ICS Instructors

Justin Searle

Justin Searle

Justin Searle is the Director of ICS Security at InGuardians, specializing in ICS security architecture design and penetration testing.  Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and has played key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP).
Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences.  Mr. Searle is currently a Senior Instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT.  Justin co-leads prominent open source projects including the The Control Thing Platform, Samurai Web Testing Framework (SamuraiWTF), Samurai Security Testing Framework for Utilities (SamuraiSTFU).  Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), Web Application Penetration Tester (GWAPT), and GIAC Industrial Control Security Professional (GICSP).

View Upcoming Training for Justin Searle

Robert M. Lee

Robert M. Lee

SANS certified instructor Robert M. Lee brings to the classroom one of the most valuable and respected of credentials: real-world experience. Robert is the CEO and founder of his own company, Dragos, Inc., that provides cyber security solutions for industrial control system networks. Consider the 2015 attack on the Ukraine power grid when for the first time in history a power grid went down due to an intentional cyberattack. Robert and a few others formed a specialized team to analyze the event and passed information to the impacted parties as well as the U.S. government and private sector. "I was the first in the industry to publicly confirm the attack and wrote the industry standard report on the attack exploring how it occurred, the lessons learned, and what must be done to protect other infrastructure sites," Robert says. He and his team also analyzed the malware from the 2016 cyber attack on Ukraine's Kiev substation and dubbed it CRASHOVERRIDE as the first ever malware tailored to specifically disrupt electric grid operations.

That experience is what forms his teaching philosophy. "I make it my teaching philosophy to constantly bring in new material into the classroom through my personal experiences and the successes and failures of those I've seen in the industry," says Robert. This augments the traditional classroom material students receive to ensure they get the most relevant and cutting-edge concepts in the industry. But Robert's real-world experience also keeps things interesting. "I enjoy telling and sharing in case studies and stories from the field, looping in bigger concepts into the technical material, and setting a humorous tone so that no matter the seriousness of the topic we all have fun together."

Robert got his start in information security making small control systems for humanitarian missions. He joined the United States Air Force and became a cyberspace warfare operations officer in the U.S. intelligence community. In that role, he created and led a mission examining nation-states targeting ICS, the first mission of its kind in the U.S. intelligence community. For Robert, that intermixing of defense, intrusion analysis, and threat intelligence provided the ultimate thrill.

Robert has worked offense, defense, and intelligence in various government teams. "My time on the offense helped me better appreciate defense and how sometimes we simply get it wrong: defense is not necessarily harder than offense and there are many opportunities we have to defend and make the world a better place," he says.

Robert joined SANS for myriad reasons. He had long been aware of the organization, and followed the career and workings of SANS fellow and DFIR curriculum lead Rob Lee. Also, ongoing encouragement to attend SANS conferences and consider teaching from a number of friends and colleagues such as Dave Shackelford convinced him to give it SANS a shot. His first pitch - a five-day class on identifying and responding to industrial control systems (ICS) attacks - was well-received, and as Robert says, "the rest is history." Today he teaches SANS ICS515: ICS Active Defense and Incident Response, the industry's first and only incident response and threat hunting class for ICS and FOR578: Cyber Threat Intelligence, the industry standard course for threat intelligence training. "The SANS family is amazing, the students are world class, and teaching is what keeps me constantly refreshed and excited in the industry."

In fact, authoring ICS515 and FOR578 have been highlights in his career, Robert says. Industrial control system security as well as cyber threat intelligence are both exciting topics that receive a lot of hype and misconceptions. "I love destroying hype while giving the students the most blunt and actionable information possible," Robert explains, adding that his experiences "gives me a robust view into the problem space and the solutions needed at various levels. My experiences and hard work have afforded me the chance to significantly advance students' skill sets and the way they view the problem."

Central to helping students succeed in their day-to-day careers is ensuring that they understand the big picture, Robert says. That's more than just understanding what command to run on a specific tool or how to use that tool during an incident. Its' about know the larger context of a security strategy is, all its moving pieces, and how to use analysis to help fill knowledge gaps. "This ensures that students who take my classes are not only technically prepared but are also prepared to think differently about the hard challenges their organizations must face when facing the adversary," says Robert.

Robert has a master's degree in cybersecurity and computer forensics from Utica College as well as cyber and warfare training through the U.S. Air Force, and he's pursuing his doctorate in war studies from King's College London. He was named one of Forbes' 30 under 30 in Enterprise Technology in 2016, was awarded EnergySec's 2015 Cyber Security Professional of the Year and named one of Passcode's "Influencers."

