Industrial Control Systems Joint Working Group (ICSJWG)

The Cybersecurity and Infrastructure Security Agency (CISA) hosts the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial control systems.

The ICSJWG provides a vehicle for communicating and partnering across all Critical Infrastructure (CI) Sectors between federal agencies and departments, as well as private asset owners/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CI by accelerating the design, development, and deployment of secure industrial control systems.

CISA/ICSJWG developed a Fact Sheet for quick reference information about the ICSJWG: ICSJWG Fact Sheet.

ICSJWG Banner and Image

ICSJWG 2019 Fall Meeting 

Tower Square Hotel Springfield | Springfield, Massachusetts

August 27 - 29, 2019

Draft Agenda

We are very pleased to provide the draft agenda for the ICSJWG 2019 Fall Meeting.

New Events for This Fall

Three new events will be introduced during the ICSJWG 2019 Fall Meeting: a technical boot camp, a technical Capture the Flag (CTF) challenge, and brainstorming sessions. These events offer an opportunity for greater interaction among asset owners, integrators, vendors, and government representatives over the course of the meeting. Please consider participation in one or more of these events.

Becoming an ICS Cyber Analyst is an all-day technical boot camp, taught on the first day of our meeting.  This formative session is dedicated to getting started in ICS cyber analysis. The information is specifically designed for IT cyber analysts who are looking to transition into OT environments as well as for OT engineers who are looking to get started in cyber security; however, analysts of all backgrounds and experience levels are welcome. This is a hands-on experience including both setting up essential tools for data collection and ICS artifact analysis. Participants will be led through the process of collecting and analyzing ICS network artifacts for signs of intrusions, abnormal behavior, and potential threats. After the boot camp on Tuesday, participants are encouraged to attend other sessions during Wednesday and Thursday and to participate in the ICSJWG Capture the Flag.

There are two participation options:

Option 1 - For those who would like to kick start their ICS cyber toolkit, bring an ‘empty’ laptop. We will help you install and configure a stack of open-source tools, along with custom enrichments and interconnecting functionality. This security stack provides a free and easily deployable solution for advanced network traffic analysis in both ICS and IT environments. (Hardware requirements for Malcolm Installation:  Minimum 16GB RAM, 2+ CPU cores dedicated to Malcolm/VM, SSD with sufficient capacity for anticipated logs/captured data.)

Option 2 - For those who choose not to dedicate a laptop and install this software stack, please bring a laptop with a Chrome or Firefox browser that will be used to access the tool stack remotely and perform the in-class analysis activities.

ATTENTION – This boot camp is limited in the number of participants that can be supported. You must register specifically for this event. (Please register for both ICSJWG and the boot camp.) If we exceed the capacity of the class, we will maintain a waitlist. Walk-up participation will only be open after all registered participants are given the chance to join. All those who register will be notified of their registration status. To register, please email specifying your request to register for the ICSJWG 2019 Fall Meeting Boot Camp.

The Capture the Flag activity is available all-day Wednesday and Thursday morning. The CTF is designed to expose analysts to hunting across ICS networks for malicious behavior, with puzzles appropriate for both the beginner and the experienced analyst. Challenges include artifacts generated from IT/OT host forensic data, network data (from both bro logs and pcap), and OT equipment actively being exploited by a threat actor.

The Brainstorming Sessions are moderated discussions held each day, intended to provide an equal voice to input from all participants regarding challenges we all face. The first session on Tuesday is dedicated to identifying tools and capabilities that are needed for cyber defense of ICS networks. The next session on Wednesday is focused on more effectively collecting and acting on feedback from asset owner operators, integrators, and vendors supporting the nation’s critical infrastructure. Finally, on Thursday, the session is dedicated to exploring new threats facing America’s critical infrastructure.

Meeting Registration

Meeting registration for the ICSJWG 2019 Fall Meeting in Springfield, Massachusetts from August 27 – 29, 2019 is open until August 21, 2019!

Please register for the meeting as soon as possible.

There is no cost to attend any of these events.  However, travel, accommodations, meals, beverages, and other incidental expenses are the responsibility of the event participant and will NOT be covered by ICSJWG, CISA, or DHS.

