ICS515: ICS Visibility, Detection, and Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
- GIAC Response and Industrial Defense (GRID)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 22 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Acquire critical visibility, detection, and response capabilities to protect ICS/OT environments against sophisticated threats while ensuring the safety and reliability of operations.
Featured Quote
ICS515 is so relevant to my day to day that I feel like I can't take notes fast enough. This is so critical for the ICS and OT community.
Course Overview
This ICS incident response course equips security professionals with practical skills to secure industrial environments. Through hands-on exercises using real industrial equipment, you'll learn to gain network visibility, identify assets, detect threats, and respond to incidents in critical infrastructure and other environments that rely on ICS/OT systems. The curriculum covers advanced defensive techniques against sophisticated threats like STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, FROSTYGOOP, EKANS, and PIPEDREAM. You'll work with a real programmable logic controller (PLC) kit, sector simulation board, and virtual machines that you keep post-course to continue skill development. Leveraging industry frameworks, you'll develop repeatable methodologies to secure industrial environments.
What You'll Learn
- Implement ICS-specific threat detection strategies
- Apply network security monitoring for OT environments
- Perform incident response in operational technology
- Extract intelligence from ICS threat analysis
- Build effective cybersecurity for industrial systems
Business Takeaways
- Improve visibility into ICS/OT asset inventories
- Reduce risk of operational disruption from cyber threats
- Enhance detection capabilities for ICS-specific attacks
- Develop effective OT incident response procedures
- Increase resilience against targeted industrial threats
- Bridge security gaps between IT and OT environments
- Apply intelligence-driven approaches to ICS security
Meet Your Author
Robert M. Lee
SANS Fellow and Dragos CEO Robert M. Lee, author of ICS515 and FOR578 and co-author of ICS310, teaches from landmark industrial cyber investigations, turning real adversary tradecraft into visibility, detection, and response skills in OT.
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in ICS515: ICS Visibility, Detection, and Response.
Section 1: ICS Cyber Threat Intelligence
Learn to leverage threat intelligence to analyze threats, extract indicators of compromise, document tactics, techniques, and procedures, and guide security teams to protect industrial environments.
Topics covered
- Case Study: STUXNET
- Introduction to ICS Active Defense
- Cyber Threat Intelligence Primer
- ICS Cyber Kill Chain
- Threat Intelligence Consumption
Labs
- Building a Programmable Logic Controller
- Structured Analytical Techniques
- Analysis of Intelligence Reports
- ICS Information Attack Space
- Maltego and Shodan Heatmap
Section 2: Visibility and Asset Identification
Understand the networked environment to build comprehensive asset inventories and develop effective collection strategies for both industrial operations and security operations.
Topics covered
- Case Study: Bhopal Disaster
- Asset Inventories
- Collection Management Frameworks
- ICS Network Visibility
- IT Discovery Protocols
Labs
- Operating the Process
- ICS Traffic Analysis
- ICS Protocol Analysis
- ICS Network Mapping
Section 3: ICS Threat Detection
Develop detection strategies to remain resilient against targeted and untargeted threats, with focus on safely conducting threat hunting and analyzing attack patterns in industrial environments.
Topics covered
- Case Study: German Steelworks Attack
- ICS Threat Hunting
- Threat Detection Strategies
- Case Study: SANDWORM
- ICS Network Security Monitoring
Labs
- Detecting Stage 1 Intrusions
- Investigating Stage 2 Compromises
- Traffic Analysis of Control Manipulation
- Validating System Logic Changes
- Logic Manipulation of Control Elements
Section 4: Incident Response
Learn to safely perform ICS incident response with focus on acquiring digital evidence while scoping threats and their operational impact, using forensic techniques tailored for industrial environments.
