GridSecCon 2018 Training Descriptions



Training tracks are described below. Training track 1A and 1B are full-day sessions; registering for track 1A requires registering for track 1B. The remaining training tracks are all half-day sessions. You may register for one track “A" and one track “B" session; you cannot register for two track “A" sessions or two track “B" sessions.


Training Tracks 1A and 1B: CyberStrike Workshop | US Department of Energy

Full-day Session

Description: The U.S. Department of Energy's Infrastructure Security and Energy Restoration Division, in collaboration with the Electricity Information Sharing and Analysis Center and Idaho National Lab (INL), has developed the CyberStrike Workshop to enhance the ability of energy sector owners and operators in the U.S to prepare for a cyber incident impacting industrial control systems. The training offers attendees a hands-on, simulated demonstration of a cyberattack, drawing from elements of the 2015 and 2016 cyber incidents in Ukraine. The instruction platform challenges course participants to defend against a cyber attack on the equipment they routinely encounter within their industrial control systems.

Hands-on Labs/Modules include:

  • Open Source Intelligence
  • Denial of Service
  • Controlling the Human Machine Interface
  • Bypassing the Human Machine Interface
  • Firmware Analysis
  • Passive Man in the Middle Attack
  • Active Man in the Middle Attack
  • Defender Mitigations

Target Audience

The workshop is tailored to energy sector owner and operator staff who work in the following areas:

  • Control room operational technology personnel
  • Critical infrastructure protection-focused technical staff
  • Energy Management System (EMS) support
  • Operating personnel
  • Cybersecurity staff


Training Tracks 2A and 2B: Physical Security Workshop I and II

Full-day Session

Description: This physical security-focused training track will cover a holistic look at common security threats and emerging trends for electricity asset owners and security practitioners.


Training Track 3A: Asset Management for Energy Provider | NIST NCCOE

Half-day Session

Description: Monitoring and managing operational technology (OT) assets is an essential component of protecting the nation's critical infrastructure from cyber attacks. To properly assess cyber security risk within the OT network, energy providers must be able to identify and maintain a complete and accurate view of their OT assets, especially the most critical.

The National Cybersecurity Center of Excellence, a part of the National Institute of Standards and Technology (NIST), in collaboration with members of the energy community and cyber security technology providers, is working on an OT asset management example solution to address this complex challenge. This project will result in a NIST cyber security practice guide (Special Publication 1800 series) that shows how commercially available products can be used to create an example solution for electric utilities and for oil and gas companies to effectively track and manage their assets. The guide will be released in March 2019.

Join security engineers from the NCCoE at NIST, alongside the projects' leading collaborators, for a detailed description of this project and other ICS Cybersecurity projects. The panel will share their expertise and best practices on asset management for the energy sector, as well as their current efforts in documenting and implementing methods for managing, monitoring, and baselining assets and information to help identify potential threats to OT assets.


Training Track 3B: Next-generation Cybersecurity for Electric Utility OT Networks | Palo Alto Networks

Half-day Session

Description:  This training, presented by utilities and OT cybersecurity practitioners, focuses on how to apply next-generation firewalls and adjacent technologies within electric T&D and generation infrastructure to maximize visibility, to reduce attack surfaces, and to prevent sophisticated attacks and malware from executing successful cyberattacks. It will use a combination of lecture, case studies, and hands-on exercises in a virtual ICS/SCADA environment to solidify the key concepts, frameworks, and best practice guidance presented during the training.


Training Track 4A: Build a Bulletproof Security Awareness and Phishing Simulation Program | Curricula

Half-day Session

Description: Many organizations have security awareness programs, but are they looking at the emotional intelligence behind their design? We will examine every element of your awareness program and how certain actions positively or negatively impact your employees and the security of your organization.


Training Track 4B: How to be an Exercise Master Planner | Tennessee Valley Authority

Half-day Session

Description: Through gamification, a company's cyber security, physical security, and operational response exercise can be an exciting and engaging adventure that people will talk about for years to come. Company management, technical resources, and responders receive awareness messages, risk reports, and other security documentation that do not always convey the full effects of the threats our communities face. A dynamic, well-delivered exercise can reduce the workload on the cyber security, physical security, and emergency response member and deliver a more effective message.

The workshop's goal is to evolve the way the community holds exercises. Attendees will be able to deliver exciting, dynamic, and useful exercises, and will help planners start working on GridEx V plans.

Participants will leave with an exercise plan that they can communicate to management and other members to develop further and run at their companies. They will receive a set of tabletop scenarios and a sample pack of network maps and corresponding City map "Game Boards" that they can use in their exercises.


Training Track 5A: Cybersecurity Training for SCADA using Testbed | Iowa State University

Half-day Session

Description: This session will provide a scenario-based, hands-on training experience in cyber attack-defense methodology aligning with NERC CIP. The training will leverage industry-grade SCADA platform (Siemens) and state-of-the-art security practice (E-ISAC, NIST, DHS) and tools (Wireshark, OpenVAS, Security Onion). The training will host 24 participants (12 teams, 2 members/team). Each team will be provided with an instance of a SCADA (control center, substation, and a relay). This training session was conducted in GridSecCon 2015 and 2016, and four other instances.


Training Track 5B: Real Time Threat Response | Tanium

Half-day Session

Description: This training session will provide participants a high-level overview of the Tanium platform, as well as a more technical conversation and hands-on threat hunting and incident response with the Tanium Threat Response toolset. In the lab session, attendees will learn the following:

  1. How to query information about hosts in a lab environment to quickly triage threats;
  2. The importance of being able to investigate suspicious activity on hosts with accurate, complete information; and
  3. How to perform threat hunting processes with Tanium Threat Response, using real examples.


Training Track 6A: Social Engineering and Open Source Intelligence (OSINT) Workshop | EC-Council

Half-day Session

Description: This training will focus on how hackers use social engineering to get the information they want, and how you can defend against social engineering.



  • Overview of Open Source Intelligence (OSINT)
  • Describe where OSINT can be gathered
  • Understanding Techniques to Gather OSINT
  • Gathering OSINT on people
  • Ethical and Legal Considerations
  • Understanding privacy in collection of OSINT – LAB: Gathering People OSINT


  • What is social engineering
  • Principles of persuasion
  • Types of social engineering
  • Ethical considerations
  • Social engineering as it pertains to “the hack" - LAB: Interpersonal communications and Pretexting


  • Creating payloads
  • Cloning and standing up phishing web servers
  • Automated phishing solutions
  • Spoofing calls for vishing
  • Physical Security and baiting
  • Tailgating
  • Applying the concepts to gain access – LAB: Phishing, Vishing, and Baiting


Training Track 6B: Who's in Your Network and How Long Have They Been There? | Burns & McDonnell

Half-day Session

Description: In the current state of cyber security affairs, a common theme is the time elapsed between compromise and detection. In many cases, this time period can be days, weeks, or even months. This course lays out a foundation of distribution, transmission, and generation communications, and how a communications network may be implemented with weak points inherent to its design. It identifies the importance of understanding the traffic within a network and how logging, monitoring (network, operating system and applications), and alerting provides visibility into potential attack surfaces. The course also introduces “Kill Chain Analysis" and how that helps create understanding of an adversary's objectives.