Welcome to the Interactive Agenda for the 2016 ICS Cyber Security Conference! (View the full ICS Cyber Security Conference website here)  This agenda is currently a work in progress; please check back often as our team is making updates DAILY. (You can register for the conference here)

Monday, October 24
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!

Monday October 24, 2016 7:30am - 10:00am
Sponsor Hallway

7:30am

Registration and Badge Pick Up
The 2016 ICS Cyber Security Conference registration desk will be open from 7:30AM - 6PM. Pre-Registered attendees, speakers and sponsors may pick up their conference badges and materials. Be sure to register online to save money on the in person registration rate. 

Monday October 24, 2016 7:30am - 6:00pm
Sponsor Hallway

8:00am

Automation Exploitation [8AM-5PM]

Learn how attackers reverse engineer, compromise, and backdoor control systems.

Brought to you by the Senrio research team (formerly Xipiter) whose custom developed trainings have sold out at Blackhat five years running, this intense hands-on Automation Exploitation workshop is meant to provide an introductory basis to the unique security challenges in the world of Automation.

Participants will learn how attackers reverse engineer, tamper with, and exploit all parts of an industrial control network. Since Automotive technologies have their roots in Industrial Control and Building Automation (CAN bus), this course will also include "Car Hacking" content. Participants will learn about threats to those systems, perform hands-on attacks themselves, and learn how these insecure design patterns are found throughout the world of Automation (and automotives!).

Who Should Attend:

  • Field Service Engineers, Safety Engineers, Automation Engineers, "Makers", Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student Requirements:

  • Understanding basic computing.
  • Some programming experience a plus.

What to Bring:

  • A laptop (running their favorite OS) capable of connecting to wired and wireless networks. Laptop must also have several available and operational USB Ports
  • Installed and valid VMWare workstation (with working access to USB Ports and network card bridged or NATed)
  • Three button external mouse.

Speakers
Stephen A. Ridley

Founder and CEO/CTO, Senrio
Stephen A. Ridley is Founder and CEO/CTO at Senrio. He has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on SecurityWeek, NPR, Wired and numerous other publications. Prior to Senrio, Mr. Ridley was Principal Researcher at Xipiter and served as Chief Information Security Officer of a financial services firm. Prior to... Read More →


Monday October 24, 2016 8:00am - 5:00pm
Workshop 4 (Salon 5)

8:00am

Cybersecuring DoD Control Systems [8AM-5PM]
Class is limited to 40 students, additional fee required. Register to confirm a seat

This workshop is open to registration for all conference attendees, not just DoD employees.

Over the past several years, the nation’s communities have seen an increasing shift to “smart buildings” that use internet-enabled wireless technology to control building-related systems. Such trends also are being seen in U.S. military facilities. In early 2015, following the release of a Government Accountability Office (GAO) report that called attention to building-related cyber risks, the House Armed Services Committee approved legislative language requiring the U.S. Department of Defense (DoD) to perform a cyber-vulnerability study as part of its fiscal year 2016 defense authorization bill.
 
The Cybersecuring DoD Control Systems Workshop is geared to help architects, engineers, contractors, owners, facility managers, maintenance engineers, physical security specialists, information assurance professionals—essentially anyone involved with implementing cybersecurity in the facility life cycle—to learn the best practice techniques to better protect DoD facilities.
 
Department of Defense Instruction (DoDI) 8500.01 and DoDI 8510.01 incorporate Platform Information Technology (PIT) and PIT systems into the Risk Management Framework (RMF) process. PIT may consist of both hardware and software that is physically part of, dedicated to or essential in real time to the mission performance of special-purpose systems (i.e., platforms). PIT differs from individual or stand-alone IT products in that it is integral to a specific platform type, as opposed to being used independently or to support a range of capabilities (e.g., major applications, enclaves or PIT systems). A Control System (CS) is a specific type of PIT that consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an objective (e.g., transport matter or energy, or maintain a secure and comfortable work environment).
 
The Cybersecuring DoD Control Systems Workshop will include hands-on classroom exercises and labs to footprint a CS as a hacker would do; use the Cyber Security Evaluation Tool (CSET) to establish a risk baseline and create a System Security Plan; and use the enterprise Mission Assurance Support System (eMASS) to load projects using the new DoDI 8510.01 RMF process. Attendees will gain in-depth experience on using the Committee on National Security Systems Instruction (CNSSI) 1253; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 R4; NIST SP 800-82 R2; the Joint Staff Mission Assurance Vulnerability Benchmarks 2015; the J-BASICS Advanced Cybersecurity Instructions Tactics, Techniques and Procedures 2016; and other key publications and tools to load and manage a project through the six steps of the RMF.

Speakers
Michael Chipley

President, The PMC Group LLC
Dr. Chipley has over 30 years of consulting experience in the areas of Program and Project Management, Cybersecurity, Energy and Environmental (LEED, Energy Star, and Carbon Footprint); Critical Infrastructure Protection and Analysis; Building Information Modeling (BIM) Technology; Base Realignment and Closure (BRAC), and Emergency Management/Disaster Recovery.  Dr. Chipley served 24 years as a Civil Engineer in the US Air Force and has... Read More →


Monday October 24, 2016 8:00am - 5:00pm
Workshop 3 (Conference B)

9:00am

Managing the Industrial Control Message: Firewalls vs NGFW vs Parsing

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so not to raise alarms and draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.

