ONG-ISAC Dragos Day

This members only event hosted by Dragos combined a wealth of knowledge from actions and things to watch out for to leveraging use-cases and how to use heat maps to visualize adversary activity.

Presentation Abstracts:

  • “Cyber Threat Landscape Updates Q2-Q3 2020”
    • A lot has happened across the ICS cyber threat landscape over the last quarter; specifically we’ve seen a number of reports from CISA, FBI, NSA, and the White House as it relates to cyber threats and resiliency in US infrastructure. A heavy focus has been on US electric and US oil and gas with themes that overlap. This presentation will be a quick overview of these actions and things to watch out for both at a technical implementation perspective and policy overview.
  • “The ICS Security Crucible: Forging Programmatic Armor and Weapons” 
    • When we think of cybersecurity, we often think of new technologies that can help us manage all the threats we hear about. That said, our industry also knows that technology cannot solve this problem alone. We further understand that cybersecurity capabilities are defined as a combination of technology, people (like you), and processes (including documentation!). These three ingredients, when merged together, make a powerful compound—and define successful ICS security programs. This presentation will introduce an “ICS Security Crucible” where you will combine people, processes, and technology to create custom-fitted armor and defenses for your industrial operations based on unique risks, associated impacts, budgets, and known threats. Leveraging real use-cases, participants will learn practical next steps in either creating or refining their ICS-specific security program. When we combine technology with the right people and robust processes, organizations create a strong culture of security and forge lasting legacies for critical infrastructure protection.
  • “Mapping FACTS”
    • Using MITRE’s ATT&CK framework, relationships between various security control frameworks, industry standards, adversaries, and their techniques can be visualized. The Professional Services team at Dragos mapped findings from their engagements, common security control frameworks, and industry standards to ATT&CK. Meanwhile, the Threat Intelligence team at Dragos profiled ICS Threat Activity Groups using ATT&CK. Combining these profiles and mappings, Dragos can provide additional context and insight on security posture by generating heatmaps visualizing adversary activity, mitigation or control effectiveness, and vertical specific trends.
  • “INTEL”
    • Threat intelligence claims it helps, but many times it only confuses and frustrates: it doesn’t apply to ICS; threat emails arriving every day; never-ending threat briefings, overwhelming alerts, New York Times hyperbole about the next attack, etc. Sergio Caltagirone, Dragos’ VP of Threat Intelligence, has 20 years of experience producing and consuming threat intelligence. He will discuss the common frustrations with threat intelligence and how you can make it useful and improve the cybersecurity of your industrial environments.

Dragos Speakers:

  • Robert M. Lee, Chief Executive Officer is a recognized pioneer in the industrial security incident response and threat intelligence community. He gained his start in security as a U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency where he built a first- of-its-kind mission identifying and analyzing national threats to industrial infrastructure. He went on to build the industrial community’s first dedicated monitoring and incident response class at the SANS Institute (ICS515) and the industry recognized cyber threat intelligence course (FOR578).
    • Forbes named Robert to its 30 under 30 (2016) list as one of the “brightest entrepreneurs, breakout talents, and change agents” in Enterprise Technology. He is a business leader and a technical practitioner. Robert helped lead the investigation into the 2015 cyber attack on Ukraine’s power grid, he and his team at Dragos helped identify and analyze the CRASHOVERRIDE malware that attacked Ukraine’s grid in 2016 and the TRISIS malware deployed against an industrial safety system in the Middle East in 2017.
    • Robert is routinely sought after for his advice and input into industrial threat detection and response. He has presented at major security conferences such as SANS, BlackHat, DefCon, and RSA and has testified to the Senate’s Energy and National Resources Committee. As a non-resident national security fellow at New America, Robert works to inform policy related to critical infrastructure cyber security and is regularly asked by various governments to brief national level leaders.