Outside of teaching, Robert enjoys running his company Dragos and working with customers in the industrial community. "It allows me to constantly stay relevant, challenge and grow my skills, and directly help people." He also enjoys writing papers and blogs for the industry, and looks for opportunities to travel, snowboard, and play a Steam game or two whenever he can.

Qualifications Summary

Get to Know Robert M. Lee

Publications and Papers

Awards and Honors

  • 2016: Forbes' 30 under 30 in the area of Enterprise Technology
  • 2015: Energy Sector Cyber Security Professional of the Year, awarded by EnergySec
  • 2014: Colonel Sparky Baird Award, awarded by AFCEA
  • 2014: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: Air Force Association Gill Robb Wilson Award - Air Force Nominee
  • 2013: AF Information Dominance Award for Outstanding Cyberspace Operations CGO - 693 ISR Gp
  • 2013: Junior Officer (Operator Category) of the Year - Europe/Africa
  • 2013: Military Performer of the Year - Threat Operations Center
  • 2013: CGO of the Year - 693d ISR Gp
  • 2012: Distinguished Young AFCEAN Officer - Central Europe
  • 2012: Outstanding ISR Officer Contributor of the Year - 693rd ISR Group
  • 2011: AFCEA Intelligence Professional of the Year - 693 ISR Group

Here is What Students Say About Robert M. Lee:

"Real-world practical insight and the technical skills and tools to create meaningful change." - Billy Glen, Pacific Gas & Electric

"Great teaching style - humor - keeps the atmosphere light." - Tim Sanguinett, NCPA

"Good pace, kept things moving, stayed enthusiastic the entire day." - Michael Nowatkowsk, Army Cyber Institute

Here is a SANS Summit presentation by Robert M. Lee:

View Upcoming Training for Robert M. Lee

Dr. Eric Cole

Dr. Eric Cole

Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting where he provides leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance the state-of-the-art in information systems security. Dr. Cole was the lone inductee into the InfoSec European Hall of Fame in 2014. Dr. Cole is actively involved with the SANS Technology Institute (STI) and is a SANS faculty Fellow and course author who works with students, teaches, and develops and maintains courseware.

Here is What Students Say About Eric Cole:

"Best teacher I've had. Eric's passion, enthusiasm, and knowledge make learning about cyber security an experience instead of just a class." - Adrian Perez, Australian Tax Office

"Dr. Eric Cole is a phenomenal instructor. He can talk to you about any level in the IT stack - from tech to exec." - Christopher E. Bell, Tower Hill Insurance Group, LLC

View Upcoming Training for Dr. Eric Cole

Graham Speake

Graham Speake

Graham Speake is Vice President and Chief Product Architect at NexDefense. Previously to NexDefense, he was Principal Systems Architect for Yokogawa Electric Corporation, ISCI Marketing Chair, and an IEC62443 editor. Graham is an engineer with over 30 years' experience, the last 16 of which have been in the industrial cyber security arena for both end user companies and vendors. Graham has spent 10 years in BP looking at control systems security in both upstream and downstream business areas. Additionally, he has 5 years' experience in designing safety systems at Industrial Control Services.

Graham is the author of a number of books and frequent contributor to magazine articles.

View Upcoming Training for Graham Speake

Eric Cornelius

Eric Cornelius

Eric Cornelius is the Director of Critical Infrastructure and Industrial Control Systems (ICS) at Cylance, Inc. where he is responsible for thought leadership, architecture, and consulting implementations. Eric brings a wealth of ICS knowledge and his leadership keeps organizations safe, secure, and resilient against advanced attackers. 
Previously, Eric served as the Deputy Director and Chief Technical Analyst for the Control Systems Security Program at the US Department of Homeland Security. 
Eric earned a bachelor's degree from the New Mexico Institute of Mining and Technology where he was the recipient of many scholarships and awards including the National Science Foundation's Scholarship for Service. 
Eric went on to work at the Army Research Laboratory's Survivability/Lethality Analysis Directorate where he worked to secure field-deployable combat technologies. It was at ARL that Cornelius became interested in non-traditional computing systems, an interest which ultimately led him to the Idaho National Laboratory where he participated in deep-dive vulnerability assessments of a wide range of ICS systems. 
Eric is the co-author of "Recommended Practice: Creating Cyber Forensics Plans for Control Systems" as part of the DHS National Cyber Security Division, Control Systems Security Program, 2008 and is also a frequent speaker and instructor at ICS events across the globe.

