Program

9 November 2026: Main Track, Danish Track, Intermediate Technical Workshops
10 November 2026: Main Track, Strategic Workshops, Intermediate Technical Workshops, Advanced Technical Workshops
11 November 2026: Main Track, Strategic Workshops, Intermediate Technical Workshops, Advanced Technical Workshops
Danish Track – Strengthening Critical Infrastructure

Concrete experiences, Danish perspectives and what works in practice

This track brings together key Danish actors and gives a practice-oriented insight into how organizations work with cybersecurity and resilience in critical infrastructure today.

The focus is on:

  • how the threat landscape concretely affects Danish organizations
  • how NIS2, regulation and requirements are translated into practice
  • which solutions and approaches actually work in operation
  • how security, business and operations are connected in reality

The sessions are based on real cases, experiences and dilemmas from authorities, industry, the utility sector and suppliers, and give participants concrete insights that can be applied directly in their own organization.

The track is relevant for everyone working with security, operations, compliance or management within critical infrastructure.

You can freely combine this track with the Main Track and workshops to put together your own program.

Main Track – Building resilient cyber-physical systems

For those looking to understand the threat, the consequences, and how to build real resilience

The Main Track is the central stream of the conference, bringing together key perspectives on cybersecurity in critical infrastructure—from how attacks unfold, to their operational impact, and how organizations strengthen resilience in practice.

The program is structured around three themes:

  • Understanding the Threat – how attacks are carried out and where vulnerabilities emerge
  • Understanding the Consequences – how incidents impact operations, safety, and critical services
  • Building Resilience – how organizations prevent, detect, and respond to cyber threats in real environments

You will gain insights into:

  • current attack methods and threat actors targeting industrial environments
  • how IT/OT convergence, AI, and regulation are reshaping the risk landscape
  • real-world experiences from critical infrastructure and industrial operations
  • how cybersecurity is translated into operational resilience

The Main Track brings together strategic perspectives, operational experiences, and technical insights, making it relevant for leaders, specialists, and practitioners working with cybersecurity, operations, risk, or critical infrastructure.

Sessions can be freely combined with workshops across all workshop tracks, allowing you to build a conference experience that matches your role, interests, and level of expertise.

08:00
Welcome to Day 1 of ISC-CPH – Enjoy breakfast and networking before we begin
09:00
Welcome and introduction to the day's program with moderators Jens Christian Vedersø & Peter Frøkjær
Jens Christian Vedersø
Principal Consultant, R1SK.IO
Peter Frøkjær
Chairman, ISACA Denmark Chapter & Senior Security Architect, Vestas
09:00
Opening remarks by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
09:05
Introduction to this year’s Capture the Flag competition by ICSRange
09:10
Status on the work with societal security and the threat assessment for critical infrastructure in Denmark
09:10
Tracking Covert Networks

This presentation focuses on tracking nation-state threat actors’ covert networks, which hide in compromised routers and consumer devices while targeting critical infrastructure.

The constant turnover of the compromised devices used for activity against critical infrastructure makes the current model of IOC sharing ineffective: static IOCs decay faster than the sharing and deployment cycles.

The talk looks at approaches in use that incorporate behaviour tracking, relationship building, and the use of deception capabilities.

Ben May
Specialist - Cyber Threat Intelligence, Australian Energy Market Operator
09:10 - 12:30
Workshop with Mike Holcomb: Building Offensive and Defensive Tools for OT/ICS Cybersecurity

Attackers are using AI to get better at their jobs. So why aren’t we as defenders? This session will help to demystify how we can use AI to help us in becoming more effective defenders through the creation of utilities for both offense and defense in OT/ICS cybersecurity. From vibe coding to agentic AI, the potential for protecting our environment is unlimited (just as it is for the attackers).

Part 1: Demystifying AI for Operations

AI is radically changing every industry, and cybersecurity is no different. Even more so in OT/ICS environments, where teams are already stretched thin and still trying to catch up on implementing the basics of cybersecurity before throwing AI into the mix. This session will cover AI basics everyone should know and explore critical use cases to help protect your environment.

Part 2: Writing Offensive OT/ICS Tools with AI

The best way to learn how to defend OT/ICS? Learn how to attack it. And in this case, we’ll look at how to attack it with AI. From writing custom scripts to automating attacks with AI, this session will look at how AI is enabling attackers to be much more effective at their jobs. And sets us up for the next section on what we can start to do about it.

Part 3: Creating Strong OT/ICS Defenses with AI

Attackers are using AI for EVERYTHING. So why aren’t we as defenders? In this session, we’re going to cover different uses of AI from a defensive standpoint, especially for teams that are already stretched thin today and just trying to make do with the limited resources they have.

Part 4: Bringing It All Together: Building Your OT/ICS Program with AI

As environments begin to tackle the fundamentals of OT/ICS cybersecurity, there comes a point where it makes sense to formalize their OT/ICS cybersecurity program. And yet, many of the initial steps in starting a program can be confusing, convoluted, and downright boring. And that’s where AI can come in and help you excel!

Mike Holcomb
Founder, UtilSec
10:00
Cyberalarmen – to detect or not to detect the hackers

How do organizations actually detect cyberattacks in time, even when resources, overview and security capabilities are limited?

Cyberalarmen is a concrete cybersecurity initiative developed by Sundhedsdatastyrelsen (the Danish Health Data Authority) that gives smaller organizations the ability to detect cybercriminal activity in practice. Although the solution was developed for the healthcare sector, it addresses a challenge that cuts across industries, including critical infrastructure: lack of visibility into what is actually going on in one's own systems.

In a shifting threat landscape, both small and large organizations can become the target of a cyberattack from one day to the next. For smaller actors the challenge is often greater, but the experiences from Cyberalarmen show mechanisms and patterns that are directly transferable to detection and situational awareness in critical infrastructure.

Cyberalarmen is in pilot operation in cooperation with PLO and Danske Regioner, where 79 clinics have had the solution implemented for around six months.

The talk shares concrete experiences from the pilot project:

  • What Cyberalarmen is and how it works in practice
  • Which types of attacks and activity actually hit organizations
  • Which insights and lessons the pilot project has provided regarding detection and response

Central question:
Which attackers and cybersecurity challenges are actually “knocking on the door”, and why do organizations often detect them too late?

Søren Bank Greenfield
Head of Department, Sundhedsdatastyrelsen
Ole Fisker
Section Manager, Sundhedsdatastyrelsen
10:00
Post-Quantum Readiness for OT: Planning Cryptographic Resilience in Long-Lived Industrial Control Systems

Post-quantum cryptography is often discussed as a future technology problem. For operational technology, it is more accurately a lifecycle problem. Industrial systems purchased or designed today may remain in production for 15–25 years, long after cryptographic standards, vendor requirements and regulatory expectations have changed.

A common reaction in OT security today is: “Why should we worry about post-quantum cryptography when many industrial protocols still lack basic authentication, integrity protection or encryption?” This session starts from that reality. The post-quantum challenge for OT is not simply to replace existing cryptography. It is to build cryptographic trust into long-lived industrial systems without creating the next generation of legacy risk.

This session translates post-quantum cryptography into practical OT language: asset lifecycles, vendor dependency, firmware signing, remote access, certificates, secure communications, embedded devices and procurement decisions. Rather than diving into the mathematics of PQC algorithms, the presentation will explain where quantum-vulnerable public-key cryptography appears in OT environments, why industrial migration will be slower and more constrained than enterprise IT migration, and how asset owners can begin preparing without disrupting operations.

Delegates will leave with a practical readiness model for OT environments: how to identify crypto exposure, prioritize long-lived systems, engage vendors, update procurement requirements, and build a crypto-agility roadmap before today’s purchases become tomorrow’s legacy risk.

Learning outcomes:

  • Understand why post-quantum cryptography is relevant to OT lifecycle planning today, even before cryptographically relevant quantum computers arrive.
  • Identify where public-key cryptography appears in industrial environments, including remote access, certificates, firmware signing, secure boot, OPC UA, TLS/IPsec and OT/IT data flows.
  • Learn how to start an OT-focused crypto inventory and prioritize systems based on criticality, exposure, vendor dependency and remaining lifecycle.
  • Define practical questions to ask OT vendors about crypto-agility, PQC roadmaps, firmware signing and long-lived product support.
  • Build a phased quantum-readiness roadmap that supports resilience without creating operational disruption.

Anton Shipulin
Industrial Cybersecurity Strategist, Nozomi Networks
11:10
Why OT risks do not reach the boardroom

Cybersecurity risks in OT environments have risen markedly, but many organizations still struggle to get them anchored at management level. Why?

This talk provides a structured understanding of why OT risks are often underestimated, and how this affects organizations' ability to act in time. Based on current analyses of the threat landscape, it walks through how modern cyberattacks on industrial environments actually unfold in practice, and why many incidents are detected too late.

The talk focuses on three central challenges:

  • Why OT incidents are often detected too late, and how a lack of visibility across the attack lifecycle creates blind spots
  • How the shift from “breaking in” to “logging in” changes the threat landscape in OT environments
  • Why OT cybersecurity struggles to get priority with management, and how technical risks can be translated into business consequences

Participants get a practical framework for understanding and assessing OT risk in their own organization, including how to identify critical blind spots and strengthen the basis for decisions.

The talk builds on recent analyses of OT cybersecurity risks across industry, in which empirical threat data, industry insight and national risk assessments have been combined to identify patterns in how OT risks arise and are handled.

Participants get:

  • A clear understanding of why OT risks are often underestimated
  • Insight into how modern attacks on industrial environments really play out
  • A practical approach to linking technical risks with management's basis for decisions

The talk is relevant for everyone working with security, operations and management who needs to create a better basis for decisions and prioritization of OT cybersecurity.