KEY TOPICS & TAKE AWAYS

  • Understand ICS commands and identify abnormal behavior
  • Learn what is normal vs. abnormal activity relative to standard industrial protocols
  • Define types of DPI and weigh their relevance to types of environment
  • Pros and cons of blacklisting vs whitelisting

 


Speakers
Matt Cowell

Director, Industrial Markets, Ultra Electronics, 3eTI.
Matt Cowell is Director, Industrial Markets at Ultra Electronics, 3eTI. He has more than 15 years of experience in ICS and OT applications with a focus on networks and cyber security. He has specific expertise in automation and SCADA systems as the company's lead for market development through solutions that efficiently secure businesses in power utilities, oil and gas, water treatment, building automation and manufacturing. Matt successfully... Read More →


Monday October 24, 2016 9:00am - 9:45am
Workshop 1 (Salon 3)

9:00am

OT Security – The Big Picture.

OT Security, Control System operation and system administration management often focus on the technology, overlooking the people, process and politics side of the equation.  Through this presentation explore the soft underbelly of the cyber challenges in the ICS Domain.  As the former CIO of a System Integrator and Workforce Development Co-Chair for the ICSJWG, Mike offers a wide-angled view of why securing critical infrastructure is so difficult, and doesn’t need to be.  Creating a comparison of the contrasting views of the need from the inside of several different organizations within Critical Infrastructure, Mike breaks down the difficult-to-talk-about topics and takes an honest approach to understanding the issues.

This discussion will shed light on how internal politics drive top-down policies and ultimately fail in accomplishing anything but contradiction and conjecture.  This sets up the event horizon for loss of intellectual property through well-intentioned trusted insiders, applying “best practices” that actually hurt your organization, and lost production due to fear and a lack of establishing ownership of the problem.

Security does not solve problems, it does not make money and the security paradox is that it rarely provides a more secure environment.  Lack of true situational awareness is the most dangerous part of our Nation’s infrastructure.  The problem is most people do not understand that we are missing a key data point to provide a well-rounded awareness…

Let’s explore through questioning the assumptions and talk about the tough topics.


Speakers
Michael Glover

Vice President of Industrial Control Systems Strategy, TDi Technologies
Michael Glover is Vice President of Industrial Control Systems Strategy at TDi Technologies and has over twenty years of information technology management and eight years of industrial control systems security leadership experience. Prior to TDi, Mr. Glover was the Managing Partner at Fox Three and founder of an agile innovation firm securing the Nation’s Critical Infrastructure through research, consulting, and education to provide... Read More →


Monday October 24, 2016 9:00am - 9:45am
Workshop 2 (Salon 4)

9:45am

Hacking IEEE 802.15.4/WirelessHART From the Ground Up

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short, WirelessHART is widely used in the SCADA/ICS field.

For this reason, ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are no tools to properly audit and/or challenge it from a security perspective. No detailed information is available, which makes it challenging to conduct vulnerability development research against it.

Our presentation will cover the research that was required to build a WirelessHART fuzzing platform: from acquiring information, choosing targets, the development platform (hardware and software) and reverse engineering third party implementations to the trial and error we went through while developing our WirelessHART fuzzing platform.

Agenda

  • Researching WirelessHART

  • Understanding the protocol

  • Reverse Engineering Third Party implementations

  • Designing and Building a WirelessHART Fuzzing platform

  • Hardware Platform

  • Transmitter

  • WH debugging (Sniffing and Dissecting)

  • Triggering and Catching crashes

  • Case study

  • Demo 

What is WirelessHART? Wikipedia describes WirelessHART as "a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The protocol utilizes a time synchronized, self-organizing, and self-healing mesh architecture. The protocol supports operation in the 2.4 GHz ISM band using IEEE 802.15.4 standard radios. Backward compatibility with the HART “user layer” allows transparent adaptation of HART compatible control systems and configuration tools to integrate new wireless networks and their devices, as well as continued use of proven configuration and system-integration work practices. It on the estimated 25 million HART field devices installed, and approximately 3 million new wired HART devices shipping each year. In September 2008, Emerson became the first process automation supplier to begin production shipments for its WirelessHART enabled products."

Speakers
Sergio Alvarez

Security Researcher and Reverse Engineer, Applied Risk
Sergio Alvarez is a security researcher and reverse engineer at Applied Risk, with over 15 years of experience in vulnerability research, exploit development and both blackbox and whitebox application pentesting. Sergio has found numerous critical security vulnerabilities in widely deployed software like Apple Quicktime, Apple MacOSX, Apple iOS, and pretty much all antivirus software out there. He has delivered presentations at well known computer... Read More →


Monday October 24, 2016 9:45am - 10:30am
Workshop 1 (Salon 3)

9:45am

Improving the Industrial Cyber Security Ecosystem

The presentation will be an open and general discussion on why there is still such a reluctance at the corporate level to take responsibility for cyber-security. This talk will address topics including: 

  • Classifying attacks as “Incidents” when they are actually “Cybersecurity attacks” and the underreporting of internal threats and violations of policies.
  • How vendors and cybersecurity professionals need to do a better job at educating end customers with greater details to the risks, benefits, costs associated with cybersecurity management
  • Where do we typically focus on cyber security measures and why they are not adequate? Examples of ICS cybersecurity breaches that were avoidable if ICS architecture was designed with OT policies and procedures, instead of IT.
  • Value in regional deployments for “simulated honeypots” on their own infrastructure networks to share findings

With increasing attacks on critical infrastructure networks that have become more frequent and consequential, more effective operational cyber solutions are required that aggregate, analyze and correlate various sources of data and across multiple platforms into a near-real time visualization that depicts the potential threats emerging. Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. With complex systems of interacting devices, networks, organizations and people to facilitate the productive sharing of information; this is quickly becoming as much of a benefit as it is a threat.