Here is What Students Say About Eric Cornelius:

"Eric is a fantastic teacher. He has in-depth knowledge and is very energetic and engaging." - Anonymous

View Upcoming Training for Eric Cornelius

Matthew Luallen

Matthew Luallen

Matthew E. Luallen is a well-respected information professional, researcher, instructor, and author. Mr. Luallen serves as the president and co-founder of CYBATI, a strategic and practical educational and consulting company. CYBATI provides critical infrastructure and control system cybersecurity consulting, education, and awareness. Prior to incorporating CYBATI, Mr. Luallen served as a co-founder of Encari and provided strategic guidance for Argonne National Laboratory, U.S. Department of Energy, within the Information Architecture and Cyber Security Program Office. In an effort to promote education and collaboration in information security, Mr. Luallen is an instructor and faculty member at several institutions. Mr. Luallen is adjunct faculty for DePaul University, teaching the Computer Information and Network Security Masters degree capstone course. He is also a certified instructor and CCIE for Cisco Systems, covering security technologies, such as firewalls, intrusion prevention, and virtual private networks, and general secure information architecture. As a certified instructor for the SANS Institute, Mr. Luallen teaches infrastructure architecture, wireless security, web application security, regulatory and standards compliance, and security essentials. Mr. Luallen is a graduate of National Technological University with a master's degree in computer science, and he also holds a bachelor of science degree in industrial engineering from the University of Illinois, Urbana.

View Upcoming Training for Matthew Luallen

Tim Conway

Tim Conway

Tim serves as the Technical Director - ICS and SCADA programs at SANS, and is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Additionally, performing contract and consulting work in the areas of ICS cyber security with a focus on energy environments.

A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), and was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric.

Recognizing the need for ICS focused cyber security training throughout critical infrastructure environments and an increased need for NERC CIP hands on training, Tim authored and instructs the ICS curriculums newest course ICS456 - Essentials for NERC Critical Infrastructure Protection.

Outside of SANS, Tim continues to perform contract and consulting work in the areas of ICS cyber security with a focus on the energy sector.

Before accepting the opportunity to join SANS, Tim enjoyed a 15-year career with NIPSCO where he held management and leadership positions as well as EMS Computer Systems Engineer responsibilities over the control system servers and the supporting network infrastructure. During his career, Tim has served as the Chair of the RFC CIPC, Chair of the NERC CIP Interpretation Drafting Team, Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.

Here is What Students Say About Tim Conway:

"ICS456 is the best-in-class NERC CIP Training. The courseware provides the students valuable compliance approaches and software tools to take home for peer collaboration to build consent on entities CIP implementation gaps." - Jeff Manton, WAPA

"Tim Conway is able to convey information to the class very clearly and adds extra content pertinent to the discussion." - Anthony Napier, AES

 "ICS456 course prepares you for CIP, both technically and practically with a blend of experience and knowledge." - Art Conklin, UH

Here is a SANS Summit presentation by Tim Conway:

View Upcoming Training for Tim Conway

Mark Bristow

Mark Bristow

Mark Bristow was born to work in information security as he found his first bug in an ICS system at the age of 10. As a teen, he had a passion for technology and spent a lot of time exploring the possibilities of his computer and the nascent internet. Once he realized he could make a career out of this passion, he jumped at the opportunity and earned a Computer Engineering degree from Penn State. 

Mark loves the ever-changing landscape of security and views it as a puzzle that must be solved. He especially loves the challenges in ICS security as defending the systems where cyber meets physical means there is no greater success than a safe and effective process.

Currently Mark is the Director for the Hunt and Incident Response Team (HIRT) at Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) where he leverages his expertise in incident response, industrial control systems, network monitoring and defense to support national security interests.  Before ICS-CERT was integrated into HIRT, Mark was the Chief of ICS-CERT incident response.  In Mark's sixteen-year security career he has also worked for CSRA and Securicon where he supported a variety of private and public sector clients.  

Mark has been on the front lines of headline grabbing incident response efforts such as the attack on the Ukrainian power grid, intrusions into US election infrastructure and Russian attempts to gain access to the U.S. power grid.  Mark is a frequent speaker on industrial control systems security issues worldwide.

Mark's experience has led him to the path of sharing his knowledge and helping others learn to protect critical infrastructure. He loves teaching not only to help others, but because he learns something from his students in every class. Mark shares his real-world experiences with students so they can relate the information to scenarios in the field.

