Tim Conway

Tim serves as the Technical Director of ICS and SCADA programs at SANS, and he is responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. A recognized leader in CIP operations, he formerly served as the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO), where he was responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric.

Recognizing the need for ICS-focused cybersecurity training throughout critical infrastructure environments and increased demand for NERC CIP hands-on training, Tim authored and instructs the ICS curriculum’s ICS456: Essentials for NERC Critical Infrastructure Protection course, as well as the ICS612: ICS Cybersecurity In-Depth course. Outside of SANS, Tim continues to perform contract and consulting work in ICS cyber security, focusing on the energy sector.

More About Tim


Before accepting the opportunity to join SANS, Tim enjoyed a 15-year career with the Northern Indiana Public Service Company (NIPSCO), where he held management and leadership positions as well as EMS Computer Systems Engineer responsibilities over the control system servers and the supporting network infrastructure. During his career, Tim has served as the Chair of the RFC CIPC, Chair of the NERC CIP Interpretation Drafting Team, Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel. He holds GICSP, GCIP, and GCIH certifications and co-authored and teaches both the ICS612 and ICS456 courses at SANS. Tim is also a faculty member of the SANS Technology Institute, an NSA Center of Academic Excellence in Cyber Defense and multiple winner of the National Cyber League competition.

Tim never intentionally set out to become an instructor; instead, he saw in his career a need for training and development of personnel in ICS cybersecurity. Pursuing these resources brought Tim to SANS very early in his career. After more than 15 years of working at an asset owner operator, he got, as he would like to call it himself, a once-in-a-lifetime opportunity to join SANS to contribute to the broader ICS community and seek ways to pour into practitioners hungry for tools, knowledge, information sharing, and ICS cybersecurity-focused courseware. “I worked with some amazing leaders in this space to help create industry resources, courses and credentials,” says Tim.

Passionate about and driven by the mission and purpose of critical infrastructure, Tim has had the opportunity throughout his career to work with and be shaped by operations personnel who work tirelessly to ensure safe and reliable service delivery to their customers and communities. “I want to be in a position to support and help operations and their overall mission in any way I can.” Throughout his career, SANS has been the highest standard for cybersecurity training. However, over the years, it has become clear to Tim that SANS is genuinely looking to make a difference in ICS cybersecurity for practitioners who desperately need a partner. “I can see the difference SANS is making across the ICS community, and I am blessed to say I get to help.”

Like much of the community, Tim struggled to learn as he went, attempting to maintain a balanced understanding of operations, IT, OT, engineering, cybersecurity, and adversarial targeting to misuse the system under control. “With a wide scope of exposure, years of experience, mistakes, troubleshooting, incident response, lessons learned, and information exchanged with others who were also struggling to keep everything working, I started to triangulate on core principles and key learning areas from my experiences that I shared with peers and they with me so we could jump start our learning and grow beyond as a force multiplier,” says Tim. In addition, he provides students with hands-on practical learning that can be immediately put into action when they return to work. Critical Infrastructure organizations and Industrial Control Systems security practitioners cannot lose sight of what makes them special, there is a need for unique hybrid skill sets in this space that intersects operations, engineering, technology, security, and safety.It is crucial for an organization that these unique skill sets are developed and harnessed in a way that recognizes the operational drivers and constraints of the process environment and technology used to control it.IT and OT are different, the ICS community needs to focus on the unique demands that are represented by the first letter in those Acronyms and leverage the second letter in a manner that is informed by the risks to the organization and the overall mission.



The Five ICS Cybersecurity Critical Controls, November 2022

Achieving OT Network Visibility and Detective Controls in a NERC CIP World, June 2021

Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments, July 2020

How to Use NERC-CIP: An Overview of the Standards and Their Deployment with Fortinet, June 2020


How to Build a World-Class ICS/OT Cyber Program Leveraging CISA's Cybersecurity Performance Goals and SANS's 5 Critical Controls for ICS/OT, December 2022

The 5 Critical Controls for ICS/OT Cybersecurity, October 2022

PIPEDREAM and Countering ICS Malware, April 2022

Emerging Cyber Guidance to the Ukraine-Russia War, March 2022

Russian Cyber Attack Escalation in Ukraine - What You Need To Know!, February 2022

Getting Your Hands Dirty with Industrial Control Systems, February 2022

Achieving OT Network Visibility and Detective Controls in a NERC CIP World, June 2021

Ransoming Critical Infrastructure - Emergency Webcast, May 2021

How to Use NERC CIP: An Overview of the Standards, Their Deployment and How to Use Fortinet Products for Compliance, June 2020

Six Steps to Effective ICS Threat Hunting, November 2019

Leveraging Managed Threat Hunting for an Effective ICS/OT Cybersecurity Program, April 2020


Killing Time, SANS ICS Security Summit 2021

A CISO View on the Journey of OT/ICS Cybersecurity, SANS ICS Security Summit 2021

ICS Defense Use Cases (DUC)

ICS Defense Use Case 7: Analysis of the recent report of supply chain attacks on US electric infrastructure by Chinese Actors, June 2020

ICS Defense Use Case 6: Modular ICS Malware, August 2017

ICS Defense Use Case 5: Analysis of the Cyber Attack on the Ukrainian Power Grid, March 2016

ICS Defense Use Case 4: Analysis of the recent reports of attacks on US infrastructure by Iranian Actors, January 2016

ICS Defense Use Case 3: The Lost DUC - Unavailable for Online, April 2015

ICS Defense Use Case 2: German Steel Mill Cyber Attack, December 2014

ICS Defense Use Case 1: Media report of the Baku-Tbilisi-Ceyhan (BTC) pipeline Cyber Attack, December 2014