The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, Interoperability and Authentication

Maintaining the integrity of the ICS requires thorough understanding of the communications standards used between all the various ICS components, so that we maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cyber security threats, and poor network health problems. The symptoms are obvious: sluggish HMI updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy OT network is key to preventing these failures. This discussion mentions the tools and techniques used by professional cyber security firms, including Network Security Monitoring (NSM), Intrusion Detection Systems (IDS), and manual analysis techniques, to find and isolate problems on OT networks before they cause harmful impacts or, worse, are found by your adversaries.

The takeaway for the attendees will be to demonstrate why all facets of the cybersecurity industry must work together to improve end customers' cyber-security processes and understanding, from the basic framework to how their resources and organizational structure grow over time to result in a stronger security posture. An acknowledgement from our sector that a lot still needs to be done with standards, collaboration and awareness.

This presentation will also provide end users with a roadmap to start or improve their cyber-security processes through a basic framework and how to develop their resources and organizational structure over time to result in a stronger security posture.


Speakers
Anil Gosine

Anil Gosine has over 17 years of construction management, operations and engineering experience within the Industrial Sector with primary focus on Electrical, Instrumentation and Automation process issues in US, Canada and Caribbean. He has been involved in the Water/Wastewater industry for over 10 years engineering, implementing and project managing a wide range of projects, products and control system technologies within this industry... Read More →


Monday October 24, 2016 9:45am - 10:30am
Workshop 2 (Salon 4)

10:30am

Break
Monday October 24, 2016 10:30am - 11:00am
Sponsor Hallway

11:00am

Case Study: OT Security Management at a Major Oil and Gas Company

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data-driven decisions and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

  • Top-down approach for standardizing plant-wide security practice
  • Focus on security essentials and automate their enforcement to save scarce engineering and IT personnel time
  • Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

  • What is the aim to strengthen OT security posture and compliance maturity?
  • What challenges are organizations with complex ICS networks facing when addressing OT security?
  • Review of a global OT security project strategy, architecture and functionalities
  • Outcome and recommendation for other industrial and critical infrastructure organizations

Speakers
Don Harroll

North America Director of Sales, NextNine
Don Harroll is North America Director of Sales for NextNine.



Monday October 24, 2016 11:00am - 11:45am
Workshop 1 (Salon 3)

11:00am

Surprises in a Decade of Evolving SCADA Security Advice

Over the last decade, Industrial Control System Security has risen to a prominent role in our lives. Much has been said and written to offer our community guidance and structure over this time. Join us for a sometimes humorous, sometimes encouraging, and sometimes pitiful look back at some of the highlights and lowlights from SCADA Security research, advice, and regulation over the past 10 years.


Speakers
Michael Firstenberg

Director of Industrial Security, Waterfall Security Solutions
Mike Firstenberg is the Director of Industrial Security for Waterfall Security Solutions. Mike brings almost two decades of experience in Control System Security, specializing in Control System Cyber Security. With a proven track record as a hands-on engineer - researching, designing, and implementing strategic security solutions, Mike has an established background working with governmental institutions, regulatory authorities, and industrial... Read More →



Monday October 24, 2016 11:00am - 11:45am
Workshop 2 (Salon 4)

11:45am

Disassembly and Hacking of Firmware: Live Hacking Demonstration

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools - with live hacking demonstration

In this session we'll cover:

  • Vulnerability and capability assessment of firmware attacks
  • Physical ramifications of tool attacks
  • Finding and verifying firmware
  • Some instances where "less security" is better
  • Safety / Security tips for firmware  

Take Aways:

  • Better understanding of the location and use of firmware in unexpected places.
  • Gain insight into the attack methodologies for and security of devices with firmware.

Speakers
Monta Elkins

Security Architect, FoxGuard Solutions
Monta Elkins is currently Security Architect for FoxGuard Solutions, an ICS patch provider. A security researcher and consultant; he was formerly Security Architect for Rackspace, and the first ISO for Radford University.  He has been a speaker at DEFCON , Homeland Security’s ICSJWG (Industrial Control Systems Joint Working Group), EnergySec's Security Summit, VASCAN, GE Digital Energy's Annual Software Summit, Educause Security... Read More →


Monday October 24, 2016 11:45am - 12:30pm
Workshop 1 (Salon 3)

11:45am

Security or Communications Problems: How to tell the Difference

A significant part of implementing security is identifying that there really is a security problem. This session will include a discussion of Polling Strategies and communications integrity checks that can be done online. These checks can trigger alarms in the SCADA system if they detect real security problems. Furthermore, they can help telecommunications staff detect performance problems earlier.

This session will use DNP3 in this example, but other protocols have similar features.


Speakers
Jake Brodsky

Control Systems Engineer, Washington Suburban Sanitary Commission (WSSC)
Having spent nearly 30 years of his Control Systems Engineering career at the Washington Suburban Sanitary Commission, Jake Brodsky has a lot of hard won experience (making mistakes), learning to live with his creations. He has eagerly shared this experience with various standards committees. He has been a member of the DNP3 TC standards committee since 2007. With Bob Radvanovsky, he is co-founder of the SCADASEC e-mail list. Jake has published... Read More →


Monday October 24, 2016 11:45am - 12:30pm
Workshop 2 (Salon 4)

12:30pm

Lunch
Please join us for lunch in the Dining Room located on the 1st Floor of the Georgia Tech Hotel and Conference Center.