Jeppe Engell
Chief Consultant – Cybersecurity, Dansk Industri
11:10
Have You Looked at Your Remote Access Lately? Hidden Trust Paths in ICS Remote Administration

Remote access into ICS and OT environments has become normal. Vendors need it, engineers depend on it, and many organizations cannot operate efficiently without it. But the real risk today is no longer only “whether remote access exists.” It is whether the remote administration path has silently become a trusted attack path into critical environments.

Many recent intrusions start with stolen credentials, compromised endpoints, weak or bypassed MFA, or exposed edge infrastructure. In ICS, remote administration can also bypass parts of the traditional IT security model and compress the path toward sensitive systems. This talk revisits remote access from that perspective.

Building on earlier work around hidden dangers in remote management, this session looks at where the real risks now sit: the source network, the remote endpoint, the jump host, the user behind the session, and the hidden assumptions of trust that connect them. It also links these issues to NIS2/CyFun and IEC 62443 expectations around monitoring, approval, authentication, segmentation, logging, and time-bounded access. Finally, it offers practical questions and control ideas that asset owners, integrators, and vendors can use to reassess their current remote administration model.

Dieter Sarrazyn
Industrial Security Advisor & Owner, Secudea
11:50
Suppliers to NIS2-covered organizations – how to use ISO 27001 in practice

Organizations covered by NIS2 have a concrete responsibility: They must not only ensure their own resilience, but also set requirements for their suppliers and ensure that the entire value chain lives up to an adequate level of security.

But how is that translated into practice?

This talk takes ISO 27001 as its starting point, as an operational tool for working in a structured way with supplier management under NIS2. With a focus on both the customer and the supplier perspective, we walk through how the standard can be used to:

  • Translate NIS2 requirements into concrete requirements for suppliers
  • Document and demonstrate information security in practice
  • Support dialogue, audits and collaboration across the value chain

The talk also takes a close look at the most common pitfalls when organizations and suppliers work with ISO 27001 in a NIS2 context, including where certification alone is not sufficient.

We also look at which supporting standards in the ISO 27000 series create real value in the work, with particular focus on ISO 27003, which provides practical guidance on implementation.

Participants get:

  • A concrete understanding of how NIS2 requirements can be operationalized in supplier management
  • Insight into how ISO 27001 is used as more than documentation: as a management tool
  • An overview of typical mistakes and how to avoid them in practice

The talk is relevant for everyone working with NIS2, compliance and supplier management who needs to turn requirements into concrete actions in the organization.

Niels Gamborg Nielsen
ISMS Manager, Siemens
11:50
Stop Ransomware in OT: A Deep Dive into OT Attack Strategies and Countermeasures

In highly digitalized and automated industrial environments, OT systems face threats from a wide range of threat actors. Among the cybersecurity incidents affecting OT in recent years, ransomware has emerged as one of the most disruptive threats.

In this talk, we focus on revealing why modern ransomware can cause OT protection to fail. We will use the most active ransomware group this year, Qilin, as a case study to provide an in-depth analysis of its real-world attack techniques. These include exploiting newly disclosed network device vulnerabilities, leveraging BYOVD techniques to bypass AV protections, and employing various persistence and defense-evasion methods to maintain long-term access.

By analyzing Qilin’s attack strategies and attack chain, we derive the major factors that often render OT defenses ineffective. These include constraints on endpoint security deployment and insufficient confidence to block abnormal activities. In response, we propose actionable OT security controls to address the ransomware attack strategies observed in recent years. These controls help organizations build a resilient cybersecurity architecture tailored to OT environments.

Outline

  1. Ransomware Attacks on OT Environments

Modern OT environments are no longer isolated systems. Instead, they are highly interconnected through IT/OT convergence, which expands the attack surface for ransomware groups.

This section presents several recent ransomware incidents that have disrupted OT operations, illustrating the OT impact of ransomware.

2026 – Hazeldenes, a major chicken meat processor in Australia, was compromised by a ransomware group, resulting in a shortage of chicken products across multiple businesses in the state

2026 – The Metro in Los Angeles experienced unauthorized activity within internal systems by a ransomware group, leading to disruptions such as station monitors failing to display real-time arrival information

2026 – IntraCare, a healthcare provider, was impacted by a ransomware attack that forced its systems offline, resulting in the postponement of patient surgeries

Through these cases, we explore the evolving ransomware threat landscape facing OT environments. Notably, Qilin has remained the most active ransomware group from 2025 through H1 2026, consistently targeting a wide range of industries, including manufacturing, automotive, and healthcare.

In the next section, we take a deep dive into Qilin, analyzing its attack techniques to better understand both its strategies and the major factors that render OT defense mechanisms ineffective.

  2. Dive into Qilin Ransomware Attack Strategies

This section provides an in-depth analysis of the attack strategies employed by Qilin, drawing on real-world incidents and reverse-engineering findings. It also reveals why these techniques are effective in OT environments. Key focus areas include:

Exploiting newly disclosed firewall vulnerabilities. Qilin has exploited firewall vulnerabilities disclosed in the same year, including CVE-2024-21762 and CVE-2024-55591. These vulnerabilities can grant attackers admin privileges, turning the security infrastructure designed to protect OT environments into an entry point for compromise.

Disabling endpoint protections using the BYOVD technique. Because trusted Windows drivers often operate with elevated privileges and may not be fully monitored by security controls, they can be abused without triggering alerts. In previous incidents, Qilin has leveraged vulnerable drivers such as eskle.sys, rwdrv.sys, hlpdrv.sys, and TPwSav.sys to disable antivirus and EDR solutions.

Persistence and defense evasion. Once Qilin ransomware is deployed on an endpoint, it establishes multiple persistence and defense-evasion tactics. For example, it may invoke the Windows AdjustTokenPrivileges API to enable the SeDebugPrivilege privilege, allowing it to inject DLLs into protected system processes. It also creates autorun registry entries to ensure persistent and stealthy code execution. However, because OT environments demand high availability, these abnormal actions often remain as mere log entries and are not acted upon.

  3. Enhancing the Defense Architecture through OT Security Controls (5 mins)

This section maps the attack techniques used by Qilin to OT defense gaps and proposes actionable security controls tailored for OT operations. Examples include:

Vulnerability Monitoring and Management

Since ransomware groups exploit newly disclosed vulnerabilities and achieving zero vulnerabilities is not realistic, organizations should adopt a risk-based approach to vulnerability management, especially for internet-facing devices. For the period until updates are applied, we propose some actionable compensating controls.

Management of Access Controls

The BYOVD technique is not just a single vulnerability exploit. It usually occurs after threat actors have already gained admin privileges on an endpoint. Therefore, mitigation should focus on the entire attack chain and apply layered security controls. For example, endpoint systems should restrict access to specific source IPs and authorized users, and tools such as Mimikatz and similar post-exploitation activity should not be present.

Consolidation and Correlation of Security Events

To cope with massive log volumes, we need to turn logs into meaningful information. Security logs originate from diverse sources, including firewalls, IPS, and endpoint protection solutions, and should be aggregated into a SIEM or a dedicated security monitoring system. Correlation and automated analytics can then identify meaningful attack chains, allowing operators to focus on abnormal activities.

The learnings from this presentation:

  • In-depth understanding of modern ransomware attack strategies, including exploiting newly disclosed network device vulnerabilities, leveraging BYOVD techniques to bypass AV protections, and employing various persistence and defense-evasion methods to maintain long-term access.
  • Understanding of the major factors by which these strategies render OT defenses ineffective, including constraints on endpoint security deployment and insufficient confidence to block abnormal activities.
  • Actionable OT security controls to address the ransomware attack strategies observed in recent years, which help organizations build a resilient cybersecurity architecture tailored to the OT environment.

Yenting Lee
Senior Threat Researcher, TXOne Networks
12:30
Lunch & Networking
13:30
Third-party access in one of Europe's most demanding OT environments – What Greenland has taught us about compliance, customer dialogue, and developing state-of-the-art technology

Nukissiorfiit operates electricity, heating and water across all of Greenland, where “remote” is not a metaphor. Many facilities can only be reached by helicopter, boat or snowmobile. When a third-party supplier needs access to a PLC or a SCADA server, the operational reality is already further from the office than most CISOs will ever get, and the cyber threat landscape makes no allowance for that.

This talk brings together two perspectives on the same problem: How does a utility company handle third-party supplier access when physical presence is the exception, when one solution has to cover both IT and OT, and when regulation and threats move faster than decisions about new technology can be made and implemented, especially when those decisions require behavioural change among both internal and external users, and installation at locations where even getting there is an operation in itself?

Nukissiorfiit describes how operations across Greenland and out into the settlements are strengthened by using a single secure remote access method for both its own engineers and third-party suppliers, in an environment that is both geographically extreme and increasingly exposed to cyberattacks. The practical experiences cover supplier management across distances where “just send someone out” is not an option, integration of access control across mixed IT/OT environments, and how to maintain operational continuity when on-site response time is measured in days.

BifrostConnect shares the method behind staying state of the art in a field where some things move fast (cyber threats, regulation) and others move slowly: legacy PLCs, decision processes that require behavioural change across organizations, and installations at locations where weather and logistics regularly postpone plans at the last minute.

The focus is not on tools but on method: how close customer dialogue and early involvement of regulation and best-practice guidance create technology that survives both audits and operational reality.

Key points for participants:

  • A framework for third-party access management in geographically dispersed critical infrastructure, tested in one of Europe's most demanding operating environments.
  • How to unify remote access to IT and OT without replacing existing equipment, and why that matters for both compliance and incident handling.
  • A method for keeping up with regulation and best practice when the regulatory landscape (NIS2, CER, the Machinery Regulation) evolves faster than traditional decision processes.
  • A simple architectural principle for supplier access: the boundary matters more than credentials; OT calls out, OT never receives.