Hotel Reservations

The ICSJWG 2019 Fall Meeting will be held at the Tower Square Hotel Springfield, located at 2 Boland Way, Springfield, Massachusetts 01115. This is in the heart of downtown Springfield, and is in a centralized location for restaurants and shopping.  To take advantage of the amenities and the government rates offered at the hotel please use the hotel reservation site or copy/paste the URL into your browser ( Alternatively, you can call 1-413-750-3020 to speak to someone about reservations, citing the ICSJWG Fall Meeting. There are a limited number of rooms, so book your hotel room soon.

Additional Information

For additional information, please contact us at


Previous Meeting Information

Please find agendas for previous meetings below.

Contact the respective author(s) directly for copies of presentations.  

Please contact us if you have questions.

ICSJWG Newsletters

If you would like to submit a short article of general interest pertaining to control systems security, please send it to for consideration. Submitted articles will be reviewed and approved by ICSJWG prior to publishing. Please note that marketing or sales presentations aimed at gaining the audience's interest in services, capabilities, or products cannot be approved.

Article submissions for the September 2019 edition are currently being accepted for review until September 13, 2019.

Copies of the current Newsletter and the previous three Quarter's Newsletters may be requested from

ICSJWG Products and Materials

NCCIC/ICSJWG Fact Sheet: ICS Cybersecurity for the C-Level (Six Questions Every C-Level Executive Should Be Asking).
"Common Industrial Control System Vulnerability Disclosure Framework" developed by the Vendor subgroup (July 2012).

ICSJWG Webinar Series

Our Webinar Series is designed to inform the membership and general public about solutions to threats, vulnerabilities, and risks to critical infrastructure and control systems. The search for outstanding and value-added topics is ongoing. Please feel free to send an abstract or short description of any webinar idea to and the Program Office will add it to the topic queue for review and possible inclusion into the series.  Our intent is to have a webinar each quarter of the year.  Please note that marketing or sales presentations aimed at gaining the audience's interest in services, capabilities, or products cannot be approved.

Upcoming Webinars

Secure Operations Technology - November 13, 2019

Most OT security programs seek to "protect the information" - the CIA, AIC, IAC, or something of the information. Thoroughly-secured industrial sites though, do not "protect the information." Instead, such sites protect physical industrial operations from information, more specifically from cyber attacks that may be embedded in information. All cyber attacks are information after all, and every bit of information can encode an attack.

Secure Operations Technology is a perspective, a methodology, and a set of best practices used by thoroughly-secured sites - in addition to classic IT-SEC techniques. Since all cyber attacks are information, a comprehensive inventory of offline and online information flows into the critical network is also a comprehensive inventory of all possible attack vectors targeting the network. SEC-OT sites then take measures to physically block or otherwise discipline the entire inventory of inbound information/attack flows.

Presenter Andrew Ginter of Waterfall Security Solutions

Andrew Ginter leads a team responsible for industrial cyber-security research, contributions to standards and regulations, and security architecture recommendations for industrial sites. He is a coauthor of the Industrial Internet Consortium Security Framework and the author of a number of volumes, most recently, Secure Operations Technology (SEC-OT).

Watch here for registration details and more information about the webinar.

Past Webinars

Past webinar presentations which have been released are found below and may be requested from the Program Office through If they are still available, they will be forwarded to you upon request.

  • July 17, 2019 – Persistent Threat-Based Security for ICS Systems
  • March 2019 – Five Ways to Ensure the Integrity of Your Operations
  • September 2018 - The Top 20 Cyberattacks on Industrial Control Systems
  • January 2018 – Life After Ukraine: Industrial Control System Cybersecurity Industry Trends and Strategies
  • October 2017 – Creating Predictable Fail Safe Conditions for Healthcare Facility - Related Control Systems and Medical Devices by Use of System Segmentation
  • July 2015 – Protecting M2M Systems at the Edge
  • October 2014 – The New Paradigm for Information Security: Assumption of Breach
  • June 2014 – Online Real Time Monitoring for Change Identification
  • March 2014 – I Think, Therefore I Fuzz!

Membership in the ICSJWG

By adding you to our membership rolls, you will receive all outgoing messages to the ICSJWG community, including newsletters, meeting notifications, training information, calls for comments, and other announcements.

Volunteer participation, by contributing ideas, sharing information, or working toward solutions for CI security, is encouraged. To get involved supporting a working activity which addresses critical infrastructure security, please let us know your ideas and the ICJSWG Steering Team (IST) and Program Management Office (PMO) will consider them. To get involved with the ICSJWG in general, please contact us at