  • Jason D. Christopher, Principal Cyber Risk Advisor Threat Operations Center is the Principal Cyber Risk Advisor at the industrial cybersecurity company Dragos, Inc., where he blends innovative approaches for risk management with state-of-the-art technology and services across the company’s product catalogue. With over 15 years’ experience in cybersecurity and industrial control systems, Jason offers critical infrastructure expertise in developing successful cyber risk strategies.
    • Prior to Dragos, Jason held multiple roles in industry as an executive leader, researcher, regulator, and engineer. As CTO of Axio, a cyber risk management SaaS company, he pioneered new cyber risk techniques for clients to measure and address their risk exposure. He previously led security metrics R&D at the Electric Power Research Institute where he worked directly with utilities on actionable measurement capabilities. While working for the United States government, Mr. Christopher spearheaded the energy sector strategy for the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Cybersecurity Capability Maturity Model (C2M2), and was the technical lead for the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standards.
    • Jason continues to focus on developing cybersecurity standards & best practices for critical infrastructure. He is a Certified Instructor for the SANS Institute & often presents at leading ICS security conferences. He was awarded Cybersecurity Leader of the Year in 2019 by the Energy Sector Security Consortium.
    • Jason holds a Bachelors of Science, Computer Engineering from Binghamton University and a Masters of Electrical Engineering from Cornell University
    • He is certified in GIAC Critical Infrastructure Protection (GCIP) and Global Industrial Cyber Security Professional (GICSP)
  • Jacob Benjamin, Principal Industrial Consultant Threat Operations Center is a Principal Industrial Consultant, at the industrial cyber security company Dragos, Inc. In this role, Jacob leads or assists in various service engagements for the international services team including architecture reviews, tabletop exercises, vulnerability assessments, and threat hunts.
    • Prior to joining Dragos, Dr. Benjamin was a nuclear cybersecurity researcher at Idaho National Laboratory and a nuclear cybersecurity specialist for Duke Energy. Over the last ten years, Jacob has performed a variety of cyber-related tasks at many domestic and international critical infrastructures. He has substantial experience developing cybersecurity programs for nuclear power plants as well as performing cybersecurity risk assessments for critical digital assets, systems, and networks within industrial environments. Dr. Benjamin has provided his expertise for the U.S. Department of Energy, the National Nuclear Security Administration (NNSA), and the International Atomic Energy Agency (IAEA).
  • Jacob remains active in the industrial control system security community as an author on a several research publications and a speaker at various industry conferences. He continues to act as a part-time lecturer and subject matter expert for industrial cybersecurity workshops affiliated with Idaho National Laboratory.
  • Formal Education: Bachelor of Science, Computer Science, Coastal Carolina University and Master of Science, Cybersecurity, Utica College o Doctor of Philosophy, Computer Science, University of Idaho
  • Certifications: Certified Information Systems Security Professional (CISSP)


  • Sergio Caltagirone, Vice President of Threat Intelligence. Almost 20 years ago Sergio Caltagirone took a journey tracking hackers and malware beginning with the Code Red worm after it infected his workstation. He followed his passion into computer science and information security at NASA briefly and then the National Security Agency (NSA) for nine years.
    • At NSA he was a founding member and senior-most intelligence analyst at the NSA/CSS Threat Operations Center (NTOC). Sergio focused his energy on hunting many national security cyber threats including those targeting industrial control systems (ICS). He built methods and practices which grew into hundreds of analysts around the world following his footsteps to hunt new threats to the US and Allies.
    • In 2013, Sergio left NSA to become the Director of Threat Intelligence at Microsoft launching the Microsoft Threat Intelligence Center. He directed a mission improving Microsoft’s products and services through intelligence-driven approaches. His team hunted threats against billions of customers adding mitigation, detection, and product improvements to disrupt hundreds of cyber threats.
    • In 2016, Sergio joined Dragos to start the world’s only dedicated ICS threat intelligence team focused on uncovering cyber threats to ICS. He launched Dragos WorldView in early 2017 delivering threat intelligence on ICS threats to asset owners and operators worldwide.
    • He moonlights part-time as Technical Director at the Global Emancipation Network using technology to counter human trafficking and working to save millions from modern day slavery.
    • Publications and Presentations:
      • The Diamond Model of Intrusion Analysis Whitepaper o Industrial Control Threat Intelligence Whitepaper o Threat Intelligence at Microsoft: A Look Inside Video (Cyber Threat Intelligence
        Summit 2017)