GridSecCon 2017 Training Tracks

All training sessions run simultaneously on Tuesday, October 17, and run either all-day (starting at 8:00 a.m.) or half-day (starting at 8:00 a.m. or 1:00 p.m.). Training sessions are included in the price of the conference registration; attendees pay no extra charge to attend the training sessions.

Since courses overlap (see the graphic below), during registration, please choose either:

  • Tracks 1A and 1B, or
  • One or two half-day classes (some combination of 2A, 2B, 3A, 3B, 4A, 4B, 5A or 5B). Each of these training tracks is independent of the others and covers different material.

GridSecCon 2017 Training Sessions

Track 1A and 1B: "GridEx IV Move Zero Training" - The SANS Institute and E-ISAC. (All-day, 200 seats available, starts at 8:00 a.m.). Audience – accessible to a broad level of player skill ranges. Participants are encouraged to attend sessions 1A and 1B for this all-day training track.

GridEx NetWars is a suite of hands-on, interactive learning scenarios that enable Operational Technology security professionals to develop and master the real-world, in-depth skills they need to defend real-time systems. It is designed as a challenge competition and is split into separate levels so that advanced players may quickly move through earlier levels based on their expertise. The GridEx NetWars experience has been themed for the electricity industry and the scenario has been coordinated to align with the E-ISAC GridEx IV event occurring later in the year; however, participation in the full GridEx IV is not required to participate in the GridEx NetWars event.

Laptop Required:

Participants will need a non-production laptop with administrator access to the operating system.
Participants will need to install VMware Player.

The laptop should include the following:
  • 64-bit system
  • Windows 7 or higher installed on the host
  • Physical Ethernet port
  • At least one USB port
  • At least 40 GB of free hard-drive space
  • At least 6 GB of RAM (8 GB recommended)


Track 2A: "Beyond Guards, Guns, and Gates - The Details Matter!" - facilitated by the E-ISAC Physical Security Analysis Team. (Half-day, 100 seats available, starts at 8:00 a.m.). Audience – physical security professionals; asset owners and operators.

"A Cadillac Strategy on a Buick Budget: Tomorrow's Threats Addressed Today" - Building a Physical Security strategy consisting of a risk-based approach with an eye for innovation, spread with common sense and flexibility in standards. Reducing risk by sharing, partnering, and communicating are key to a successful physical security program. Innovate and fail fast!

"Drones - The Current and Future State for Enterprise Security" - This session will cover an in-depth look at the current threat environment related to drones. Discussion will begin with an overview of drone use by activists, criminals, careless citizens, and terrorists. Other topics will include safety issues related to enterprise flight operations, the current regulatory and legal environment (including both federal and state laws and regulations), detection versus mitigation, and the implementation of policies and procedures for organizations.

"Incident Response Management" - Hydro-Québec's Corporate Security department's primary role is to protect our company's assets and manage security incidents on a daily basis. The presentation will focus on how Hydro-Québec is managing incidents and its security challenges. Over the years, our lessons learned show that to support our business continuity, providing protection plans for all assets is an essential baseline. Furthermore, adding customized and powerful security solutions supports the company's growth objectives. So, what are the physical security levels of response and when incidents occur? What about risk assessments?

Track 2B: "Beyond Guards, Guns, and Gates - The Details Matter!" - facilitated by the E-ISAC Physical Security Analysis Team. (Half-day, 100 seats available, starts at 1:00 p.m.). Audience – physical security professionals; asset owners and operators.

Activist Group Threat Monitoring - The How and Why
"Interactive panel discussion regarding activist threat monitoring for electricity industry security professionals."
Panel speaker and moderator: Travis Moran, Welund
Facilitated by: E-ISAC Physical Security Analysis Team
Panel Participants: TBD

Track 3A: "Convergence of Cybersecurity Situational Awareness Capabilities for the Energy Sector" - National Cybersecurity Center of Excellence (NCCoE) | National Institute of Standards and Technology (NIST). (Half-day, 100 seats available, starts at 8:00 a.m.). Audience - technical / cybersecurity professionals.

NCCoE engineers alongside former Department of Energy Chief Technology Officer Pete Tseronis, Mark Rice of Pacific Northwest National Laboratory, and Don Hill of University of Maryland College Park, Engineering and Energy, will share their expertise on Situational Awareness and discuss the recent NIST Special Publication 1800-7 that uses commercially available products to explore the methods for energy providers to more readily detect and remediate anomalous conditions and investigate the chain of events that led to the anomalies.

