Full Report
Beijing, 23-27 December 2019: Kaspersky ICS CERT together with the China Industrial Control Systems Cyber Emergency Response Team (CIC) conducted a training course on digital forensics and incident response in industrial control systems.
Analysis Summary
# Industry News: Kaspersky and China’s CIC Formalize Strategic Training Partnership
## Summary
Kaspersky ICS CERT and the China Industrial Control Systems Cyber Emergency Response Team (CIC) successfully completed a joint five-day intensive training program on digital forensics and incident response (DFIR) in Beijing. This event marks the first operational milestone of the "Cyberspace Security Guardian Action 2020" agreement between Russia and China.
## Key Details
- **Date:** December 23-27, 2019 (Announced January 30, 2020)
- **Companies Involved:** Kaspersky (ICS CERT) and China Industrial Control Systems Cyber Emergency Response Team (CIC)
- **Category:** Strategic Partnership / Professional Training & Services
## The Story
Following the high-level "Cyberspace Security Guardian Action 2020" signed during a Russia-China Working Group on ICT and Information Security, Kaspersky moved to localize its expertise in the Chinese market. The five-day course, led by Kaspersky experts Vyacheslav Kopeytsev and Pavel Gritsenko, provided Chinese ICS professionals with deep-dive training into the lifecycle of an industrial cyber incident.
The curriculum balanced theoretical architecture analysis with rigorous practical labs. Specific focus was placed on the complexities of industrial environments, such as analyzing memory dumps, Programmable Logic Controller (PLC) data, and industrial protocol network traffic. The program concluded with a final exam based on real-world investigations previously conducted by Kaspersky, ensuring that the transfer of knowledge was grounded in current threat landscapes.
## Business Impact
### For the Companies Involved
- **Kaspersky:** Strengthens its foothold in the critical Chinese infrastructure market. By aligning with the CIC (a state-affiliated body), Kaspersky cements its status as a trusted foreign security vendor at a time when geopolitical tensions often restrict such access.
- **CIC:** Gains access to "front-line" threat intelligence and forensic methodologies from a global leader, accelerating the maturity of China’s domestic industrial defense capabilities.
### For Competitors
- **Western Competitors:** Firms like Mandiant (Google) or Dragos face increased barriers in the Chinese market as Kaspersky secures "preferred partner" status through state-level cooperation.
- **Local Chinese Security Firms:** While Kaspersky is providing the training, local firms may eventually compete or partner with the newly upskilled workforce.
### For Customers
- **Industrial Operators in China:** Benefit from a workforce that is better equipped to handle sophisticated threats targeting PLCs and SCADA systems.
- **Global Multinationals:** Entities operating in both Russia and China may find more consistency in security standards and incident response protocols across these regions.
### For the Market
- **Standardization of ICS DFIR:** The collaboration signals a move toward standardized forensic practices in the Eastern bloc, potentially creating a divergent ecosystem from Western (NIST/SANS) frameworks.
## Technical Implications
The training highlighted the shift toward **PLC forensics**, a highly specialized field. Unlike standard IT forensics, ICS forensics requires extracting data from proprietary hardware without disrupting industrial processes. The focus on network traffic analysis for industrial protocols suggests a growing need for tools that can parse packets of industrial protocols (e.g., Modbus, PROFINET, OPC UA), which fall outside standard IT traffic, for signs of injection or manipulation.
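As an added illustration of that kind of traffic triage (not material from the training course or from Kaspersky tooling), the sketch below decodes Modbus/TCP requests and flags malformed frames and state-changing function codes sent by hosts outside an allowlist. It covers Modbus/TCP only; the IP addresses, the allowlist and the sample payloads are constructed assumptions.

```python
import struct

# Modbus function codes that change controller state (Modbus Application Protocol spec).
WRITE_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

def parse_request(payload: bytes) -> dict:
    """Decode one Modbus/TCP request (MBAP header + PDU) from a TCP payload."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    rec = {"tid": tid, "unit": unit, "func": func, "write": func in WRITE_CODES}
    # Codes 0x05, 0x06, 0x0F, 0x10 and 0x16 start with a 2-byte target address.
    if func in (0x05, 0x06, 0x0F, 0x10, 0x16) and len(payload) >= 10:
        rec["address"] = struct.unpack(">H", payload[8:10])[0]
    return rec

def triage(records, allowed_writers):
    """Return findings for malformed frames and writes from unexpected sources."""
    findings = []
    for src, payload in records:
        try:
            req = parse_request(payload)
        except ValueError as exc:
            findings.append((src, "malformed", str(exc)))
            continue
        if req["write"] and src not in allowed_writers:
            detail = f"{WRITE_CODES[req['func']]} unit={req['unit']} addr={req.get('address')}"
            findings.append((src, "unexpected-write", detail))
    return findings

# Constructed sample payloads (not from a real capture).
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),   # read holding registers
    ("10.0.0.5", bytes.fromhex("00020000000601060010012c")),   # write from allowed host
    ("10.0.0.77", bytes.fromhex("0003000000060105000aff00")),  # write from unlisted host
    ("10.0.0.77", bytes.fromhex("00040000000901030000")),      # length field mismatch
]
```

Calling `triage(SAMPLE, allowed_writers={"10.0.0.5"})` returns two findings, both for the unlisted host: one unexpected coil write and one frame whose MBAP length field disagrees with the payload size.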
## Strategic Analysis
- **Market Positioning:** Kaspersky is positioning itself as the bridge between international technical excellence and regional political compliance.
- **Competitive Advantage:** Direct involvement in training government-affiliated emergency response teams provides Kaspersky with unparalleled insights into the specific hardware and vulnerabilities prevalent in China’s industrial sector.
- **Challenges:** The deepening ties with Chinese state-level organizations may further complicate Kaspersky’s relationship with Western government agencies, particularly in the US and EU.
## Industry Reactions
- **Analyst Opinions:** Analysts view this as a classic "soft power" move in cybersecurity, where technical training serves as a precursor to multi-year software licensing and service contracts.
- **Market Response:** The move reinforces the trend of "cyber-sovereignty," where nations choose strategic partners based on geopolitical alignment as much as technical merit.
## Future Outlook
- **Predictions:** Expect to see an increase in joint "Cyber Exercises" between Russia and China, moving beyond training into active threat-hunting collaborations.
- **What to watch for:** Potential expansion of this training model to other "Belt and Road Initiative" countries, where China and Russia seek to provide the digital backbone for industrialization.
## For Security Professionals
Practitioners should note the emphasis on **interdisciplinary skills**. Being an expert in Windows forensics is no longer sufficient in the ICS world; professionals must now understand "physical evidence" (hardware states) alongside "digital artifacts" (memory dumps). The focus on formulating "actionable recommendations" after an investigation highlights a shift from merely identifying a breach to ensuring industrial resilience and preventing recurrence in high-availability environments.