A Pragmatic Approach to Threat Detection In Your ICS Program
Author: SANS ICS Security
Uploaded: 2025-07-14
Views: 476
Detection is a Must: A Pragmatic Approach to Threat Detection Within Your Industrial Cybersecurity Program
🎙️ Austin Scott, Dragos Inc
📍 Presented at SANS ICS Security Summit 2025
This presentation tackles the often-contentious topic of threat detection in industrial control systems (ICS) head-on, addressing criticisms that frame it as a fear-driven industry distracting from fundamental security practices. We directly confront the notion that focusing on detection implies a neglect of preventative measures or an exaggeration of the threat landscape. Through a pragmatic, engineering-minded lens, this session argues that robust threat detection is not a separate entity, but an indispensable component of a mature and effective industrial cybersecurity program.
We will also detail how threat detection plays a pivotal role in regulatory compliance such as NERC CIP-015 – Cyber Security – Internal Network Security Monitoring (INSM). We begin by dissecting common arguments against prioritizing ICS detection, including the assertion that attackers are largely incompetent and that focusing on basic security flaws is sufficient. We then present a compelling counter-narrative rooted in the evolving reality of the OT threat landscape. Drawing on recent vulnerability disclosures, including the exploitation of vulnerabilities in foundational security controls like firewalls, we illustrate how even well-segmented networks can be compromised.
The persistent and increasing threat of ransomware, with statistics highlighting approximately 50 weekly attacks against industrial companies, further underscores the necessity of identifying malicious activity that bypasses preventative measures. The presentation delves into the practical implications of the shrinking attacker dwell time, highlighting data that demonstrates the critical need for rapid detection to minimize impact. We address the challenges of implementing effective detection monitoring, particularly the inevitable reality of false positives. Attendees will gain a nuanced understanding of different types of false positives (technical, contextual, etc.) and learn actionable strategies for their management and mitigation, turning potential noise into valuable signals.
We will also demonstrate how threat detection is foundational to established frameworks like the SANS ICS 5 Critical Controls. We explore how visibility and network monitoring (Controls 1 & 2) form the bedrock of detection, while detection itself serves as a crucial validation point for hardening (Control 3) and a trigger for effective incident response (Control 5). The presentation culminates in a discussion of practical steps and technologies for enhancing detection capabilities within OT environments, providing attendees with tangible strategies they can implement upon returning to work.
Attendees will leave this session with:
- A balanced perspective on the role of threat detection in ICS security, understanding its necessity alongside preventative measures.
- A clear understanding of the evolving threat landscape, regulatory landscape and why relying solely on prevention is insufficient.
- Actionable insights into managing and mitigating false positives, enabling more efficient and effective detection programs.
- A practical understanding of how threat detection aligns with and supports the SANS ICS 5 Critical Controls.
- A renewed understanding of the urgency of rapid detection in the face of decreasing attacker dwell times.

This presentation is designed for OT security practitioners, engineers, and managers seeking a realistic and actionable approach to building resilient industrial cybersecurity programs. It moves beyond the rhetoric and provides concrete insights into making detection a vital and valuable component of your security strategy.
View upcoming Summits: https://www.sans.org/u/DuS