Monday October 24, 2016 12:30pm - 1:30pm
Dining Hall

1:30pm

Embedded Security for the Industrial IoT
In this session, attendees will learn:
  • To understand the similarities and differences between OT and IoT security
  • How mission critical IoT has different standards
  • Discover implications for the industrial internet
  • Recommendations on how to build ultra-secure industrial ecosystems
 

Speakers
Dean Weber

CTO, Mocana


Monday October 24, 2016 1:30pm - 2:15pm
Workshop 1 (Salon 3)

1:30pm

Securing Connections for Industrial Control Systems

Securing OT traffic is a fundamental component of improving OT security. There is no question that OT systems need to be hardened against cyber adversaries. The threat is real and incident rates are increasing in number and severity. This presentation explains how a proposed authentication and authorization architecture secures industrial control systems by blending TLS to secure existing OT protocols, extending X.509 digital certificates with Industrial Certification Authority.

This presentation will cover the key challenges that need to be overcome in order to introduce a digital certificate-based industrial authentication authorization concept, as well as a proposal for a secure Modbus protocol.

What will be covered?

  1. The challenges to implementing security for OT-specific protocols; an overall authentication authorization architecture for protocols and devices
  2. How to implement a role-based access control system that does not require a centralized server to be online for communication

Intended audience: General public in charge of cybersecurity for OT/ICS 


Speakers
Evgeny Bugrov

Lead Cyber Security Architect, Schneider Electric


Monday October 24, 2016 1:30pm - 2:15pm
Workshop 2 (Salon 4)

2:15pm

Critical Infrastructure Attacks | Preventing the Kill Chain in Industrial Control Systems

Industrial Control Systems surround every aspect of our lives. Our water and electric supplies are fully dependent on reliable operation of those systems. The same goes for our medicine production or chemical facilities.

Are those systems fully secured? Is your OT network immune against cyber-attacks?

Stay one step ahead of the threat actors by learning from the experience of your sector counterparts. In this interactive discussion explore how to segment, secure and prevent various attack vectors on your OT networks. The conversation will examine using the most advanced discovery and detection techniques.


Speakers
Mati Epstein

Global Sales Manager, Industrial Control Systems (ICS), Check Point Software Technologies
Mati Epstein is the Global Sales Manager of Security solutions for Industrial Control Systems and Critical Infrastructure in Check Point’s Government and Defense sectors division. With over 20 years’ experience in sales and business development positions in the areas of communication and security, Mati specialized in the constraints and requirements for improved security, due to increased risks to ICS and Critical Infrastructure... Read More →


Monday October 24, 2016 2:15pm - 3:00pm
Workshop 2 (Salon 4)

2:15pm

Cyber-Physical Critical Infrastructure Mission Resiliency Analysis

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.


Speakers
Dr. David Flanigan

Vice Chair, Systems Engineering, Johns Hopkins University Applied Physics Laboratory
Dr. Flanigan works with government, industry, and academia to plan and execute analytical studies in support of advanced concepts and integrated acquisition strategies. Before arriving at JHU/APL, Dr. Flanigan was a Surface Warfare Officer and retired from the US Naval Reserve. Dr. Flanigan holds the following degrees: B.S. in Physics from the University of Arizona; M.S. in Information Systems and Technology from the Johns Hopkins University... Read More →


Monday October 24, 2016 2:15pm - 3:00pm
Workshop 1 (Salon 3)

3:00pm

Break
Monday October 24, 2016 3:00pm - 3:30pm
Sponsor Hallway

3:30pm

Are Your Networked Devices Working for You or Someone Else?

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices; some highlights (tailored toward the SCADA side) will be covered in the presentation.


Speakers
Matthew Caldwell, CISSP

Chief Security Researcher, BorderHawk
Matthew is Chief Security Researcher at BorderHawk.  Notably, Matthew was instrumental at BorderHawk’s Anchorage Lab in identifying cyber risks and developing mitigation strategies associated with IoT used within certain energy company environments. Matthew’s cybersecurity career began as a Security Analyst, then an Information Security Special Projects Manager (responsible for all cybersecurity testing and... Read More →


Monday October 24, 2016 3:30pm - 4:15pm
Workshop 1 (Salon 3)

3:30pm

Understanding the Role of Privilege in ICS Cyberattacks

The Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 breaches reported in the previous year, 98 percent could have been prevented if certain basic security protocols had been in place.

As evidenced by the Ukraine Power Grid Attack and other recent breaches, privileged accounts are on the attacker's critical path to success 100% of the time in every attack. Let’s elevate the conversation and talk about how this attack vector is taking the industrial world by surprise. In this session, Alex Leemon will present the case studies of two companies that have put in place proactive controls to safeguard industrial control systems from malicious insiders or external threats by implementing privileged account security controls as recommended by the DHS/FBI/NSA publication.

Attendees will also learn how to mitigate the risks associated with the increased connectivity between IT and OT through the implementation of controls that can be used to isolate, control and monitor interactive remote access sessions which connect to ICS.

With cyber-attacks posing an increasing threat to critical infrastructure, a change of mindset is needed – one that presumes an attacker will inevitably infiltrate the network. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that industrial organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.

Learning Objectives:

In this session, attendees will learn how organizations have applied the steps recommended by the DHS/FBI/NSA publication to safeguard industrial control systems. Attendees will learn how to lock up the “keys to the kingdom” through the implementation of a privileged account security solution while safeguarding critical assets from potentially malicious activity.

