Inside the SANS Ecosystem: How Field Research, New AI Modules, and Open Formats Turn Vendors into Community Peers

  1. From Plant Floor to Push-Request—Why I Still Write Up Bugs
    I spend ±180 days a year inside refineries, water treatment halls and turbine rooms running purple-team drills for ICS Defense Force. Every trip ends the same way: engineers hand me a Post-it with the same two questions:
    “Which new TTP just dropped?”
    “What actually works against it, no marketing?”
    SANS is the only place where I can post packet captures, a YARA rule and a Zeek script on Monday and have 40 operators stress-test them by Friday. Below is the vendor-neutral path we now offer tool builders who want to join that loop.
  2. Program Refresher—No Logos on Stage, Code in Repo
    • Sponsored projects are released under CC-BY-SA 4.0; no paywalls, no registration gates.
    • Every artifact (white-paper, Sigma rule, PCAP) is stored in a GitHub org with in-toto SBOMs so analysts can reproduce results.
    • AI-assisted review: since Q4 2024 each draft is co-checked by a private GPT-4o instance fine-tuned on MITRE ATT&CK for ICS; maintainers receive a diff of hallucinations vs. ground truth before publication.
  3. 2025–26 Research Tracks—Open Call, Fixed Timelines
    Track A – OT/ICS Zero-Trust Fabrics
    – 6-week sprint; output = an open-source Terraform plan that spins up a miniature plant network with IEC 62443 micro-segments, test traffic and Wireshark coloring rules.
    Track B – Post-Quantum Firmware Signing
    – Deliverable: reference implementation of LMS/HSS and XMSS on an STM32 Discovery board plus a Renode CI pipeline so anyone can run make emulate.
    Track C – AI-Guided Incident Drill Generator
    – Uses LangGraph to convert NERC-CIP audit findings into bespoke tabletop injects; export formats include Markdown, Excel and STIX-2.1 bundles.
  4. Engagement Formats—Pick One, Mix Several
    Micro-survey (n≈300, ±10 questions, 3-week turnaround)
    First Look Lab (half-day, live virtual, audience drives the CLI)
    SANS Review Board (three analysts, 30-day adversarial test, public scorecard)
    Summit Plugfest (bring a laptop, defend the OT honeypot for 90 min while peers attack)
  5. Audience by the Numbers (Rolling 12 mo)
    71 % operate ≥1 plant with >10 k IEDs
    46 % hold GICSP or GRID certification
    38 % already run their own in-house SOC
    Median budget authority: US$2.4 m for cyber tooling
    Regions: 57 % North America, 24 % EU, 19 % APAC
  6. Fast-Track Calendar
    15 Nov 2025 – CFP for Track A closes (repo branch locked)
    01 Feb 2026 – Draft package due for AI review gate
    15 Mar 2026 – Public release + live Reddit AMA
    18 May 2026 – Plugfest finals at ICS Security Summit, Orlando (no vendor booths—only laptops and crash carts)
  7. How to Participate—Three Steps, No Sales Calls
    1. Fork the track template repo, add your proposal as an issue.
    2. Tag at least one SANS mentor (handle list in CONTRIBUTING.md).
    3. Pass automated linting (Markdown, YAML, SBOM) → automatic invite to Slack channel.
  8. Bottom Line
    If your roadmap is ready for hostile scrutiny, we will fund the lab gear, supply the hostile network and publish the results—good or bad—for the whole community. Ship code, not brochures.