GridSecCon 2018 Training Descriptions



Training tracks are described below. Training track 1A and 1B are full-day sessions; registering for track 1A requires registering for track 1B. The remaining training tracks are all half-day sessions. You may register for one track “A" and one track “B" session; you cannot register for two track “A" sessions or two track “B" sessions.


Track 1A and 1B: CyberStrike Workshop

U.S. Department of Energy (DOE)/Idaho National Laboratory (INL)

All-day session, 95 seats available, starts at 8:00 a.m.

Audience: Energy sector owner and operator staff, specifically control room operational technology (OT) personnel, critical infrastructure protection-focused technical staff, Energy Management System support, operating personnel, cyber security staff

The DOE's Infrastructure Security and Energy Restoration Division, in collaboration with the E-ISAC and INL, developed the CyberStrike Workshop to enhance the ability of energy sector owners and operators in the United States to prepare for a cyber incident impacting industrial control systems (ICS). The training offers attendees a hands-on, simulated demonstration of a cyber attack, drawing from elements of the 2015 and 2016 cyber incidents in Ukraine. The instruction platform challenges course participants to defend against a cyber attack on the equipment they routinely encounter within their ICS.

Hands-on labs/modules include:

  • Open source intelligence
  • Denial of service
  • Controlling the Human Machine Interface (HMI)
  • Bypassing HMI
  • Firmware analysis
  • Passive man-in-the-middle attack
  • Active man-in-the-middle attack
  • Defender mitigations


Track 2A: Physical Security Workshop I

Physical Security Advisory Group (PSAG)

Half-day session, 60 seats available, starts at 8:00 a.m.

Audience: Physical security professionals and asset owners and operators

This track explores issues that affect the physical security of the electricity industry. It allows participants the opportunity to hear a variety of perspectives from physical security experts about topics of importance, such as current issues and best practices, and discuss any concerns.

  • Drones/Emerging Technology, Foreign Investment

Travis Moran, Welund, will discuss trends in drones and emergency technologies, as well as foreign investments, and how they impact the security of the electricity industry. Welund monitors and analyzes politically based threats to the electricity industry.

  • Physical Security Best Practices
    Nick Weber, Grant County Public Utility District, Western Electric Coordinating Council (WECC), will provide insight on best practices in physical security. This provides participants a chance to hear the regional perspective and gather information about solutions peers are using to address current threats.
  • Intelligence Sharing vs. Information Sharing

John Bryk, Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), will share perspectives discuss how intelligence sharing differs from information sharing, stressing that understanding can improve your ability to assess threats. The downstream natural gas sector shares much of the same operating environment and threats as the electricity sector.


Track 2B: Physical Security Workshop II

PSAG and Design Basis Threat (DBT)

Half-day session, 60 seats available, starts at 1:00 p.m.

Audience: Physical security professionals and asset owners and operators

This track demonstrates the use of the DBT Implementation Guide and how to use the methodology to assess and improve the security of electricity sector assets. The PSAG created the Electricity Sector Design Basis Threat to tailor the DBT methodology to the electricity sector. DOE, through the Pacific Northwest National Laboratory (PNNL), developed the Design Basis Threat: Implementation Guide as a companion product designed to assist owners and operators in using the DBT methodology to assess the physical security of their assets.

The goal of this session is demonstrate how to use these products and help participants gain familiarity with the tools. Rob Siefken, PNNL, will provide step-by-step instructions on how to use the guide to assess the security of a generic facility.

Agenda includes:

  • Explanation of DBT Implementation Guide
  • Sample run of Implementation Guide
  • Discussion of the software tool DOE developed for the Power Marketing Administrations
  • Questions and answers


Track 3A: Asset Management for Energy Providers

National Cybersecurity Center of Excellence (NCCoE), National Institute of Standards and Technology (NIST)

Half-day session, 60 seats available, starts at 8:00 a.m.

Audience: Cyber security professionals and ICS owners

Monitoring and managing OT assets is an essential component of protecting the nation's critical infrastructure from cyber attacks. To properly assess cyber security risk within the OT network, energy providers must be able to identify and maintain a complete and accurate view of their OT assets, especially the most critical.

The NCCoE, a part of NIST, in collaboration with members of the energy community and cyber security technology providers, is working on an OT asset management example solution to address this complex challenge. This project will result in a NIST cyber security practice guide (Special Publication 1800 series) that shows how commercially-available products can be used to create an example solution for electric utilities and for oil and gas companies to effectively track and manage their assets. The guide will be released in March 2019.

Join security engineers from the NCCoE at NIST, alongside the projects' leading collaborators, for a detailed description of this project and other ICS cyber security projects. The panel will share their expertise and best practices on asset management for the energy sector, as well as their current efforts in documenting and implementing methods for managing, monitoring, and baselining assets and information to help identify potential threats to OT assets. Additionally, this conversation will expand to include a panel discussion on Industrial Internet of Things cyber security challenges within the energy sector.


Track 3B: Next-generation Cybersecurity for Electric Utility OT Networks

Palo Alto Networks, Southern Company, Securicon

Half-day session, 50 seats available, starts at 1:00 p.m.

Audience: Cyber security professionals and ICS owners

This training is presented by utilities and OT cybersecurity practitioners and focuses on applying next-generation firewalls, advanced endpoint protection, and adjacent technologies within electric transmission and distribution, and generation infrastructure with the purpose of maximizing visibility, reducing attack surfaces, and preventing sophisticated attacks and malware. The training features a combination of lecture, case studies, and hands-on exercises in a virtual ICS/SCADA environment.