Attendees will also learn how to:

  • Reduce the attack surface area
  • Help prevent the spread of malware to critical systems
  • Implement Secure Remote Access
  • Monitor and Respond

Speakers
Yariv Lenchner

Senior Product Manager, Operational Technologies (OT), CyberArk
Yariv Lenchner is the Senior Product Manager, Operational Technologies (OT), for CyberArk Software. Over the past 15 years he has served in various product marketing, product management and system engineering capacities in the fields of Security, VoIP, IP networking and enterprise software. Before joining CyberArk, Yariv served in product management and product marketing positions at NICE Systems, as well as a system engineer for the Israeli...


Monday October 24, 2016 3:30pm - 4:15pm
Workshop 2 (Salon 4)

4:15pm

ICS Vulnerabilities in Modern Data Centers

The world’s industrial and critical infrastructure is now connected to the Internet -- and it’s completely unprotected against network-based attacks. There are many challenges ahead for securing the Industrial IoT. Organizations responsible for critical infrastructure are hesitant to enable Internet communications to industrial assets because of cybersecurity concerns. 

But integrating the “Industrial Internet” can lead to increased visibility into Operational Technology (OT) processes, applications and data. OT data such as Industrial Control Systems (ICS) can be leveraged to prevent disruptions and enhance operational efficiency and continuity.

In this presentation, Francis Cianfrocca will describe Industrial Internet security best practices that can move your organization from vulnerable to secure. The presentation will examine the challenges of IT/OT convergence with real-life stories from the field, describing actual Industrial Internet security projects and lessons learned. These use cases enable benefits such as reduced costs and improved efficiency; protection of field industrial devices from local and Internet-based attack; safe and secure third-party access to local OT/ICS devices and data; and aggregation and analysis of big data to create visibility and insight to operations such as:

  • Data Centers
  • Building Automation Systems
  • Critical Infrastructure

Data Centers are particularly vulnerable to cyber-attacks on industry and infrastructure. Today's hackers can shut down businesses and threaten personal safety by remotely accessing building automation systems, HVAC, power generation, fire suppression, access card readers, and so on -- anything with a sensor can be compromised.

Learning objectives for attendees 

  • Examination of the IT/OT convergence cyber security apertures
  • Overview of Best Practices for Industrial IoT cyber security
  • Operational policies that define how you manage your OT assets and processes
  • Security policies that define how you protect your physical OT assets and business processes from being compromised
  • Safety policies that define how you manage OT assets and processes to ensure the safety of your employees, your customers, the public, and the environment. 

 

 


Speakers
Francis Cianfrocca

Bayshore Networks, Founder & Chief Executive Officer
Francis leads Bayshore’s technology vision and thought leadership. He is Bayshore’s technology inventor, and a recognized IoT industry visionary and evangelist. He has a significant following on subjects relating to technology, cybersecurity, and national economic and security policy. He is a noted expert in the fields of data security, computer-language design, compiler implementation, network communications and large-scale...


Monday October 24, 2016 4:15pm - 5:00pm
Workshop 1 (Salon 3)
 
Tuesday, October 25
 

8:00am

Welcome to the 2016 ICS Cyber Security Conference

Welcome address and conference introduction for the 2016 ICS Cyber Security Conference. – Michael Lennon, Founder and Managing Director, SecurityWeek, Chairman of ICS Cyber Security Conference


 

Speakers
Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends and the threat landscape in the enterprise IT security and critical infrastructure space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.


Tuesday October 25, 2016 8:00am - 8:15am
Grand Ballroom

8:15am

Drone Attacks on Industrial Sites: A New Front in Cyber-Physical Security

With new Drone technologies appearing in the consumer space daily, Industrial Site operators are being forced to rethink their most fundamental assumptions about Industrial Sites and Cyber-Physical security. This presentation will cover Electronic Threats, Electronic Defensive measures, Recent Electronic jamming incidents, Latest Drone Threats and capabilities, defensive planning, and Electronic Attack Threats with Drones as delivery platform. 

This talk will present 2 drone attack scenarios with video [potentially live] demonstrations of drone attack capabilities on an industrial wireless flowmeter. The first attack will illustrate simple disruption of the flowmeter’s signal, potentially causing the non-report of a product spill (Hacktivist purposes). The second demonstration would take this a step further, demonstrating the ability for a $1000 drone to autonomously turn a directional disrupter via image targeting of plant personnel (Hacktivist/Malicious Attack purposes).

Attendee Takeaways:

  • A new appreciation for the terrifying capabilities now available in hobby drones.
  • A better understanding of how drones can now be the bridge that Hacktivists use to make attacks that were only possible in close proximity before.
  • Realization that large-scale EW attacks on industrial systems that used to be possible with military-grade equipment are now possible with hobby components.
  • An understanding of what a defensive security person must consider when risk-evaluating the threats to industrial wireless systems.
  • Using WiFi surveillance to track possible drone use, and scanning for MACs associated with drones.
  • Physical defense and what to tell your guards if they see a drone jump the fence.
  • Overview of law and FAA regulations concerning drone use in and around plant infrastructure.
  • Much more


Speakers
Jeff Melrose

Yokogawa US, Principal Technology Strategist for Cybersecurity
Jeff Melrose is the Principal Technology Strategist for Cybersecurity at Yokogawa US. Prior to his assignment with Yokogawa, Mr. Melrose was a Principal Security Engineer at Lockheed Martin and Raytheon designing secure systems for the US Military and US Intelligence Community. In those roles, he led Security Designers creating secure wireless technologies, developing secure networks and cryptographic infrastructures for the most paranoid of...


