Virtual Course

Cybersecurity 201 for Industrial Control Systems: Architecture, Asset Inventory, Network Security Monitoring & Event Detection

Designed for utility IT/OT staff, this course outlines a cybersecurity program in the industrial control system (ICS) environment. Focus on cyber asset inventory, event detection techniques, and learn about network security monitoring tools to identify an attack in the ICS.
February 23 - 24, 2020
12:00pm EST - 4:00pm EST

Virtual Training

Join us on February 23 and 24 as we debut this practical course as two, 4-hour interactive virtual sessions. It’s a convenient way to 'attend', while still having the opportunity to interact with the instructor, network with your industry peers, and earn continuing education credits. This course combines real-time presentation, small group breakouts, tool/software demonstrations, case studies, live polling/quizzes, and Q&A sessions.


Participate in two, real-time sessions from Noon – 4 p.m. Eastern on February 23 and 24. There will be two, 10-minute breaks incorporated into each session. 

Course Overview

Building off of APPA’s introductory cybersecurity courses, this course—designed for utility IT and OT personnel—takes on a more technical focus to outlining a cybersecurity program in the industrial control system (ICS) environment. Review the principles of a defensible architecture, learn how to conduct a thorough cyber asset inventory, and discover the necessary event detection techniques and network security monitoring tools to identify an attack in the ICS. Explore how network security monitoring provides visibility into the operational technology network, including determining a baseline for normal operations and alerting you to unexpected events. 

Sample Agenda

Part 1: Feb. 23

Course introduction, agenda and learning outcomes

12:20 p.m.
Module 1: Foundational Concepts and Secure OT Network Architecture

Topics Include:

  • Purdue Reference Model
  • ICS Cyber Security Kill Chai
  • Frameworks and Standards
  • How defense is doable in ICS/OT
  • Standards and best practices for a defensible network architecture for ICS/OT
  • The three No’s of ICS/OT
  • Secure Remote Access
  • Device, OS and application Hardening
  • To Encrypt or not to Encrypt
  • Migrating to a defensible architecture
  • Recognizing architectures that don’t follow best practice
  • Wireshark Demo

1:30 p.m.

1:40 p.m.
Module 2: Asset Identification & Inventory

  • Asset Inventory and Asset Identification Methodology
  • Operating in an OT environment
  • Tools for asset inventory
  • Expected asset inventory content
  • CyberLens Demo
  • APPA Asset Tracking Tool

2:30 p.m.

2:40 p.m.
Module 2 (continued)

3:45 p.m.
Wrap up, Q&A, and Evaluation

4:00 p.m.
Part 1 Adjourns

Part 2: Feb. 24

Recap from Part 1, review agenda and learning outcomes for Part 2

12:15 p.m.
Module 3: Network Security Monitoring (NSM)

  • NSM and visibility into OT network communications
  • Data sources & types
  • NSM and the ICS Cyber Kill Chain
  • Physical implementation of NSM 
  • Baselining normal network operations 
  • Network protocols found within ICS/OT
  • Common open source ICS protocols
  • Collection Management Framework
  • Development of Content Management Framework
  • Network Miner Demo

1:30 p.m.

1:40 p.m.
Module 4: Host Event Detection, Host Logs and Hunting

  • The four types of detection & alerts
  • Recommended host, device & security event logs to track
  • SIEM technology
  • Time synchronization
  • Hunting in NSM data
  • Benefits of Playbooks
  • ELK Demo 
  • Sophia Demo

2:30 p.m.

2:40 p.m.
Module 4 (continued)

3:45 p.m.
Wrap up and Q&A

4:00 p.m.
Course Adjourns

Recommended For

Utility IT/OT or ICS technical personnel who are responsible for, or interested in, applying cybersecurity standards and best practices to the industrial environment.

The content is geared towards informing IT/OT staff on the nuances and challenges of applying cybersecurity to operational industrial systems, as well as to give controls systems and operational personnel guidelines, best practices, and awareness of implementing an ICS/OT cybersecurity program. 
Past attendee titles have included:

  • IT staff: analysts, application security architects, systems engineers and administrators, cybersecurity engineers, security operations specialists, cybersecurity analysts
  • SCADA engineers, controls system engineers, solutions architects
  • Management: operations directors, plant managers, technology leaders

Course Level

Basic: No prerequisites; no advance preparation.

Technology Requirements

  • Attendees are required to have strong Internet access, in order to run the Zoom meeting platform. 
  • You will need to enable computer audio to listen and speak (alternatively a call-in number will be provided) and it’s also recommended that you have a webcam, so you can fully engage in the small group breakout exercises.  
  • Click here to learn more about downloading the Zoom Web Client.

Course Access and Materials

  • Zoom log in credentials will be sent out the day before class.
  • Attendees will receive access to APPA’s secure electronic document portal a week before the course, where the eManual will be made available. The sessions will be recorded and can also be accessed through this portal, in case you can’t attend the live version.