Kasper Holst Wochner
CEO, BifrostConnect
Alu Gunnar Hans Jokum Petrussen
Head of Digitalisation, Nukissiorfiit
13:30
The Hidden Software Supply Chain in Industrial Devices

Industrial and OT environments increasingly depend on smart, software-driven devices, yet most asset owners and even manufacturers lack visibility into the software components running inside them. Beneath the surface lies a complex and largely invisible supply chain of third-party code, reused libraries, legacy components, and modified open-source software. This hidden software supply chain introduces risks that traditional security assessments and vulnerability scans frequently fail to detect. As recent incidents have shown, organizations often inherit vulnerabilities they never knowingly introduced.

This session explores how hidden software dependencies accumulate in industrial devices over time and why they remain undetected until a major vulnerability disclosure forces urgent investigation.

Key discussion points include:

  • Why conventional vulnerability scanning provides only partial visibility in OT
  • How software reuse and legacy components quietly expand the attack surface
  • Real-world examples where embedded vulnerabilities remained unnoticed in field devices
  • Why SBOMs alone are not enough without accurate component discovery
  • The practical role of binary analysis and deep inspection in uncovering hidden risk
  • Strategies for manufacturers and asset owners to improve software transparency and long-term risk management

The audience will gain a clearer understanding of how software supply chain risk manifests in industrial environments, and what steps can realistically reduce blind spots.

Zahra Khani
Principal Product Manager, Keysight Technologies
13:30 - 17:10
Workshop with Dan Ricci: Advisory Project

This is a hands-on workshop for OT security practitioners and managers at small and medium European asset owners. The conference description covers the audience problem and the deliverable. This document covers everything ISC-CPH organizers need to plan, schedule, and support the session. The short version: attendees walk in with their NIS2 compliance audit on the horizon and walk out with three working artifacts (a vulnerability handling policy, a supply chain risk register, and an executive risk briefing) that they finalize at work the following Monday. The workshop runs from a bootable Ubuntu USB distributed before the conference. Everything is local. Nothing phones home.

Attendee technical requirements

Communicated to registered attendees four to six weeks before the conference:

  • Laptop with USB-A or USB-C port and BIOS/UEFI capable of booting from USB
  • Minimum 8 GB RAM, 16 GB recommended
  • Permission from their employer to boot a non-corporate operating system on their device, or willingness to use a personal laptop
  • No software installation required on the host operating system
  • All artifacts can be saved to an attendee-supplied second USB stick or emailed via webmail at the end of each session

Part 1: Foundation and policy

  • Welcome and the regulatory landscape (5 slides). NIS2 Article 21 walkthrough. GDPR, CER, CRA framing.
  • USB boot, environment validation, sample data load.

Part 2: Asset inventory to advisory mapping. Attendees load a sample inventory and pull matching advisories from the workbench dataset. Apply EPSS, KEV, and sector context.

Part 3: Supply Chain Risk Register. Attendees build a NIS2 Article 21(2)(d) supply chain register, including a vendor maturity scoring approach derived from advisory quality and SBOM availability.

Part 4: Executive Risk Briefing. Attendees generate a board-ready briefing for management bodies operating under NIS2 Article 20 personal liability.

Sector swap exercise. Attendees re-run the workflow on a different pre-loaded sector to internalize the methodology. Optional peer collaboration during this segment.

Parts 5-8 continue tomorrow.

Dan Ricci
CEO and Founder, Industrial Data Works LLC | Founder, ICS
14:19
Borrowed from the front line – decision-making tools from emergency response and why they work in the boardroom
  • A recognition: Most organizations recognize the situation where reality moves outside the manual. That is not a failure; it is a condition.
  • A mental shift: From a focus on better processes to stronger decision-making ability. Processes handle the known; decision-making ability handles the unpredictable.
  • Concrete tools: Practical methods that can be applied directly in situations organizations already face.
Katrine Schmidt
Senior Resilience & Policy Advisor, TOMKAT Advisory
14:20
Panel: Security Professionals 5.0 – what is needed to fight next gen threats
Amalie Palsgaard Loenning
Board Member, Women for Cyber Norway Chapter
Anette Roll Richardsen
President, Women for Cyber Norway Chapter
15:25
Experiences from the front line – a volunteer's experiences with Russian hybrid warfare

A Danish volunteer's first-hand account of Russian hybrid warfare in Ukraine, and what sustained attacks on the power grid actually do to a city, translated into concrete implications for Danish operators within energy, water, heating, telecoms and ports.

Not doctrine, not a vendor pitch and not the authorities' official line, but field observations from reality, told as they were experienced.

Participants take away:

A realistic picture of what hybrid warfare aimed at energy infrastructure actually means for a city: winter, summer and in the long economic aftermath.

Emil Hummelgaard Konstantinovitz
Cockroach.systems
15:25
Managing business requirements alongside evolving regulation, growing digitalization and increasing threats

This presentation frames the challenge for European CNI operators as a single, converging problem: balancing operational performance with accelerating digitalization, tightening regulation such as NIS2, and a more capable threat landscape that is increasingly reaching OT environments.

It shows how risk is shifting from isolated assets to system-level behaviour driven by interconnected dependencies, while regulation is moving toward outcome-based resilience that requires not just controls, but demonstrable capability to detect, respond, and maintain operations under disruption.

Value for asset owners/operators:

  • A clear translation of NIS2 and related regulation into practical, OT-relevant actions
  • A prioritization framework to focus investment on what reduces real operational risk (not just compliance gaps)
  • A structured approach to align people, process, and technology across IT and OT
  • Guidance on embedding sovereignty principles through hybrid architectures (edge / cloud)
  • Improved ability to select and challenge vendors/service providers based on outcomes, not features
Steven Webb
Managing Partner, Westlands Advisory
16:15
ICS – in control or out of control? Why ICS/OT must adapt significantly faster

This talk shares a perspective on the current state of resilience in ICS/OT. Progress has been made in recent years, but the threat landscape continues to evolve faster than many organizations are able to adapt.

In a reality marked by geopolitical tension, hybrid pressure, growing interdependencies and an expanding role for AI, resilience today depends not only on capabilities but, to a large degree, also on speed.

Control, resilience and pace have become just as decisive as protocols, cybersecurity and technical controls.

The question is: Can the industry adapt quickly enough to regain control, keep it, and build a significantly higher degree of resilience?

Ken Bonefeld
Managing Director & Owner, Bonefeld
16:20
Harnessing AI Safely in Industrial Organizations

– Cross-Domain Data Pipeline Resilience as a Precursor to AI Adoption

Modern businesses increasingly rely on telemetry from production environments for business decision-making. Realizing productivity gains from business intelligence initiatives & AI-enabled telemetry analysis requires data flows between OT & IT systems. It is critical to establish secure & verified cross-domain data pipelines to harness the power of AI without introducing undue operations risk.

Disruption or interference with telemetry data and control signals can occur by accident or intentionally, with threat actors including criminal gangs seeking ransom or nation-states seeking a geopolitical objective. Regardless of cause, unverified changes to production telemetry or control commands can cause inefficiencies in operations or direct damage & disruption – resulting in safety, regulatory, or financial impacts.

Illustrative examples of leveraging production telemetry and remote commands include:

  • Telemetry Used for Business Intelligence: RTU data feeds from distributed energy resources, production output data to optimize throughput, production yield data to feed quality management systems, individual machine performance used for predictive maintenance, supply-chain & warehouse telemetry to manage just-in-time inventory levels, & energy consumption telemetry feeding energy efficiency calculations & ESG reporting
  • Remote Commands for Process Adjustment & Optimization: Secure write-back to production systems for human-in-the-loop or closed-loop optimization, AI-enabled process adjustments, and remote operations in regulated environments such as electricity or gas distribution

This presentation will begin with examples of these critical data flows and control paths, as well as a discussion of the data integrity risk presented by technical errors, malicious insiders, or geopolitical actors. It will also contain client case studies discussing specific examples of AI-enabled operations as well as examples of data integrity and remote operations incident impacts.

Delegates will also learn key areas to look for when assessing their dependence on these data pipelines, the impact of an integrity incident, as well as practical tips on how to increase their data pipeline resilience.

Hatteras Hoops
OT Security Delivery Lead – Europe, Booz Allen
Patrick Lamplmair
Chief Technology Officer, Tributech
17:00
Wrap-up of the day by the conference moderators Jens Christian Vedersø and Peter Frøkjær
Jens Christian Vedersø
Principal Consultant, R1SK.IO
Peter Frøkjær
Chairman, ISACA Denmark Chapter & Senior Security Architect, Vestas
17:00
Closing remarks and Day 1 summary by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
17:10 - 18:00
Networking reception
Main Track – Building resilient cyber-physical systems

For those looking to understand the threat, the consequences, and how to build real resilience

The Main Track is the central stream of the conference, bringing together key perspectives on cybersecurity in critical infrastructure—from how attacks unfold, to their operational impact, and how organizations strengthen resilience in practice.

The program is structured around three themes:

  • Understanding the Threat – how attacks are carried out and where vulnerabilities emerge
  • Understanding the Consequences – how incidents impact operations, safety, and critical services
  • Building Resilience – how organizations prevent, detect, and respond to cyber threats in real environments

You will gain insights into:

  • current attack methods and threat actors targeting industrial environments
  • how IT/OT convergence, AI, and regulation are reshaping the risk landscape
  • real-world experiences from critical infrastructure and industrial operations
  • how cybersecurity is translated into operational resilience

The Main Track brings together strategic perspectives, operational experiences, and technical insights, making it relevant for leaders, specialists, and practitioners working with cybersecurity, operations, risk, or critical infrastructure.

Sessions can be freely combined with workshops across all workshop tracks, allowing you to build a conference experience that matches your role, interests, and level of expertise.

Advanced Technical Workshops

For those working deeply with OT security and technical solutions

This track is aimed at specialists, engineers, and technical professionals working directly with OT systems, architecture, and advanced security.