Track 4A: Build a Security Awareness Program Your Employees Will Love

Curricula, LLC

Half-day session, 40 seats available, starts at 8:00 a.m.

Audience: Cyber security professionals

Many organizations have security awareness programs, but are they looking at the emotional intelligence behind their designs. How do you make your employees love security? Change your focus to get employees to become your best defense and give them the tools to succeed.

Section 1: Introduction to Security Awareness Elements

Security awareness starts with understanding the basic principles behind psychology and human behavior. Changing the way we communicate information to our employees is the key to success. This session highlights marketing and advertising principals, along with understanding metrics that matter to powerful security awareness programs.

Section 2: Building Your Plan

Successful security awareness requires a plan. We will walk through how to build your ambassador program, security awareness roadmap, and provide detailed information on how to successfully launch a phishing simulation program. This session includes demonstrations of detailed phishing simulation tests and how to approach the ongoing exercise of phishing prevention training. We will review the following guides:

    • Security awareness program assessment
    • Security awareness ambassador program
    • Phishing simulation best practices
    • Phishing lessons learned
    • Phishing recovery questions
    • Metrics for executives

Section 3: Case Study and Best Practices

Time to put all your new knowledge to use. Review case studies that require thinking outside the box and being creative. There are no right answers here, but the group will scrutinize historically predictable approaches. This session will explain best practices from successful security awareness programs. Your new perspective will give you the insight, tools, and motivation to start making a change in your own security awareness and phishing simulation program.


Track 4B: How to be an Exercise Master Planner

Tennessee Valley Authority

Half-day session, 40 seats available, starts at 1:00 p.m.

Audience: Open to all

Through gamification, a company's cyber security, physical security, and operational response exercises can be an exciting and engaging adventure that people will talk about for years to come. This training takes participants through an overview of the exercise planning process outlined in the FEMA Homeland Security Exercise and Evaluation Program process mixed in with elements of tabletop gaming campaign building. The workshop goal is to evolve the way the community holds exercises.

This training event will help planners start working on GridEx V plans and can be applied to drills, such as phishing, emergency response, and multiple organization 100+ inject.

During this course, the participants will develop an exercise plan that they can communicate to management and other members to develop further and run at their companies. They will receive a set of tabletop scenarios, a sample pack of network maps and corresponding city maps “Game Boards," and other material.


Track 5A: Cybersecurity Training for SCADA using Testbed

Iowa State University

Half-day session, 24 seats available, starts at 8:00 a.m.

Audience: Cyber security professionals

This session provides a scenario-based, hands-on training experience in cyber attack defense methodology aligning with NERC CIP. The training leverages an industry-grade SCADA platform (Siemens), relays/PMUs (SEL and Siemens), state-of-the-art security tools, and practices (E-ISAC, NIST, DHS).

The training has the following four modules:

  • Module 1: Network reconnaissance using Nmap tool
  • Module 2: Vulnerability assessment using OpenVAS tool
  • Module 3: Vulnerability exploitation, such as “tripping the relay" via sending malicious packets (Wireshark tool)
  • Module 4: Defense techniques – network monitoring, firewall, and intrusion detection systems – using Security Onion SIEM tool

The participants will experiment with real platforms for attack-defense training. This session includes an illustration of real-world scenarios, like the 2015 Ukraine grid attack and potential defenses. Iowa State University conducted similar training sessions at GridSecCon 2015 and 2016, as well as other venues for industry professionals.


Track 5B: Real Time Threat Response


Half-day session, 60 seats available, starts at 1:00 p.m.

Audience: Cyber security professionals

This session provides participants with a high-level overview of the Tanium platform, as well as a more technical, hands-on conversation on threat hunting and incident response with the Tanium Threat Response toolset. Attendees will learn the following:

  • How to query information about hosts in a lab environment to quickly triage threats;
  • The importance of being able to investigate suspicious activity on hosts with accurate, complete information; and
  • How to perform threat hunting processes with Tanium Threat Response, using real examples.


Track 6A: Social Engineering and Open Source Intelligence (OSINT) Workshop


Half-day session, 95 seats available, starts at 8:00 a.m.

Audience: Cyber security professionals

This training focuses on how hackers use social engineering to get the information they want and how you can defend against social engineering.

Fundamentals of OSINT

  • OSINT overview
  • Where OSINT can be gathered
  • Understanding gathering techniques
  • Gathering OSINT on people
  • Ethical and legal considerations
  • Understanding privacy
  • LAB: Gathering people OSINT

Fundamental Social Engineering

  • Social engineering overview
  • Principles of persuasion
  • Types of social engineering
  • Ethical considerations
  • Social engineering as it pertains to “the hack"
  • LAB: Interpersonal communications and pretexting

Applied Social Engineering

  • Creating payloads
  • Cloning and standing up phishing web servers
  • Automated phishing solutions
  • Spoofing calls for vishing
  • Physical security and baiting
  • Tailgating
  • Applying the concepts to gain access
  • LAB: Phishing, vishing, and baiting


Track 6B: Who's in Your Network and How Long Have They Been There?

Burns & McDonnell

Half-day session, 95 seats available, starts at 1:00 p.m.

Audience: Cyber security professionals and ICS owners

In the current state of cyber security affairs, a common theme is the time elapsed between compromise and detection. In many cases, time to detection can be days, weeks, or even months. This course lays out a foundation of distribution, transmission, and generation communications, and how a communications network may be implemented to avoid weak points inherent to its design. It identifies the importance of understanding the traffic within a network and how logging, monitoring, and alerting provide visibility into potential attack surfaces. The course also introduces the concepts of attack trees and kill chains and how they can help create insight into an adversary's objectives.