SANS Industrial Control Systems Security Blog: Category - Instructors

Four Keys to Effective ICS Incident Response

This post was written by SANS ICS515 - ICS Active Defense and Incident Response instructor Mark Bristow.

While incident response in Information Technology (IT) and in Operational Technology (OT) or Industrial Control Systems (ICS) may appear very similar, incident response in an ICS environment has different considerations and priorities. Many organizations reuse their existing IT incident response capabilities in an OT environment, which may not be ideal for successful incident response or for safe, reliable operations. Understanding these gaps and closing them ahead of an incident is key to a successful ICS incident response.


Detecting the Siemens S7 Worm and Similar Capabilities

An article came out on May 5th titled "Daisy-chained research spells malware worm hell for power plants and other utilities" with the subtitle "World's first PLC worm spreads like cancer". Having been on the receiving end of sensationalized headlines before, I empathize with the authors of the research. Regardless of the headlines, the …


Collecting Serial Data for ICS Network Security Monitoring

Below is a post by SANS ICS515 - ICS Active Defense and Incident Response instructor Mark Bristow. Adversaries across the capability spectrum are increasingly targeting Industrial Control System (ICS) environments. Malware such as BlackEnergy2, Havex, and Stuxnet has been developed with specific capabilities against different control system targets. As exemplified by BlackEnergy2 and Havex, even today's …


Ready, Set, Stop! FERC Postpones CIP Version 5

This post was written by SANS ICS456 - Essentials for NERC CIP co-author Ted Gutierrez. Just when the electric industry thought it had seen it all, FERC pulls another rabbit out of its hat, astonishing audiences near and far. In an order issued today (February 25, 2016), FERC granted a motion to defer the implementation of …


Takeaways from Reports on Iranian Activity Against the Power Grid and a Dam

Yesterday a report on Iranian activity focused on a small dam in New York was released by Danny Yadron at the Wall Street Journal. Today a report was released by Garance Burke and Jonathan Fahey at the Associated Press on Iranian activity linked to the OpCleaver report by CYLANCE, where documents related to Calpine …