Slots Open

ICS Strategic Planning and War Gaming

Network defense is informed by knowing the network, and knowing the adversary – but few practitioners have the fortune of possessing this knowledge before a major breach. Industrial Control System (ICS) networks provide particular challenges due to limitations on operational testing and traditional red team exercises. To address the need for critical assessment of ICS-related networks for developing defensive strategy, this training provides attendees with a comprehensive exercise to identify critical network assets within a theoretical IT and ICS environment, driven by threat intelligence and threat actor profiles.

Starting with an overview of strategy and applying strategic concepts to network defense, attendees will formulate a comprehensive, adversary-oriented network defense plan covering IT and ICS environments. Following additional overview and critique of planning, attendees will then test the plan through an iterative, guided wargaming exercise – the goal being to test planning comprehensiveness, identify gaps, and improve planning and implementation over time. This training is suitable for all levels of security practitioner – from CISO to SOC analyst – as a means to improve and refine defensive planning, especially within environments containing ICS.

Who Should Attend

  • Security senior decision makers, from project managers through CIOs.
  • ICS network operations personnel responsible for assessing risk or managing network security.
  • Security operations personnel, either focused on ICS environment or general IT security, with an interest in network security strategy development.

Key Learning Objectives:

  • How to assess the security threat environment to identify threats facing the organization.
  • Apply threat assessment information to the organization’s security environment to formulate an actionable, working network defense strategy.
  • Learn to critically analyze network defense planning activity and technical controls to identify detection and visibility gaps.
  • Gain experience in developing and executing interactive exercises to test security plans to evaluate effectiveness and relevance.
  • Learn how to apply and interpret testing results to improve security planning over time, and adapt to a changing threat environment.

Prerequisite Knowledge:

  • General understanding of computer network security concepts, technical controls, and applications.
  • Familiarity with reading threat intelligence reporting covering computer network security issues.
  • Base-level knowledge in ICS security concepts preferred but not necessary.

Hardware/Software Requirements:

  • Laptop computer for development, planning, and documentation during exercises.
  • No other significant technical requirements – lectures and exercises will be based around discussion.


Day 1:

  • Introduction to strategy within a computer network defense environment.
  • Identifying unique aspects of ICS networks and their impact on strategy development.
  • Review of threat activity groups and threat intelligence reporting.
  • EXERCISE: Critical evaluation of threat intelligence reporting to extract actionable information.
  • Review of ICS-specific network defense concepts and strategies.
  • Discussion and examples of threat modeling and developing threat-focused defensive plans.
  • EXERCISE: Formulate threat model for hypothetical ICS network based on available reporting.
  • Combining organizational knowledge with threat environment assessment to develop specific network security strategy.
  • EXERCISE: Develop strategic network defense plan for hypothetical ICS network.
  • Plan review and debrief.

Day 2:

  • Review of strategic plans and purpose.
  • Distinction between red teaming and wargaming.
  • Wargaming introduction, rules, and procedures.
  • Importance of and critical components of after-action analysis and iterative development.
  • EXERCISE: Classroom wargaming exercise testing developed network security strategy.
  • After-action review of wargaming exercise, course take-aways, and closing.