Track 3B: "Mission Dependency Analysis" - Johns Hopkins Applied Physics Laboratory. (Half-day, 100 seats available, starts at 1:00 p.m.). Audience – cyber security professionals.

To catch an attacker, you must think like an attacker. How would you attack your organization to cause the greatest impact?
Mission Dependency Modeling is a two-part systems approach for risk management that is used to identify the physical and cyber dependencies within an organization. Part 1 is focused on mapping the physical systems that support the corporate mission. Part 2 consists of mapping the information technology/cyber processes that support those systems. This mapping process enables both physical and cyber security specialists to identify critical dependencies that, if impacted for any reason, would affect the organizational mission. This process graphically informs both senior leaders and security personnel on where to prioritize limited resources to reduce risk, as well as validating the current risk mitigation processes in place.
During this workshop, the Mission Dependency Modeling process will be explained, followed by walkthroughs of several organizational models. The workshop objective is to provide understanding for attendees to apply this model to their own organizations to identify physical and cyber critical dependencies.

Track 4A: "Designing a Powerful NERC CIP Training and Awareness Program" - Curricula, LLC. (Half-day, 60 seats available, starts at 8:00 a.m.). Audience – cyber security professionals.

Gain expert insight on how to build and maintain an effective CIP training and awareness program in your organization. The industry has spent years developing cyber security programs across their organizations, covering everything from patch management and incident response to policies and procedures. The training will examine a critical part of your cyber security program, which includes educating and training your personnel.

Track 4B: "Patching Lessons Learned: An Interesting Perspective" - FoxGuard Solutions. (Half-day, 60 seats available, starts at 1:00 p.m.). Audience – cyber security professionals and industrial control systems owners.

FoxGuard has learned many lessons over the past ten years and is excited to share their experiences. They will discuss challenges in building a compliant, as well as secure, patch management program including intelligent electronic devices, relays, and other operationally focused equipment. Through hands-on opportunities, as well as classroom teaching, you will gain a better understanding of how to identify, analyze, search for, and consume applicable patch and update information.

Track 5A: "Live Exercise: Red Teaming the Micro Grid" - Norwich University Applied Research Institutes. (Half-day, 100 seats available, starts at 8:00 a.m.). Audience – cyber security professionals.


Every day we read of a new cyber breach compromising the integrity and operations of another company. Even organizations with defense in depth and response playbooks are impacted. Now that you have been breached, how will your organization respond and recover? The GridSecCon training will engage individuals in a cyber attack scenario beginning with indicators and warnings of an event. Each team (one per table) will organize and respond to the event from a leadership perspective. When to stand up the incident response team? How to respond from Operations, Public Relations, Legal, Compliance, Information Security, and Business Continuity roles? Who is in charge? Escalating within the organization and to Law Enforcement or external constituents? An engaging crisis simulation using the DECIDE platform to execute the exercise.

Norwich University Applied Research Institutes (NUARI) has developed the DECIDE platform for delivering distributed multi-organization cyber and physical exercises to engage institution leadership. The platform was developed with the support of the Department of Homeland Security and in cooperation with the finance sector.


Track 5B: "Threat Modeling, Intelligence Consumption, and Hunting in the ICS" - Dragos, Inc. (Half-day, 100 seats available, starts at 1:00 p.m.). Audience - cyber security professionals.
The cyber threats you face may not be the same as the threats your fellow electric industry members face; they are most certainly not the same threats that the larger information technology security community faces. It is important to understand how to create a threat model based on the threats you can anticipate facing, adapt it when new threats emerge, and use it to generate and consume intelligence about those threats. Upon doing so, you will be able to perform better defense in your industrial control systems (ICS), including leveraging more advanced models such as threat hunting.
This workshop will show you how to create a threat model using best practices and models in the community, such as target centric modeling and the ICS Cyber Kill Chain, and bridging them with requirements in the larger community, such as the Cyber Security Maturity Model for the electricity industry. From here, the workshop will introduce how threat intelligence can be useful once organizations understand the risks they are trying to reduce. Lastly, it will introduce the concept of threat hunting and strategies for performing it in the ICS.

The half-day workshop is well suited for personnel of all backgrounds and will be lecture-style with audience participation. If you are a security practitioner looking to add intelligence into your toolkit, or if you are not of a security background but want to understand how to start security off correctly to benefit ICS operations, this workshop is for you.