Here you will dive into:

  • advanced methods and tools
  • analysis, testing, and implementation
  • real systems and realistic scenarios

The workshops are technically demanding and require experience but provide hands-on insight into how cybersecurity works at system level in practice.

Workshop duration varies from focused single-session workshops to intensive full-day technical deep dives. To ensure a high level of engagement and hands-on interaction, each workshop is limited to a maximum of 35 attendees.

You choose the workshops that match your expertise and can combine them with sessions from the other tracks throughout the conference.

Intermediate Technical Workshops

For those turning requirements into practical solutions

This track is for professionals working with the implementation of OT/ICS security—either hands-on or bridging IT, OT, and business stakeholders.

The focus is on:

  • how to practically work with NIS2, risk, and OT security
  • how to build structures, processes, and solutions
  • how to apply tools, data, and methods in real-world settings

These workshops are hands-on and practice-oriented, where you actively work with scenarios and deliverables that can be applied directly in your day-to-day work.

Workshops range from single-session formats to full-day workshops, depending on the topic and level of depth. To maintain a practical and interactive learning environment, each workshop is limited to a maximum of 35 participants.

You are free to choose the workshops most relevant to you and combine them with the rest of the conference program.

Strategic Workshops

For those working with priorities, risk, and decision-making

This track is designed for decision-makers, leaders, and professionals responsible for setting direction for cybersecurity and resilience in critical infrastructure.

The focus is on:

  • how the evolving threat landscape impacts organizational priorities
  • how risk assessments are translated into concrete decisions
  • how governance, compliance, and business priorities connect to operations and OT

The workshops are based on real-world challenges and provide models, perspectives, and tools to help you work more systematically with risk and resilience in your organization.

Workshops in this track vary in length from a single session to a full-day format, allowing for both focused deep dives and more comprehensive learning experiences. To ensure interaction, discussion, and direct access to instructors, participation is limited to a maximum of 35 attendees per workshop.

You can attend one or more workshops in this track and combine them with sessions from the main conference program.

08:00
Welcome to Day 2 of ISC-CPH – Enjoy breakfast and networking before we begin
09:00
Opening remarks by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
09:00 - 12:30
Workshop with Sofia Rita Tocco & Alexander Victor Dybendal Koefoed: OT Reverse Engineering

Sofia Rita Tocco & Alexander Victor Dybendal Koefoed's presentation will cover reverse engineering and firmware analysis. They will look at common techniques in reverse engineering and how to interpret disassembled and decompiled code. They will also cover how to successfully analyze firmware for embedded devices.

The workshop will run for 4 hours. After an introduction to reverse engineering and firmware analysis techniques, the remainder of the time is spent applying them in practice by analyzing real firmware from an embedded device.

The workshop requires:

  • A PC with Linux OS or a Linux VM
  • An understanding of Linux and terminal/shell/bash
  • Basic understanding of C code
Sofia Rita Tocco
OT Security Consultant
Alexander Victor Dybendal Koefoed
Security researcher, ICSRange
09:00 - 12:30
Continued workshop with Dan Ricci: Advisory Project

Part 5: Day 1 recap. Questions from overnight. Setup verification.

Part 6: Supply Chain Risk Register. Attendees build a NIS2 Article 21(2)(d) supply chain register, including a vendor maturity scoring approach derived from advisory quality and SBOM availability.

Part 7: Sector swap exercise. Attendees re-run the workflow on a different pre-loaded sector to internalize the methodology. Optional peer collaboration during this segment.

Part 8: Q&A. Resource handout distribution.

Dan Ricci
CEO and Founder, Industrial Data Works LLC | Founder, ICS
09:00 - 10:40
Workshop with Jagannathan Raghunathan: From Risk Assessment to Cyber Physical Resilience, what actually changes on the plant floor

OT risk assessments generate findings, but resilience requires engineered change. This interactive workshop helps attendees strategize and translate risk outputs into practical plant improvements across architecture, identification, protection, detection, response, and recovery. Through guided exercises and group problem solving, participants identify the changes needed to strengthen cyber physical resilience aligned with frameworks such as ISA 62443.

Risk assessments in OT environments are improving in depth and maturity. However, many organizations struggle with the same challenge: reports are delivered, findings are prioritized, yet little material changes in architecture, engineering, operations, or resiliency capabilities. This session focuses on turning assessment insights into measurable engineering outcomes.

Rather than reviewing frameworks or threat case studies, this workshop guides participants through a practical transformation model that answers a simple question: What changes on the plant floor when resilience improves?

Participants will work through:

  • Translating risk findings into architectural redesign decisions
  • Identifying trust boundary weaknesses in zones and conduits
  • Converting identity gaps into enforceable hardware and remote access controls
  • Integrating detection capabilities into operational workflows
  • Validating recovery engineering through FAT style testing
  • Defining measurable indicators beyond compliance scores

The session includes structured small group exercises where attendees map sample assessment findings to real world operational changes. Teams will identify which controls require technical redesign, which require process adjustment, which require user up-skilling and which require governance alignment.

The workshop concludes with a repeatable five step transformation model attendees can use in their own environments:

  • Assessment: Risk identification and translation
  • Design: Engineering design and redesign
  • Implementation: Control implementation
  • Testing: Validation & commissioning
  • Operations: Continuous assurance

This is not a vendor session and does not focus on FUD driven incident narratives. It is a practical, engineering driven approach to building cyber physical resilience that attendees can apply within their organizations.

Participants will leave with:

  • A structured risk to resilience canvas and a structured actionable framework
  • A plant floor change mapping framework
  • Practical metrics to demonstrate measurable improvement
  • Guidance for aligning security, operations, and leadership

The goal is measurable change, not just better reports.

Jagannathan Raghunathan
Director Cyber Physical Security, Bureau Veritas
09:10
Practical OT Cyber Risk Assessment in Refining and Petrochemical Industries: Lessons Learned from BowTie and Scenario-Based Analysis

Refining and petrochemical facilities operate complex cyber-physical systems where cybersecurity incidents can impact safety, environmental integrity, and production continuity.

Despite the availability of established methodologies, organizations often face challenges in translating OT cyber risk assessments into actionable outcomes for engineering and operations teams.

This presentation shares practical experience from implementing a structured OT cyber risk assessment in large-scale refining environments, combining BowTie modeling with scenario-based analysis. Emphasis is placed on key preparation activities, including system scoping, functional decomposition, simplified representation of communication paths, and establishing a realistic baseline of existing controls.

The approach enables the mapping of cyber threats to operational process deviations and safety-relevant consequences, facilitating meaningful engagement across multidisciplinary stakeholders. Key challenges encountered include data limitations, variability in system documentation, and stakeholder alignment.

Lessons learned highlight the importance of maintaining simplicity in analysis, ensuring consistency in risk evaluation, and effectively transitioning from assessment results to prioritized and implementable mitigation actions aligned with operational constraints. The presentation provides a practice-oriented perspective on the application of OT cyber risk assessment in complex industrial environments.

Konstantinos Patsialas
OT Cybersecurity Officer, HELLENiQ ENERGY
10:00
From Signals to Shutdowns: Tags, Transmitters, and Trips in Cyber-Physical Systems

Cyber-Physical Systems (CPS) tightly integrate digital control with physical processes through sensors, actuators, and industrial control systems that monitor and operate critical infrastructure. Yet most security and monitoring approaches focus primarily on network traffic, leaving significant blind spots in the engineering and process layers where real operational behavior occurs.

This session explores how engineering intelligence derived from instrumentation tags, transmitters, control logic, and safety trips can provide the contextual awareness needed to understand what is truly happening inside cyber-physical environments. By correlating process signals with cyber indicators, organizations can detect subtle anomalies, prioritize operational risk, and improve resilience across safety-critical systems in energy, manufacturing, and other industrial sectors.

Jalal Bouhdada
Founder & CEO, Indurex
11:10
Assessing Railway Cybersecurity Threats in the Modern Era

Railway systems are rapidly evolving into highly digitized, interconnected infrastructures, integrating operational technology (OT), information technology (IT), signaling systems, and passenger services. While this transformation improves efficiency and safety, it also significantly expands the attack surface for cyber threats.

This presentation, "Assessing Railway Cybersecurity Threats in the Modern Era," explores the unique cybersecurity challenges facing the rail sector today. It provides a structured approach to identifying, analyzing, and prioritizing threats across critical railway components, including signaling systems, railway crossings, control centers, and supporting OT infrastructure.

Drawing on real-world scenarios and emerging threat intelligence, the session highlights common attack vectors, threat actors, and vulnerabilities specific to railway environments. It also introduces practical assessment methodologies aligned with industry frameworks (such as risk-based and threat-informed approaches), enabling organizations to better understand their exposure and resilience posture.

Martin Fabry
Critical Infrastructure Cybersecurity Consultant, Accura
11:10 - 12:30
Workshop with Mischa Diehm: On-Premises AI for Industrial Network Security: Lessons from Building a Data-Sovereign Agent

In industrial and critical infrastructure environments, the data that would make AI most valuable is also the data operators are least willing to expose to public cloud services: network topologies, device configurations, asset context, IP plans, and log data. Yet these are exactly the data sets an AI agent must be grounded in to produce useful, trustworthy results for incident response, segmentation review, and security hardening.

This talk presents a practical architecture for on-premises AI-assisted network security that keeps sensitive data inside the operator's environment. It combines an open-source assistant layer, locally hosted AI models (LLMs), and an open integration layer based on the Model Context Protocol (MCP), allowing the agent to work with local OT data such as logs, topology, and configurations. The focus is on how these layers work together to make local AI operationally useful in real environments.

Using multi-vendor OT network and log data, the session shows the concrete use cases this architecture can support. These include network-wide security assessments, segmentation reviews, hardening checks across many devices, change detection and forensic timelines, and incident response workflows where logs, topology, and device context must be correlated quickly.

