|    Account Log-In/Register    |    Contact Us
GridSecCon 2016 Training Tracks

All training sessions run simultaneously on Tuesday, October 18, and run either all-day (starting at 8 a.m.) or half-day (starting at 8 a.m. or 1 p.m.).  A full conference registration must be purchased to attend a training session.  There is no extra charge to attend the training sessions. 

Since courses overlap (see the graphic below), during registration, please choose either:

  • One or both half-day classes (some combination of 1A, 1B, 2A, 2B, 3A, 3B, 4A, 4B or 5A/5B).  !A/1B and 5A/5B cover the same subject matter in each session.

2016 Training Graphic.jpg

GridSecCon 2016 Training Sessions

Track 1A and 1B:  "Ukraine Workshop" E-ISAC, US Department of Energy, Idaho National Laboratory, SANS Institute (full-day, 120 seats available, starts at 8 a.m.) Audience – cyber security professionals.  Located in Kent - First Floor.

The workshop is a 4-hour, in-depth discussion of the events impacting operations in Ukraine with insights towards discovering and preventing similar intrusions, providing specific mitigation concepts for power system Supervisory Control and Data Acquisition (SCADA) defense, as well as a general learning opportunity for ICS defenders.  Each session covers the same material.

Track 2A:  "Physical Security Workshop" - Ballistic Fire Barrier (half-day, 100 seats available, starts at 8 a.m.)  Audience – Physical security professionals; asset owners and operators.  Located in Saint Louis - First Floor.

Subject Matter Experts, led by John Sinisi of Ballistic Fire Barrier, will provide an overview of the various threat environments and trends facing the electric sector and utilities.  Information sharing includes assessment, identification and mitigation techniques for physical threats including fire, blast and ballistic damage. Threat deployment methods and mitigation designs for drones, bombers, snipers, combined threats and natural disasters will be presented.

The class will learn UL and NFPA Standards and techniques necessary to plan cost-effective physical security installations, barriers and stops to mitigate threat and minimize risk. Highlights include photos and designs of threat mitigation projects to protect transformers and banks, sub substations, switches, controls and critical equipment to standards. Building, geography and facility hardening will be also be discussed as part of the plan. Case studies include physical threat site assessment, new rated materials and using engineered fire barriers to help meet safety and security goals.


Track 2B: "Grid Transmission and Security Expert Workshop" – Physical Security Advisory Group (facilitated by the E-ISAC).  (half-day, 100 seats available, starts at 1 p.m.) Audience – Physical security professionals; asset owners and operators.  Located in Saint Louis - First Floor.

This workshop will be a panel discussion regarding the methodology and identification of critical system components. The panel will be moderated by Louis Dabdoub (Entergy) and Brian Harrell (Navigant) and the members will be comprised of a group of transmission and security experts from across the North American (US and Canadian) electricity grid. The aim is to provide a holistic view of infrastructure and asset protection. This will be a discussion-based panel relying on collaboration and audience participation.

Track 3A:  "Securing the Grid" - Utility Services Inc. and Norwich University Applied Research Institutes. (half-day, 80 seats available, starts at 8 a.m.) Audience - technical / cybersecurity professionals.  Located in Villeray/De Tourny - Main Floor.

The workshop will provide an in-depth primer for preparing, performing, and valuing Cyber Risk Assessments and Exercises.  The half day class will include a simulation of real-world attack vectors, entity response, and entity recovery using the NUARI DECIDECore® exercise delivery platform.


  •   Review of available sector specific exercise and assessment tools
  • Information to assist participants with independently developing and performing valuable cyber/physical risk assessments and exercises
    • Sample exercise materials
    • Data collection techniques
    • Post exercise action report essentials
  •  Discussion and presentation of current threat vectors, adversaries, and defense
  •  Participation in a grid/local exercise simulation through the NUARI DECIDECore® platform that includes valuable data collection and post exercise discussion


NUARI’s DECIDECore® platform replaces traditional tabletop exercises with a web-based, interactive experience customized to specific business models, information technologies, and organizational dependencies and delivers a unique user experience related to an individual’s functional role within their organization.

Track 3B: "NP-View" – Network Perception. (half-day, 80 seats available, starts at 1 p.m.) Audience – cyber security professionals. Located in Villeray/De Tourny, Main Floor.

Network Perception is pleased to announce a half-day training session to learn how to leverage the NP-View software to prepare for a NERC CIP audit. NP-View enables the development of a process-driven approach to systematically review and audit firewall and router configurations. This training will provide users with a step-by-step guideline and a checklist to leverage the different features of the tool. In particular, we will show how the tool can help preparing documentation for 3 requirements of CIP-005-5:

  • R1.1: All applicable Cyber Assets connected to a network via a routable protocol shall reside within a defined Electronic Security Perimeter
  • R1.3: Require inbound and outbound access permissions, including the reason for granting access, and deny all other by default
  • R2.1: Utilize an intermediate system such as the Cyber Asset initiating interactive remote access does not directly access an applicable Cyber Asset

Attendees should bring a laptop running Windows, Mac, or Linux. The training includes hands-on exercises on a realistic network to generate network map documentation, rule audit table with rule justifications, and path access table. 