When Mark isn't defending ICS systems, he enjoys spending time with his family, working toward his pilot's license and SCUBA diving as much as possible.

View Upcoming Training for Mark Bristow

Kai Thomsen

Kai Thomsen

Kai has worked in a wide range of IT security roles for more than 15 years. Currently he is the lead Digital Forensics and Digital Response (DFIR) analyst at premium automaker AUDI AG. He has played a key role in establishing a modern cyber defense team at Audi to protect the enterprise, industrial control system (ICS), and connected car infrastructure.

Before Audi, Kai worked for more than 12 years in the steel industry at the engineering company SMS Group, where he designed and implemented defensible LANs for enterprise and ICS environments in-house as well as for customers' plants. The steel industry was also where Kai delved into Network Security Monitoring and DFIR, building security monitoring solutions for company and customer sites and performing incident response in Europe, Asia, and the United States.

Kai has spoken and taught at various security conferences, including S4 Europe, CS3STHLM, Troopers, ISF, and SIGS SCADA in Switzerland. In 2018, he chaired the SANS Automotive Cybersecurity Summit and the SANS ICS Europe Summit. Kai holds the GIAC Response and Industrial Defense (GRID) certification and has a master's degree in computer science and English and American literature from the University of Siegen.

In the little free time that is left between working in his DFIR job and as a SANS instructor, Kai loves to travel the world, especially mountain regions where climbing, hiking, and skiing look promising.

Kai holds an MA in Computer Science and English and American Literature.

View Upcoming Training for Kai Thomsen

Billy Rios

Billy Rios

Billy is an accomplished author and speaker. Billy is recognized as one of the world's most respected experts on emerging threats related to Industrial Control Systems (ICS), Critical Infrastructure (CI), and medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. He has been publically credited by the Department of Homeland Security (DHS) over 50 times for his support to the DHS ICS Cyber Emergency Response Team (ICS-CERT).  

Billy is the Founder of WhiteScope LLC which is known as a leading provider of deep security research, world class advisory services, and innovative security solutions.  Prior to venturing into entrepreneurship, Billy served in a number of roles that demonstrated increasing responsibility and security expertise. 

As the Director of Vulnerability Research and Threat Intelligence with Qualys, Billy led the development of product offerings for vulnerability research, threat intelligence, ICS/SCADA, and embedded security. Before Qualys, Billy led the Google front-line response for externally reported security issues and incidents.  Prior to Google, Billy was the Security Program Manager at Internet Explorer (Microsoft).  During his time at Microsoft, Billy led the company's response for several high-profile incidents, including the response for Operation Aurora. Before Microsoft, Billy worked as a penetration tester, an intrusion detection analyst, and served as an active duty Marine Corps Officer.

Billy currently holds an MBA from Texas A&M University-Commerce and a Master of Science in Information Systems from Hawaii Pacific University.  He was a contributing author for several publications including: Hacking, the Next Generation (O'Reilly), Inside Cyber Warfare (O'Reilly), and The Virtual Battle Field (IOS Press).

Here is What Students Say About Billy Rios:

"Billy is doing everything right! Bringing real life examples help with understanding the material." - Gina Mayfield, University of Delaware

View Upcoming Training for Billy Rios

Paul A. Henry

Paul A. Henry

Paul Henry is a Senior Instructor with the SANS Institute and one of the world's foremost global information security and computer forensic experts with more than 30 years of experience covering all 10 domains of network security. Paul began his career in critical infrastructure / process control supporting power generation and currently manages security initiatives and incident response for Global 2000 enterprises and government organizations worldwide.

Paul is a principal at vNet Security, LLC and is keeping a finger on the pulse of network security as the security and forensic analyst at Lumension Security and as a retained security expert for multiple financial and healthcare firms.

Throughout his career, Paul has played a key strategic role in launching new network security initiatives to meet our ever-changing threat landscape. Paul also advises and consults on some of the world's most challenging and high-risk information security projects, including the National Banking System in Saudi Arabia, the Reserve Bank of Australia, the Department of Defense's Satellite Data Project (USA), and both government as well as telecommunications projects throughout Southeast Asia.

Paul is frequently cited by major and trade print publications as an expert in perimeter security, incident response / computer forensics and general security trends and serves as an expert commentator for network broadcast outlets, such as FOX, NBC, CNN, and CNBC. In addition, Paul regularly authors thought leadership articles on technical security issues, and his expertise and insight help shape the editorial direction of key security publications, such as the Information Security Management Handbook, where he is a consistent contributor. Paul serves as a featured and keynote speaker at seminars and conferences worldwide, delivering presentations on diverse topics including anti-forensics, network access control, cyber crime, DDoS attack risk mitigation, perimeter security, and incident response.