The emphasis is on engineering reality rather than AI hype: how MCP tool design affects reliability, how grounded access to live systems reduces hallucinations, and which trade-offs remain compared with cloud models in terms of speed, context limits, and operational complexity.

Attendees will leave with a concrete blueprint for deploying data-sovereign AI in industrial security and a realistic view of where on-premises AI is already practical today.

Mischa Diehm
CTO & Founder, narrowin
11:50
Securing What Feeds Us

Food and agriculture appear on virtually every major critical infrastructure list globally, yet they almost never appear on ICS conference programs. This session aims to fix that.

Do you know how many technology touch points your food had before it reached your plate? Most OT professionals would be surprised by the answer, and more surprised by how few of those systems were built with security in mind. Dairy, fisheries, aquaculture, and agricultural technology are among the most connected subsectors in food and agriculture. They are also among the least examined by the security community.

A cyberattack-driven foodborne illness event is not a distant scenario. It is a foreseeable outcome of where this sector currently sits: systems built for the analog era rather than the internet, agricultural technology (Ag-tech) that is insecure by design, and the biological realities of food production. When environmental controls, monitoring platforms, and food safety systems are compromised, the effects do not stay inside the network; they enter the food supply.

This session maps where food and agriculture are most vulnerable, traces their connection to energy, water, transportation, and telecommunications, and gives OT and ICS professionals something they rarely get from a food and agriculture conversation: a reason to care that goes beyond what they had for breakfast. For European practitioners, that conversation now has a regulatory dimension. NIS2 has explicitly included food and agriculture within the scope of essential services obligations, but implementation across member states is uneven, and most of the sector is still working out what compliance looks like in practice. The gap between regulation on paper and security in the field is significant.

Delegates will leave with:

  • An understanding of where food and agriculture are most vulnerable to cyberattack, across dairy, fisheries, aquaculture, cattle operations, and agricultural technology.
  • A clearer picture of how failures in food systems move across the critical infrastructure sectors they work in every day.
  • An honest assessment of why a cyberattack-driven food safety event is a near-term risk, if it has not already occurred and gone unreported because reporting isn't mandated.
  • A clear answer to the question this audience rarely gets to ask: what can someone outside this sector do, and where does it start.
Kristin King
Founder, AnzenSage
12:30
Lunch and Networking
13:30
From Blueprint to Breaker: Lessons from a Real-World Substation built Secure-by-Design

How do you secure a substation that doesn't exist yet — and make sure it stays secure for the next decades?

This is the challenge a nationwide grid operator set out to solve: not the design of a single substation, but a blueprint architecture to be rolled out across the country and form the backbone of the grid for decades to come. Every security decision baked into this blueprint will be replicated hundreds of times — and so will every gap.

This session shares the unfiltered story of how an OT-specific, risk-based Security-by-Design approach was applied to that blueprint. Instead of bolting controls onto a finished engineering design — the usual fate of OT security — security shaped the architecture from day one, in lockstep with process engineers, automation designers, and asset owners.

The talk walks through the project chronologically:

  • Which security decisions belong in which design stage — and what happens when they are made too early or too late.
  • Who to bring into the room, and when — and how to ask the right question of each stakeholder to actually get a usable answer instead of a multiple-page deflection.
  • How security zones and conduits were tailored for a substation context, including the trade-offs between strict segmentation and the realities of protection, SCADA, and remote engineering access.
  • How IEC 62443 becomes the connective tissue linking risk assessment, zone & conduit design, SL-T definition, and supplier requirements into one coherent, auditable story — rather than shelf-ware.

What delegates will take away

  • A practical structure for running Security-by-Design across concrete OT design stages.
  • Stakeholder engagement patterns that surface the answers security architects actually need.
  • Zone and conduit design choices that hold up under real substation operating conditions.
  • A working model for using IEC 62443 as a decision-making framework, not a compliance checkbox.
  • A blueprint mindset for scaling Secure-by-Design without diluting quality.

The session is aimed at OT security professionals, security architects, and asset owners who are tired of retrofitting security into finished drawings — and who want a candid, field-tested look at what it takes to do it right from the blueprint up.

Rakesh Bali
OT Cyber Security Architect, Nationalgrid UK
Tobias Halmans
Solution Manager, admeritia
13:30 - 17:10
Workshop with Tony Turner: OT Network Segmentation Workshop – From Planning to Implementation

Part 1: OT Network Segmentation Workshop – From Planning to Implementation

1.1. Foundations of OT Network Segmentation

  • Introductions and background
  • Understanding the operational and security benefits of segmentation
  • Analysis of common threat vectors mitigated by proper segmentation
  • Technical vs. logical segmentation approaches in industrial contexts
  • Reference architectures and segmentation models

1.2. OT Environment Assessment

  • Methodologies for documenting and analyzing existing OT network architectures
  • Asset discovery and classification techniques
  • Identifying critical systems and communication paths
  • Documenting legacy systems and protocol requirements
  • Lab Exercise: Analyzing sample OT network diagrams and identifying segmentation opportunities

1.3. Requirements Development and Resource Planning

  • Developing technical requirements for OT firewalls based on operational needs
  • Performance considerations for industrial environments
  • Staffing and skills assessment for implementation and maintenance
  • Budgeting and procurement considerations
  • Lab Exercise: Creating a requirements matrix and resource plan for a sample industrial use case.

1.4. Project Planning and Communication

  • Creating an implementation roadmap with realistic milestones
  • Identifying and managing stakeholders across IT and OT domains
  • Developing communication plans for technical and non-technical audiences
  • Change management strategies for security implementations in OT

Part 2: OT Segmentation project planning and requirements gathering

2.1. Lab Environment Setup

  • Introduction to the virtual lab environment architecture
  • Overview of simulated OT devices and communication patterns
  • Explanation of the Linux firewall platform and configuration approach
  • Accessing and navigating the lab environment

2.2. Baseline Configuration

  • Initial firewall setup and network interface configuration
  • Zone-based architecture implementation
  • Configuring basic firewall policies and default stance
  • Establishing logging and monitoring capabilities
  • Lab Exercise: Setting up the initial firewall configuration

2.3. Protocol-Specific Rule Implementation

  • Analyzing and configuring rules for common industrial protocols
  • Implementing deep packet inspection for industrial protocols
  • Configuring stateful inspection for TCP/IP-based communications
  • Creating exceptions for legacy systems and protocols

2.4. Testing and Validation

  • Methodologies for testing firewall configurations without operational disruption
  • Using packet capture tools to verify firewall behavior
  • Protocol compliance testing
  • Introduction to digital twins for modeling and simulation
  • Simulating common attack vectors to verify protection
  • Lab Exercise: Testing and validating the implemented ruleset
Tony Turner
VP of Product, Frenos
13:30 - 17:10
Workshop with Remy Stolworthy & Virginia Wright: From Blueprints to Barriers

From Blueprints to Barriers: Applying Cyber-Informed Engineering to Industrial Control Systems

 

This hands-on workshop introduces participants to Cyber-Informed Engineering (CIE) and discusses its application to real-world industrial control systems. Attendees will first explore the core principles underpinning CIE — what it is, why it matters, and how it differs from conventional cybersecurity frameworks. From there, the workshop guides participants through the 12 CIE principles, examining how each can be systematically applied to reduce cyber risk by engineering it out of systems rather than patching it away.

 

The workshop culminates in a participative case study applying CIE within a municipal water system. Working through realistic operational scenarios, participants will apply each of the principles in turn, gaining practical experience in identifying cyber risks at the design level and developing engineering-based mitigations. This collaborative exercise is designed to bridge the gap between theory and practice, equipping attendees with tools and techniques they can take back and apply immediately within their own organizations.

This workshop is ideal for ICS and OT security professionals, control system engineers, infrastructure operators, and policymakers seeking a deeper understanding of how engineering disciplines can be harnessed to build more resilient industrial systems from the ground up.

Part 1. Introduction to Cyber-Informed Engineering & Introduction to the Water Booster Pump Station Case Study

Part 2. CIE Deep Dive

  • Consequence-Focused Design
  • Engineered Controls
  • Secure Information Architecture
  • Design Simplification
  • Layered Defenses
  • Active Defense

Part 3. CIE Deep Dive

  • Interdependency Evaluation
  • Digital Asset Awareness
  • Cyber-Secure Supply Chain Controls
  • Planned Resilience
  • Engineering Information Control
  • Cybersecurity Culture

Part 4. CIE Tools, Publications, and Opportunities to Participate

Remy Stolworthy
Cybersecurity Analyst, CSDET, National & Homeland Security, Idaho National Laboratory
Virginia Wright
Cyber-Informed Engineering Program Manager, CSDET, National & Homeland Security, Idaho National Laboratory
13:30 - 15:00
Workshop with Charit Misra: Securing Non-Human Identities (NHI) in OT

In cyber-physical system environments, a human operator carries a badge, holds a defined role, works a scheduled shift, operates under a Permit-to-Work, and answers to a supervisor. Every action they can take is scoped, audited, and revocable. We know exactly who they are, what they are allowed to do, and when that authorization expires.

Now consider the autonomous agent sitting alongside that operator today. It has no badge. No shift. No PTW. No supervisor in any formal sense. It reasons, decides, and acts, sometimes on physical infrastructure, carrying nothing more than an API key and a service account that were designed for software, not for entities that think.

This is the Non-Human Identity problem in OT. And we are not ready for it.

Autonomous agents are not yet operating independently inside substations and control rooms. But the architectural decisions are being made right now: how agents are credentialed, what access they are granted, and which systems they are allowed to touch. These agents will soon move from monitoring to action, from detecting and triaging anomalies to isolating assets, from flagging risks to executing response workflows. The absence of formally defined agent identity, scoped authorization, and verifiable behavioral boundaries becomes an operational risk that no firewall addresses and no existing OT standard covers. Existing OT best practices and standards govern systems, humans, and access to critical assets. Neither was written for a principal that is simultaneously software, decision-maker, and actor in a safety-critical process.

