SANS and SERC Launch National Training Initiative for Grid Cybersecurity

SANS and SERC Partner to Bolster Grid Cybersecurity Training

INFORMATIONAL
May 5, 2026
Policy and Compliance, Industrial Control Systems, Security Operations

Related Entities

Organizations

SANS Institute, SERC Reliability Corporation, NERC, GIAC

Full Report

Executive Summary

The SANS Institute, a global leader in cybersecurity training, and the SERC Reliability Corporation, one of the regional entities responsible for ensuring the reliability of North America's bulk power system, have announced a strategic partnership. The collaboration is designed to provide advanced, hands-on cybersecurity training specifically for professionals in the U.S. electric utility sector. The initiative aims to strengthen the security and reliability of the nation's power grid, enhance the NERC Critical Infrastructure Protection (CIP) compliance posture of utilities, and address the growing skills gap in the operational technology (OT) security workforce.

Program Details

The partnership is launching a national NERC CIP training initiative. The primary goals are:

  • Strengthen Grid Reliability: By improving the technical skills of the cybersecurity workforce protecting the bulk electric system.
  • Improve Compliance Readiness: To provide training that bridges the gap between technical implementation and the complex documentation and evidence requirements of NERC CIP standards.
  • Accelerate Workforce Development: To build a larger and more capable pool of talent qualified to secure critical infrastructure.

The inaugural event of this partnership will be the ICS456: NERC Critical Infrastructure Protection (CIP) course, hosted at SERC's facilities from August 3-7, 2026. This course is tailored to both the technical practitioners who implement security controls and the compliance professionals who must document and audit them.

Impact Assessment

This partnership represents a significant investment in the security of U.S. critical infrastructure.

  • For Utilities: It provides a clear, trusted pathway for employees to gain specialized, in-demand skills. It helps them meet regulatory requirements more effectively and reduce the risk of non-compliance penalties.
  • For Professionals: The program prepares participants for the GIAC Critical Infrastructure Protection (GCIP) certification, a valuable industry credential that validates hands-on expertise in OT and NERC CIP security.
  • For National Security: By strengthening the cybersecurity posture of the electric grid, the initiative directly contributes to national security and economic stability. A more resilient grid is better able to withstand and recover from cyberattacks by nation-state actors or sophisticated cybercriminals.

Jason Blake, CEO of SERC, emphasized that the partnership is a direct investment in the human element of grid security. Tim Conway, ICS Curriculum Lead at SANS, highlighted the importance of building trust and collaboration between utilities and regional leadership.

Compliance Guidance

The ICS456 course and the GCIP certification are designed to provide tangible benefits for NERC CIP compliance.

  • Understanding the 'Why': The training helps technical staff understand the regulatory context behind the security controls they are asked to implement.
  • Bridging the IT/OT/Compliance Gap: The course brings together professionals from different departments, fostering a common language and understanding, which is crucial for effective compliance.
  • Actionable Knowledge: Participants learn how to apply cybersecurity principles within the specific constraints and requirements of the NERC CIP framework, moving from theoretical knowledge to practical application.

Mitigation and Preparedness

This initiative is a proactive measure to mitigate the risk of cyberattacks against the electric grid. By upskilling the workforce, utilities can improve their ability to:

  1. Detect Threats: A better-trained workforce can more effectively use security tools to detect intrusion attempts in both IT and OT environments.
  2. Respond to Incidents: Professionals with GCIP certification will have validated skills in incident response within a critical infrastructure context.
  3. Harden Systems: The training provides best practices for hardening industrial control systems (ICS) and OT networks against common attack vectors.
  4. Maintain Compliance: A deep understanding of NERC CIP standards helps prevent compliance gaps that can be exploited by attackers.

Timeline of Events

  1. April 30, 2026: SANS Institute and SERC Reliability Corporation officially announce their strategic partnership.
  2. May 5, 2026: This article was published.
  3. August 3, 2026: The first joint training course, ICS456, is scheduled to begin.

MITRE ATT&CK Mitigations

This entire initiative is a form of advanced, specialized user training for critical infrastructure protection.

The training helps professionals understand and prepare for the rigorous auditing requirements of NERC CIP.

Training on ICS/OT security inherently covers best practices for network segmentation between IT and OT environments.

D3FEND Defensive Countermeasures

The SANS and SERC partnership directly supports Platform Hardening for the electric grid by educating the workforce on how to properly secure Industrial Control Systems (ICS) and Operational Technology (OT). The ICS456 course teaches professionals how to implement security controls that are specific to the NERC CIP standards. This includes hardening devices like PLCs and RTUs by disabling unnecessary ports and services, implementing secure configurations, and managing access control effectively. By training the people who manage these systems, the initiative ensures that hardening is not just a one-time checklist item but an ongoing process informed by deep technical understanding of both the systems and the regulatory landscape.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

SANS Institute, SERC, NERC CIP, Critical Infrastructure, Cybersecurity Training, OT Security, ICS