Listen to Paul discuss "Incident Response and Forensics in the Cloud" in this SANS webcast that every DFIR professional should listen to.

Here is What Students Say About Paul A. Henry:

"Paul is an excellent instructor, his experiences in the field of security makes this course even better." - Bhavesh Bhudia, Bloomberg, LP

"Paul is a fantastic instructor. I really liked his real-life stories and shared experiences." - Manuel Duron, VMWare

View Upcoming Training for Paul A. Henry

Thomas Brandstetter

Thomas Brandstetter

Prof. Thomas Brandstetter is a widely-recognized industrial cybersecurity expert, with 20 years of experience.

Thomas started his Infosec career as a security engineer and penetration tester at Siemens, working on everything ranging from single controllers to entire industrial control and energy automation solutions. Consequently, Thomas became the founder of the Siemens Hack-Proof Products program, their earliest secure product development initiative. This job also led to his role as the appointed lead Stuxnet incident handler for Siemens in 2010. After having worked in both offensive and preventive security, he went into response and founded the Siemens Product Cyber Emergency Readiness Team, which is still one of the most effective industrial vulnerability and incident response teams worldwide today.

Since 2013, he is the founder and managing director of Limes Security, a well-established European cyber security company specializing in top-class industrial security consulting and secure software development coaching.

Thomas has a passion for teaching security courses, as he is convinced that demand continues to outstrip available workforce by far. On the professional side, he is sharing his infosec experience as instructor at the prestigious SANS technology institute, where he has been teaching industrial control system security courses throughout Europe and the Middle East since 2015.

On the academic side, he is Professor for IT Security at University of Applied Sciences St. Poelten, Austria, where he teaches various security courses at bachelor and master security programs. He also was appointed as Honorary Professor for Cyber Security at the esteemed Cyber Technology Institute of DeMontfort University Leicester, UK.

When not in classroom, Thomas still likes to spend as many days as possible in projects, supporting industrial vendors and operators to ramp up their security posture, where he has helped to establish and improve numerous industrial security programs and PSIRTs for multinational corporations.

Thomas presented at top-level security conferences such as Blackhat USA, Blackhat Europe, BSI Conference and SANS ICS summits. Besides speaker engagements, Thomas likes to actively contribute to the security community. He helped to establish the ICS villages at DEFCON and BruCON as well as the hackerspace Segmentation Vault. He is conference chair of the industrial control system cyber security research (ICS-CSR) conference series, program committee member of the ARES as well as SANS ICS conferences and director of the program committee of the annual IT Security Community Exchange (ITSECX) conference series.

He is the inventor of several security-related patents, holds the renown GSEC, GICSP and GRID certifications from GIAC as well as a CISSP, an academic degree in IT security from the University of Applied Sciences Hagenberg, Austria and a Master's degree in business administration from the Universities of Augsburg and Pittsburgh.

View Upcoming Training for Thomas Brandstetter

Jason Dely

Jason Dely

Jason Dely is responsible for leading the critical infrastructure and industrial control systems (ICS) security practice for Cylance. Prior to joining Cylance, Jason held many roles at Rockwell Automation where he assisted clients with their research, design, integration, testing and response activities across a variety of application, security and infrastructure initiatives. During this time, Jason gained in-depth ICS product, protocol and operational experiences that are invaluable when it comes to evaluating and building defenses within critical infrastructure organizations. His security passion over the past 18 years of experience with ICS is founded upon balancing business requirements against people, process and technologies unique to each organization to ensure their operations are safe, reliable and secure.

Jason frequently speaks at industry events to share his knowledge of the technical operations and integration challenges one faces when securing ICS systems. Likewise, Jason is knowledgeable in the practical application of security standards, guidelines and publications; for example, ISA99, ISA/IEC 62443, NIST Cybersecurity Framework, NIST SP 800 Series, NERC CIP, CPwE, CIS CSC 20. 

With a comprehensive understanding of the industry's technical and operational security challenges, Jason has effectively spearheaded multiple engagements surrounding security assessment, implementation, research and response activities spanning Information Technology (IT) and Operational Technology (OT). In addition, Jason has provided turn-key security improvement solutions for many industries which include the assessment, design and integration of an entire SCADA platform and infrastructure (networks, firewalls, VPN, DMZ applications, jump hosts, virtual server environments, virtual desktop environments).