This talk presents a framework for securing NHI in OT environments, grounding agent identity in the operational structures OT already trusts: PTW alignment, Management of Change integration, time-bounded capability scopes, and formally verified action boundaries enforced before execution, not after. The path forward is not to limit what agents can do, but to be as precise about agent authorization as we have always been about human authorization. Because in OT, the cost of getting that wrong is never just a data breach. It is the safety of human life, of the environment, and of vital infrastructure: a substation, a pipeline, a grid.

What Delegates will Learn:

  1. Delegates will leave with a clear understanding of why the Non-Human Identity problem in OT is categorically different from its IT counterpart and why the consequences of getting it wrong extend beyond data loss to the safety of people, environment, and critical infrastructure.
  2. They will be able to recognize ungoverned agent identity in their own environments, understand the attack surface it creates, and apply a practical authorization framework built on OT structures they already trust, such as PTW, MoC, time-bounded access, and formal action boundaries. They will gain the language to open this conversation internally with vendors, management, and compliance teams in terms that resonate with OT culture.
  3. Most importantly, they will leave understanding that the window to define NHI governance ahead of autonomous agent deployment is open right now and that the architectural decisions being made today will determine whether that future is secure or chaotic.
Charit Misra
Principal Engineer, Indurex
14:20
How to bridge IT and OT cybersecurity risk testing

Security is defined by the threat; resilience is the concrete result of your action (or inaction). And the threat in your environment is always changing. We will cover: building your test capabilities for insights; catching threats with proactive adversary emulation at real-world asset owners to measure across IT and OT; understanding what an attack against your organization will look like (deconstructing real-world ICS attacks and technical threats); live attack demonstrations and the defenses needed to stop them; case studies and lessons learned performing security in OT/ICS networks; and system and organizational investment opportunities that reduce attacker effects.

Bryson Bort
CEO, Scythe
15:25
IEC-104 – Why Developing a Zeek Analyzer is more than just Protocol Parsing

Zeek is a powerful open-source network security monitoring tool that creates comprehensive summaries of network activity. The established Zeek logs for protocols like HTTP and DNS have become a gold standard, leveraged by security analysts for in-depth threat hunting as well as effective alert triage. Thanks to its modular architecture, many OT protocol parser plugins have been published for Zeek recently. While these parsers do a great job of dissecting the OT protocols, they typically log detailed information about each and every PDU instead of creating actionable, high-level summaries. However, logging meaningful abstractions is key to providing a useful big picture to human analysts or AI-powered agents.

In this talk, Jan Grashöfer will explain design patterns for Zeek logs that help implement valuable abstractions, discussing these patterns using the example of IEC-104, a well-known OT protocol for power grid automation. Step by step, the talk will evolve a simple, PDU-based log into a high-level summary of the observed network activity.

The talk concludes by demonstrating how the new log can be used to easily spot and understand the Industroyer attack launched against the Ukrainian power grid, which caused blackouts.

Jan Grashöfer
Senior Security Researcher, Corelight
15:25 - 17:10
Workshop with Amit Hammer: The AI-Driven Threat Era: Why OT Cybersecurity Must Evolve Now

AI is accelerating the speed and complexity of cyber-attacks, and OT environments are increasingly in scope. As attackers adopt advanced capabilities, incidents are unfolding faster than many organizations are prepared to handle.

This session will examine how OT has quickly become a prime target, how the threat landscape is evolving, and how new AI-driven capabilities and tools are reshaping the way attacks are executed. We will also address why OT environments remain uniquely vulnerable and what existing best practices fail to address.

The discussion will focus on a critical gap: maintaining operational continuity when disruption occurs. The session will conclude with a live demonstration, showing how an attack unfolds and how operations can be restored fast and in real time.

Part 1: The AI-Driven Threat Era: Why OT Cybersecurity Must Evolve Now

The industrial sector is entering a period of unprecedented change. While AI is unlocking new opportunities for efficiency, automation, and innovation, it is also reshaping the cyber risk landscape in ways that many organizations have yet to fully grasp. For years, industrial cybersecurity discussions have focused on visibility, detection, and prevention. But as AI accelerates the speed of decision-making, system interconnectivity, and attack execution, leaders must begin asking a different question: Are today’s cybersecurity strategies designed for the realities of tomorrow’s industrial environment?

Rather than focusing solely on threats and technologies, this session will examine the broader strategic implications for industrial organizations, including:

  • How AI is reshaping the future of cyber risk in industrial environments
  • Why traditional approaches to cybersecurity may become increasingly difficult to sustain
  • The convergence of cybersecurity, operational resilience, and operational excellence
  • What industrial leaders should prioritize today to remain resilient over the next decade – what can be done?

The session will conclude with a live demonstration illustrating how modern cyber threats can impact industrial operations and what a resilience-focused response looks like in practice.

This session is intended for industrial, cybersecurity, and operational leaders seeking a strategic perspective on one of the most significant shifts currently affecting the sector: the impact of AI on the future of OT cybersecurity and operational resilience.

Part 2: AI, Cyberattacks, and Recovery Reality: Lessons from the Front Lines of Industrial Operations

AI is transforming the cyber threat landscape, enabling attackers to move faster, scale attacks more effectively, and target critical industrial operations more deeply. At the same time, industrial organizations across Europe are facing growing pressure to strengthen operational resilience and ensure that rapid recovery from disruption becomes a reality, not just a strategic plan. Drawing on real-world experience supporting Fortune 500 manufacturers, energy companies, and critical infrastructure operators across Europe and North America, Amit Hammer, CEO of Salvador Tech, will share practical lessons from actual recovery events affecting OT environments.

Attendees will learn:

  • How AI is rapidly shaping OT resilience strategies and platforms.
  • Why traditional backup and recovery approaches often fail to meet today’s operational requirements.
  • Recent lessons learned from industrial environments, specifically manufacturing, utilities, maritime, and energy organizations.
  • How leading organizations are building operational continuity and rapid recovery strategies that align with today’s threat landscape – the five key elements every industrial organization must pay attention to.

This session offers a practitioner-led perspective on what separates organizations that recover in hours from those that face days or weeks of disruption.

Amit Hammer
CEO, Salvador Tech
16:15
Surprise Keynote
16:55
Closing remarks and Day 2 summary by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
17:10
Walk & Talk
17:10
18:00
Networking Reception
18:40
Networking dinner in the restaurant – Requires separate sign up
Main Track – Building resilient cyber-physical systems

For those looking to understand the threat, the consequences, and how to build real resilience

The Main Track is the central stream of the conference, bringing together key perspectives on cybersecurity in critical infrastructure—from how attacks unfold, to their operational impact, and how organizations strengthen resilience in practice.

The program is structured around three themes:

  • Understanding the Threat – how attacks are carried out and where vulnerabilities emerge
  • Understanding the Consequences – how incidents impact operations, safety, and critical services
  • Building Resilience – how organizations prevent, detect, and respond to cyber threats in real environments

You will gain insights into:

  • current attack methods and threat actors targeting industrial environments
  • how IT/OT convergence, AI, and regulation are reshaping the risk landscape
  • real-world experiences from critical infrastructure and industrial operations
  • how cybersecurity is translated into operational resilience

The Main Track brings together strategic perspectives, operational experiences, and technical insights, making it relevant for leaders, specialists, and practitioners working with cybersecurity, operations, risk, or critical infrastructure.

Sessions can be freely combined with workshops across all workshop tracks, allowing you to build a conference experience that matches your role, interests, and level of expertise.

Advanced Technical Workshops

For those working deeply with OT security and technical solutions

This track is aimed at specialists, engineers, and technical professionals working directly with OT systems, architecture, and advanced security.

Here you will dive into:

  • advanced methods and tools
  • analysis, testing, and implementation
  • real systems and realistic scenarios

The workshops are technically demanding and require experience but provide hands-on insight into how cybersecurity works at system level in practice.

Workshop duration varies from focused single-session workshops to intensive full-day technical deep dives. To ensure a high level of engagement and hands-on interaction, each workshop is limited to a maximum of 35 attendees.

You choose the workshops that match your expertise and can combine them with sessions from the other tracks throughout the conference.

Intermediate Technical Workshops

For those turning requirements into practical solutions

This track is for professionals working with the implementation of OT/ICS security—either hands-on or bridging IT, OT, and business stakeholders.

The focus is on:

  • how to practically work with NIS2, risk, and OT security
  • how to build structures, processes, and solutions
  • how to apply tools, data, and methods in real-world settings

These workshops are hands-on and practice-oriented, where you actively work with scenarios and deliverables that can be applied directly in your day-to-day work.

Workshops range from single-session formats to full-day workshops, depending on the topic and level of depth. To maintain a practical and interactive learning environment, each workshop is limited to a maximum of 35 participants.

You are free to choose the workshops most relevant to you and combine them with the rest of the conference program.

Strategic Workshops

For those working with priorities, risk, and decision-making

This track is designed for decision-makers, leaders, and professionals responsible for setting direction for cybersecurity and resilience in critical infrastructure.

The focus is on:

  • how the evolving threat landscape impacts organizational priorities
  • how risk assessments are translated into concrete decisions
  • how governance, compliance, and business priorities connect to operations and OT

The workshops are based on real-world challenges and provide models, perspectives, and tools to help you work more systematically with risk and resilience in your organization.

Workshops in this track vary in length from a single session to a full-day format, allowing for both focused deep dives and more comprehensive learning experiences. To ensure interaction, discussion, and direct access to instructors, participation is limited to a maximum of 35 attendees per workshop.

You can attend one or more workshops in this track and combine them with sessions from the main conference program.

