
At Verizon’s Boston offices, the CRISP Autumn Training ran over two days and featured two technical sessions led by Patrick Kelley and Jared Haviland of Critical Path Security. Their focus: how Léargas, Zeek, and OT/ICS protocol analyzers turn raw industrial traffic into precise, auditable detections that operators can act on fast.
Why this workshop mattered
Kelley and Haviland anchored the training in current realities: OT/ICS incidents aren’t hypothetical, and the blind spot is often at the protocol layer. Their message was straightforward—pair Zeek’s deep protocol visibility with CISA’s ACID to surface behaviors traditional IT tools miss, then push those insights into workflows operators actually use.
What they showed
Zeek’s evolution and deployment. The instructors walked through the practical changes from Zeek 7 to Zeek 8 (enhanced telemetry, storage improvements, broader analyzer coverage, and newer build requirements), then translated those into deployment choices that matter on noisy industrial networks: Dockerized OT builds, tuned worker counts, and measuring and bounding capture packet loss so that a gap in visibility is never mistaken for a quiet network.
OT/ICS analyzers that see what matters. Using analyzers for Modbus, DNP3, ENIP/CIP, S7Comm, BACnet, Profinet and others, the sessions demonstrated how to move from “traffic observed” to “behavior understood”—flagging mode changes, unauthorized function calls, firmware-level activity, and force/parameter operations tied to MITRE ATT&CK for ICS.
Léargas detections. Attendees saw how Léargas enriches Zeek output and applies purpose-built detections, such as DNP3 restart and unauthorized function requests, or Modbus diagnostics, firmware replacement, and illegal address patterns, so analysts get fewer open questions and clearer actions.
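To make the move from “traffic observed” to “behavior understood” concrete, here is an added example of the kind of protocol-level rules the two sections above describe, run over Zeek modbus.log and dnp3.log records. It is illustration written for this recap, not Léargas’s own detection logic or a Zeek script shipped with the project. The log lines are constructed (not captured plant traffic), the column layout is assumed to follow Zeek’s base modbus.log and dnp3.log field names, the authorized-master lists and the illegal-address threshold are an assumed site policy, and the ATT&CK for ICS technique IDs are assumed mappings rather than anything the instructors stated.

```python
"""Toy OT detections over Zeek modbus.log and dnp3.log (added example).

Assumptions, not part of the original page or of Léargas: the rules, the
authorized-master policy, the threshold, the ATT&CK for ICS mappings, and the
constructed sample records below.
"""
from collections import Counter

# Constructed sample records in Zeek TSV form; column names are assumed to
# match the deployed Zeek version's base modbus.log / dnp3.log.
MODBUS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tunit\tfunc\texception
1700000000.1\tC1\t10.0.1.10\t40001\t10.0.2.50\t502\t1\tREAD_HOLDING_REGISTERS\t-
1700000000.2\tC1\t10.0.1.10\t40001\t10.0.2.50\t502\t1\tWRITE_SINGLE_REGISTER\t-
1700000001.0\tC2\t10.0.9.99\t51000\t10.0.2.50\t502\t1\tDIAGNOSTICS\t-
1700000001.1\tC2\t10.0.9.99\t51000\t10.0.2.50\t502\t1\tWRITE_MULTIPLE_COILS\t-
1700000001.2\tC2\t10.0.9.99\t51000\t10.0.2.50\t502\t1\tWRITE_MULTIPLE_COILS\t-
1700000002.0\tC3\t10.0.9.99\t51001\t10.0.2.50\t502\t1\tREAD_COILS\tILLEGAL_DATA_ADDRESS
1700000002.1\tC3\t10.0.9.99\t51001\t10.0.2.50\t502\t1\tREAD_COILS\tILLEGAL_DATA_ADDRESS
1700000002.2\tC3\t10.0.9.99\t51001\t10.0.2.50\t502\t1\tREAD_COILS\tILLEGAL_DATA_ADDRESS
1700000002.3\tC3\t10.0.9.99\t51001\t10.0.2.50\t502\t1\tREAD_COILS\tILLEGAL_DATA_ADDRESS
"""
DNP3_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfc_request\tfc_reply\tiin
1700000003.0\tC4\t10.0.1.11\t42000\t10.0.3.20\t20000\tREAD\tRESPONSE\t0
1700000003.5\tC5\t10.0.9.99\t52000\t10.0.3.20\t20000\tCOLD_RESTART\tRESPONSE\t0
1700000003.6\tC5\t10.0.9.99\t52000\t10.0.3.20\t20000\tDIRECT_OPERATE\tRESPONSE\t0
"""

# Assumed site policy: only these masters may write to or control the devices.
AUTHORIZED_MODBUS_MASTERS = {"10.0.1.10"}
AUTHORIZED_DNP3_MASTERS = {"10.0.1.11"}
MODBUS_WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
                      "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS",
                      "WRITE_FILE_RECORD", "MASK_WRITE_REGISTER"}
DNP3_RESTART_FUNCS = {"COLD_RESTART", "WARM_RESTART"}
DNP3_CONTROL_FUNCS = {"WRITE", "SELECT", "OPERATE", "DIRECT_OPERATE", "DIRECT_OPERATE_NR"}
ILLEGAL_ADDRESS_THRESHOLD = 3  # repeated ILLEGAL_DATA_ADDRESS replies suggest address probing


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def alert(rule, src, dst, detail, technique):
    return {"rule": rule, "src": src, "dst": dst, "detail": detail, "technique": technique}


def detect_modbus(records):
    """Diagnostics, unauthorized writes, and illegal-address probing (fires once at threshold)."""
    alerts, illegal = [], Counter()
    for r in records:
        src, dst, func, exc = r["id.orig_h"], r["id.resp_h"], r["func"], r["exception"]
        if func == "DIAGNOSTICS":  # function 8 can force listen-only mode or clear counters
            alerts.append(alert("modbus_diagnostics", src, dst, func, "T0855"))
        elif func in MODBUS_WRITE_FUNCS and src not in AUTHORIZED_MODBUS_MASTERS:
            alerts.append(alert("unauthorized_modbus_write", src, dst, func, "T0855"))
        if exc == "ILLEGAL_DATA_ADDRESS":
            illegal[(src, dst)] += 1
            if illegal[(src, dst)] == ILLEGAL_ADDRESS_THRESHOLD:
                alerts.append(alert("modbus_illegal_address_probe", src, dst,
                                    f">={ILLEGAL_ADDRESS_THRESHOLD} ILLEGAL_DATA_ADDRESS", "T0888"))
    return alerts


def detect_dnp3(records):
    """Restarts from any master, plus control functions from unauthorized masters."""
    alerts = []
    for r in records:
        src, dst, fc = r["id.orig_h"], r["id.resp_h"], r["fc_request"]
        if fc in DNP3_RESTART_FUNCS:
            alerts.append(alert("dnp3_restart", src, dst, fc, "T0816"))
        elif fc in DNP3_CONTROL_FUNCS and src not in AUTHORIZED_DNP3_MASTERS:
            alerts.append(alert("unauthorized_dnp3_request", src, dst, fc, "T0855"))
    return alerts


def dedupe(alerts):
    """Collapse repeats of the same rule/src/dst/detail into one alert carrying a count."""
    grouped = {}
    for a in alerts:
        key = (a["rule"], a["src"], a["dst"], a["detail"])
        grouped.setdefault(key, dict(a, count=0))["count"] += 1
    return list(grouped.values())


def run():
    raw = detect_modbus(parse_zeek_tsv(MODBUS_LOG)) + detect_dnp3(parse_zeek_tsv(DNP3_LOG))
    return dedupe(raw)


if __name__ == "__main__":
    for a in run():
        print(f"{a['rule']:30} {a['src']} -> {a['dst']}  {a['detail']}  [{a['technique']}] x{a['count']}")
```

Two design points carry over to real deployments: the parser reads the `#fields` header instead of hard-coding column positions, so a Zeek upgrade that adds or reorders columns does not silently break the rules, and the illegal-address rule is stateful with a single firing at threshold, so one scan of a PLC’s register map produces one alert rather than one per request.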
From detection to decision
Kelley and Haviland outlined a clean workflow: Zeek logs flow to the SIEM; Léargas and the Multi-modal Command Processor (MCP) summarize and score activity; then the results can drive SOAR tickets or executive-ready reports. Running targeted, OT-specific models on dedicated GPUs keeps latency low without leaning on heavyweight cloud models—a practical balance for plants and utilities.
Outcomes and the road ahead
CRISP labs and pilots continue to show real gains: faster triage, less noise through deduplication, stronger mapping to compliance frameworks, and more confident operator decisions. Looking ahead, the instructors pointed to AI copilots, local RAG pipelines enriched with site context, and standardized OT/ICS datasets that raise the detection floor for everyone.
Bottom line: Over two days in Boston, Patrick Kelley and Jared Haviland didn’t just walk through slides—they gave operators and defenders a repeatable path to protocol-level visibility and action, grounded in Zeek, powered by Léargas, and tuned for the realities of OT.