Tuesday October 25, 2016 8:15am - 9:00am
Grand Ballroom

9:15am

Keynote: Admiral Michael Rogers
Keynote by Admiral Michael Rogers, Director of the U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command.

Speakers
Admiral Michael S. Rogers

Director of U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command, NSA, U.S. Cyber Command
Admiral Michael Rogers is Director of the U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command. Admiral Rogers is a native of Chicago and attended Auburn University, graduating in 1981 and receiving his commission via the Naval Reserve Officers Training Corps. Originally a surface warfare officer (SWO), he was selected for re-designation to cryptology (now Information Warfare) in 1986. Rogers is a distinguished...



Tuesday October 25, 2016 9:15am - 9:30am
Grand Ballroom

9:30am

Conversation & Questions with Admiral Rogers
A conversation and Q&A with Admiral Mike Rogers, Commander, U.S. Cyber Command and Director, National Security Agency.

Moderators
Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends and the threat landscape in the enterprise IT security and critical infrastructure space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.

Speakers
Admiral Michael S. Rogers

Director of U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command, NSA, U.S. Cyber Command
Admiral Michael Rogers is Director of the U.S. National Security Agency (NSA) and Commander of U.S. Cyber Command. Admiral Rogers is a native of Chicago and attended Auburn University, graduating in 1981 and receiving his commission via the Naval Reserve Officers Training Corps. Originally a surface warfare officer (SWO), he was selected for re-designation to cryptology (now Information Warfare) in 1986. Rogers is a distinguished...



Tuesday October 25, 2016 9:30am - 10:00am
Grand Ballroom

10:00am

State of the State
Joseph M. Weiss is an international authority on cybersecurity, control systems and system security.

Speakers
Joe Weiss

SecurityWeek
Joseph M. Weiss is an international authority on cybersecurity, control systems and system security. Weiss will provide his annual "State of the State" talk, which weighs in on recent industrial cyber incidents, emerging security threats and more.


Tuesday October 25, 2016 10:00am - 10:30am
Grand Ballroom

10:30am

Break - Exhibits Open
Please visit our exhibitors and sponsors and enjoy refreshments in the Sponsor Hallway located outside the Grand Ballroom.

Tuesday October 25, 2016 10:30am - 11:00am
Sponsor Hallway

11:00am

Attack Demo: Hacking a Protective Relay

In this session we will demonstrate live cyberattacks against a Schweitzer SEL-751A feeder protection relay and the related impact to end devices and operator interfaces.

While the demonstration is not meant to single out any particular vendor or piece of equipment, it will highlight the lack of cyber security built into widely deployed intelligent electronic devices (IED), how these IEDs can be attacked and the physical impact they can have when compromised.

The cyberattack demonstration will highlight a loss of control of the relay, how such loss impacts an end device like a motor and how this can all be hidden from the operator. The attacks include an adversary gaining access to the relay, taking control, locking out administrators, and changing the relay’s configuration. In addition, the attacks will be masked to leave no trace, making it difficult for an operator to troubleshoot and recognize that the disruption was caused by a cyberattack, let alone prevent it from happening again.

The SEL-751A is an important piece of equipment performing many critical functions, and such attacks could be repeated across the same or different relays from different manufacturers.



Tuesday October 25, 2016 11:00am - 11:45am
Grand Ballroom

11:45am

Ghost in the Machine: SCADA Vulnerability Enables Remote Control of ICS Networks

Imagine an attack on critical infrastructures that could evade virtually all existing security measures (network firewalls, AV, application whitelisting, etc.) and that would operate generically across a wide range of different SCADA implementations. Indegy researcher Avihay Kain has discovered a vulnerability that would enable just such an attack. We will unveil the vulnerability for the first time at the 2016 Industrial Control Systems (ICS) Cyber Security Conference.

The vulnerability allows for remote code execution in Schneider Electric’s flagship product - the UnityPro software platform. (The vulnerability applies to all versions of UnityPro, including the latest release of version 10.0.) Schneider Electric’s UnityPro software platform, which runs on Windows-based engineering workstations, is used for programming and managing Schneider Electric equipment in industrial control networks including those operating critical infrastructure. Regardless of the specific SCADA application in use, if Schneider Electric PLCs are in use, UnityPro software will be deployed for the engineering stations, making this attack relevant across virtually any process controlled by Schneider PLCs.

While we will show an exploit specific to Schneider, all PLC vendors have similar proprietary engineering protocols and we should expect many vulnerabilities like it that apply to other vendors. The result is that those concerned with ICS security should realize two key points:

1.) Attacks on ICS networks do not require exploitation of vulnerabilities in SCADA/HMI applications or the controllers themselves:

There is a misconception in the industrial cyber security space that securing these networks only requires monitoring of the SCADA/HMI application protocols, for instance MODBUS and DNP3. However, there is an important distinction between the communication protocols used by HMI/SCADA applications, and the control-plane protocols which are used by the engineering station software. The lesser-known engineering station protocols are not fully documented, and worse, each vendor uses a different proprietary communication protocol, making it extremely difficult to monitor them. As a result, these protocols, which allow an attacker to access the controllers using the vulnerability described above, aren’t monitored and the engineering stations are mostly ignored.

2.) Combining security controls borrowed from IT Security with HMI/SCADA application monitoring is not enough to secure ICS.