  • Performed assessment, testing and response activities across all critical infrastructure owners
  • Provided guidance on design and rollout of ISA/IEC 62443 and NIST CSF
  • Industry specific business and operational experience including, but not limited to, Water/Waste Water Utilities, Oil & Gas, Metals, Manufacturing, Mining and Chemical

Education, Certifications and Training 

  • Electronics Engineering Technologist, Niagara College 
  • Multiple ICS Product and Technology Certificates
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • SANS SEC566: Implementing and Auditing the Twenty Critical Security Controls
  • SANS SEC560: Network Penetration Testing and Ethical Hacking
  • SANS SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GXPN Certifiied) 

View Upcoming Training for Jason Dely

Jason Christopher

Jason Christopher

Jason D. Christopher is the Chief Technology Officer for Axio. His responsibilities include providing technical leadership on security and resilience issues relevant to Axio, its partners, and clients, and the development of all Axio technology platforms for security metrics and benchmarking.

Prior to Axio, Jason led the research for cybersecurity metrics and information assurance at the Electric Power Research Institute. Previously, he was the technical lead for cybersecurity capability and risk management at the US Department of Energy, where he managed the Cybersecurity for Energy Delivery Systems Operations program, which included the Cybersecurity Capability Maturity Model and other collaborative efforts. Jason also served as the program lead for both Critical Infrastructure Protection Standards and Smart Grid Security at the Federal Energy Regulatory Commission.

Mr. Christopher has worked on a variety of infrastructure projects, particularly in the field of industrial control systems design and implementation. He has also researched and designed technology systems across multiple industries, including energy, water, transportation, and communications. He has been a representative on the Federal Smart Grid Task Force, the Critical Infrastructure Protection Committee (CIPC), and other technical committees.

Independent of his work at Axio, Jason is a member on the Institute of Electrical and Electronics Engineers (IEEE-USA) Energy Policy, Communications Policy, and Research & Development Policy Committees. Over the past decade, Jason has focused on the development of cybersecurity standards and practices for the nation's critical infrastructure.

Outside of the workplace, Jason focuses on Science, Technology, Engineering, and Mathematics (STEM) education issues. He has lectured at several universities across the country and developed cross-disciplinary courses focusing on resilience, sustainable energy, and community design.

Mr. Christopher holds a Bachelor of Science and Master of Engineering from the State University of New York at Binghamton, and Master's of Engineering degree in electrical engineering from Cornell University.

Here is a SANS Summit presentation by Jason Christopher:

View Upcoming Training for Jason Christopher

Dean Parsons

Dean Parsons

Cybersecurity Leader, ISO, Industrial Control System Defender, and Speaker - Dean continues his passion for cybersecurity with goals of continuous education and giving back to the community. His enthusiasm in the field started at an early age writing educational hacking tools on his custom compiled versions of Linux. His project portfolio includes such tools as password crackers written in Python, host-based intrusion detection systems (IDS), network sniffing tools, intelligent port scanners, kernel modules and exploits for Linux written in C. 

Dean funded his studies at Memorial University of Newfoundland by working as a security consultant doing Linux hardening, writing networking applications, performing ethical hacks and vulnerability assessments. Also during that time he mentored and taught programming to high school students that would go on to compete in programming competitions. After earning a Bachelor's degree in Computer Science he held various security and cyber defense positions in software companies and in one of Canada's largest Telecommunications providers. He spent 10 years leading security and incident response initiatives in Unix, Linux and Windows environments. For the last 6 years he's been managing a security operations team and is the ISO for Critical Infrastructure in the Utility and Energy sector in Canada. 

An active member of the security community, Dean is dedicated to coaching others. His speaking engagements are international presenting at high profile conferences including the SANS ICS Summit on all things ICS. Dean has a natural way of engaging his audience, taking every opportunity to encourage others. While working at a high-level most of the time, Dean maintains his technical skills by paying close attention to the 'devil in the details' when overseeing cyber incident response in an IT and OT environment. In the run of a day it's common for Dean to be working at the packet or policy level. 

