The Autobahn – 301 Level ICS Security Training

S4x19 had The OnRamp – 101 Level ICS Security Training. S4x20 had The Highway – 201 Level ICS Security Training. And S4x22 brought The Autobahn – 301 Level ICS Security Training on Advanced Topics.

The Autobahn is four 1 hour sessions. Each session is an advanced topic. You should have a solid grounding in OT and ICS Security prior to studying on the Autobahn.

Digital Forensics and Incident Response for PLCs

Instructors: Glen Chason of Mandiant

Collecting and analyzing forensic data is a core component of the incident response process. This process is central to determining the scope of a compromise, the tools used by adversaries, and their capabilities. However, obtaining digital forensics and incident response (DFIR) data in PLCs and other level 1 devices. Embedded systems are normally outside of the scope of traditional forensic methodologies, defenders need to identify or define tools and new methodologies to gather data from these systems.

This session will help students take a systematic approach is to gather forensic data, build collection frameworks, set security baselines, and establish structured incident response processes related to PLC’s. Where possible native functionality built into OT devices will be used. Specialized tools will also be introduced that support this methodology.


Top 20 PLC Secure Coding Practices

Instructors: Vivek Ponneda and Josh Ruff

Software Defined Networking (SDN) Technology, Use and Management in ICS

Instructor: Tim Watkins of SEL

The zero trust principle and buzzword have been getting a lot of attention in 2021. SDN is one technical approach to achieving zero trust and is being deployed in leading/bleeding edge ICS. This session will begin by briefingly describing SDN and its benefits. The marjority of the session will provide examples and lessons learned from early SDN deployments. Learn what systems are good candidates (and what are not) for SDN; what are some of the major challenges in deployments and ongoing operations; and how the SDN deployment can provide network resilience.

As an added bonus, the session will describe how the SDN controllers can be deployed as containers.

Security, Orchestration, and Automation (SOAR) in ICS

Instructor: Josh Magady and Jay Spann

Sure, data from OT is being exported to SIEM and then SOAR, but is anyone doing anything with it? Yes, and in this session you’ll learn where some of the early, low risk wins are and the who and how much is required to get those wins. Learn how automated isolation, workflow tickets, updates to asset management and more can be achieved. The session will use Swimlane, QRadar, Tripwire and other systems as examples, but the techniques can be used with any vendor systems.

Past S4 Training

(Click On The Poster for Details and Videos)