It is commonly believed that with a combination of IT security technologies (secure network design, AV/anti-malware and application whitelisting) and monitoring the HMI/SCADA protocols mentioned in point 1, it is possible to prevent industrial network infiltration and device access. This exploit will look exactly like known good engineering work and will evade all of those controls, demonstrating that IT security plus HMI monitoring is not sufficient for ICS. Additional security controls for engineering network activity monitoring are needed.  


Speakers
Mille Gandelsman

Indegy, CTO
Mille Gandelsman is the CTO and Co-Founder of Indegy, an industrial cybersecurity startup that provides situational awareness and real-time security for industrial control networks. He leads Indegy’s technology research and product management activities. Prior to Indegy, Gandelsman led engineering efforts for Stratoscale and spent several years leading cybersecurity research for Israel’s elite intelligence corps. Gandelsman is an...


Tuesday October 25, 2016 11:45am - 12:30pm
Grand Ballroom

12:30pm

Lunch
Please join us for lunch in the Dining Room located on the 1st Floor of the Georgia Tech Hotel and Conference Center.

Tuesday October 25, 2016 12:30pm - 1:30pm
Dining Hall

1:30pm

An Industrial Immune System: Using Machine Learning for Next Generation ICS Security

As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access.

There is an urgent need for a new approach to combat the next generation of cyber-threats, across both OT and IT environments. While total prevention of compromise is untenable, utilizing automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or ICS.

Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense.

In this session, attendees will learn:

  • How new machine learning and mathematics are automating advanced threat detection
  • Why 100% network visibility allows you to preempt emerging situations, in real time, across both IT and OT environments
  • How smart prioritization and visualization of threats allows for better resource allocation and lower risk
  • Real-world examples of detected OT threats, from non-malicious insiders to sophisticated cyber-attackers
Sponsored by Darktrace

Speakers
Jeff Cornelius, Ph.D.

EVP, Industrial Control and Critical Infrastructure Solutions, Darktrace
Jeff Cornelius joined Darktrace in February of 2014 as EVP. His background with large Enterprise Software organizations over the past 15 years lends itself to the needs of a young, innovative, market-defining organization from a commercial standpoint. Jeff oversees the global strategic direction of Darktrace’s Industrial Immune System solution tailored specifically for Operational Technologies and Critical Infrastructure...



Tuesday October 25, 2016 1:30pm - 2:15pm
Breakout 1 (Salon 1,2,3)

1:30pm

CyberFence - More than an Industrial Firewall

Persistent attackers will always find a way in, often exploiting the very processes that facilitate productivity and profitable collaboration. Operators must lock down these access points to close frequently exploited attack vectors – firewalls are not enough. This session will give an overview of CyberFence, the award-winning and military-approved solution for robust and comprehensive industrial (ICS/SCADA) cyber security. CyberFence surpasses basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity. Listen for yourself why the US Navy, Department of State and many critical businesses worldwide trust CyberFence to secure network endpoints.

Sponsored by: Ultra Electronics, 3eTI


Speakers
Ben Garber

Cyber Guru, Ultra Electronics, 3eTI
Mr. Garber joined 3eTI soon after completing his Master of Science in Cyber Security at University of Maryland University College (UMUC). He is instrumental in designing and implementing hacker tools and techniques to conduct penetration tests for critical infrastructure. These cyber-attack scenarios are used for competitive analysis and evaluating new product features and rule sets. Mr. Garber continually assesses experimental network...


Tuesday October 25, 2016 1:30pm - 2:15pm
Breakout 2 (Salon 4,5,6)

2:15pm

Hacking the Bakken: Attacks on Kelly and Top Drive Oil Rigs

This talk will go into detail about how drilling systems communicate and some of the attacks that could be performed on a drilling rig. These include throwing off toolface information and burning out motors in BITs, disabling H2S and sour gas detection systems, and changing survey data to cause the drilling crew to drill out of zone, causing sidetrack and time drilling operations that can cost millions of dollars to a drilling rig. And finally, modifying chromatograph information and mud weight, causing a blowout and potentially burning a rig to the ground. Infection methods include Excel files used by directional drillers, MWD staff and third parties.

Research Background

Using a honeypot run as a disposable mail service on TOR, Weston Hecker came across custom-tailored malware including several versions of SAMSAM and Cryptolocker. In early May he came across a sample that targets Wellsite Information Transfer Specification (WITS) information and Measurement While Drilling (MWD) systems associated with land-based drilling platforms. This led him to research the attack surface of a drilling rig.


Speakers
Weston Hecker

Sr. Pentester & Senior Security Engineer, NCR Corporation
Weston Hecker has been pen-testing for 11 years and has 12 years of experience doing security research and programming. He is currently working for NCR Corporation. Weston has recently spoken at Blackhat 2016, Defcon 22, 23 and 24, Enterprise Connect 2016, ISC2-Security Congress, SC-Congress Toronto, BSIDESBoston, TakeDownCon, HOPE 11 and at over 50 other speaking engagements from telecom regional events to Universities on security subject...


Tuesday October 25, 2016 2:15pm - 3:00pm
Breakout 1 (Salon 1,2,3)

2:15pm

Risk Management & Insurance Implications of ICS Incidents [Panel]

ICS incidents threaten not just process safety and mission assurance, but also – based on the layer of assets compromised – may impact physical assets, result in operational downtime, and trigger liability. This session examines how the risk management community thinks about ICS cybersecurity impacts, from insurance actuarial models and underwriting decisions, to broker guidance for insureds, and to how risk managers approach the unique risks generated by ICS cyber events that cross multiple types of insurance policies. The session explores how risk management and vulnerability remediation relate to insurance coverage and costs, in a complex cross-section of insurance that is new to virtually every player in the food chain.