Qualifications Summary: 

  • GIAC Response and Industrial Defense (GRID) 
  • GIAC Certified Intrusion Analyst (GCIA) 
  • GIAC Security Leadership (GSLC) 
  • Bachelor Major Computer Science, Memorial University of Newfoundland 
  • Certified Information Systems Security Professional (CISSP) 
  • Is a member of the SANS/GIAC Advisory Board 

Get to know Dean Parsons: 

When Dean is not in ICS Active Cyber Defense mode you can find him exploring the coast of Newfoundland on his jet ski, playing piano or riding motorcycles, even in intense Newfoundland winters. An accomplished motorcycle instructor and rider, he published some adventures in his travel book "The Evergreen Rider - Newfoundland By Motorcycle. Through All Seasons, All Weather" 

Favourite quote: "Do. Or do not. There is no try." - Yoda

Here is what students say about Dean Parsons:

"Dean has been my best instructor. He did a great job and I feel I have gotten so much value out of his class that I am extremely confident I will pass the GRID on my first try." - Scott Elmer, DTNA

'Loved Dean's enthusiasm and passion for the subject matter." - Chris Lada, Exelon

"Instructor is a fantastic speaker with exactly the right amount of energy." - Brian Boosz, WA ANG

View Upcoming Training for Dean Parsons

Monta Elkins

Monta Elkins

Monta Elkins is currently "Hacker-in-Chief" for FoxGuard Solutions, an ICS patch provider. A security researcher and consultant; he was formerly Security Architect for Rackspace, and the first ISO for Radford University.  He has been a speaker at DEFCON , Homeland Security's ICSJWG (Industrial Control Systems Joint Working Group), EnergySec's Security Summit, VASCAN, GE Digital Energy's Annual Software Summit, Educause Security Professionals Conference, Toshiba's Industrial Control Systems Conference, NERC's GridSecCon, ICS CyberSecurity by Security Week, UTC Telecom and other security conferences. Monta also is the recipient of the EnergySec's Cyber Security Professional of the Year Award for 2018. Elkins was recognized by the Industrial Control System (ICS) community and staff at EnergySec for his exceptional contributions to ICS security.

Monta is the author and instructor of the "Defense against the Dark Arts" hands-on, hacker tools and techniques classes.  He is also a guest lecturer for Virginia Tech and teaches rapid prototyping and Arduino classes with Let's Code Blacksburg. He has a YouTube channel as well.

Please also see the article on supply chain chipping attacks, published by Wired. (

Here is a SANS Summit presentation by Monta Elkins:

View Upcoming Training for Monta Elkins

Paul Piotrowski

Paul Piotrowski

Paul Piotrowski is currently an Automation Engineer in Shell's Global PCD Integrity Organization (Process Control Domain).   Paul consults on Global Capital Projects and supports Shell Operated and Non-Operated Assets across all business units.  Paul has spent over 16 years in Shell in various security roles including network operations, risk governance and compliance, audit, incident management, forensics, pen testing and project management.  He has travelled extensively for Shell allowing him the opportunity to work across diverse set of cultures and landscapes which have shaped his view of the world.

Paul possesses the valuable hybrid skill set of Operations Technology (OT) and Information Technology (IT).  Through visiting and working at over 50 Shell assets globally he understands how to embed practical solutions between operations and corporate IT that reduce an organization's cyber security risk while minimizing operational impact.  Paul was involved in the initial development of the GICSP course curriculum.

He holds a B.SC degree in Computer Science with a minor in management.  He holds several certifications including the GICSP (Global Industrial Cyber Security Professional) and CISSP. In addition, he has participated in several executive development programmes.  He is based out of Calgary, Canada.

View Upcoming Training for Paul Piotrowski

Larry Vandenaweele

Larry Vandenaweele

Larry Vandenaweele is a Manager at PwC Australia's Cyber and Forensics Practice where he focuses on security architecture design, penetration testing and governance for organizations dealing with control system environments.

Previously, Larry did charity work in the Philippines as part of his Bachelor's study where he led a network and system migration project for a local government in combination with support of existing initiatives providing aid to local communities. He obtained a Master of Science in Information Security from Royal Holloway, University of London and holds SANS GIAC Global Industrial Cyber Security Professional (GICSP), Penetration Tester (GPEN) and Critical Controls Certification (GCCC). Larry frequently presents at top security conferences such as RSAC, BSidesLV and AISA. 

In his spare time, Larry enjoys being involved in the security community. Larry is co-founder of The ICS Village which is a non-profit organisation designed to increase awareness and educate the public on protecting critical infrastructure environments by providing an interactive experience that showcases latest technologies and security controls.

He also co-organizes the annual BruCON security conference in Belgium by and for the security community.