Track 4A: "NIST Workshop" - National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE).   (half-day, 80 seats available, starts at 8 a.m.) Audience – cyber security professionals. Located in Beauport, Second Floor.

The NIST NCCoE will host a workshop with three guest speakers discussing the top three most significant challenges facing the industry today. Following that discussion, the group will discuss solutions by reviewing profiles and worked example solutions.  Topics include:

    • NIST Cybersecurity Portfolio
    •  Cybersecurity Framework (CSF)
    • New/forward-looking challenges in the industry from utility, association, and integrator perspective
    • Applied cybersecurity: example solutions to guide the industry from the NCCoE/NIST (i.e., IdAM and Situational Awareness for Electric Utilities, Industrial Control System Security topics including but not limited to: Leveraging NCCoE Elec. Utilities Body of Work for Oil and Gas, CSF profiles for Bulk Liquid Transport and Manufacturing)

Track 4B:  "Grassmarlin workshop" - National Security Agency.  (half-day, 80 seats available, starts at 1 p.m.) Audience – cyber security professionals and ICS System Owners. Located in Beauport, Second Floor.

The first step of an industrial control system (ICS) cybersecurity project, most of the time, is the creation, or the consolidation, of the inventory of all networked components. GRASSMARLIN answers this need by giving a network mapping solution based on passive detection. GRASSMARLIN is a passive network mapper dedicated to industrial networks and developed by the National Security Agency (NSA). The tool has recently become open-source and is directly available on GitHub (

GRASSMARLIN gives a snapshot of the ICS including:

    • Devices communicating over the network;
    • Communications between these devices;
    • Metadata extracted from these communications.

Maintaining ICS availability is a paramount necessity. In fact any failure can lead to important consequences going from loss of service to loss of life. Thus in order to not disrupt the availability of industrial devices all the mapping is done passively by GRASSMARLIN. In fact, GRASSMARLIN passively records and analyzes the communications unlike active mapping tools, such as nmap or plcscan, which send packets over the network and analyze the potential answers.

Attendees will need a laptop with:

    • GrassMarlin (Free,
    • Java 1.8 update 66 or newer
    • Wireshark
Track 5A and 5B:  "CyDECS: Cyber Attack-Defense Training Exercise for Power Grid" - Iowa State University.   (half-day, 24 seats available for each session) Audience - Practicing industry engineers/professionals; academic cyber researchers and graduate students.  Located in Beaumont/Belair, Second Floor

Goal:  The goal of the training session is to provide practical scenario-based hands-on learning experience for its participants in cyber attack-defense methodology for power grid using an industry-grade SCADA platform and state-of-the-art security practice and tools.

Learning outcomes:

    • Basic understanding of engineering secure systems, attack and defense concepts.
    • Hands-on experience in attack/vulnerability assessment tools, such as Wireshark, nmap, and Nessus.
    • Hands-on experience in using defense tools, such as firewalls, intrusion detection systems (IDS), system configuration management.
    • Scenario-based attack-defense experimentation.
    • Build a secure SCADA network environment.
    • Defend a SCADA network environment against cyber attacks.
    • Evaluate the effectiveness of defense measures.
    • Cyber security technical skills – such as vulnerability analysis, configuration management, and electronic security perimeter – that are relevant to NERC CIP compliance.
    • Attack-defense learning experience in the context of industry-grade SCADA/EMS platform – e.g., protocols (IEC 61850, DNP3), substation automation system, control center, power system devices like relays or PMUs.



  •  Duration: 4 hour-long session (1 hour lecture, 3 hour hands-on training)
  • Class size: 24 participants (12 training stations, each with 2 participants working as a team).
  • Two sessions: morning (6A) and afternoon (6B.)



Training Station Resources (provided):

  • Laptop or Server hosting an industry-grade SCADA platform and a corporate network environment as virtual machines (VMs) - substation VMs, control center VM, corporate network VM, and associated communication protocols (DNP3, IEC 61850, and TCP/IP).
  • Relay interfaced to the SCADA platform.
  • Attack tools – Wireshark, nmap, Nessus.
  • Defense tools – firewalls, IDS.

Materials provided to the participants:

    • Lecture notes and a few relevant publications.
    • Attack and defense scenarios.




















































home | account log-in/register | legal and privacy/trademark policy | site map | careers | contact us

Atlanta Office | 3353 Peachtree Road, NE Suite 600 North Tower, Atlanta, GA 30326 | 404-446-2560
Washington Office | 1325 G Street, NW Suite 600, Washington, DC 20005| 202-400-3000

Copyright 2016 North American Electric Reliability Corporation. All rights reserved.