08:00
Welcome to Day 3 of ISC-CPH – Enjoy breakfast and networking before we begin
09:00
Opening remarks by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
09:00 - 15:30
All day Workshop with Ronald Brash: Threat Modeling in OT – Trying to Reset Risk and Cyber Reality

Part 1: Intro:

This introductory session is designed to cover the course summary, the origin of the material, and an overview of threat modeling using a real-world example. Topics in this segment will be:

The Threat Model: Introduction to the concept and justification for performing threat modeling.

Contextualizing Threat Modeling: Defining what differentiates a threat model from a Business Impact Analysis (BIA), while also recognizing where the two overlap. The session will also discuss the effect of a threat model and risk for the CRA. (Note: BIA is also part of the general prep work basics and is revisited during the lab session).

Resources and Lingo: Covering the types of threat models available and resources such as the MSFT book, MSFT tool, Miro tool, and others online. It will introduce the basic terminology (lingo) required for a layperson model and the typical workflow for an item in scope. The knock-on effects of threat modeling will also be discussed.

Naive Example: Depending on the audience, a flawed example will be introduced to highlight thought process gaps. This example will start with a simple set of tooling and a software application, followed by an asset in a data center.

Summarizing the Foundational Concepts through one of the examples, leading participants towards the main conceptual gaps:

  • Scope: Defining the Subject Under Consideration (SuC) and its essence.
  • Context: Understanding the who, what, where, and why of the system.
  • Knowledge: Determining the level of knowledge required for proficiency.
  • Evaluation: Determining threats, risk, impacts, and controls
  • Completion: Establishing when the process is truly finished.

Part 2: SuC Model Patterns & Technical Background

This hour focuses on developing a technical vocabulary for system modeling and introducing the concept of patterns to streamline the threat modeling process.

  • System Patterns (Duality): Introducing the idea that nearly every system is not unique at some level, but also maintains a unique duality. Approaching patterns is presented as a crucial way to solicit feedback and serve as an effective communication medium.
  • Defining Elements: Establishing clear distinctions between the various components that make up a system model: Components vs. assets vs. processes vs. data stores vs. flows vs. external vs. actors.
  • Specific Patterns: Reviewing common system patterns, including: standalone embedded, mobile, cloud, standalone app, hybrid, asset, and facility.
  • Analysis Distinction: Clarifying the fundamental differences between Threats vs. Risk vs. Impacts vs. Controls. (Note: Risk, threats, and impacts are also covered in the basics during prep work).
  • Handouts: Handouts are provided for each of these distinctions.

Part 3: Lab PT1: System Modeling

This session is dedicated to applying the foundational concepts and technical vocabulary—the Subject Under Consideration (SuC) Model Patterns and Defining Elements—discussed in the previous hours. The goal is to build a robust model of a system, postponing the discussion of actual threats, risk, and controls until the afternoon sessions.

Participants will break into small groups of 3 (total of 6 groups for 18 people). Each group member assumes one of the following roles to ensure diverse perspectives are immediately integrated:

  • Business Analyst (BA) or Risk Owner
  • Cyber Security Expert
  • Technical Person (with deep system knowledge)

The 45-minute lab time will be structured as follows:

  1. Individual Response (10 minutes): Each person independently tackles the modeling challenge based on their role.
  2. Group Compilation (15 minutes): The group combines individual answers into a unified, draft model.
  3. Model Finessing (20 minutes): The team refines the model and prepares for presentation.

Lab Objectives and Focus Systems

Teams will receive briefings and use whiteboards and markers to model one of the following systems, which represent various Specific Patterns covered previously (e.g., embedded, mobile, cloud, facility):

  • Insulin pump with an app
  • PLC for an HVAC system
  • ATG (Automatic Tank Gauge) for a gas station
  • Mobile app accessing a smart water meter
  • BAHA (Bone Anchored Hearing Aid) sound processor
  • Facility with an edge collector and cloud historian

Required Modeling Elements

The primary task is to define the system’s architecture using the Defining Elements introduced in the 10AM-11AM session:

  • Identify the types of Processes, Interfaces, Data Stores, Boundaries, Flows, Actors, and Externals.
  • Detail the properties of these components and their exposure aspects.
  • Establish the overall Context of the system of systems, including a preliminary impact assessment. This context must include:
    • A napkin BIA (Business Impact Analysis, revisited from the prep work/9AM session).
    • HARM (physical harm) considerations.
    • HSE (Health, Safety, and Environment) considerations.
    • Engineering considerations.
    • Cybersecurity considerations.
    • Potential knock-on effects.
  • Apply the “If it was my money” perspective to ensure practicality and relevance.

Part 4: Putting the Threat In the Model (System, component, beyond)

Following the 11AM-12PM session, which focused on establishing the system’s architecture and Defining Elements (processes, data stores, boundaries, etc.), this hour shifts to:

  • Actors, targets, your SuC, and beyond
  • Identifying and articulating specific threats.
  • Moving beyond simply modeling the system to actively applying threat identification methodologies (such as DFD3) to their group’s assigned system.

The focus is on examining how threats manifest across different levels of granularity—from the overall system down to individual components and their flows—and considering how threats leverage external factors or result in knock-on effects. The session then bridges the technical definition of the system with the first crucial step of the Analysis Distinction and, finally, details how various threats can exploit the system’s defined properties and exposure aspects.

The goal is to produce a list of relevant, specific threats that the groups can use in the next hour, ensuring they are grounded in the previously defined Scope and Context of the system.

Assessing the controls, risk, and mitigating factors

This hour integrates the remaining aspects of the Analysis Distinction—Risk, Impacts, and Controls—building directly on the threat list generated in the previous session.

Participants will learn how to formally assess the severity of identified threats by incorporating the preliminary BIA, HARM, and HSE analysis performed during the morning lab. The idea is to clarify the necessary distinction between a “threat” (a potential malicious action) and the resulting “risk” (the likelihood and impact of that action).

The core activity involves evaluating existing controls and proposing new mitigating factors, framed by the practical “if it was my money” perspective. This ensures that control implementation and evaluation of residual risk are both effective and pragmatic, leading to a comprehensive understanding of how specific vulnerabilities lead to quantifiable risk.

LAB PT2 & Understanding completion & communicating

The final hour begins with LAB PT2, where groups integrate their identified threats and evaluated risk/controls from the prior sessions into their established system models. This hands-on activity expands on the earlier LAB PT1 ideas and leads directly into the critical discussion of the final Foundational Concept introduced at 9AM: Completion & Communication.

This section defines the necessary criteria for determining when the threat modeling process is truly finished, ensuring the model is not only thorough but actionable.

Finally, no model is complete without exposing its value and understanding the stakeholder, or whether you will need to titrate the results. This addresses the crucial element of communicating the completed threat model, and how to translate the technical findings into language appropriate for different stakeholders—including the risk owner, the technical team, and the cyber security expert—thereby ensuring the model’s insights drive effective decision-making.

Ronald Brash
Cybersecurity Professional & Technical Researcher
09:00 - 13:30
Workshop with Saltanat Hoffman: Building Resilient Disaster Recovery Strategy in OT Through Practical, Hands-On Scenarios

This workshop aims to demystify (and further develop in an engineering-centric way) the often single-sentence IRP instruction “recover affected systems.” It will help asset owners and operators develop a workable strategy for systematic recovery, reconstitution, and operational resumption. The workshop will work through a mock scenario of a refinery utilities operation and discuss the steps involved in developing a DR plan.

Delegates will be able to leverage the discussed scenario and handouts to improve upon their own IRP and DR plans or have the capability to begin developing those documents if they don’t exist upon returning to work.

Part 1: Specifying disaster criteria & Identifying cyber-specific loss scenarios that cause those disasters

Part 2: Specifying recovery team responsibilities starting from the activation phase followed by recovery and reconstitution

Part 3: Identifying automation and control system function recovery priority & performing a dependency analysis of recovery priority

Part 4: Documenting reconstitution steps to correct for any data deviation that has been introduced during recovery & Developing assurance and handover qualifications for process restart

Saltanat Hoffman
Global Cybersecurity Services Engineer Product Manager, Eaton
09:00 - 11:50
Workshop with Jens Christian Vedersø, Andreas Winther Jessen & Morten Simonsen: Hitchhiker’s guide to OT risk management

– the art of avoiding perplexity when navigating across frameworks, organizational cultures, and incentives

Cyber risk management of OT environments is not just about segmentation and network monitoring. The real challenge is that you must navigate three distinct domains simultaneously: the technical-operational, the business-strategic, and the intra-organizational — each with its own language, incentives, and risk perception. For example, a vulnerability identified by a security monitoring specialist may not constitute a business risk. And raising the alarm may be a career risk for the system owner, the CISO or the CFO.

This workshop addresses that complexity directly. Three practitioners from different disciplines — ICS security, financial risk modelling, and security governance — demonstrate that measuring and communicating cyber risk is not only possible but expected at every level of the organization.

The session moves from theory to practice: presentations establish a shared conceptual foundation, followed by a structured tabletop exercise where participants manage cyber risk under resource constraints and live incident pressure. The closing debrief panel debates the choices and the constraints of modelling cyber risk.

Participants leave with experience in navigating multiple vocabularies across organizational layers and a concrete understanding of risk simulation and modelling.

Participants will:

  • Understand why cyber risk management is structurally difficult, and requires multiple languages to bridge strategic, technical and organizational domains
  • Get practical experience with simplistic risk quantification
  • Get a practical introduction to IEC 62443 risk assessment as a starting point
  • Experience simulation as a tool for measuring, communicating and monitoring risk over time

Target Audience

All levels — OT engineers, security managers, CISOs, risk owners, and executives. The session is explicitly designed to be useful across organizational layers simultaneously. The tabletop exercise is most valuable with a mixed audience: the differences in decision-making between participants are themselves the learning outcome.

Part 1: Why Cyber Risk Management is Hard

A framing of the three domains every risk manager must navigate simultaneously — technical, strategic, and organizational — and why the gaps between them are where organizations fail. Sets up the central premise of the workshop: that risk management is a continuous effort that requires consistent communication and risk monitoring, and cannot be limited to a transaction in which the assessed risk is mitigated.