Outside of teaching, working at PwC and doing something back for the security community, Larry enjoys exploring new cultures by traveling, snowboarding, and photography.

View Upcoming Training for Larry Vandenaweele

Stephen Mathezer

Stephen Mathezer

Stephen has had hands-on experience since the early days of the Internet. He has a broad perspective and experience with technology in the real world having written network software for a very small company while supporting it at customers in the fortune 50. He later spent 15 years working for a large Oil & Gas company, beginning as a member of the network and operational security teams and eventually managing a team of 25 responsible for Security Architecture, Security Operations, Industrial Control System Security Operations and Technical Security.

He has also consulted for a wide variety of companies, providing managed security services and security assessments of various sorts. Stephen has recently joined iON Secured Networks as a Director in order to allow him to better focus on his passion, network security.

Stephen says, "I have had the good fortune to see the IT and security worlds from a variety of perspectives. I have experienced the challenges of security practice on both a very small and very large scale. I very much enjoy technology and enjoy employing my knowledge hands-on. Teaching for SANS enables me to pass my knowledge and experience on to others while benefiting from my student's unique experiences and perspectives.

He currently holds the GSEC, GICSP, GCIH, GCFA, GWAPT, GAWN and GXPN certifications

View Upcoming Training for Stephen Mathezer

Don C. Weber

Don C. Weber

Don C. Weber has devoted himself to the field of information security since 2002. He has extensive experience in security management, physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response and digital forensics, product research, code review, and security tool development. He is currently focusing on assisting organizations secure their business and Industrial Control System environments through program reviews, security assessments, penetration testing, and training.

Don's past experiences encompass a wide variety of responsibilities. Senior manager of the incident response team and acting Director of the vulnerability / risk management program for a large media organization. Senior security consultant for a boutique security consultancy where he focused on penetration testing, hardware analysis, and wireless research of ICS technologies used in the energy sector. Senior consultant for an emergency response team providing incident response and forensic services to large, international corporations.

View Upcoming Training for Don C. Weber

Christopher Robinson

Christopher Robinson

Chris Robinson graduated from the United States Naval Academy with a B.S. in Computer Science and served over 6 years in the United States Navy. He also earned a M.S. in Computer Science from San Diego State University.

Throughout his career, Chris has filled many different IT positions and is currently an ICS Security Principal Consultant for Cylance in Houston, TX where he regularly works on a variety of ICS security projects. By working for an owner/operator and with many clients as a consultant, Chris has learned first-hand the operational constraints and unique requirements for securing ICS environments. Chris teaches ICS410 and is a course author for ICS612.

View Upcoming Training for Christopher Robinson

Jeffrey Shearer

Jeffrey Shearer

Mr. Shearer is a member of the SANS Institute ICS team focused on developing courseware in support of the ICS curriculum. Jeffrey also acted as a Subject Matter Expert (SME) for the Global Industrial Cyber Security Professional (GICSP) certification and is a content contributor for ICS Netwars. He also participates as an advisory board member for the ICS Security Summit and Training events.

Prior to joining SANS Institute, Mr. Shearer worked at Rockwell Automation for twenty three years where his most recent role was a Sr. Security Architect for Rockwell Automation's Commercial Engineering group focused on network and security designs for Industrial Automation Control Systems (IACS) and Industrial Demilitarized Zones (IDMZ). Mr. Shearer was a contributing member of the Rockwell Automation and Cisco Systems Converged Plantwide Ethernet (CPwE) team where he participated in architecture design and validation efforts. He also co-authored publications such as Deploying Industrial Firewalls within a Converged Plantwide Ethernet Architecture, Site-to-Site VPN to a Converged Plantwide Ethernet Architecture and Securely Traversing IACS Data across the Industrial Demilitarized Zone. 

Prior to joining the Rockwell Automation's Commercial Engineering team, Jeffrey was a Principal Security Consultant for Rockwell Automation's Network & Security Services where his consultancy targeted Automation, Industrial Control System (ICS), Distributed Control System (DCS) and SCADA asset owners. Jeffrey has also held the position of Product Manager, Controller Platform Security where he was responsible for security products provided by Rockwell Automation's ControlLogix business.

In addition to controller focused security initiatives, Jeffrey also represented Rockwell Automation to security bodies such as the Idaho National Labs (INL) Control Systems Cyber Security Vendor Forum, ISA-SP99, Manufacturing and Control Systems Security and Department of Homeland Security (DHS) Control System Security Program.

View Upcoming Training for Jeffrey Shearer