The following continuing education credits will be provided, after successfully completing both live sessions. Certificates will be emailed out by February 16. These sessions will be recorded, though certificates can only be awarded to those who participate in the live events (click here to review requirements).

Recommended CEUs .8/PDHs 8/CPEs 8.8 (for both sessions)
Field of Study: Specialized Knowledge


gusGus Serino, Principal, ICS Security Analyst, Dragos Threat Operations Center

Gus is a mechanical engineer and holds a Professional Engineering License (PE) in Control Systems with 20 years of experience in the design, implementation, management and security of Industrial Controls Systems. For 15 years prior to joining Dragos, he was part of the SCADA team for a large U.S. water utility, where he held a lead role in the engineering, programming, cyber security and management of a SCADA system with over 100 sites. He holds multiple GIAC Cyber Security Certificates (GRID, GCWN, GICSP & GCIA), is a member of the GIAC advisory board, and is passionate about solving the cyber security challenges of critical infrastructure.


Contact us at [email protected].

Register Now

Registration fees:

  • $675 for members
  • $1,350 for nonmembers

Not a member? Join today and save on your course registration. Call Member Services at 202-467-2926 to learn more.

Group Discounts

Save an additional $50 on each when your organization registers 5 or more people. The larger your group, the more you save!

Number of registrants

(per person)

Registration Fee

Registration Fee

















Contact [email protected] for more information and to request the group registration form to receive this special discount.  


Registrants who cancel in writing on or before February 16, 2021, are entitled to a refund of their registration fee, minus a $50 cancellation fee. Registrants who cancel after February 16 will not receive a refund, but attendee substitutions will be allowed for this event only. Registrants and no-shows who do not cancel by February 16 are responsible for the full registration fee and are not entitled to a refund. Email your cancellation request to [email protected].


Contact [email protected].

Earn While You Learn!

Participate in online programs to earn Continuing Education Units (CEUs), Professional Development Hours (PDHs) and Continuing Professional Education credits (CPEs). This course is eligible for the following credits:

Recommended CEUs .8/PDHs 8/CPEs 8.8 (for both sessions)
Field of Study: Specialized Knowledge


  • Attendees are required to attend and participate in 90% of both live events and complete an online evaluation at the end of each session
  • Partial credit cannot be given
  • Attendance is monitored by an Association staff member
  • Certificates will be emailed out on March 3
  • The sessions are recorded (in case you miss the live events), though credits can only be given for attending the live sessions

What educational credits are available?

You can earn the following kinds of educational credits for attending live sessions during the conference:

  • IACET logoContinuing Education Units (CEUs) - The American Public Power Association is accredited by the International Association for Continuing Education and Training (IACET) and is authorized to issue the IACET CEU. For information regarding certification status, attendance requirements and obtaining attendees transcripts, contact [email protected] or 202-467-2965.
  • CPE logoContinuing Professional Education (CPE) Credits - The American Public Power Association is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: There are no prerequisites for the courses offered; no advance preparation is required for any courses. Courses are group-live offerings. Credit hours and areas of study for the courses are listed on the individual course pages. For more information regarding administrative policies, such as clarification of requirements, complaints, and refunds, please contact [email protected].
  • Professional Development Hours (PDHs) -  The American Public Power Association’s educational practices are consistent with the criteria for awarding Professional Development Hours (PDHs) as established by the National Council of Examiners for Engineering and Surveying (NCEES). Course eligibility and number of PDHs may vary by state.


Format and Log-In Information

This class will be offered on the Zoom meeting platform. Presented in two interactive sessions, featuring real-time presentations, small group breakouts, case studies, and Q&A sessions.

  • You’ll receive a logistics email one week in advance of the class.
  • You will receive your Zoom access link the day before the course from the APPA Academy <[email protected]>. Please reach out to [email protected] if you do not receive that email.

New to Zoom?

If you haven't participated in a Zoom meeting before, please download the Zoom web client from the Zoom Download Center. This will enable you to access all of the Zoom tools and functionality vs. using the web version. For the course, you will need an Internet connection and sound (we recommend using your computer’s audio and microphone, though a phone number will also be provided). Then, visit to ensure you are able to join a meeting. 

If you are not able to download the Zoom web client, you can still participate via your Internet browser. We recommend using Chrome for the best results. If you use your Internet browser, your functionality may be more limited (for example, you will only be able to see one video feed at a time), and you will need to create a Zoom account. (Account creation is a free and straightforward process, but you will want to do this in advance so you do not miss any part of the meeting).

Privacy and Security

The American Public Power Association takes your privacy and security very seriously. For this reason, we have put the following security measures in place for this course:

  • A random Meeting ID
  • Password-protected
  • Enabled waiting room to screen meeting participants
  • Restricted screen sharing to hosts only

Code of Conduct

Participants agree to abide by the APPA Code of Conduct. If participants engage in unacceptable behavior as outlined in the code, the Association may take any action it deems appropriate, including but not limited to, expulsion from the current and future meetings, with no warning or refund.


Contact us at [email protected].