Topics covered
- Case Study: SANDWORM - Ukraine 2015
- ICS Digital Forensics
- Preparing an ICS Incident Response Team
- Case Study: ELECTRUM and CRASHOVERRIDE
- Initial Compromise Vectors
Labs
- Acquisition in an Operational Environment
- PLC Logic and Protocol Root Cause Analysis
- Analyzing Phishing Emails
- HMI Memory Forensics
- Process Triage
Section 5: Threat and Environment Manipulation
Extract information from threats through malware analysis to reduce the effectiveness of threats and create shareable threat intelligence for improved defensive posture.
Topics covered
- Case Study: XENOTIME - TRISIS
- ICS Threat Manipulation Goals
- Environment Manipulation Considerations
- Threat Analysis and Malware Triaging
- YARA
Labs
- Logic Analysis for Root Cause Analysis
Section 6: Capstone Day, Under Attack!
A full-day technical challenge where students apply all learned skills to analyze packet captures, logic, memory images, and more from compromised ICS ranges and equipment, simulating real-world scenarios.
Things You Need To Know
Relevant Job Roles
Threat Hunter (Digital Forensics and Incident Response)
This expert applies new threat intelligence against existing evidence to identify attackers that have slipped through real-time detection mechanisms. The practice of threat hunting requires several skill sets, including threat intelligence, system and network forensics, and investigative development processes. This role transitions incident response from a purely reactive investigative process to a proactive one, uncovering adversaries or their footprints based on developing intelligence.
All-Source Analyst (DCWF 111) (DoD 8140: Intelligence (Cyberspace))
Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.
Cyber Defense Infrastructure Support Specialist (DCWF 521) (DoD 8140: Cybersecurity)
Deploys, configures, and maintains infrastructure software and hardware to support secure and effective IT operations across organizational systems.
Control Systems Security Specialist (DCWF 462) (DoD 8140: Cybersecurity)
Oversees cybersecurity configuration and daily security operations of control systems, ensuring mission support and stakeholder coordination.
Industrial Control Systems and Operational Technologies (SCyWF: Industrial Control Systems And Operational Technologies)
This role conducts cybersecurity tasks for Industrial Control Systems and Operational Technologies (ICS/OT). Find the SANS courses that map to the Industrial Control Systems and Operational Technologies SCyWF Work Role.
Cyber Defense Incident Responder (DCWF 531) (DoD 8140: Cybersecurity)
Responds to and investigates network cyber incidents, performing analysis to mitigate threats and maintain cybersecurity in enclave environments.
Incident Response (OPM 531) (NICE: Protection and Defense)
Responsible for investigating, analyzing, and responding to network cybersecurity incidents.
ICS Security Incident Responder (Industrial Control Systems)
Executes specific industrial incident response for incidents that threaten or impact control system networks and assets, while maintaining the safety and reliability of operations.
Course Schedule & Pricing
GIAC Certification Attempt
Add a GIAC certification attempt and receive two free practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
- OnDemand (Anytime): Self-Paced, 4 months access. Course price: 9,230 USD (prices exclude applicable local taxes). Buy now for access on Dec 17. Use code Presale10 for 10% off the course price.
- SANS Cyber Defense Initiative 2025, Washington, DC, US & Virtual (live). Course price: 9,230 USD (prices exclude applicable local taxes)
- Course price: 7,505 GBP (prices exclude applicable taxes; EUR price available during checkout)
- Course price: 1,404,750 JPY (prices exclude applicable local taxes)
- Course price: 9,230 USD (prices exclude applicable local taxes)
- Course price: 11,985 SGD (prices exclude applicable local taxes)
- Course price: 9,230 USD (prices exclude applicable local taxes)
- Course price: 8,630 EUR (prices exclude applicable local taxes)
- Course price: 9,230 USD (prices exclude applicable local taxes)
- SANS ICS Security Summit & Training 2026, Orlando, FL, US & Virtual (live). Course price: 9,230 USD (prices exclude applicable local taxes)
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Very good for any ICS program, security-focused or not.
- Very good focus on the OT/ICS side & integrated into class.
- This course was like a catalyst. It not only boosted my knowledge about the threats facing ICS environments and provided me with a framework to actively defend these threats, it also inspired me to learn more.
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources