This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.
GRID
The GIAC Response and Industrial Defense (GRID) certification validates advanced skills in detecting, defending against, monitoring, and responding to threats within industrial control systems (ICS), so that analysts can protect critical infrastructure while an intrusion is still unfolding.
Who Should Take This
This course is intended for experienced OT security analysts, incident responders, and engineers who already manage or support industrial networks. Candidates should have a solid foundation in control-system architecture and prior exposure to threat-intelligence workflows, and should want to deepen their expertise in active defense and incident response for critical infrastructure.
What's Covered
Domain 1: ICS Threat Detection
Domain 2: Active Defense for ICS
Domain 3: ICS Network Monitoring
Domain 4: ICS Incident Response Procedures
Domain 5: Threat Intelligence for ICS
Domain 6: ICS Asset Identification and Inventory
What's Included in AccelaStudy® AI
Course Outline
62 learning goals
Domain 1: ICS Threat Detection
3 topics
Detection Methodologies
- Describe signature-based, anomaly-based, and specification-based detection approaches for industrial control system environments and their respective strengths and limitations.
- Identify indicators of compromise specific to ICS environments including unauthorized PLC programming changes, anomalous process variable values, and unexpected protocol communications.
- Describe the MITRE ATT&CK for ICS framework, including the tactics and techniques adversaries use against industrial environments, and map each technique to the data sources and detection opportunities it exposes.
- Compare the effectiveness of IT-derived detection techniques versus ICS-native detection approaches for identifying attacks targeting process control logic and safety systems.
Process Behavior Monitoring
- Describe process variable monitoring techniques including historian trend analysis, setpoint deviation detection, and physical process invariant checking for cyber-physical attack detection.
- Implement process behavior alerting rules that detect abnormal operating conditions potentially caused by cyber attacks without generating false alarms during normal process transients.
- Analyze historian data to identify subtle process manipulation that may indicate a sophisticated adversary altering process values while maintaining apparent normal operation.
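The two checks these objectives describe, setpoint-deviation alerting that ignores the transient after an operator setpoint move and a physical-invariant (mass balance) check that catches a frozen or replayed level reading, as an added example in Python. This is not code from the course or from any historian product; the loop, tank geometry, tolerances and historian samples are constructed assumptions.

```python
"""Setpoint-deviation alerting with transient suppression, plus a physical
mass-balance invariant check, over constructed historian samples.
(Added example; the loop, tank size, tolerances and data are assumptions.)"""
from dataclasses import dataclass


@dataclass
class LoopSample:
    t: float          # seconds since start of the historian window
    setpoint: float   # controller setpoint (SP)
    pv: float         # measured process variable (PV)


def setpoint_deviation_alerts(samples, tolerance, settle_time):
    """Alert once when |PV - SP| exceeds `tolerance` continuously for at least
    `settle_time` seconds.  The clock starts at the later of the deviation onset
    and the most recent setpoint change, so the transient that follows an
    operator setpoint move is not treated as an attack."""
    alerts = []
    last_sp = None
    sp_changed_at = samples[0].t
    deviation_start = None
    alerted = False
    for s in samples:
        if last_sp is None or s.setpoint != last_sp:   # setpoint move resets the clock
            last_sp, sp_changed_at = s.setpoint, s.t
            deviation_start, alerted = None, False
        if abs(s.pv - s.setpoint) > tolerance:
            if deviation_start is None:
                deviation_start = s.t
            if not alerted and s.t - max(deviation_start, sp_changed_at) >= settle_time:
                alerts.append((s.t, s.setpoint, s.pv))
                alerted = True
        else:                                           # back in band: reset
            deviation_start, alerted = None, False
    return alerts


@dataclass
class TankSample:
    t: float
    level_m: float
    inflow_m3s: float
    outflow_m3s: float


def mass_balance_violations(samples, area_m2, max_residual_m):
    """Physical invariant for a tank: dL = (F_in - F_out) * dt / A.
    A level reading that stays flat while the flows say it must rise (a replayed
    or spoofed sensor value) shows up as a residual larger than sensor noise."""
    violations = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        predicted = prev.level_m + (prev.inflow_m3s - prev.outflow_m3s) * dt / area_m2
        residual = cur.level_m - predicted
        if abs(residual) > max_residual_m:
            violations.append((cur.t, round(residual, 3)))
    return violations


# Constructed historian extracts (not real plant data).
FLOW_LOOP = [LoopSample(t, sp, pv) for t, sp, pv in [
    (0, 100, 100.0), (10, 100, 100.3), (20, 100, 99.8), (30, 100, 100.1), (40, 100, 100.0), (50, 100, 99.9),
    (60, 120, 100.0), (70, 120, 106.0), (80, 120, 112.0), (90, 120, 117.0),   # normal transient after SP move
    (100, 120, 119.2), (110, 120, 120.1), (120, 120, 119.9), (130, 120, 120.0), (140, 120, 120.2),
    (150, 120, 119.8), (160, 120, 120.0), (170, 120, 120.1), (180, 120, 119.9), (190, 120, 120.0),
    (200, 120, 123.5), (210, 120, 124.0), (220, 120, 124.2), (230, 120, 124.5),  # sustained drift, no SP change
    (240, 120, 124.4), (250, 120, 124.6), (260, 120, 124.8), (270, 120, 125.0),
]]

TANK = [TankSample(t, lvl, 0.010, 0.005) for t, lvl in [
    (0, 1.00), (60, 1.15), (120, 1.30), (180, 1.45),
    (240, 1.45), (300, 1.45),   # reading frozen while net inflow continues
]]

if __name__ == "__main__":
    print(setpoint_deviation_alerts(FLOW_LOOP, tolerance=2.0, settle_time=60))
    print(mass_balance_violations(TANK, area_m2=2.0, max_residual_m=0.05))
```

The setpoint move at t=60 produces a 30-second excursion that never alerts; the drift from t=200 with no setpoint change alerts once it has persisted for the settle time. The tank check flags the two samples where the level stays at 1.45 m although the flow balance says it must have risen by 0.15 m each minute.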
Endpoint Detection in OT
- Describe endpoint detection capabilities for ICS including host-based monitoring of engineering workstations, HMI servers, and historian systems with minimal performance impact.
- Implement application whitelisting on ICS endpoints to prevent unauthorized executable code from running on HMI stations, engineering workstations, and data servers.
- Configure USB device control and removable media policies for OT environments to prevent malware introduction through portable media while allowing authorized maintenance activities.
Domain 2: Active Defense for ICS
4 topics
Threat Hunting in OT
- Describe threat hunting methodologies adapted for ICS environments including hypothesis-driven hunting, data-driven analysis, and intelligence-driven hunt operations.
- Implement threat hunting campaigns targeting MITRE ATT&CK for ICS techniques including lateral movement from IT to OT, engineering tool abuse, and manipulation of view.
- Analyze threat hunting results to identify persistent adversary access, dormant implants, and pre-positioned attack capabilities in operational technology environments.
Deception Technologies
- Describe ICS honeypot and decoy technologies including simulated PLCs, HMI servers, and industrial protocol responders designed to attract and detect adversary reconnaissance.
- Implement ICS-specific honeypots using tools such as Conpot (an ICS/SCADA honeypot), or a simulated process environment such as GRFICSv2 deployed as a decoy, to emulate industrial protocols and attract adversary activity for detection and intelligence collection.
- Configure deception breadcrumbs including fake credentials, synthetic network services, and decoy engineering documents to detect adversary lateral movement within OT networks.
- Evaluate the effectiveness of deception deployments by analyzing adversary interaction data, measuring dwell time reduction, and assessing false positive rates of decoy alerts.
Active Defense Planning
- Describe the five categories of the Sliding Scale of Cyber Security (architecture, passive defense, active defense, intelligence, and offense) and map ICS defense capabilities to each maturity level.
- Implement detection use cases aligned to the two-stage ICS Cyber Kill Chain (Stage 1 intrusion, Stage 2 ICS attack development and execution), covering the ATT&CK for ICS tactics of initial access, execution, persistence, lateral movement, and impact specific to operational technology.
- Assess active defense program maturity by evaluating detection coverage against ATT&CK for ICS techniques, hunt cadence, and integration with incident response procedures.
ICS Security Exercises
- Describe ICS-specific tabletop exercise scenarios including ransomware targeting HMI systems, supply chain compromise of PLC firmware, and insider threat against safety systems.
- Implement red team and blue team exercises for ICS environments using network ranges with realistic industrial protocol traffic and simulated control processes.
- Evaluate exercise outcomes to identify detection gaps, communication failures, and procedure deficiencies requiring remediation in the ICS security program.
Domain 3: ICS Network Monitoring
3 topics
Zeek for ICS Protocols
- Describe Zeek network security monitor architecture including event engine, script interpreter, and logging framework with ICS protocol analysis capabilities.
- Configure Zeek's built-in Modbus and DNP3 analyzers, and add-on parsers such as the ICSNPP package for BACnet, to parse and log industrial protocol transactions from network captures.
- Implement custom Zeek scripts to detect suspicious ICS protocol activity including unauthorized function codes, abnormal polling intervals, and unexpected device communications.
- Analyze Zeek log output to identify reconnaissance scanning, unauthorized Modbus writes, and DNP3 command sequences indicative of adversary interaction with control devices.
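Two of the detections these objectives ask for, written against Zeek's modbus.log in its default tab-separated ASCII format, as an added example in Python (not code from the course or from the Zeek project). The log lines are constructed; the engineering-station allowlist and the 2-second engineered poll rate are assumptions. The function names in the `func` column are those Zeek's Modbus analyzer writes.

```python
"""Detections over Zeek modbus.log (default TSV format).  Added example; the
hosts, allowlist and poll rate are assumptions and the log lines are constructed."""
from collections import defaultdict

# Function names as Zeek's Modbus analyzer writes them to the `func` field.
WRITE_FUNCS = {
    "WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_COILS",
    "WRITE_MULTIPLE_REGISTERS", "WRITE_FILE_RECORD", "MASK_WRITE_REGISTER",
    "READ_WRITE_MULTIPLE_REGISTERS",
}


def parse_zeek_tsv(text):
    """Turn a Zeek ASCII log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def unauthorized_writes(rows, allowed_writers):
    """Any write function code from a host that is not an engineering station."""
    return [(float(r["ts"]), r["id.orig_h"], r["id.resp_h"], r["func"])
            for r in rows
            if r["func"] in WRITE_FUNCS and r["id.orig_h"] not in allowed_writers]


def polling_anomalies(rows, expected_interval_s, tolerance=0.5):
    """Per (client, server) pair, compare the median gap between read requests
    with the engineered poll rate; a scanner or rogue client polls far faster."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["func"].startswith("READ_"):
            by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    findings = []
    for pair, stamps in by_pair.items():
        if len(stamps) < 3:
            continue
        stamps.sort()
        gaps = sorted(b - a for a, b in zip(stamps, stamps[1:]))
        median = gaps[len(gaps) // 2]
        if abs(median - expected_interval_s) > tolerance * expected_interval_s:
            findings.append((pair, round(median, 3)))
    return findings


def _row(ts, uid, orig, oport, resp, func, exc="-"):
    return "\t".join([f"{ts:.6f}", uid, orig, str(oport), resp, "502", func, exc])


# Constructed modbus.log: an HMI polling a PLC every 2 s, an engineering
# workstation doing one authorised write, and a rogue host scanning then writing.
SAMPLE_LOG = "\n".join([
    "#separator \\x09", "#path\tmodbus",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring",
    *[_row(1700000000 + 2 * i, f"CHmi{i}", "10.1.1.10", 50001, "10.1.2.5", "READ_HOLDING_REGISTERS")
      for i in range(5)],
    _row(1700000005, "CEws1", "10.1.1.20", 51000, "10.1.2.5", "WRITE_SINGLE_REGISTER"),
    *[_row(1700000003 + 0.05 * i, f"CRog{i}", "10.1.1.77", 40000 + i, "10.1.2.5", "READ_COILS")
      for i in range(4)],
    _row(1700000007, "CRog9", "10.1.1.77", 40009, "10.1.2.5", "WRITE_MULTIPLE_REGISTERS"),
])

ALLOWED_WRITERS = {"10.1.1.20"}   # engineering workstation (assumed)

if __name__ == "__main__":
    rows = parse_zeek_tsv(SAMPLE_LOG)
    print(unauthorized_writes(rows, ALLOWED_WRITERS))
    print(polling_anomalies(rows, expected_interval_s=2.0))
```

The same logic ports directly to a Zeek script hooked on `modbus_message` events; parsing the log after the fact is the form most useful for hunting over an existing sensor's output.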
Packet Capture Analysis
- Describe pcap analysis techniques for ICS traffic including Wireshark dissectors for Modbus, DNP3, EtherNet/IP, and S7comm protocol inspection.
- Implement pcap collection infrastructure for ICS networks using network TAPs and SPAN ports positioned to capture traffic between control system zones.
- Analyze industrial protocol pcap captures to reconstruct adversary actions including command injection into PLCs, firmware upload attempts, and data exfiltration via covert channels.
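Reconstructing PLC commands from a capture comes down to walking the MBAP-framed requests in the reassembled TCP payload and decoding the write PDUs. The parser below is an added example in Python, not code from the course or from Wireshark's mbtcp dissector; the frames are constructed with struct.pack rather than taken from a real pcap, and the capture boundary is simulated by a truncated fourth frame.

```python
"""Reassembled Modbus/TCP payload -> decoded requests, so a sequence of writes
to a PLC can be reconstructed from a capture.  Added example: the frames are
constructed with struct.pack, not extracted from a real pcap."""
import struct
from dataclasses import dataclass, field
from typing import Optional

FUNCTION_NAMES = {
    0x01: "READ_COILS", 0x02: "READ_DISCRETE_INPUTS", 0x03: "READ_HOLDING_REGISTERS",
    0x04: "READ_INPUT_REGISTERS", 0x05: "WRITE_SINGLE_COIL", 0x06: "WRITE_SINGLE_REGISTER",
    0x0F: "WRITE_MULTIPLE_COILS", 0x10: "WRITE_MULTIPLE_REGISTERS",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int] = None                 # starting coil/register address
    values: list = field(default_factory=list)    # quantity for reads, data for writes

    @property
    def name(self):
        return FUNCTION_NAMES.get(self.function, f"FUNC_{self.function:#04x}")


def parse_modbus_stream(data: bytes):
    """Walk MBAP-framed requests in a TCP payload.  Returns (requests, leftover)
    where leftover is an incomplete trailing frame still waiting for more bytes."""
    requests, off = [], 0
    while len(data) - off >= 7:                                # MBAP header is 7 bytes
        tid, proto, length, unit = struct.unpack(">HHHB", data[off:off + 7])
        if proto != 0:
            raise ValueError(f"protocol id {proto} at offset {off}: not Modbus/TCP")
        end = off + 6 + length                                 # length counts unit id + PDU
        if end > len(data):
            break                                              # partial frame
        pdu = data[off + 7:end]
        fc = pdu[0]
        req = ModbusRequest(tid, unit, fc)
        if fc in (0x01, 0x02, 0x03, 0x04):
            req.address, qty = struct.unpack(">HH", pdu[1:5])
            req.values = [qty]
        elif fc in (0x05, 0x06):
            req.address, val = struct.unpack(">HH", pdu[1:5])
            req.values = [val]
        elif fc == 0x10:
            req.address, qty, count = struct.unpack(">HHB", pdu[1:6])
            req.values = list(struct.unpack(f">{qty}H", pdu[6:6 + count]))
        elif fc == 0x0F:
            req.address, qty, count = struct.unpack(">HHB", pdu[1:6])
            req.values = list(pdu[6:6 + count])                # packed coil bytes
        requests.append(req)
        off = end
    return requests, data[off:]


def write_timeline(requests):
    """Only the state-changing commands, in transaction order."""
    return [(r.transaction_id, r.name, r.address, r.values)
            for r in requests if r.function in WRITE_CODES]


def _frame(tid, unit, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed payload: a routine read, a setpoint write, a two-register write,
# and the first 7 bytes of a fourth frame cut off by the capture boundary.
SAMPLE_STREAM = (
    _frame(1, 1, struct.pack(">BHH", 0x03, 0x0000, 10))
    + _frame(2, 1, struct.pack(">BHH", 0x06, 0x0010, 3000))
    + _frame(3, 1, struct.pack(">BHHB", 0x10, 0x0020, 2, 4) + struct.pack(">HH", 1, 0))
    + struct.pack(">HHHB", 4, 0, 6, 1)
)

if __name__ == "__main__":
    reqs, rest = parse_modbus_stream(SAMPLE_STREAM)
    for line in write_timeline(reqs):
        print(line)
    print("leftover bytes:", rest.hex())
```

Feed it the payload of one direction of a TCP stream (for example from `tshark -z follow,tcp,raw`) and it yields the write history against each unit, including partial frames that need the next capture file to complete.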
Centralized Log Management for OT
- Describe log collection challenges in OT environments including limited syslog support, proprietary event formats, and bandwidth constraints on industrial networks.
- Implement centralized log aggregation for ICS environments collecting events from firewalls, IDS sensors, Windows event logs, and industrial device logs into a SIEM platform.
- Configure correlation rules in SIEM platforms to detect multi-stage ICS attacks by linking network events, authentication logs, and process alarms across IT and OT boundaries.
- Evaluate SIEM detection coverage for ICS-specific attack scenarios by mapping detection rules to MITRE ATT&CK for ICS techniques and identifying gaps.
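A multi-stage correlation of the kind the SIEM objective describes, linking a Windows logon event, a Zeek Modbus write and a historian alarm across the IT/OT boundary, as an added example in Python rather than any SIEM vendor's rule language. The host-to-IP mapping, zone prefix, windows and the normalised events are constructed assumptions.

```python
"""Cross-boundary correlation: a remote logon to an engineering workstation from
the IT zone, followed by a Modbus write to a PLC and a setpoint alarm.  Added
example; host names, zones, event fields and timings are constructed."""
from datetime import datetime, timedelta

OT_PREFIX = "10.1."                    # OT zone addressing (assumed)
HOST_IPS = {"EWS01": "10.1.1.20"}      # from the asset inventory (assumed)
WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
               "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS"}


def correlate_it_to_ot_writes(events, logon_window=timedelta(minutes=15),
                              alarm_window=timedelta(minutes=10)):
    """For each Modbus write from host H, look back `logon_window` for a network or
    RDP logon (4624, LogonType 3/10) to H from outside the OT zone.  If a process
    alarm on the target device follows within `alarm_window`, raise the severity."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for w in events:
        if w["source"] != "zeek_modbus" or w["func"] not in WRITE_FUNCS:
            continue
        logons = [
            e for e in events
            if e["source"] == "windows" and e["EventID"] == 4624
            and e["LogonType"] in (3, 10)
            and HOST_IPS.get(e["Computer"]) == w["orig_h"]
            and not e["IpAddress"].startswith(OT_PREFIX)
            and w["ts"] - logon_window <= e["ts"] <= w["ts"]
        ]
        if not logons:
            continue
        alarms = [
            e for e in events
            if e["source"] == "historian" and e["device"] == w["resp_h"]
            and w["ts"] <= e["ts"] <= w["ts"] + alarm_window
        ]
        first = logons[0]
        alerts.append({
            "severity": "high" if alarms else "medium",
            "user": first["TargetUserName"],
            "from": first["IpAddress"],
            "via": first["Computer"],
            "plc": w["resp_h"],
            "write": w["func"],
            "alarms": [a["tag"] for a in alarms],
        })
    return alerts


T0 = datetime(2024, 3, 1, 2, 0, 0)
EVENTS = [   # constructed, normalised SIEM events
    {"ts": T0, "source": "windows", "EventID": 4624, "Computer": "EWS01",
     "LogonType": 10, "IpAddress": "10.0.5.40", "TargetUserName": "svc_vendor"},
    {"ts": T0 + timedelta(minutes=6), "source": "zeek_modbus", "orig_h": "10.1.1.20",
     "resp_h": "10.1.2.5", "func": "WRITE_MULTIPLE_REGISTERS"},
    {"ts": T0 + timedelta(minutes=7), "source": "historian", "device": "10.1.2.5",
     "tag": "FIC101.SP", "alarm": "SETPOINT_CHANGE"},
    # Later: a console logon (LogonType 2) followed by a write; no alert expected.
    {"ts": T0 + timedelta(hours=3), "source": "windows", "EventID": 4624, "Computer": "EWS01",
     "LogonType": 2, "IpAddress": "-", "TargetUserName": "engineer1"},
    {"ts": T0 + timedelta(hours=3, minutes=2), "source": "zeek_modbus", "orig_h": "10.1.1.20",
     "resp_h": "10.1.2.5", "func": "WRITE_SINGLE_REGISTER"},
]

if __name__ == "__main__":
    for a in correlate_it_to_ot_writes(EVENTS):
        print(a)
```

The local console logon followed by a write is the routine engineering case and produces nothing; only the chain that begins outside the OT zone alerts, and the historian alarm on the same PLC promotes it.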
Domain 4: ICS Incident Response Procedures
4 topics
ICS Digital Forensics
- Describe digital forensics challenges unique to ICS environments including volatile PLC memory, proprietary file systems, limited storage on embedded devices, and process uptime requirements.
- Implement forensic evidence collection procedures for ICS components including PLC program extraction, HMI configuration capture, and historian database preservation.
- Configure forensic disk imaging and memory acquisition for Windows-based ICS systems including engineering workstations and HMI servers while minimizing process disruption.
- Analyze forensic artifacts from compromised ICS systems to reconstruct the attack timeline, identify persistence mechanisms, and determine the scope of adversary access.
Incident Handling Procedures
- Describe ICS incident classification criteria including impact to safety, process availability, environmental consequences, and regulatory reporting thresholds.
- Implement ICS incident containment strategies that isolate compromised systems while maintaining safety system functionality and minimal process disruption.
- Configure communication procedures for ICS incident escalation including notification of plant operations, management, regulators, and sector-specific ISACs.
- Evaluate incident response effectiveness through post-incident review assessing detection time, containment speed, communication quality, and lessons learned integration.
Recovery and Eradication
- Describe ICS system recovery procedures including verified backup restoration, PLC program integrity validation, and controlled process restart sequences.
- Implement malware eradication procedures for ICS environments addressing persistence in Windows systems, PLC logic modifications, and firmware-level implants.
- Assess system integrity after incident recovery by validating PLC programs against known-good baselines, verifying network configurations, and confirming control loop behavior.
ICS Malware Analysis
- Describe ICS-specific malware families including Industroyer, TRITON, BlackEnergy, and Pipedream (also tracked as INCONTROLLER) along with their targeting, capabilities, and industrial protocol interactions.
- Implement safe malware analysis environments for ICS samples using isolated virtual machines with simulated industrial protocols and PLC emulators.
- Analyze ICS malware samples to identify command and control mechanisms, industrial protocol abuse, and intended physical impact on targeted control processes.
Domain 5: Threat Intelligence for ICS
2 topics
ICS Threat Intelligence Sources
- Identify ICS-specific threat intelligence sources including CISA ICS advisories, sector ISACs, MITRE ATT&CK for ICS, and vendor security bulletins for industrial products.
- Describe ICS threat actor groups including their known targets, preferred attack techniques, infrastructure overlaps, and attribution challenges in operational technology campaigns.
- Implement threat intelligence consumption workflows that ingest STIX/TAXII indicators into ICS monitoring platforms for automated alerting on known adversary infrastructure.
- Evaluate threat intelligence relevance for specific ICS environments by assessing sector targeting, geographic focus, and technical overlap with deployed industrial systems.
Intelligence-Driven Defense
- Describe the Diamond Model of intrusion analysis including adversary, infrastructure, capability, and victim vertices applied to ICS-targeted campaigns.
- Apply threat intelligence to develop ICS-specific detection signatures, hunting hypotheses, and defensive priorities based on adversary capability and intent analysis.
- Assess the operational value of threat intelligence products by measuring detection rate improvement, false positive reduction, and hunt success rates after integration.
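The STIX/TAXII ingestion workflow from the sources topic and the "apply intelligence to develop detection signatures" objective above share one mechanic: turning indicator patterns into matchers over monitoring data. The block below is an added example in Python, not code from the course or from any TAXII client; the bundle, the indicator UUIDs, the Zeek-style conn and dns records and the handled pattern subset (equality comparisons joined by OR) are constructed assumptions, not a full STIX pattern engine.

```python
"""STIX 2.1 indicator patterns -> matchers over Zeek-style conn/dns records.
Added example; bundle, records and the pattern subset handled are constructed."""
import json
import re
from datetime import datetime, timezone

COMPARISON = re.compile(r"([\w-]+):([\w.-]+)\s*=\s*'([^']*)'")

# Which record fields each STIX object path is checked against (assumed mapping).
FIELD_MAP = {
    ("ipv4-addr", "value"): {"conn": ["id.orig_h", "id.resp_h"]},
    ("domain-name", "value"): {"dns": ["query"]},
}


def compile_indicators(bundle, now):
    """Return [(indicator, [(path, value), ...])] for indicators valid at `now`;
    expired indicators are dropped so stale infrastructure does not keep alerting."""
    compiled = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue
        terms = [((t, p), v) for t, p, v in COMPARISON.findall(obj["pattern"])]
        if terms:
            compiled.append((obj, terms))
    return compiled


def record_matches(terms, rec):
    """OR semantics: any term matching any mapped field of this record type."""
    return any(rec.get(fld) == value
               for path, value in terms
               for fld in FIELD_MAP.get(path, {}).get(rec["_log"], []))


def match_records(compiled, records):
    """(indicator id, indicator name, record) for every hit."""
    return [(obj["id"], obj["name"], rec)
            for obj, terms in compiled
            for rec in records if record_matches(terms, rec)]


BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
 "objects": [
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--00000000-0000-4000-8000-0000000000a1",
   "name": "C2 for ICS-targeting campaign (constructed)",
   "pattern": "[ipv4-addr:value = '203.0.113.7' OR ipv4-addr:value = '203.0.113.9']",
   "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--00000000-0000-4000-8000-0000000000a2",
   "name": "Fake vendor update domain (constructed)",
   "pattern": "[domain-name:value = 'update.plc-vendor-support.example']",
   "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z"},
  {"type": "indicator", "spec_version": "2.1",
   "id": "indicator--00000000-0000-4000-8000-0000000000a3",
   "name": "Expired staging host (constructed)",
   "pattern": "[ipv4-addr:value = '198.51.100.5']",
   "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
   "valid_until": "2023-06-30T00:00:00Z"}
 ]}
""")

RECORDS = [   # constructed Zeek conn.log / dns.log rows after JSON export
    {"_log": "conn", "id.orig_h": "10.1.1.20", "id.resp_h": "203.0.113.9", "id.resp_p": 443},
    {"_log": "conn", "id.orig_h": "10.1.1.10", "id.resp_h": "10.1.2.5", "id.resp_p": 502},
    {"_log": "dns", "id.orig_h": "10.1.1.20", "query": "update.plc-vendor-support.example"},
    {"_log": "conn", "id.orig_h": "10.1.1.30", "id.resp_h": "198.51.100.5", "id.resp_p": 80},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in match_records(compile_indicators(BUNDLE, NOW), RECORDS):
        print(hit[0], hit[1], hit[2])
```

In production the bundle comes from a TAXII collection poll rather than an inline string, and the expiry check is what keeps the false-positive rate from climbing as indicator feeds age.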
Domain 6: ICS Asset Identification and Inventory
2 topics
Asset Discovery Techniques
- Describe passive asset discovery techniques for ICS networks including traffic analysis, protocol fingerprinting, and broadcast monitoring to identify connected devices.
- Identify the risks and appropriate use cases for active scanning in ICS environments including safe scanning parameters and vendor-approved discovery protocols.
- Implement automated asset inventory collection using ICS-aware discovery tools that identify device types, firmware versions, and communication relationships without process disruption.
Asset Management and Baselines
- Implement ICS asset inventory databases tracking device criticality, firmware versions, patch status, network connectivity, and communication baselines for all OT assets.
- Configure automated configuration backup and change detection for PLCs, RTUs, and network devices to detect unauthorized modifications to device programming.
- Analyze network communication baselines to detect new device connections, changed communication patterns, and unauthorized protocol usage within ICS network zones.
- Evaluate asset inventory completeness and accuracy by comparing discovered assets against engineering documentation, network diagrams, and configuration management records.
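Passive discovery and baselining, as the asset-discovery and asset-management objectives above describe them, plus the PLC program integrity validation the recovery topic in Domain 4 calls for, all reduce to comparing what is observed now with a recorded baseline. The block below is an added example in Python serving all three objectives; it is not code from the course or from any ICS discovery product, and the flow records, zone layout, baseline triples and program blocks are constructed assumptions.

```python
"""Passive inventory from flow records, then two baseline checks: new
communication relationships and changed PLC program blocks.  Added example;
the flows, role table, baseline and program blocks are constructed."""
import hashlib
from collections import defaultdict

# Well-known ICS server ports and the role implied by answering on them (assumed table).
SERVER_ROLES = {502: "modbus-server", 20000: "dnp3-outstation",
                44818: "enip-server", 102: "s7comm-server"}


def passive_inventory(flows):
    """flows: (orig_h, resp_h, resp_p) tuples seen on a TAP/SPAN.  Infers roles
    without sending a packet: answering on 502 => Modbus server (PLC/RTU),
    originating to 502 => Modbus client (HMI/SCADA/EWS)."""
    inv = defaultdict(lambda: {"roles": set(), "peers": set()})
    for orig, resp, port in flows:
        role = SERVER_ROLES.get(port)
        if role:
            inv[resp]["roles"].add(role)
            inv[orig]["roles"].add(role.replace("server", "client").replace("outstation", "master"))
        inv[orig]["peers"].add(resp)
        inv[resp]["peers"].add(orig)
    return dict(inv)


def new_relationships(flows, baseline):
    """Communication triples that are not in the engineered baseline."""
    return sorted(set(flows) - set(baseline))


def program_drift(blocks, baseline_hashes):
    """blocks: {block_name: bytes} as exported from the PLC; baseline_hashes:
    {block_name: sha256 hex} recorded at the last authorised download."""
    current = {n: hashlib.sha256(b).hexdigest() for n, b in blocks.items()}
    return {
        "added": sorted(set(current) - set(baseline_hashes)),
        "removed": sorted(set(baseline_hashes) - set(current)),
        "modified": sorted(n for n in current
                           if n in baseline_hashes and current[n] != baseline_hashes[n]),
    }


# Constructed observations.
BASELINE_FLOWS = [("10.1.1.10", "10.1.2.5", 502), ("10.1.1.10", "10.1.2.6", 20000),
                  ("10.1.1.20", "10.1.2.5", 502)]
OBSERVED_FLOWS = BASELINE_FLOWS + [("10.1.1.77", "10.1.2.5", 502),      # unknown client
                                   ("10.1.1.20", "10.1.2.7", 102)]      # unknown S7 device

KNOWN_GOOD = {"OB1": hashlib.sha256(b"OB1 v12 cyclic scan").hexdigest(),
              "FC10": hashlib.sha256(b"FC10 pump interlock").hexdigest(),
              "DB5": hashlib.sha256(b"DB5 setpoints").hexdigest()}
EXPORTED_NOW = {"OB1": b"OB1 v12 cyclic scan",
                "FC10": b"FC10 pump interlock (bypass)",   # logic changed since baseline
                "DB5": b"DB5 setpoints",
                "FC99": b"FC99 new block"}                   # block nobody downloaded

if __name__ == "__main__":
    inv = passive_inventory(OBSERVED_FLOWS)
    print({h: sorted(v["roles"]) for h, v in inv.items()})
    print(new_relationships(OBSERVED_FLOWS, BASELINE_FLOWS))
    print(program_drift(EXPORTED_NOW, KNOWN_GOOD))
```

The hash comparison is the same check run after recovery to confirm a restored PLC matches the last authorised program; the block bytes would come from the vendor's upload/export rather than the literal strings used here.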
Scope
Included Topics
- All domains in the GIAC Response and Industrial Defense (GRID) certification aligned to SANS ICS515: ICS threat detection, active defense for ICS, ICS network monitoring, ICS incident response procedures, threat intelligence for ICS, and ICS asset identification and inventory.
- ICS-specific threat detection techniques including industrial protocol anomaly detection, process behavior monitoring, Zeek scripting for ICS protocols, and pcap analysis of Modbus, DNP3, and EtherNet/IP traffic.
- Active defense strategies for industrial environments including deception technologies, honeypots for ICS protocols, threat hunting in OT networks, and adversary engagement techniques that do not impact process safety.
- ICS incident response procedures including digital forensics for industrial devices, malware analysis in OT context, coordinated response between IT and OT teams, and evidence handling for regulatory reporting.
- Threat intelligence for ICS including MITRE ATT&CK for ICS framework, threat actor profiling, indicator sharing through ISACs, and intelligence-driven defense for operational technology.
- ICS asset identification and inventory management using passive discovery, active enumeration, and configuration management databases for operational technology environments.
Not Covered
- ICS control system engineering, process design, and instrumentation configuration not related to cybersecurity.
- Enterprise IT incident response procedures without ICS-specific considerations.
- General compliance and audit processes not specific to industrial environments.
- Cloud-native security architectures and DevSecOps practices outside ICS context.
- Offensive ICS exploitation beyond what is needed for defensive understanding.
Official Exam Page
Learn more at GIAC Certifications