The official title of Jason Holcomb’s (Lockheed Martin) session was Turning the Tables: Transformation to Intelligence Driven Defense for ICS, but the thrust of his talk was how the cyber kill chain can be used in ICS.

The cyber kill chain steps for a targeted attack are Recon, Weaponization, Delivery, Exploit, Installation, C2 and Actions. Jason points out that the saying “the attacker only has to be successful once” isn’t quite true. A targeted attack has multiple steps, and the defender has a chance to detect, deny, disrupt, … at each step.

Looking at your SCADA or DCS through the cyber kill chain steps is another way of analyzing and selecting security controls. Jason shows an example of this in a different type of defense in depth table at 26:30. The kill chain steps are on the y-axis and the defensive actions are on the x-axis. The table identifies where you are missing controls at different stages of the attack, and it also identifies the types of security you have in place. For example, a system could have strong deny or disrupt protection at one or more kill chain steps, but lack any detection.
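
The gap analysis that table supports can be sketched in a few lines. This is an added example, not material from Jason's slides: the control inventory is constructed for a hypothetical site, the placement of each control in a cell is an assumption, and the columns are limited to the three defensive actions named above because the list in this post is elided after "disrupt".

```python
# Kill chain coverage matrix: rows = kill chain steps, columns = defensive actions.
PHASES = ["Recon", "Weaponization", "Delivery", "Exploit", "Installation", "C2", "Actions"]
# Only the three actions the post names; its list continues past "disrupt".
ACTIONS = ["detect", "deny", "disrupt"]

# Constructed inventory for a hypothetical SCADA site: (control, step, action).
SAMPLE_CONTROLS = [
    ("Mail gateway attachment filtering", "Delivery", "deny"),
    ("Removable media policy on HMIs", "Delivery", "deny"),
    ("Application allowlisting on operator stations", "Installation", "deny"),
    ("Firewall egress rules, control zone to corporate", "C2", "deny"),
    ("DNS sinkhole for the control zone", "C2", "disrupt"),
    ("IDS on the DMZ link", "C2", "detect"),
    ("Safety system independent of the DCS", "Actions", "disrupt"),
]

def build_matrix(controls):
    """Place each control in its (step, action) cell; reject unknown labels."""
    matrix = {p: {a: [] for a in ACTIONS} for p in PHASES}
    for name, phase, action in controls:
        if phase not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown step/action for control {name!r}")
        matrix[phase][action].append(name)
    return matrix

def find_gaps(matrix):
    """Return (steps with no control at all, steps with controls but no detection)."""
    uncovered = [p for p in PHASES if not any(matrix[p].values())]
    no_detect = [p for p in PHASES
                 if any(matrix[p].values()) and not matrix[p]["detect"]]
    return uncovered, no_detect

def render(matrix):
    """Text table with the number of controls in each cell."""
    lines = [f"{'step':<14}" + "".join(f"{a:>9}" for a in ACTIONS)]
    for p in PHASES:
        lines.append(f"{p:<14}" + "".join(f"{len(matrix[p][a]):>9}" for a in ACTIONS))
    return "\n".join(lines)

if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    print(render(m))
    uncovered, no_detect = find_gaps(m)
    print("No controls at:", ", ".join(uncovered))
    print("Controls but no detection at:", ", ".join(no_detect))
```

With this sample inventory the second list is the case described above: Delivery, Installation and Actions each have deny or disrupt controls but nothing that would detect the attacker at that step.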