
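As an added illustration of the "signing over encryption" point (example code, not from the talk, CISA or any OEM), the following Python models a challenge-response message authentication exchange in the spirit of DNP3 Secure Authentication: the operate request stays in cleartext so an operator can still read it in a packet capture, but the outstation only executes it if an HMAC tag computed over a fresh challenge and the frame verifies. The pre-shared key, the frame contents and the message layout are constructed for this example and do not reproduce the SAv5 wire format.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Pre-shared update key between master and outstation. Constructed for this example;
# a real SAv5 deployment provisions per-user update keys and derives short-lived session keys.
UPDATE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
TAG_LEN = 16  # truncated HMAC-SHA256 tag: enough for integrity, small enough for slow serial links


def make_tag(key: bytes, challenge: bytes, frame: bytes) -> bytes:
    """MAC over challenge || frame, binding one critical operation to one fresh nonce."""
    return hmac.new(key, challenge + frame, hashlib.sha256).digest()[:TAG_LEN]


class Outstation:
    """Field device: issues a challenge for each critical request, then checks the tag."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending: Optional[bytes] = None   # outstanding challenge nonce, single use
        self.accepted: List[bytes] = []        # cleartext frames accepted for execution

    def issue_challenge(self) -> bytes:
        self.pending = os.urandom(8)
        return self.pending

    def receive(self, frame: bytes, tag: bytes) -> bool:
        if self.pending is None:
            return False                       # nothing outstanding: replayed or out of sequence
        expected = make_tag(self.key, self.pending, frame)
        self.pending = None                    # nonce is consumed whether or not the tag verifies
        if not hmac.compare_digest(expected, tag):
            return False                       # wrong key or modified frame
        self.accepted.append(frame)
        return True


class Master:
    """Control centre: answers a challenge by tagging the operate request it wants executed."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes, frame: bytes) -> Tuple[bytes, bytes]:
        return frame, make_tag(self.key, challenge, frame)


def run_exchange(frame: bytes, tamper: Optional[bytes] = None, replay: bool = False) -> dict:
    """Run one master -> outstation critical operation and report what the outstation did.

    tamper: frame an on-path attacker substitutes while leaving the original tag in place.
    replay: re-send the captured (frame, tag) pair after the outstation issues a new challenge.
    """
    outstation = Outstation(UPDATE_KEY)
    master = Master(UPDATE_KEY)
    challenge = outstation.issue_challenge()
    sent_frame, tag = master.respond(challenge, frame)
    accepted = outstation.receive(tamper if tamper is not None else sent_frame, tag)
    replay_accepted = None
    if replay:
        outstation.issue_challenge()           # fresh nonce: the captured tag no longer matches
        replay_accepted = outstation.receive(sent_frame, tag)
    return {"accepted": accepted, "replay_accepted": replay_accepted,
            "executed": list(outstation.accepted)}


if __name__ == "__main__":
    op = b"OPERATE CROB point=3 LATCH_ON"     # constructed cleartext control request
    print("genuine:", run_exchange(op))
    print("tampered:", run_exchange(op, tamper=b"OPERATE CROB point=3 LATCH_OFF"))
    print("replayed:", run_exchange(op, replay=True))
```

Two details carry the security value: the tag is compared with hmac.compare_digest so a verifier does not leak timing information, and the challenge is consumed on first use, so a captured frame and tag cannot be replayed. Nothing here needs a certificate, a TLS stack or a key agreement on the wire, which is why integrity-only authentication is the easier first step for an operator.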

Windsor DE (Technical Breakout)
Tue 2:20 PM - 2:55 PM

Secure Remote Access for Operational Technology

[This is a Solutions Theater Session Sponsored by Fortinet]

The ability to securely support remote employees and contractors is essential for OT business continuity. OT organizations need to secure remote access to commission new equipment, apply critical patches, and perform repairs or troubleshooting activities remotely. This can also include remote monitoring and diagnostics, or the use of remote operations centers to cost-effectively manage geographically distributed assets.

Join this demonstration to understand the risks associated with unsecured remote access, the impact of regulations and security standards related to remote access requirements, and key security considerations when implementing remote access in OT environments.

Trippe Room (Breakouts)
Tue 2:20 PM - 2:50 PM
  • Joe Cody Director, OT Cybersecurity and Network Services - EIS Cyber

Defining, Refining, and Automating Your OT Cyber Processes

Using E-Workflows and the Concepts of Manufacturing in Life Sciences to Streamline OT Cybersecurity Procedures

Effective cybersecurity programs rely on robust documentation. Establishing clear policies, standards, and procedures is crucial. Drawing upon principles from validated manufacturing processes in the life sciences, specifically repeatability, accountability, and auditability, we can leverage electronic workflows to transform cybersecurity procedures into a readily manageable format. This transition enables rapid identification of inefficiencies within existing processes and provides essential oversight to guarantee critical tasks are executed correctly by the appropriate personnel, with readily accessible records of completion. Further integration with existing systems can eliminate manual steps, significantly reducing the workload for information security and technology teams.

Windsor C (Strategy Breakout)
Tue 3:00 PM - 3:30 PM

Protecting Critical Infrastructure with the Rigor of Classified Networks

State actors have long targeted classified government systems used to store secrets and sensitive intelligence. Over the past few years, they have expanded their targets to include critical infrastructure systems of utilities and oil & gas networks.

Given the importance of this critical infrastructure and the extent to which it is under threat, its cybersecurity is imperative and has traditionally been provided by an air gap. This solution is complicated by the need to maintain an "always on" stack of legacy technologies in the OT network, and by the need for the business to have a clear picture of OT telemetry data to inform operations and business outcomes on the IT network. These competing objectives have led to a variety of ad hoc solutions to protect OT networks and the IT networks that interface with them.

The past 5 years have taught us that such security measures are not enough. The 2021 ransomware attack on Colonial Pipeline's IT network, the Volt Typhoon actors "living off the land" in critical infrastructure, and the Salt Typhoon actors compromising US telecoms show that a different approach is needed. Fortunately, the structure of IT, critical IT, and OT systems strongly mirrors that of sensitive US Government networks, which can provide a framework for securing critical infrastructure.

A key principle of architecture for sensitive networks is protecting the junctures between systems of different risk levels, using software to bridge small differences in risk and hardware to bridge high-risk or high-consequence gaps. While software-enforced controls are not new to the industry, hardware-enforced security (Hardsec) is a government innovation that has not been widely adopted in critical infrastructure. A Hardsec device converts all data flowing through it into a known-good format and uses a hardware verifier running on a separate management plane to confirm that the content is safe.

Implementing Hardsec at the juncture points between IT and OT systems can enable critical infrastructure industries to better manage risk across this network gap and provide higher levels of assurance that a compromise of the IT network will not spread into the OT network – a far better alternative to makeshift and often unvetted solutions to bridge protected enclaves and the broader network.

Security that comes from these cross-domain security measures can compound across a larger industry sector. As these centralized points of visibility mature within organizations, they can also unite at an industry level via information sharing and analysis centers or ad hoc collaborative networks to understand best practices to minimize risks at these critical network junctures.

Audience Learnings:

-The increased nation-state threat to critical infrastructure networks.

-The complexity in securing OT networks composed of legacy systems intended to be kept on a segregated network.

-Ways to implement techniques used by government to secure critical infrastructure networks.

Windsor DE (Technical Breakout)
Tue 3:00 PM - 3:30 PM
  • Massimo Nardone VP, Operational Technology (OT) Security - SSH Communications Security

Building Secure OT & IoT Environments: How to Future-Proof Industrial Networks

As OT/IoT systems become more connected, securing industrial networks requires more than traditional defenses. This session covers best practices for protecting critical infrastructure with a Zero Trust architecture (agentless secure access and strong identity management), why quantum-safe (QS) encryption is essential for future-proofing long-lifecycle industrial assets, and how to align with standards such as ISA/IEC 62443 and NIS2.

Trippe Room (Breakouts)
Tue 3:00 PM - 3:30 PM

Practical Guide for Evaluating OT Identity Access Management, Endpoint Protection & Backup Solutions

With the rise of smart manufacturing, organizations are facing increased expectation to evaluate and integrate a modern set of technologies that support both operational continuity and cyber protection. This shift is driving the need for a balanced adoption of security solutions to support digital transformation in manufacturing.

Many organizations struggle to select and implement the right mix of solutions that are not only effective but also adhere to OT operational requirements. IAM must account for shared engineering workstations and OEM vendor access, endpoint protection needs to operate with minimal resource overhead, and both immutable and PLC backups must ensure operational resiliency with reliable backup and robust restoration processes.

In this session attendees will learn a structured approach for building requirements and evaluating IAM, endpoint protection, immutable backup, and PLC backup solutions for their OT environments. Attendees will learn how to weigh evaluation criteria and gain insights for piloting and scaling these solutions.

Windsor C (Strategy Breakout)
Tue 3:45 PM - 4:20 PM

Faster, Lighter, and more Vulnerable than Ever: Modern OT Labs with GRFICSv3

Hands-on experience is critical for developing real-world OT security skills, but access to ICS hardware and realistic testbeds is often prohibitively expensive. GRFICS v3 helps close this gap by providing a lightweight, open-source platform for simulating industrial environments in software. Fully containerized for faster deployment and easier scaling, GRFICS v3 supports affordable training, repeatable testing, and research on ICS attacks and defenses. This session will cover what is new in v3, practical examples of how it is being used, and lessons learned in building modern OT security labs. Whether you are new to GRFICS or looking to enhance your existing training and testing efforts, this talk will give you tools and ideas to take back to your own environments.

Windsor DE (Technical Breakout)
Tue 3:45 PM - 4:20 PM

Supply Chain Risks: When The Vendors Are an Attack Vector

This panel addresses the very real, very messy cyber gremlins that can introduce vulnerabilities into critical Operational Technology (OT) environments. Using examples such as SolarWinds, NotPetya, and the 2024 Lebanon electronic device attacks, we'll discuss real-world challenges and best practices to secure each link of the supply chain, including threat modeling for vendors, zero-trust approaches for third-party vendors, and compliance with frameworks such as NIST SP 800-161, IEC 62443, and Executive Order 14028.

Windsor DE (Technical Breakout)
Tue 4:20 PM - 5:00 PM

Wednesday, October 29, 2025

Tug-of-War in OT Security: Balancing Operations, Cybersecurity, and Compliance

Operational Technology (OT) environments face a constant push and pull between three powerful forces: operations, cybersecurity, and regulatory compliance. While each domain is critical to safe and reliable system performance, their priorities can often clash, creating a complex decision-making landscape where trade-offs are inevitable. It is well known that a change that improves security posture may hinder operational uptime, while a compliance-driven control may offer limited to no security value in real-world conditions.

This session explores this "tug-of-war" dynamic through the lens of real-world scenarios from critical infrastructure sectors including energy, oil & gas, and manufacturing. Building on frameworks like NIST CSF and insights from field operations, we'll examine how to assess these competing priorities and develop strategies that minimize conflict. Attendees will gain a mental model blueprint for evaluating security initiatives within this triad and learn how to spot "false wins": solutions that check compliance boxes but provide little operational or security benefit. The session will also include a discussion on governance models, the role of OT service management, and the importance of collaborative planning across engineering, IT, and security teams.

Whether you're a cybersecurity leader, plant engineer, or risk manager, the goal of this session is to provide a realistic guide to secure, operationally sound, and standards-aligned decision making in complex OT environments.

Windsor C (Strategy Breakout)
Wed 9:00 AM - 9:40 AM
  • Brian Schleifer Southeast Regional System Security Engineer & Cybersecurity SME - Modern Technology Solutions Inc (MTSI)

How to Assess Risk for AI in Embedded Systems and Cloud Environments

Artificial Intelligence (AI) has transcended its status as a mere buzzword—it is now a transformative force reshaping the very fabric of enterprise operations and embedded systems.
While AI delivers remarkable advantages—supercharging anomaly detection, enabling predictive maintenance, and bolstering operational resilience—it also ushers in a new era of risk and complexity, especially within Industrial Control Systems and Operational Technology (ICS/OT) environments.

As legacy systems, IoT devices, and cloud platforms converge, the attack surface widens exponentially. This interconnected landscape not only amplifies the potential for adversarial attacks and data poisoning but also raises the stakes for regulatory compliance and operational integrity.

So, the critical question emerges:
How can organizations effectively assess and manage the risks posed by AI in the context of embedded systems and cloud environments?
The answer is not simple, but it is essential.
Prepare yourself: we’re about to journey through the evolving world of AI risk assessment—where vigilance, innovation, and strategic foresight are your best allies.
Strap in, and let’s navigate this complex terrain together!

Windsor DE (Technical Breakout)
Wed 9:00 AM - 9:40 AM
  • Brian Schleifer Southeast Regional System Security Engineer & Cybersecurity SME - Modern Technology Solutions Inc (MTSI)

Training: Cyber Attack Methods for Cyber-Physical Systems (Day 2)

US ONLY: This training is available for United States Citizens only. (Workshop Registration Fee: $3995)

Note: This hands-on training will take place Tuesday, October 28th through Thursday, October 30th. Day 1 will be a full day, and Days 2 and 3 will be half days. Students will be able to attend sessions of the core ICS Cybersecurity Conference and access instructors even when the workshop is not in session. Access to all conference meals and networking events is also included.

Cyber-physical systems, i.e. systems that bridge the cyber and physical domains, are attractive targets for attack partially due to the possibility of causing real-world physical loss to the victim.

Have you ever wondered how cyber adversaries execute these sorts of attacks? Do you see attacks in the news and wonder, "how did the attacker even think to do that?" Do you stay up at night thinking, "could that happen to my system?" Developers want their systems to be secure and need to understand the threat. Unfortunately, broad intel reports and vague proclamations about adversary capability and intent may not give developers a concrete understanding of what they can do to make their systems more secure.

This Cyber Attack Methods course takes a unique approach to meeting this need, putting students into the shoes of an attacker — walking them through the steps of system discovery, exploitation, and delivering a mission-impacting attack against an intentionally vulnerable virtual cyber physical system with their hands on the keyboard. In this course we won’t turn you into a hacker, but you will learn to think like one!

Course Objectives:

Provide an understanding of methods that an attacker may use against cyber-physical systems and their impact on mission readiness, capability, confidentiality, integrity, availability, productivity, or revenue.
With hands-on keyboard, develop and execute attacks against a representative cyber-physical system; discuss and evaluate mitigations against these attacks.
Foster an attacker mindset, enabling participants to think like bad actors, walk through attack methods related to historic exploits, and apply that knowledge to making systems more secure.
What students should know beforehand:

What students will learn:

Students will gain a tangible appreciation for adversary mindset, tactics, techniques and procedures related to enumerating and exploiting weaknesses in cyber physical systems. They will also learn to think through real-world mitigations and design choices to reduce attack surface and provide greater protections in the systems they design, build, or oversee.

Hope II
Wed 9:00 AM - 12:30 PM

Measuring ICS Cybersecurity Effectiveness: Implementing Cybersecurity Performance Management (CPM)

Cyber threats targeting Industrial Control Systems (ICS) are rapidly evolving, placing critical infrastructure—utilities, manufacturing plants, and transportation networks—under increased risk. Despite investments in cybersecurity, many ICS operators still rely heavily on traditional activity-based metrics such as patches deployed or alerts acknowledged. These metrics often fail to demonstrate actual security resilience or meaningful risk reduction.

Cybersecurity Performance Management (CPM), a strategic framework developed and championed by cybersecurity expert Paul Innella, empowers ICS leaders to transition cybersecurity management from reactive to proactive, focusing clearly on measurable outcomes. CPM provides critical infrastructure organizations with precise, outcome-focused metrics—such as vulnerability remediation effectiveness, asset visibility in OT environments, incident response speed, and resilience of critical control systems.

This session will equip attendees with a practical understanding of CPM implementation in ICS environments, demonstrating real-world case studies and best practices. Paul Innella, with over three decades of cybersecurity experience advising high-stakes organizations such as DARPA, Deutsche Bank, and the U.S. Navy, will outline methods to accurately measure ICS cybersecurity performance, communicate strategic insights clearly to executive leadership, and ensure cybersecurity investments deliver demonstrable operational impact and ROI.

Participants will leave this session with actionable strategies for adopting CPM, strengthening ICS cybersecurity posture, and effectively reducing operational and financial risks.

Windsor C (Strategy Breakout)
Wed 9:45 AM - 10:15 AM

Failing Open Fails Zero Trust

Cyber resilience in Operational Technology (OT) environments is paramount, yet a fundamental conflict exists between traditional safety-driven "fail open" requirements and Zero Trust principles. While fail-open designs are mandated to ensure continuous operation and prevent catastrophic shutdowns in critical infrastructure, this paradigm fundamentally undermines the security tenets of Zero Trust. Zero Trust operates on the principle of "never trust, always verify," demanding explicit authorization for every access attempt and assuming compromise. However, when an OT system or control fails, failing open essentially grants unverified, implicit trust, allowing traffic or operations to proceed without security validation.
This inherent contradiction eliminates the core protective mechanisms of Zero Trust, exposing critical industrial processes to significant cyber risks. This presentation will explore how "fail open" paradigms create bypasses for microsegmentation, continuous authentication, and least privilege enforcement. We will demonstrate how attackers can exploit these design choices, turning safety features into vectors for unhindered lateral movement and data exfiltration within OT networks. Understanding this paradox is crucial for practitioners aiming to implement robust cyber resilience. We argue that achieving true security in OT requires a fundamental re-evaluation of fail-open mandates, proposing alternative architectural approaches that reconcile safety with the imperative of Zero Trust. This session offers insights into bridging this critical gap, advocating for innovative strategies to secure industrial control systems without compromising operational integrity.
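To make the conflict concrete, here is an added example (not from the talk or its speakers) of a policy enforcement point in front of a control network whose behaviour when its authorization service is unreachable is switched between failure modes. The fail-open and fail-closed modes are the two the abstract contrasts; the third, a pre-approved allowlist of safety-critical actions such as emergency stop and read-only telemetry, is an assumed illustration of the kind of alternative an architecture review might consider, not the speakers' proposal. Identities, grants and asset names are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class FailureMode(Enum):
    OPEN = "open"      # safety-driven default: pass traffic when verification is unavailable
    CLOSED = "closed"  # strict zero trust: deny everything when verification is unavailable
    SAFE = "safe"      # assumed alternative: only a pre-approved set of safety actions passes


@dataclass(frozen=True)
class Request:
    identity: str   # who or what is asking (operator, engineering workstation, unknown host)
    action: str     # "read", "write" or "estop"
    target: str     # asset being addressed, e.g. "plc-7"


class PolicyDecisionPoint:
    """Authorization service. When 'available' is False every lookup raises, as a down service would."""

    def __init__(self, grants: Set[Tuple[str, str, str]], available: bool = True) -> None:
        self.grants = grants
        self.available = available

    def authorize(self, req: Request) -> bool:
        if not self.available:
            raise ConnectionError("policy service unreachable")
        return (req.identity, req.action, req.target) in self.grants


# Constructed allowlist for the SAFE mode: emergency stop and read-only telemetry on any target.
SAFETY_ALLOWLIST: Set[Tuple[str, str]] = {("estop", "*"), ("read", "*")}


class PolicyEnforcementPoint:
    """Inline gate in front of the control network. Its behaviour on PDP failure is the whole point."""

    def __init__(self, pdp: PolicyDecisionPoint, mode: FailureMode) -> None:
        self.pdp = pdp
        self.mode = mode

    def decide(self, req: Request) -> Tuple[bool, str]:
        try:
            return self.pdp.authorize(req), "verified"
        except ConnectionError:
            if self.mode is FailureMode.OPEN:
                return True, "fail-open: implicit trust granted"
            if self.mode is FailureMode.CLOSED:
                return False, "fail-closed: denied"
            allowed = any(a == req.action and t in ("*", req.target) for a, t in SAFETY_ALLOWLIST)
            return allowed, "fail-safe allowlist"


def simulate(mode: FailureMode, pdp_available: bool) -> Dict[str, bool]:
    """Decide three representative requests and return which ones got through."""
    grants = {("operator-1", "write", "plc-7"), ("operator-1", "estop", "plc-7"),
              ("historian", "read", "plc-7")}
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(grants, available=pdp_available), mode)
    requests = [
        ("operator_estop", Request("operator-1", "estop", "plc-7")),   # must keep working
        ("historian_read", Request("historian", "read", "plc-7")),
        ("unknown_write", Request("10.0.9.44", "write", "plc-7")),     # lateral-movement style write
    ]
    return {name: pep.decide(req)[0] for name, req in requests}


if __name__ == "__main__":
    for mode in FailureMode:
        print(mode.value, "with PDP down:", simulate(mode, pdp_available=False))
    print("any mode with PDP up:", simulate(FailureMode.OPEN, pdp_available=True))
```

With the authorization service up, all three modes behave identically. With it down, fail-open lets the unknown host write to the PLC, fail-closed blocks the operator's emergency stop, and only the allowlist mode keeps the safety action available while still refusing the write. An attacker who can make the PDP unreachable (a flood, a cut link, a DNS failure) gets the fail-open outcome for free, which is the bypass the abstract describes.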

Windsor DE (Technical Breakout)
Wed 9:45 AM - 10:15 AM

AI You Can Touch: Securing the Hidden Power of Physical AI

We're moving past the hype and entering a new reality: Physical AI. Let’s talk about intelligent agents that aren't just processing data; they're actively operating on your plant floor, directly influencing safety, efficiency, and availability. This is the future of industrial automation, but it means we have new powerful, non-human actors, which creates new critical operational risks.

This session will give ICS professionals an actionable roadmap to evaluate and embrace Physical AI securely. We'll define the AI agent as a sophisticated Machine Identity, the key concept you need to govern and secure its behavior. We'll show you precisely how to leverage your security frameworks, like IEC 62443 and Zero Trust, to ensure the integrity of the AI control loop. You'll leave with a clear strategy to integrate these next-generation actors while keeping your operations resilient and your security rock-solid.

Trippe Room (Breakouts)
Wed 9:45 AM - 10:15 AM

From Spam to Shutdown: Ransomware’s Social Engineering Path into OT

Ransomware campaigns are evolving. Attackers increasingly rely on social engineering and the misuse of remote management tools to gain trusted access, bypassing traditional defenses. Instead of exploiting vulnerabilities, adversaries overwhelm employees with spam or fraudulent calls, persuading them to install or approve remote access software. From this initial foothold in IT, they move laterally with credential theft and legitimate administration tools, preparing the ground for ransomware deployment.

For industrial organizations, the risk is amplified by the growing convergence of IT and OT networks. Dual-use engineering laptops, jump servers, and weak segmentation provide adversaries with potential pathways from corporate systems into operational environments. What begins as a nuisance in IT can quickly escalate into production downtime or disruption of critical services.

This session will present a case study of ransomware operators abusing remote management tools to demonstrate how IT intrusions can cascade into OT impact. We will also show how threat intelligence can uncover early warning signs—spam floods, anomalous RMM usage, or low-severity alerts—and map them against MITRE ATT&CK for ICS to guide risk-based defenses.

Key Takeaways:

How ransomware groups are shifting from exploits to social engineering and RMM abuse

Why IT compromises represent growing risks to OT environments

How to use threat intelligence to connect weak IT signals into early OT warnings

Practical defenses: limiting RMM tools, tightening segmentation, and intelligence-led monitoring
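The "weak IT signals into early OT warnings" idea can be run as a correlation rule. The following Python is an added example (not the speakers' material or tooling) that reads constructed mail-gateway and endpoint telemetry, detects a spam flood against one mailbox, and raises an alert only when a remote-management client is launched on that user's host within the following hour and the host is not one approved to run the sanctioned RMM tool. The log format, thresholds, host names and ATT&CK technique labels are all assumptions for illustration.

```python
import csv
import io
from datetime import datetime, timedelta
from typing import Dict, List

RMM_IMAGES = ("anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "ateraagent.exe", "splashtop")
SANCTIONED_RMM_HOSTS = {"MGMT-01"}        # constructed: the only host approved to run the sanctioned RMM client
FLOOD_THRESHOLD = 20                      # this many inbound mails to one mailbox ...
FLOOD_WINDOW = timedelta(minutes=10)      # ... within this window counts as a spam flood
PIVOT_WINDOW = timedelta(minutes=60)      # how long after the flood starts an RMM launch is correlated

# Illustrative technique labels for the alert; adjust to your own ATT&CK mapping.
TECHNIQUES = ["T1566 Phishing (Enterprise)",
              "T1219 Remote Access Software (Enterprise)",
              "T0886 Remote Services (ICS, once the host can reach the control network)"]


def constructed_logs() -> str:
    """Flat CSV telemetry: ts,source,user,host,event,detail. Entirely constructed for this example."""
    t0 = datetime(2025, 10, 1, 9, 0, 0)
    rows = []
    for i in range(30):                   # 30 junk newsletters hit j.doe in nine minutes
        ts = (t0 + timedelta(seconds=18 * i)).isoformat()
        rows.append(f"{ts},mailgw,j.doe,,inbound,subject=Your subscription #{1000 + i}")
    rows += [
        f"{(t0 + timedelta(minutes=14)).isoformat()},helpdesk,j.doe,,call,caller=IT Support pretext=spam cleanup",
        f"{(t0 + timedelta(minutes=22)).isoformat()},edr,j.doe,ENG-LT-07,process_create,image=C:\\Users\\j.doe\\Downloads\\AnyDesk.exe",
        f"{(t0 + timedelta(minutes=25)).isoformat()},edr,a.smith,ENG-LT-03,process_create,image=C:\\Program Files\\Siemens\\TIA Portal\\Portal.exe",
        f"{(t0 + timedelta(minutes=40)).isoformat()},edr,svc-rmm,MGMT-01,process_create,image=C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe",
    ]
    for i in range(25):                   # a second flood, to a.smith, with no RMM follow-up
        ts = (t0 + timedelta(minutes=30, seconds=20 * i)).isoformat()
        rows.append(f"{ts},mailgw,a.smith,,inbound,subject=Welcome to newsletter {i}")
    return "\n".join(rows)


def parse(text: str) -> List[dict]:
    rows = []
    for ts, source, user, host, event, detail in csv.reader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(ts), "source": source, "user": user,
                     "host": host, "event": event, "detail": detail})
    return sorted(rows, key=lambda r: r["ts"])


def spam_floods(rows: List[dict]) -> Dict[str, datetime]:
    """Earliest flood start per user: FLOOD_THRESHOLD inbound mails inside FLOOD_WINDOW."""
    by_user: Dict[str, List[datetime]] = {}
    for r in rows:
        if r["source"] == "mailgw" and r["event"] == "inbound":
            by_user.setdefault(r["user"], []).append(r["ts"])
    floods: Dict[str, datetime] = {}
    for user, times in by_user.items():
        for i, start in enumerate(times):                      # sliding window over sorted times
            j = i + FLOOD_THRESHOLD - 1
            if j < len(times) and times[j] - start <= FLOOD_WINDOW:
                floods[user] = start
                break
    return floods


def detect(text: str) -> List[dict]:
    """Alert on an RMM launch, on a non-sanctioned host, by a user who was just spam-flooded."""
    rows = parse(text)
    floods = spam_floods(rows)
    alerts = []
    for r in rows:
        if r["event"] != "process_create":
            continue
        image = r["detail"].split("image=", 1)[-1].lower()
        if not any(name in image for name in RMM_IMAGES):
            continue
        if r["host"] in SANCTIONED_RMM_HOSTS:
            continue                                           # approved tool on its approved host
        start = floods.get(r["user"])
        if start is not None and start <= r["ts"] <= start + PIVOT_WINDOW:
            alerts.append({"user": r["user"], "host": r["host"], "image": image,
                           "flood_start": start.isoformat(), "techniques": TECHNIQUES})
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_logs()):
        print(alert)
```

On the constructed data both users are flooded, but only j.doe's host launches a remote-access client afterwards, so one alert fires. Each signal alone is low severity (spam is routine, the EDR event is an ordinary process creation); the chain is what makes it an early OT warning, and the host field is what tells you whether the foothold is an engineering laptop that can reach the plant.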

Windsor C (Strategy Breakout)
Wed 10:20 AM - 10:50 AM

SBOMs for Embedded OT: A Practical Approach to Reducing Supply Chain Risk

As industrial environments face mounting software supply chain risks, operators and OEMs are under increasing pressure—from both regulators and industry best practices—to generate accurate and actionable Software Bills of Materials (SBOMs). Yet in ICS and OT environments, especially those reliant on embedded C/C++ code, generating meaningful SBOMs remains a significant technical challenge.

This session will explore the practical realities of SBOM generation for C/C++ systems used in OT. It will break down the core approaches, including source-based, build-time, and binary analysis, and highlight the strengths, limitations, and suitability of each approach for different operational contexts. Attendees will learn how decisions around timing, tooling, and data granularity directly affect vulnerability identification, regulatory compliance, and system safety.

The discussion will provide a framework for evaluating trade-offs based on your environment, toolchain maturity, and risk tolerance. With industrial software supply chains under increasing scrutiny, this session aims to move SBOMs from theory to practice without losing sight of the complexity inherent to C/C++ and embedded system development.

Learning Objectives:
1) Understand the primary methods for SBOM generation in C/C++ embedded systems and their respective trade-offs
2) Learn how SBOM strategies intersect with emerging regulatory requirements and software assurance best practices
3) Identify key constraints in OT environments, such as legacy systems and lack of source access, and how different SBOM approaches can address them
4) Gain insights on how SBOM quality impacts downstream vulnerability identification and risk mitigation
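Of the three approaches named above, binary analysis is the one that works when there is no source and no build access, and it is also the one whose limits are easiest to show. The following Python is an added example (not from the speakers or any SBOM vendor) that pulls printable strings out of a constructed firmware blob, matches them against a small signature table of version strings that common embedded libraries compile into their binaries, and emits a minimal CycloneDX-shaped document. The signature table, the firmware image and the component names are constructed; a library that was built without a version string (mbed TLS in the sample) is invisible to this method, which is the granularity trade-off the abstract refers to.

```python
import json
import re
import string
from typing import Dict, List

# Constructed signature table: version strings -> component name. Real tables are much longer,
# and their coverage is the weak spot of any binary-analysis SBOM.
SIGNATURES = {
    "openssl":  re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib":     re.compile(r"(?:zlib|inflate) (\d+\.\d+\.\d+)"),
    "lwip":     re.compile(r"lwIP (\d+\.\d+\.\d+)"),
    "freertos": re.compile(r"FreeRTOS V?(\d+\.\d+\.\d+)"),
}
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Equivalent of strings(1): runs of printable ASCII at least min_len characters long."""
    out, run = [], []
    for b in blob:
        ch = chr(b)
        if ch in PRINTABLE:
            run.append(ch)
        else:
            if len(run) >= min_len:
                out.append("".join(run))
            run = []
    if len(run) >= min_len:
        out.append("".join(run))
    return out


def build_sbom(blob: bytes, firmware_name: str, firmware_version: str) -> Dict:
    """Minimal CycloneDX-shaped document from whatever version strings survive in the binary."""
    found: Dict[str, str] = {}
    for s in extract_strings(blob):
        for name, pattern in SIGNATURES.items():
            m = pattern.search(s)
            if m and name not in found:
                found[name] = m.group(1)
    components = [{"type": "library", "name": name, "version": ver,
                   "purl": f"pkg:generic/{name}@{ver}",
                   "evidence": "binary string match"}      # tells a consumer how much to trust this entry
                  for name, ver in sorted(found.items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "firmware", "name": firmware_name,
                                       "version": firmware_version}},
            "components": components}


def constructed_firmware() -> bytes:
    """Stand-in for a stripped firmware image: version strings scattered among binary filler."""
    filler = bytes(range(0, 256)) * 4
    return (filler + b"OpenSSL 1.1.1k  25 Mar 2021\0" + filler
            + b"inflate 1.2.11 Copyright 1995-2017 Mark Adler\0" + filler
            + b"lwIP 2.1.3\0" + filler
            + b"mbedtls_ssl_handshake\0" + filler)   # mbed TLS is present but carries no version string


if __name__ == "__main__":
    print(json.dumps(build_sbom(constructed_firmware(), "rtu-fw", "4.2.0"), indent=2))
```

The output lists OpenSSL, zlib and lwIP with versions a vulnerability scanner can act on, and nothing for mbed TLS even though a symbol name proves it is linked in. A source-based or build-time SBOM would have caught it; a binary SBOM should therefore record the evidence type per component, as the example does, so downstream consumers know which gaps to expect.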

Windsor DE (Technical Breakout)
Wed 10:20 AM - 10:50 AM

Cybersecurity Implementation for Major Industrial Capital Projects

The oil and gas industry stands as a critical pillar of global industrial technology, heavily reliant on interconnected digital systems for efficient operations across the value chain (upstream, midstream, and downstream sectors). This increasing reliance on operational technology (OT) and industrial control systems (ICS), while enhancing productivity and efficiency, simultaneously introduces significant vulnerabilities to cyberattacks.

The oil and gas industry manages vast repositories of sensitive data, including critical geological surveys and proprietary drilling technologies, rendering it a highly attractive target for malicious actors seeking to exploit these informational assets. The real-world impact of inadequate OT cybersecurity has been starkly illustrated by incidents such as the Colonial Pipeline attack, which caused significant disruption to fuel supply and highlighted the urgent need for robust protective measures. Given this elevated threat landscape, a comprehensive and lifecycle-oriented approach to OT cybersecurity is not merely advisable but essential for the resilience and safety of the oil and gas industry.

To navigate the complexities of securing industrial automation and control systems, organizations increasingly turn to established cybersecurity frameworks and standards. Among these, the IEC 62443 series stands out as a collection of standards specifically tailored for industrial automation and control systems (IACS) and operational technology (OT) environments. This presentation aims to highlight how organizations undertaking industrial greenfield projects can significantly reduce their cyber risk exposure, enhance operational reliability and safety, meet regulatory expectations, and build a strong foundation for secure and resilient operations through the development and implementation of a Cybersecurity Management Plan.

Windsor C (Strategy Breakout)
Wed 11:05 AM - 11:35 AM

Automated Cyber Defense for Critical Infrastructure: Lessons from DARPA’s AI Cyber Challenge

Critical infrastructure is increasingly targeted by sophisticated cyber threats that can originate from anywhere around the world. To address this threat, DARPA launched the AI Cyber Challenge (AIxCC), a landmark competition designed to ignite the development of AI-driven tools capable of autonomously finding and fixing software vulnerabilities. This talk explores lessons learned from the challenge, its implications for securing code that critical infrastructure relies on, and what the competition reveals about the future of automated cyber defense.

Windsor DE (Technical Breakout)
Wed 11:05 AM - 11:35 AM

Case Study: Deploying Asset Discovery and Intrusion Detection Across 100+ Sites

Honeywell has tested and evaluated different OT cybersecurity software products in its labs for use in its 400+ factory sites. In this session we will cover the lessons learned from deploying asset discovery and intrusion detection to 120 of Honeywell’s most critical manufacturing sites.

Trippe Room (Breakouts)
Wed 11:05 AM - 11:35 AM

Untrusted by Design: Agentic AI in Industrial Control Systems

Industrial Control Systems (ICS) are embracing AI agents, but this comes with new security questions. Integrating agentic AI—AI systems with autonomy and decision-making capability—into ICS can be as risky as installing a physical component from an unknown supplier with no security certification. Just as one would be wary of hardware from an unvetted source (no security score, no pen-testing results, unknown vulnerabilities), we must scrutinize AI agents before trusting them in critical infrastructure.

Agentic AI can turn into a double-edged sword in the hands of threat actors. Adversaries are already exploiting these AI systems to turbocharge attacks on industrial targets. For example, recent threat intelligence reports show attackers using AI to dramatically accelerate the attack lifecycle, cutting the time from initial breach to system compromise or data exfiltration from days to hours. AI-driven malware might intelligently adapt to mimic normal ICS network traffic, evade detection, or rapidly identify weak points in a SCADA system. This means that AI is not only helping defenders but equally empowering attackers, a reality that ICS operators must urgently address.

-AI as an attack accelerator: threat actors are leveraging agentic AI to automate and speed up ICS attacks, shrinking the window from intrusion to impact.

-Lock down AI agents: applying strict least-privilege access controls on AI agents can prevent them from taking unauthorized actions or accessing sensitive systems.

As we embrace AI in ICS, we must do so with eyes wide open. Agentic AI is not inherently malicious, but its autonomy, if left ungoverned, can become a liability. Security teams must evolve their threat models, treating AI agents with the same caution as any third-party component. In the age of autonomous systems, trust must be earned, not assumed.
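What "least privilege for an AI agent" looks like in practice, for this session and for the "AI You Can Touch" session's treatment of the agent as a machine identity, is a gate between the agent and the tag server that knows the agent by name and holds an explicit grant list. The following Python is an added example (not from either speaker) in which an optimizer agent may read one production line and write one furnace setpoint within bounds, with a per-cycle write budget; every proposed action is checked and recorded. The agent name, tag names, bounds and budget are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One capability held by an agent identity: an action on a tag, with value bounds for writes."""
    action: str                    # "read" or "write"
    tag: str                       # exact tag name, or a prefix ending in '*'
    low: Optional[float] = None    # inclusive setpoint bounds, required for write grants
    high: Optional[float] = None

    def covers(self, action: str, tag: str, value: Optional[float]) -> bool:
        if action != self.action:
            return False
        if not (tag == self.tag or (self.tag.endswith("*") and tag.startswith(self.tag[:-1]))):
            return False
        if action == "write":
            return (value is not None and self.low is not None and self.high is not None
                    and self.low <= value <= self.high)
        return True


@dataclass
class AgentIdentity:
    """The agent is a machine identity: named, with an explicit grant list and a write budget."""
    name: str
    grants: List[Grant]
    max_writes_per_cycle: int = 3
    writes_this_cycle: int = 0


class AgentGate:
    """Sits between the agent and the tag server; every proposed action is checked and recorded."""

    def __init__(self) -> None:
        self.audit: List[tuple] = []

    def check(self, agent: AgentIdentity, action: str, tag: str,
              value: Optional[float] = None) -> Tuple[bool, str]:
        if action == "write" and agent.writes_this_cycle >= agent.max_writes_per_cycle:
            allowed, reason = False, "rate limit"
        elif any(g.covers(action, tag, value) for g in agent.grants):
            allowed, reason = True, "granted"
        else:
            allowed, reason = False, "no matching grant"
        if allowed and action == "write":
            agent.writes_this_cycle += 1
        self.audit.append((agent.name, action, tag, value, allowed, reason))
        return allowed, reason


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed agent and proposals: one optimizer allowed to read a line and nudge one setpoint."""
    agent = AgentIdentity("optimizer-agent-01", [
        Grant("read", "Line3.*"),
        Grant("write", "Line3.Furnace.SP_Temp", low=700.0, high=850.0),
    ])
    gate = AgentGate()
    proposals = {
        "read_temp": ("read", "Line3.Furnace.PV_Temp", None),
        "nudge_setpoint": ("write", "Line3.Furnace.SP_Temp", 812.5),
        "overshoot": ("write", "Line3.Furnace.SP_Temp", 1200.0),            # outside the bounds
        "touch_safety": ("write", "Line3.Safety.Interlock_Bypass", 1.0),    # no grant exists
        "read_other_line": ("read", "Line7.Press.PV_Force", None),          # outside the read scope
    }
    results = {name: gate.check(agent, *p) for name, p in proposals.items()}
    for _ in range(2):                      # two more in-range writes exhaust the per-cycle budget
        gate.check(agent, "write", "Line3.Furnace.SP_Temp", 800.0)
    results["fourth_write"] = gate.check(agent, "write", "Line3.Furnace.SP_Temp", 800.0)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name:16} {'ALLOW' if ok else 'DENY '} ({why})")
```

The gate never asks the agent what it intends; it only checks whether the identity holds a grant that covers the action, the tag and the value. A prompt-injected or simply wrong agent that proposes bypassing a safety interlock gets the same denial as any unauthorized third-party component, and the audit list is what an IEC 62443 assessor would ask to see.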

Windsor C (Strategy Breakout)
Wed 11:40 AM - 12:15 PM

Leveraging Network Visibility to Validate Defensible Architecture

The SANS ICS Five Critical Controls provide an overview of the core principles of cybersecurity in critical infrastructure. Control 3, ICS network visibility and monitoring, provides the positive feedback needed to validate the implementation of the other critical controls. Using network visibility to see the outcome of a series of tests, organizations can see and validate the defensible architecture solutions in place. Attempting to jump network zones, bypass firewalls, or break through levels of trust shows whether network defenders can see such attempts and whether the current segmentation tools are effectively implemented. Furthermore, this process can be automated.
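The automation the abstract mentions comes down to comparing three things for every probe: what the zone-and-conduit policy says should happen, whether the probe actually connected, and whether the passive monitor recorded it. The following Python is an added example (not the speaker's tooling) that takes a constructed zone model and a constructed probe run and sorts each probe into the outcomes an architecture review cares about: a segmentation gap (a denied flow that connected), a visibility gap (an attempt the sensor never saw), or a broken conduit (a required flow that was blocked). Zone names, ports and probe results are assumptions; in a real run the succeeded flag would come from the probing host's connection results and seen_by_sensor from a query against the monitoring platform's flow records.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Conduits allowed by design between zones, IEC 62443 style: (source zone, destination zone, tcp port).
# Constructed for this example.
CONDUITS: Set[Tuple[str, str, int]] = {
    ("enterprise", "dmz", 443),        # corporate users to the DMZ web tier
    ("dmz", "site_ops", 1433),         # DMZ historian replica pulls from site operations
    ("site_ops", "control", 502),      # site SCADA polls PLCs over Modbus/TCP
}


@dataclass(frozen=True)
class Probe:
    src_zone: str
    dst_zone: str
    port: int
    succeeded: bool       # the probing host completed a TCP handshake
    seen_by_sensor: bool  # the passive network monitor logged the attempt


def policy_allows(p: Probe) -> bool:
    return (p.src_zone, p.dst_zone, p.port) in CONDUITS


def evaluate(probes: List[Probe]) -> Dict[str, List[Probe]]:
    """Classify each probe. A probe can land in visibility_gap as well as one of the other buckets."""
    report: Dict[str, List[Probe]] = {"segmentation_gap": [], "visibility_gap": [],
                                      "conduit_broken": [], "as_designed": []}
    for p in probes:
        allowed = policy_allows(p)
        if not p.seen_by_sensor:
            report["visibility_gap"].append(p)    # cannot validate what the defenders cannot see
        if allowed and not p.succeeded:
            report["conduit_broken"].append(p)    # a required flow is blocked: operational bug
        elif not allowed and p.succeeded:
            report["segmentation_gap"].append(p)  # the zone boundary did not hold
        elif p.seen_by_sensor:
            report["as_designed"].append(p)       # blocked or allowed exactly as the model says, and seen
    return report


def summary(probes: List[Probe]) -> Dict[str, int]:
    return {bucket: len(items) for bucket, items in evaluate(probes).items()}


def constructed_probe_run() -> List[Probe]:
    """Results of one automated probe cycle, constructed for this example."""
    return [
        Probe("enterprise", "dmz", 443, True, True),
        Probe("dmz", "site_ops", 1433, True, True),
        Probe("enterprise", "control", 502, True, True),      # jumped straight to L2: firewall misrule
        Probe("enterprise", "control", 44818, False, False),  # blocked, but the sensor never saw it
        Probe("site_ops", "control", 502, False, True),       # the Modbus conduit SCADA needs is broken
        Probe("site_ops", "control", 22, False, True),        # SSH to a PLC correctly refused and seen
    ]


if __name__ == "__main__":
    for bucket, items in evaluate(constructed_probe_run()).items():
        print(bucket)
        for p in items:
            print(f"  {p.src_zone} -> {p.dst_zone}:{p.port}")
```

Run on a schedule from a probing host in each zone, the report gives you the feedback loop the abstract describes: the segmentation gap is a finding for the firewall team, the visibility gap is a finding for whoever owns sensor placement (a span port that does not cover that path), and the broken conduit is the operational regression that would otherwise show up as a SCADA outage.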

Windsor DE (Technical Breakout)
Wed 11:40 AM - 12:15 PM

From Implied Trust to Zero Trust for Operational Technology

Today, the once-siloed worlds of operational technology (OT) and information technology (IT) are becoming increasingly interconnected through digital transformation and the need to support scarce or remote workers. This connectivity enhances production by enabling data sharing and leveraging new cloud-based tools that help organizations unlock additional business value.
However, one major drawback of IT/OT convergence is that ever-evolving cyberthreats now have easier access to previously air-gapped OT environments, jeopardizing the benefits of this integration. OT systems are particularly vulnerable because they were originally designed to implicitly trust everything within their environments.
To strengthen protection, organizations should move toward a zero-trust cybersecurity model, one that continuously verifies the trustworthiness of users and devices while controlling access based on contextual information. As more users work remotely and Industrial Internet of Things (IIoT) devices proliferate, organizations must verify every user and device accessing applications and data.
Join this demonstration from Fortinet security experts to learn how zero-trust principles for OT are enabled through the Fortinet OT Security Fabric.

Trippe Room (Breakouts)
Wed 11:40 AM - 12:10 PM

Visibility Is a Good Starting Point, But What Are the Crucial Next Steps for OT Protection?

Visibility in OT environments is essential, but it’s only the beginning. Gaining a clear view of assets is the critical first step, but visibility alone doesn’t prevent breaches, reconfigurations, or operational disruption. As cyberattacks on industrial systems continue to escalate, relying solely on patch lists or post-incident forensics is no longer enough.
This session will share practical, low-risk, and non-disruptive strategies that go beyond visibility to achieve real protection. Attendees will learn how to safeguard legacy systems without downtime, apply OT network segmentation to limit exposure, and implement proactive protection strategies that strengthen business continuity.
Achieving safer operations and greater resilience is within reach - join this discussion to learn how to put effective protection into practice today.

Trippe Room (Breakouts)
Wed 12:30 PM - 1:15 PM

Cognitive Readiness in OT Security: Human Performance Under Pressure

Cyber disruptions in industrial environments rarely follow a clear path. Impact is uncertain, timelines shift, and threats evolve faster than teams can adjust. Most OT security strategies focus on tools and telemetry but overlook the human performance needed to detect, respond, and recover effectively.

This session introduces a cognitive readiness framework built on research in human factors and performance science. It shows how to prepare OT security teams to operate under stress, ambiguity, and fatigue. The framework draws from high-stakes domains where teams must coordinate quickly, adapt to changing conditions, and make decisions with limited information.

Attendees will learn how to reduce cognitive overload, improve situational awareness, and strengthen coordination during active disruptions. The session also explains how detection systems and workflows can either support or hinder human performance, and how to design them to enhance decision-making.

As adversarial AI increases threat complexity, human readiness becomes a strategic advantage. This talk offers a practical approach to building teams that respond with clarity, adapt to uncertainty, and recover with confidence.

Windsor C (Strategy Breakout)
Wed 1:30 PM - 2:00 PM
  • Saman Zonouz Associate Professor - Georgia Tech
  • Anna Raymaker Ph.D. Student in Electrical and Computer Engineering - Georgia Institute of Technology

From Ship to Shore: Real-World Threats and Zero-Day Attacks in Maritime Operational Technology

As the maritime sector undergoes rapid digital transformation, the security of shipboard Operational Technology (OT) has emerged as an urgent yet underexamined challenge within the broader industrial cybersecurity landscape. In this talk, we present recent research and practical insights from a deep technical analysis of the maritime OT attack surface, focusing on the convergence of navigation, propulsion, and communication subsystems through legacy and modern protocols. Using a full-scale maritime testbed built in our lab with real commercial vessel hardware, we identify and exploit a novel remote attack vector enabled by mandated situational awareness broadcasts. By chaining previously unknown vulnerabilities in navigation processing software, bridge equipment, and serial-to-Ethernet gateways, we demonstrate how unauthenticated external messages can cross isolation boundaries and compromise critical OT components such as steering and engine control systems. These attacks require no initial onboard presence, highlighting the erosion of the “air-gapped at sea” security assumption.

Beyond individual vessel compromise, we analyze how the structure and behavior of global maritime logistics—particularly predictable vessel movement patterns and international RF communication requirements—introduce systemic cybersecurity risks. Using global maritime traffic data, we simulate how coordinated adversarial campaigns could propagate compromise through high-traffic regions, maritime chokepoints, and transoceanic shipping lanes, potentially leading to widespread operational disruption. These findings expand the traditional ICS threat model by introducing a mobility-aware, domain-specific attack paradigm tailored to maritime systems.

To contextualize these findings with real-world practice, we also present results from our recent user study involving 21 officer-level mariners from both commercial and military fleets. The study revealed direct exposure to cyberattacks such as GPS spoofing and ransomware, but also systemic gaps: cybersecurity training that does not reflect operational realities, poor integration of security protocols into vessel operations, and widespread uncertainty about roles and responsibilities during cyber incidents. These human and organizational factors compound technical risks and present barriers to implementing resilient defenses.

Informed by both attack research and user feedback, we conclude with a discussion of defense mechanisms and recommendations, including architectural segmentation strategies, broadcast message sanitization, and regulatory co-design. We also describe our collaborative efforts with the National Marine Electronics Association (NMEA) to embed security into the next generation of maritime communication standards. This talk will equip attendees with new perspectives and actionable insights for securing the maritime OT ecosystem—an often-overlooked but globally critical domain.

Windsor DE (Technical Breakout)
Wed 1:30 PM - 2:00 PM
  • Kevin Holcomb Technical Marketing Engineer, Industrial IoT Business Unit - Cisco Systems

Security Fused into the Network to Protect OT at Scale

Security is the foundation of every conversation in today's industrial landscape. As operational technology (OT) environments grow increasingly complex, organizations require a comprehensive security and networking solution that delivers asset visibility, access control, and context-level security. In this demo, we will showcase how Cisco's integrated portfolio, including Cyber Vision, Secure Equipment Access (SEA), Splunk, Identity Services Engine (ISE), and Firewall Management Center (FMC), enables organizations to secure their industrial operations from the ground up.

Trippe Room (Breakouts)
Wed 1:30 PM - 2:00 PM

Mean Time to Replace Expertise (MTTRE): Building an Expert Knowledge System that Reduces Risk

Manufacturing’s biggest unpriced risk isn’t malware; it’s brain drain. When senior OT SMEs retire or rotate, plants lose tacit knowledge that no SOP captures. This keynote turns Mean Time to Replace Expertise (MTTRE) into a program you can run. We’ll unveil an Expert Knowledge System (EKS) that can be built for real plant constraints. The concept connects everyday sources you already own (CMMS, downtime logs, safety events, OEM service notes, shift reports) through a context hub and converts them into Task Capsules mapped on a Skill Graph. With LLMs + RAG and agentic workflows, the EKS coaches OT personnel through changeovers, sanitation, stoppage recovery, vendor visits, and calibrations; verifies key steps with lightweight evidence; and learns from each shift. You leave with a 90-day plan to baseline MTTRE, capture the 10–15 tasks that matter most, deploy “coach mode” on the floor, and report measurable reductions in time-to-competence, hazard-misses, and recovery time. The takeaway is knowledge capture & retention: AI is your continuity lever. If you can measure MTTRE, you can manage it, and you can turn institutional knowledge into an auditable, compounding asset.

Windsor C (Strategy Breakout)
Wed 2:05 PM - 2:45 PM
  • Clint Bodungen Director, AI/ML Engineering - MorganFranklin Cyber
  • Suhail Ahmad Rana AI Assurance and OT/Cybersecurity Professional - Independent AI Assurance and Cybersecurity/OT Professional

Secure AI Adoption Framework for ICS/OT

Join this session to learn about a new open community framework designed to provide structured guidance for the safe, secure, and compliant integration of Artificial Intelligence (AI) into ICS and OT environments.

As organizations plan to adopt AI for predictive maintenance, anomaly detection, and process optimization, this framework will address the critical challenges at the intersection of AI and industrial operations. It establishes governance structures and risk management approaches aligned with commonly accepted international standards. It also includes OT-specific considerations such as threat modeling approaches, explainability requirements for safety-critical decisions, and secure AI development practices.

Key components include operational safeguards for AI deployment, incident response procedures tailored to AI-specific failures, resilience mechanisms with fail-safe fallbacks, and regulatory alignment with industrial safety standards. The framework will also provide practical implementation guidance through a phased adoption roadmap and an application-based tool to help organizations navigate their compliance and guidance.

By addressing both technical and organizational challenges, this framework will enable organizations to responsibly leverage the potential of AI while maintaining the safety, reliability, and security of critical industrial infrastructure.

Windsor DE (Technical Breakout)
Wed 2:05 PM - 2:45 PM

Taking Back Control: Centralizing Remote Access to ICS

Many vendors require remote access to your critical systems, and each has its own way of getting in. Every remote access path creates a window into your environment, with little to no control or visibility of what's going on within your devices. In this session, we will walk through the secure access maturity model to help you create a plan for centralizing all access. You will leave this session with a vendor engagement playbook to help you prioritize your vendors and guide conversations to get everyone on board with your single, centralized point of control for all remote access.

Trippe Room (Breakouts)
Wed 2:05 PM - 2:45 PM

Securing the Future of Industrial Operations: The Evolving Role of OT Backups in Cyber Resilience

Over the past five years, cyberattacks targeting operational technology (OT) in manufacturing environments have grown in both frequency and sophistication. From ransomware crippling production lines to nation-state threats exploiting outdated firmware, the industrial sector has become a prime target. Amid this escalating threat landscape, one critical—yet often overlooked—pillar of cyber resilience is a robust backup strategy for OT systems, particularly programmable logic controllers (PLCs) and other field-level devices.

This session will explore the fundamental role of backups in OT environments: ensuring business continuity, reducing downtime, and accelerating recovery from both cyber and operational incidents. We will examine the unique challenges of implementing backup solutions in OT, such as limited device access, lack of standardization, and the need to minimize disruption to real-time operations.

One of the core challenges in implementing backup solutions for OT environments is the extreme heterogeneity of the ecosystem: a typical manufacturing facility runs equipment from multiple OT vendors, each requiring a different method to perform a backup with no interoperability between them. Even within a single vendor’s portfolio, backup procedures often vary significantly between device families or firmware versions, making standardization and automation exceedingly difficult.

The presentation will provide a survey of current industry practices, spanning:
• On-premises solutions, including manual approaches (e.g., technician-led exports or USB-based copies) and software-driven tools managed within the factory network.
• Hybrid models: combining on-site control with off-site storage or orchestration.
• Cloud-based strategies: from custom-built “roll your own” architectures to fully managed SaaS platforms designed for industrial backup and recovery.

Attendees will gain insights into the state of the art in OT backup strategies and practical guidance for enhancing their cyber resilience posture across legacy and modernized infrastructures.

Windsor C (Strategy Breakout)
Wed 2:50 PM - 3:20 PM

From Tabletop to Practical Preparation: Advance OT Cyber Response Readiness with Live-Fire Exercises

OT environments are increasingly targeted by cyber threat actors, and that makes readiness to respond to unexpected cyber events an imperative. Many organizations have been utilizing traditional OT tabletop exercises (TTX) to build awareness, test plans, and harness coordination between enterprise IT cybersecurity and OT shopfloor teams. These exercises provide valuable insights into shopfloor production uptime requirements and enterprise cybersecurity operations via safe, discussion-based sessions.

However, TTX approaches often fall short in simulating the technical complexity and cascading impacts of actual incidents on shopfloor operations. Hypothetical scenarios leave gaps in both preparedness and confidence, creating a false sense of cyber security among stakeholders.

In this session, attendees will learn the value of integrating live-fire exercises using an OT cyber range with real OT devices and technologies that mimic production environments. Attendees will also learn how hands-on-keyboard exercises help organizations validate both technical and procedural responses and foster cross-functional collaboration under realistic scenarios.

Windsor DE (Technical Breakout)
Wed 2:50 PM - 3:20 PM
  • Chris Grove Director of Cybersecurity Strategy - Nozomi Networks

Securing the Unseen: AI-Driven OT/IoT Risk Management

As cyber and operational risks continue to evolve in industrial enterprises, security leaders expand upon detection and embrace AI-driven risk management to safeguard their OT, IoT, and cyber-physical systems (CPS). In this session, with Nozomi Networks Director of Cybersecurity Strategy Chris Grove, we’ll explore real examples of ways organizations are using AI-powered technology to shift their industrial enterprises from reactive defense postures to proactive risk management—enabling the identification, scoring, mitigation, and monitoring of OT/IoT risks. You’ll leave with:

- A solid understanding of OT/IoT risks and the fundamentals of risk management
- Strategies for overcoming the challenges of managing risks in OT/IoT environments
- Insights for leveraging AI-powered technology to effectively manage OT/IoT risks at every stage of the risk management process

Windsor C (Strategy Breakout)
Wed 3:35 PM - 4:05 PM

Applying Zero Trust in ICS: Where It Works — and Where It Breaks

Zero Trust has become the dominant paradigm in enterprise cybersecurity — but what happens when you try to apply its principles in Industrial Control System (ICS) environments? In OT networks where uptime trumps agility, devices predate identity controls, and changes can jeopardize safety, the promise of “never trust, always verify” runs headfirst into operational reality.
Complicating matters further, the boundary between IT and OT has become increasingly porous — often through years of ad hoc growth and digital transformation — expanding the attack surface and blurring security assumptions.
This session takes a grounded, practical look at how — and where — Zero Trust concepts can be adapted to ICS/OT networks. We’ll explore what works (like least privilege and segmentation), what doesn’t (like dynamic policy enforcement on legacy PLCs), and where hardware-enforced boundaries, such as data diodes, still offer unmatched assurance in environments where software-defined trust breaks down.
Attendees will walk away with a realistic view of how to translate Zero Trust into the language and limitations of OT, without introducing risk, fragility, or unnecessary complexity.

Windsor DE (Technical Breakout)
Wed 3:35 PM - 4:05 PM

Achieving "Left of Boom" Cyber Security and Resilience in CPS

As cyber-physical systems become increasingly interconnected, they also become prime targets for sophisticated cyber threats. The concept of "Left of Boom" refers to proactive security measures taken before a catastrophic event occurs, ensuring operational resilience and business continuity. This session will focus on strategies for anticipating, mitigating, and preventing cyber threats in industrial control systems (ICS) and critical infrastructure.

Key Topics Covered:

Comprehensive Asset Management - Enhancing visibility and control over ICS and OT environments (beyond the PLC) to eliminate security blind spots.

Threat Intelligence and Early Warning Systems - Leveraging AI-driven detection and deception technology to identify threats before they impact the environment.

Risk-Based Vulnerability Management - Prioritizing vulnerabilities that pose the highest risk to operational integrity and continuity.

Incident Response and Cyber Resilience - Implementing robust response playbooks and what they should look like.

Learning Objectives:

1. Understand the significance of "Left of Boom" cybersecurity strategies in preventing cyber-physical disruptions.
2. Learn how AI, machine learning, and automation can strengthen early detection and response capabilities.
3. Explore real-world case studies that illustrate successful proactive security approaches in ICS and CPS environments.
4. Gain actionable insights on the role of your existing tech stack.

Windsor C (Strategy Breakout)
Wed 4:10 PM - 4:45 PM

Defending Industrial Innovation: CMMC Resources for America’s Manufacturing Backbone

As cyber threats increasingly target the operational technology (OT) environments and digital assets of America’s industrial sector, the defense supply chain faces an inflection point. This session explores the vital intersection of Industrial Cybersecurity and federal compliance—highlighting how Project Spectrum, a DoD-recognized cybersecurity initiative, is enabling small and mid-sized manufacturers to fortify their cyber posture and meet the evolving requirements of the Cybersecurity Maturity Model Certification (CMMC).

Drawing on real-world case studies and frontline engagement with stakeholders across the Defense Industrial Base (DIB), this presentation will demystify the complexities of Controlled Unclassified Information (CUI) handling, illustrate key vulnerabilities in OT/IT convergence, and present a roadmap for risk-informed implementation of NIST and CMMC-aligned controls. Attendees will gain actionable insights into threat mitigation, regulatory alignment, and the no-cost tools and advisement services available through ProjectSpectrum.io.

Whether you're a system integrator, plant operator, or compliance lead, this session will deliver a pragmatic, resource-backed strategy for securing industrial innovation and maintaining mission-readiness in an era of persistent cyber aggression.

Windsor DE (Technical Breakout)
Wed 4:10 PM - 4:45 PM

Thursday, October 30, 2025

Breaking the Kill Chain: How Industrial Sectors Can Coordinate to Deny Nation-State Infrastructure

When Russian hackers target a water utility, they don't just attack the SCADA systems—they use Western telecom providers for command-and-control, Western cloud platforms for staging, and Western financial systems for resource acquisition. This session reveals how coordinated infrastructure denial can break these attack chains before they reach OT environments.
Drawing from experience securing critical medical devices and industrial systems, this presentation demonstrates why traditional IT security approaches fail in OT environments facing nation-state adversaries. We'll examine real-world attack chains against industrial targets, showing how 90% depend on commercial Western infrastructure that could be denied through coordination.

Key Takeaways:
Mapping nation-state attack infrastructure dependencies in industrial sectors
Why ISACs fail at real-time threat sharing (and how to fix them)
Legal frameworks needed to enable cross-sector defensive coordination
Practical models for utility, manufacturing, and energy sector collaboration
Case study: How coordinated denial could have stopped recent water sector attacks
Building sector-specific threat fusion centers that actually work

This session provides industrial defenders with actionable strategies for collective defense. When China targets one manufacturer's IP, every manufacturer in that sector should know within hours. When we identify hostile infrastructure, every participating utility should deny access simultaneously.

Technical Level: Intermediate
Primary Audience: Security leaders in utilities, manufacturing, oil & gas, transportation
Secondary Audience: Government liaisons, ISAC coordinators, OT security engineers
Note: This is a strategy session focused on coordination frameworks, not a vendor pitch. All recommendations are vendor-neutral and based on operational experience.

Windsor C (Strategy Breakout)
Thu 9:00 AM - 9:30 AM

Project DARWIN - Can Bio-Evolution Solve OT Cybersecurity?

Modern organizations face an impossible equation: thousands of vulnerabilities, limited resources, and adversaries who chain exploits in ways traditional tools cannot predict. Current vulnerability management relies on static scoring systems that assess threats in isolation, missing the complex attack paths that real adversaries exploit. Project DARWIN is an open-source research project that uses bio-inspired AI algorithms to evaluate and evolve cybersecurity defenses in much the same way a living ecosystem works. It employs AI agent swarms across a virtual representation of an organization's attack surface to discover the most likely routes attackers would take through networks. Genetic algorithms then determine the optimal defensive strategies by “evolving” defenses over multiple successive simulated generations. This isn't just another security tool—it's a new paradigm for thinking about cyber defense, where our protections evolve as dynamically as the threats they face.

Key Takeaways - This presentation will equip security professionals with:
• Understanding of how bio-inspired algorithms solve complex cybersecurity challenges
• Practical insights from real deployments and case studies
• Framework for implementing evolutionary approaches in their own environments
• Vision for the future of adaptive, intelligent cyber defense

Windsor DE (Technical Breakout)
Thu 9:00 AM - 9:45 AM
  • Jon "McFly" McEllroy Offensive/Defensive Cyber Engineering Team Lead - Modern Technology Solutions, Inc. (MTSI)

Training: Cyberattack Methods for Cyber-Physical Systems (Day 3)

US ONLY: This training is available for United States Citizens only. (Workshop Registration Fee: $3995)

Note: This hands-on training will take place Tuesday, October 28th – Thursday, October 30th. Day 1 will be a full day, and Days 2 and 3 will be half days. Students will be able to attend sessions of the core ICS Cybersecurity Conference and access instructors even when the workshop is not in session. Access to all conference meals and networking events is also included.

Cyber-physical systems, i.e. systems that bridge the cyber and physical domains, are attractive targets for attack partially due to the possibility of causing real-world physical loss to the victim.

Have you ever wondered how cyber adversaries execute these sorts of attacks? Do you see attacks in the news and wonder, “how did the attacker even think to do that?” Do you stay up at night thinking, “could that happen to my system?” Developers want their systems to be secure and need to understand the threat. Unfortunately, broad intel reports and vague proclamations about adversary capability and intent may not give developers a concrete understanding of what they can do to make their systems more secure.

This Cyber Attack Methods course takes a unique approach to meeting this need, putting students into the shoes of an attacker — walking them through the steps of system discovery, exploitation, and delivering a mission-impacting attack against an intentionally vulnerable virtual cyber-physical system with their hands on the keyboard. In this course we won’t turn you into a hacker, but you will learn to think like one!

Course Objectives:

Provide an understanding of methods that an attacker may use against cyber-physical systems and their impact on mission readiness, capability, confidentiality, integrity, availability, productivity, or revenue.
With hands-on keyboard, develop and execute attacks against a representative cyber-physical system; discuss and evaluate mitigations against these attacks.
Foster an attacker mindset, enabling participants to think like bad actors, walk through attack methods related to historic exploits, and apply that knowledge to making systems more secure.
What students should know beforehand:

What students will learn:

Students will gain a tangible appreciation for the adversary mindset and the tactics, techniques and procedures related to enumerating and exploiting weaknesses in cyber-physical systems. They will also learn to think through real-world mitigations and design choices to reduce attack surface and provide greater protections in the systems they design, build, or oversee.

Hope II
Thu 9:00 AM - 12:35 PM

Workshop: Introduction to OT/ICS Penetration Testing (9AM – 3PM)

(Free for all Full Conference Pass Holders!)

Time: 9:00 AM – 3:00 PM [Certificate of Completion (4 CPEs) – awarded after passing a short 10-question quiz] (Free for conference participants)

Penetration testing in operational technology (OT) and industrial control systems (ICS) is often misunderstood and underexplored. Few resources exist to help security professionals understand how to safely and effectively test these environments, leading to misconceptions and gaps in cybersecurity programs.

This workshop is designed to bridge that gap, offering a comprehensive, hands-on experience packed with knowledge and practical labs. Participants will learn how OT penetration testing differs from IT testing, how to evaluate the security of OT networks and assets (such as PLCs and HMIs), and most importantly, how to conduct testing safely.

By the end of this course, attendees will be able to identify security weaknesses in their OT/ICS environments and gain the attacker’s perspective in critical industries such as power generation, chemical refining, and water treatment.

Hands-on labs are included and can be completed at your own pace, providing a deeper understanding of how adversaries target and compromise OT/ICS networks.

Agenda
Part 1: Course Introduction
Part 2: Getting Started with OT/ICS Penetration Testing
Part 3: The OT/ICS Penetration Testing Framework
Part 4: Reconnaissance and OSINT
Part 5: Discovery and Enumerating OT Assets
Part 6: Attacking and Compromising OT Assets
Part 7: Impacting Operators and Industrial Processes

[No additional fee for this workshop]

Hope III
Thu 9:00 AM - 2:55 PM

From Fire Drills to Fusion: How Cyber Fusion Centers Transform Security Operations
Modern security teams are overwhelmed—drowning in alerts, disconnected tools, and reactive “fire drill” responses. Cyber Fusion Centers (CFCs) offer a path out of this chaos, transforming the traditional Security Operations Center into an integrated, intelligence-driven hub that brings together IT and OT data, automation, and cross-functional workflows to reclaim time, reduce risk, and increase visibility.

This session explores how Cyber Fusion Centers enable organizations to move from reactive to proactive defense. By fusing data from disparate sources—firewalls, endpoint telemetry, industrial control systems, asset inventories, behavioral analytics, ticketing, and more—CFCs give teams a shared operational picture that spans both cyber and physical domains. This is especially critical in environments with legacy OT infrastructure, where visibility and context are often fragmented or nonexistent.

We’ll examine how intelligent automation within a CFC not only reduces alert fatigue and improves incident response times but also creates the foundation for predictive maintenance. By correlating anomalies in OT systems with IT indicators, CFCs can identify early signs of system degradation, unauthorized changes, or latent failure points—enabling preventive actions before incidents escalate into outages or breaches. This capability translates into significant cost savings across operations, maintenance, and security teams alike. We have worked with organizations in Transportation, Manufacturing, Energy and other sectors to achieve incredible results and will share the insights we have gained through decades of experience in the OT cybersecurity space.

Insights:

* How to identify and prioritize IT and OT data sources for fusion

* Building playbooks and automated workflows that eliminate repetitive tasks

* Detecting and responding to blended threats with real-time, cross-domain context

* Leveraging fused data for predictive maintenance and downtime prevention

* Structuring a CFC that supports compliance, scalability, and business alignment

We’ll also discuss how organizations have used Cyber Fusion Centers to strengthen collaboration across departments—bridging the cultural divide between cybersecurity, engineering, and operational stakeholders. By automating routine analysis and surfacing only the most relevant intelligence, CFCs give analysts and engineers their time back to focus on higher-value strategic functions.

Drawing from extensive experience in both red team operations and ICS/OT environments, I’ll share lessons learned from implementing fusion models in critical infrastructure and corporate networks. Real-world examples will highlight both the technical and human challenges of making fusion successful—from data normalization to workflow adoption—and how to overcome them.

This session will provide a blueprint for scaling cybersecurity operations with efficiency, intelligence, and resilience.

Windsor C (Strategy Breakout)
Thu 9:45 AM - 10:15 AM

Something’s in the Air: Uncovering Hidden Wireless Threats in OT/IoT

In industrial cybersecurity, you can’t protect what you can’t see, and for many OT teams the wireless airspace in and around operational environments remains a significant blind spot and a highly vulnerable attack surface. The rise of wireless tools on the factory floor and IoT devices has expanded the attack surface in ways that transcend physical perimeters and traditional network segmentation. Industrial control systems are no longer confined to isolated, wired networks; they’re now active in and surrounded by Wi-Fi, Bluetooth, Zigbee, cellular, LoRaWAN and WirelessHART wireless networks, among others. Many industrial control systems ship from the factory with wireless radios and get installed with wireless functionality turned on. Yet today, most plants lack the means to monitor rogue Wi-Fi, Bluetooth, and other RF activity until after an incident occurs.

In this panel discussion, experts from Nozomi Networks, Interstates, and one of our industrial customers will dive into the reality of wireless threats in OT environments. We’ll share real-world examples of unexpected devices, explore how to identify and monitor what’s in the air, and talk through practical steps to build better visibility without disrupting operations.

Windsor DE (Technical Breakout)
Thu 9:45 AM - 10:15 AM

Harmonizing Cyber Security Across Diverse Business Lines: The Role of the SOC

Join Brad Nash as he explores how the Security Operations Center (SOC) unifies our five distinct business lines through a common thread—cyber security.

Windsor C (Strategy Breakout)
Thu 10:20 AM - 11:00 AM

Packaged Control Systems – The Achilles Heel of Most OT Cybersecurity Programs

Packaged control systems (PCS) are a mainstay in industrial environments due to their standardized functionality, ease of integration, cost efficiency, and rapid deployment. From gas compression skids to boiler control systems and vapor recovery units, PCS offer a pre-engineered, plug-and-play approach that enables organizations to quickly meet operational needs. However, these benefits come at a significant cost: PCS are often the most overlooked and vulnerable components in Operational Technology (OT) cybersecurity programs.

This presentation will explore why PCS pose a disproportionate risk to industrial cybersecurity. It will examine the systemic challenges they introduce, including lack of built-in security features, poor patch management, and insecure communication protocols.

Drawing on real-world examples from oil and gas, chemical processing, and utility operations, this session will highlight how PCS can become the entry point for cyber threats—and what organizations must do to address these risks. Attendees will gain insights into practical mitigation strategies, including risk assessments, architectural segmentation, protocol hardening, and vendor engagement, to strengthen their OT cybersecurity posture against the hidden dangers of packaged control systems.

Windsor DE (Technical Breakout)
Thu 10:20 AM - 11:00 AM

Solutions Theater: Using the Right Signals to Protect and Manage OT Network Traffic

[Solutions Theater Session - Sponsored by Fortinet]

Despite consensus on attack surface expansion and shared management challenges in responding to attacks, there remains a high degree of variation in security practices and capabilities, including practices for securing legacy and modern equipment. To protect critical infrastructure in OT, industrial organizations need to harness the power of segmentation to secure their resources, systems, and users, as well as minimize the risk of attackers gaining access to their critical infrastructure. Join this demonstration to experience how the Fortinet OT Security Platform removes the risks associated with flat network architectures and supports operationalizing NIST, IEC 62443 and other cybersecurity frameworks to secure network traffic.

This is a Solutions Theater Session - Sponsored by Fortinet.

Windsor C (Strategy Breakout)
Thu 11:15 AM - 11:45 AM

The Airgap Fallacy: Why Isolated OT Systems Are Still Vulnerable to Ransomware

The notion of airgapped OT systems as a bulletproof defense against cyber threats is a dangerous myth in today’s interconnected world.
Despite their perceived isolation, airgapped industrial control systems (ICS)—such as SCADA, PLCs, and DCS—are increasingly vulnerable to sophisticated ransomware attacks, as evidenced by incidents like the 2025 Saudi Al Bawani breach and the 2024 UAE Lulu Hypermarket attack.
This presentation dissects the airgap myth, revealing how modern attack vectors exploit connectivity gaps and human factors to compromise OT environments, particularly in critical Middle Eastern sectors like oil, gas, and manufacturing, which faced a 68% surge in ransomware victims in 2024.

We identify key vulnerabilities shattering the airgap illusion:

(1) Hardware exposures: Wi-Fi, Bluetooth, USB drives, and even external keyboards can serve as malware vectors, as devices may inadvertently connect or employees make errors.
(2) Maintenance staff risks: Third-party technicians often introduce infected devices behind the airgap, spreading malware to intranets, as seen in attacks like IOCONTROL targeting US and Israeli OT systems.
(3) Supply chain threats: New devices may arrive pre-infected if suppliers’ systems are compromised, a growing concern with 34 of 39 IoT exploits targeting legacy vulnerabilities over three years old.
(4) Inherent limitations: Airgapped systems often cannot update antivirus patterns or install modern security software, leaving them defenseless against evolving threats like double extortion ransomware from groups like LockBit (22.22% of 2024 Middle East attacks).

Leveraging Rob M. Lee’s Pyramid of Value vs. Cost, this talk proposes a layered defense strategy to secure OT systems beyond the airgap myth.
Low-cost, high-impact measures—such as rigorous device vetting, employee training to counter phishing (a primary ransomware entry point), and network segmentation—form the foundation.
Higher-value strategies, like behavioral analytics and threat intelligence integration, target adversary TTPs to disrupt campaigns, as demonstrated by countermeasures against RansomHub’s 2024 exploits. Case studies from the Middle East, where 66% of attacks targeted UAE and Saudi Arabia, highlight the stakes for critical infrastructure.

Attendees will gain a practical roadmap to assess airgap vulnerabilities, prioritize investments, and implement modern solutions like zero-trust architecture and OT-specific monitoring. This session equips ICS operators, engineers, and CISOs with actionable insights to protect against ransomware and emerging threats in 2025, redefining resilience in OT cybersecurity.

Windsor DE (Technical Breakout)
Thu 11:15 AM - 11:45 AM
  • Kevin Holcomb Technical Marketing Engineer, Industrial IoT Business Unit - Cisco Systems

Solutions Theater: Security Fused into the Network to Protect OT at Scale

[Solutions Theater Session - Sponsored by Cisco]

Security is the foundation of every conversation in today's industrial landscape. As operational technology (OT) environments grow increasingly complex, organizations require a comprehensive security and networking solution that delivers asset visibility, access control, and context-level security. In this demo, we will showcase how Cisco's integrated portfolio, including Cyber Vision, Secure Equipment Access (SEA), Splunk, Identity Services Engine (ISE), and Firewall Management Center (FMC), enables organizations to secure their industrial operations from the ground up.

This is a Solutions Theater Session, Sponsored by Cisco.

Windsor C (Strategy Breakout)
Thu 11:50 AM - 12:20 PM

Control Systems Under Pressure: Strategies for Running Effective OT Tabletop Exercises

In this session, we’ll explore how to design and execute effective tabletop exercises specifically for OT environments. OT incident response is fundamentally different from IT, and tabletop scenarios must reflect the realities of SCADA architectures, limited staff, tool constraints, and the nuances of OT forensics. This session will present strategies that are pivotal for organizations to maximize the impact and effectiveness of their OT incident response tabletop exercises.

We’ll explore:

1. Designing Realistic OT Tabletop Exercises: How to build injects and flow to effectively test an organization’s OT incident response capabilities, not just its documentation. OT tabletop exercises require specific response strategies that are very different from the IT world. Injects must take into account operational limitations and unique OT architecture, from control systems to remote access constraints.

2. Including IT in the Exercise: Some organizations choose to isolate their OT tabletops. Others see the OT to IT data flows as critical business processes and choose to test them together. These data integrations become not only a required resilience component but also a potential attack vector, particularly where custom code or custom-written connectors exist.

3. The Role of Third-Party Vendors: The OT vendor landscape requires organizations to adapt incident response in ways that IT doesn’t. In this part of the session, we'll discuss the proprietary nature of OT hardware and software and the impact that these vendors can have on IR cybersecurity practices.

Insights are drawn from over 25 years of experience handling both IT and OT breaches, offering actionable takeaways to help teams build tabletop exercises that surface real gaps and improve resilience.

Key Takeaways:

- Consider OT business processes and IR tools capabilities as part of exercise design.

- Evaluate the OT to IT data flow so that critical business processes are included in the test. Identify threats to business continuity and attack vectors.

- Understand the roles and risks of third-party vendors in the OT space, particularly special remote access requirements and proprietary administration tools that have the potential to be used nefariously.

Windsor DE (Technical Breakout)
Thu 11:50 AM - 12:20 PM

Embedding Cyber Resilience: A Security-by-Design Blueprint for Critical Infrastructure Systems

This workshop is designed to equip utility professionals, engineers, and cybersecurity teams with the principles and methodologies of Security by Design. This proactive approach embeds cybersecurity into every phase of system development, deployment, and operation. Unlike reactive security measures, Security by Design ensures that hardened architectures, secure configurations, and risk-mitigated designs are implemented upfront, reducing vulnerabilities and lifecycle costs while enhancing resilience. Focusing on Operational Technology (OT) and Industrial Control Systems (ICS)—including SCADA, DCS, protective relays, and RTUs—this session provides actionable strategies to integrate security into engineering workflows, procurement, and maintenance, ultimately delivering better ROI, compliance readiness, and breach prevention.

Trippe Room (Breakouts)
Thu 12:30 PM - 1:15 PM

Practical Guidance for Modernizing OT Infrastructure to Enable Secure Smart Manufacturing

As manufacturing technologies rapidly evolve, organizations face a common challenge: modern shopfloor sensors generate significantly larger volumes of data, enabling AI and machine learning platforms to rapidly deliver insights that previously required extensive processing time. These insights improve quality assurance and quality control by utilizing machine vision and acoustic inspection, which help detect defects in real time, enhance predictive maintenance scheduling by identifying equipment issues before they cause downtime, and reduce operational waste by optimizing the utilization of raw materials.

The OT infrastructure supporting this surge in data, network bandwidth, and compute demands often remains outdated and overloaded, resulting in adjustments to configurations which often lower security requirements and increase online exposure.

Attendees will learn common pitfalls and practical guidance to modernize legacy OT infrastructure, securely manage increased data volumes, network bandwidth, and compute demands of smart manufacturing while minimizing disruption to shopfloor operations. The session will also cover effective strategies for gaining stakeholder buy-in and detailed technical guidance for planning and executing successful OT infrastructure upgrades.

Windsor C (Strategy Breakout)
Thu 1:30 PM - 2:00 PM
  • Mike Lennon Director, ICS Cybersecurity Conference - SecurityWeek

Closing Panel: Takeaways and Insights from the 2025 ICS Cybersecurity Conference

As the 2025 conference comes to a close, join us for a panel discussion where participants will share their key takeaways, lessons learned, and insights from various sessions and discussions over the three-day event. Designed to be a fun and informal discussion, we encourage audience participation and will wrap up with our annual open mic opportunity where anyone can chime in.

Windsor C (Strategy Breakout)
Thu 2:05 PM - 3:00 PM