What the CFO Expects

How the financial sector treats risk as a quantifiable, manageable variable — not a warning light. Drawing on statistical simulation methods, Andreas demonstrates what board-level risk reporting looks like in practice, and asks: why should OT cyber risk be any different? Regulatory frameworks in financial services already mandate quantified risk assessment. The tools exist. The expectation is there.

Getting Started with IEC 62443 Risk Assessment

A practical walkthrough of initial and follow-up risk assessments under IEC 62443 — how to define Security Level targets per zone, and why re-assessment mid-implementation is not failure but standard practice. Morten grounds the methodology in real-world project experience.

Bridging the Gap — A Simulation Tool

A brief introduction to a MITRE ATT&CK-based simulation tool designed to connect operational risk findings with strategic decision-making allowing for consistent risk management. Concepts introduced: attack vectors (kill chains), mitigations (MITRE / IEC 62443 controls), and business impact (value chains and supporting functions). The tool is a proof-of-concept designed to create appetite for applying simulation tools in the ongoing risk management practice.

Part 2: Tabletop Exercise

Participants split into groups of approximately 5. Each group receives a two-page company profile and a resource budget to invest in mitigations. Over four rounds, incidents occur — groups must adapt, re-prioritize, and defend their decisions in real time. The exercise is not a competition. The goal is to surface the reasoning behind decisions — why one group prioritized detection over prevention, why another protected the wrong asset first. At the end of each round, groups briefly note the one decision they would revisit and why. Those choices become the material for debrief.

11.10 Part 3: Debrief and Panel Debate

The facilitator surfaces two or three divergent decisions from across the groups and opens them to the floor. Speakers and 2–3 participants continue as a panel to examine what the exercise revealed about how differently we assess and communicate risk depending on where we sit in the organization.

Jens Christian Vedersø
Principal Consultant, R1SK.IO
Andreas Winther Jessen
Consultant, Copenhagen Simulations
Morten Simonsen
President, ISA Denmark
09:10
Evaluating the Value & Position of Detection Engineering in OT Environment Defense

The value of “detections” is viewed as a given in information security circles, but such assumptions bury many elements of detection design, implementation, and value when applied to security operations. In this presentation, we will review detection engineering as a systematic mechanism for creating, applying, and refining alerting content, and critically evaluate precisely where detection engineering is placed with respect to adversary intrusions.

Notably, we will observe that detection engineering is not a discipline aligned with preventative actions, but rather identifying intrusions that have already taken place and are in progress. This observation of detection engineering’s place with respect to adversary timelines and kill chains reveals an interesting bifurcation in value proposition between IT and OT defense. Specifically, IT-oriented detections can meaningfully identify intrusions in progress and thus work to prevent adversaries from achieving actions on objectives within compromised environments. OT-specific detections, however, reside far later in adversary operational kill chains and in most instances provide little if any value to defenders in disrupting adversary success as a result.

The simple take-away from the above would be that detection investment is simply not as worthwhile in OT events, but this obscures the real value proposition of detections in OT security. Whereas possibilities exist for interrupting adversary operations in most IT instances, OT detections still have significant value in orienting and describing what may have taken place even if they arrive too late to respond in preventative fashion. Thus, we can look at OT-specific detections, such as identifying malicious control logic changes or application of attack code to OT devices, as having critical FORENSIC value to ascertain “just what happened” as part of incident investigation and root cause analysis. This perspective can rapidly facilitate incident triage and environment restoration by revealing adversary actions and differentiating them from more typical environment interruptions.

Joseph Slowik
Director for Cybersecurity Alerting Strategy, Dataminr
10:00
From Control to Proof: Building Audit-Ready Evidence for OT Access

Regulations and standards increasingly require not only security controls, but also evidence that those controls operate effectively. In OT environments, this is challenging: vendor access is common, maintenance windows are short, and logging is often fragmented across jump hosts, engineering workstations, identity platforms, and network layers.

This session introduces a practical “evidence engineering” approach for OT access governance aligned to NIS2 and IEC 62443 programs. We define what “good evidence” looks like in operational terms—who accessed what, when, why, under whose approval, and what happened in the session—and how to design access workflows so evidence is produced by default rather than by manual reporting.

Attendees will receive a reusable blueprint for mapping OT access controls to common audit questions, implementing time-bounded access for maintenance windows, and producing defensible session/accountability artifacts that support both investigations and compliance reporting. We will also cover common failure patterns (shared accounts, standing access, uncorrelated logs) and how to close these gaps without disrupting production.

Mary Hanson
Field CISO / OT Strategist, SSH Communication Security
11:10
How a complex electrical OT network moved from an opaque and reactive system into transparent, manageable, and resilient infrastructure

Use case from an industrial electrical network: Passive, fail-safe data acquisition combined with intelligent traffic aggregation and filtering enables full-spectrum visibility—without impacting sensitive industrial processes.

Attendees will discover how this project dramatically simplified tool deployment, accelerated troubleshooting, and strengthened cybersecurity monitoring across legacy and modern systems alike. The use case highlights key benefits including reduced operational overhead, improved incident response, minimized downtime, and optimized tool efficiency.

Beyond the technical architecture, we will also share practical lessons learned: deployment strategies in constrained environments, integration techniques with existing monitoring and security tools, and how to scale visibility as infrastructure evolves.

Roxana Magdo
Cyber Security for Industrial Networks Professional, Cubro
11:50
Lunch and Networking
12:50
OT Assessment & Penetration Testing in a Live Environment

Penetration testing and security assessments are critical in industrial environments, but can they really be performed safely in a live environment?

In this session, Søren Egede Knudsen will explore exactly that challenge. He will share practical approaches for conducting OT assessments and penetration tests without disrupting operations, while also demonstrating how these activities can deliver real value to both process control and the business.

Unlike traditional FAT (Factory Acceptance Testing) or SAT (Site Acceptance Testing), this talk focuses on the complexities and opportunities of working directly in live environments.

Attendees will gain valuable insights whether they are commissioning assessments and penetration tests, or preparing to perform them in operational OT settings.

Søren Egede Knudsen
Senior Cyber Security Consultant, Independent
12:50
Workshop with Samuel L Alva: Operational Technology “Quantifying Risk through the eyes of the Adversary”

This presentation examines how the Terrorist Lifecycle and the Cyber Kill Chain—two frameworks describing adversary planning and execution across physical and digital domains—can be integrated to provide a unified view of modern hybrid threats. When combined, these models illustrate how cyber-enabled terrorist groups and APTs coordinate physical and digital actions to strengthen the effectiveness of their attacks.

Quantifying risk in OT environments requires a multidisciplinary methodology. We will outline how targeted, cross-disciplinary remediation strategies can be applied to identify, prioritize, and mitigate risks. The session will also introduce the CP RAM approach, a structured method for managing cyber-physical risk across critical infrastructure.

Samuel L Alva
Director of OT Security, Novacoast
13:55
CRA – what does the Cyber Resilience Act mean in practice for OT and industrial environments?

The EU’s Cyber Resilience Act (CRA) introduces new requirements for product security, vulnerability handling, and lifecycle responsibility – with direct implications for manufacturers, asset owners, and operators of industrial and OT environments.

This session provides a practical legal perspective on how the CRA will impact organizations working with industrial systems, connected devices, and software components embedded in critical infrastructure. It will clarify what the regulation requires, how it relates to existing frameworks such as NIS2 and IEC 62443, and where organizations should start preparing now.

The presentation will translate legal obligations into actionable considerations, including product scope, supply chain responsibilities, documentation requirements, and vulnerability disclosure processes. It will also address key challenges in applying the CRA to complex industrial environments with long lifecycles and embedded legacy systems.

Delegates will leave with:

  • A clear understanding of the scope and core requirements of the Cyber Resilience Act
  • Insight into how the CRA interacts with NIS2, product compliance, and existing security standards
  • Practical guidance on what manufacturers, integrators, and asset owners need to prepare for now
  • Awareness of key legal and operational challenges when applying CRA in OT and industrial contexts
Emil Bisgaard
Partner, Poul Schmidt Kammeradvokaten
13:55 - 15:30
Workshop with Barbara Schraml: First steps into network monitoring

After this workshop, participants will know why network monitoring is a good idea, how to implement one using open-source components (we use Malcolm) and what to look for in PCAP data. We will finish the workshop with a practical class using realistic PCAPs.

Part 1: Introduction to OT-Monitoring

What is OT network monitoring and where is the difference between IT and OT monitoring? Why do I need it economically as well as cyber-security related? What are the low hanging fruits? What are the biggest issues we ran into so far?

Part 2: Use Case “Network Hygiene” and Use Case “Forensics” with Malcolm

  • What is Malcolm?
  • Realistic PCAP to find the “low hanging fruits” from section 1 using Malcolm
  • Forensics: How to analyze it with Malcolm?
Barbara Schraml
Subject Matter Expert, Federal Office for Information Security
14:45
Artificial Intelligence in Energy: The next revelation in Operations and Planning

Artificial intelligence is rapidly entering operations and planning discussions across the energy industry, often framed as a solution to growing complexity and data overload. In this session, Earl W. Shockley will share an experience-based perspective on where AI can genuinely strengthen operational awareness, asset risk management, compliance visibility, and planning under uncertainty, and where it can quietly introduce new reliability and governance risks if it is not properly understood and governed.

The discussion focuses on accountability, culture, and leadership decisions that determine whether AI becomes a force multiplier or a source of unintended exposure.

Earl W. Shockley
Senior Executive, INPOWERD LLC
15:25
Closing remarks by Chairman Patrick C. Miller
Patrick C. Miller
Owner, Ampyx Cyber
15:30
Capture the Flag Winner Announcement by ICSRange
15:35
Conference Close