Moderators
Scott Corzine

Managing Director, FTI Consulting
Scott Corzine is a Managing Director at FTI Consulting, where he co-heads the Risk Management practice, a unit of the Global Insurance Services practice in the Forensic and Litigation Consulting segment. Scott is considered an expert in operational resilience and recovery, governance, compliance and risk management. Prior to FTI, Scott was co-founder and Principal of Risk Solutions International (RSI), a leading operational risk management...

Speakers
Mike Gaudet

Mike Gaudet, Managing Director at Marsh USA – (Broker)
Peter Halprin

Coverage Attorney, Anderson Kill LLP
David White

Chief Knowledge Officer, Axio Global, LLC
David White is founder and Chief Knowledge Officer at Axio Global — a cyber risk-engineering firm that helps organizations comprehensively manage cyber risk by harmonizing cybersecurity controls and cyber risk transfer. David works directly with Axio clients and is responsible for Axio’s Risk Action Framework and associated methods, including cybersecurity program evaluation, cyber loss scenario analysis, insurance program analysis...


Tuesday October 25, 2016 2:15pm - 3:00pm
Breakout 2 (Salon 4,5,6)

3:00pm

Break - Exhibits Open
Please join us for afternoon coffee and snacks in the sponsor hallway. 

Tuesday October 25, 2016 3:00pm - 3:15pm
Sponsor Hallway

3:30pm

Enhanced ICS/SCADA Security Using Field Device Fingerprints Composed of WS-DNA Features

Protecting Critical Infrastructure and Key Resources (CIKR) of the United States emerged as a national priority [Oba13] and simple adaptation of Information Technology (IT) security solutions for Industrial Control System (ICS) applications presents certain technical challenges for the cybersecurity community.

Results here expand upon AFIT’s PHY-based Level 0 protection strategy that was first introduced by researchers in [LoT14, LTM15]. These early works demonstrated a promising proof-of-concept capability for a Level 0 (physical end-device) anomaly detection scheme that aims to improve cyber-physical system resilience using device fingerprints composed of Wired Signal Distinct Native Attribute (WS-DNA) features. The WS-DNA features were extracted from WS responses of differential pressure transmitters employing smart sensor technology to control and monitor an experimental automated control process.

AFIT’s WS-DNA exploitation capability has been expanded, with results here based on field devices from four different manufacturers (Siemens, Yokogawa, Honeywell and Endress+Hauser) implementing the Highway Addressable Remote Transducer (HART) protocol. The aim is to discover discriminable PHY features from the Frequency Shift Keyed (FSK) signals used for closed-loop control. Discriminability is assessed for a multi-state problem using each of the manufacturer devices operating under two different conditions. Manufacturer and operating state discrimination results include percent correct classification of %C ≥ 90% for both manufacturer (cross-model) and serial number (like-model) assessments. Thus, Level 0 WS-DNA processing is promising for discriminating field device manufacturer/operating state and remains a viable alternative for securing ICS operations.


Speakers
Juan Lopez Jr.

Cybersecurity Research Engineer, Air Force Institute of Technology
US Air Force Institute of Technology


Tuesday October 25, 2016 3:30pm - 4:15pm
Breakout 1 (Salon 1,2,3)

3:30pm

Securing Critical Infrastructure in Global Companies. A Return on Experience

Franky Thrasher, Senior Cyber Security Expert & Information Systems Security Officer at ENGIE, will share his end user experience in securing globally distributed critical infrastructure at one of the world’s leading energy companies.

With more than 150,000 employees worldwide and revenues in excess of €69 billion, ENGIE understands how global companies can sometimes have highly diversified, complex models.

If you run a micro grid in Antarctica, a hydro plant in the rainforest and/or gas-fired power plants in Europe, and LNG fleets worldwide, are you facing the same challenges? Is any given standard applicable across your business? Is any technology applicable? Is your threat landscape modified according to your geographical location?

Thrasher will share his end user experience based on three different aspects:

Governance and regulations: Examples of corporate policies that are not applicable across the company due to either regulatory constraints or local sensibilities. The talk will also explain how policies and governance practices can be adapted to a complex business model in a global energy utility.

Technology: Examples will be provided of technologies that were implemented but were not as viable in different ICS environments, demonstrating that while magic “technology” boxes are useful, a completely different outlook is needed when deploying solutions on a global scale and across different business models. Thrasher will explain a remote connectivity solution developed internally because a market product that could meet the challenges ENGIE faced globally could not be found.

Geopolitics in cyber security: How is your risk affected when you have assets in the Middle East? In Turkey? In South America? Sometimes data is not allowed outside the country; sometimes technology is deemed illegal. What are some of the cultural issues you can run into? How does a conflict between two countries you have assets in affect your business? What happens when you are not allowed to do security testing across borders? This talk will also give to-the-point examples of issues experienced when doing cybersecurity across the globe.


Speakers
Franky Thrasher

Senior Cyber Security Expert & Information Systems Security Officer, ENGIE
Senior Cyber Security Expert & Information Systems Security Officer


Tuesday October 25, 2016 3:30pm - 4:15pm
Breakout 2 (Salon 4,5,6)

4:15pm

Achieving a Cyber Security Architecture for the OT Systems of Oil & Gas, Power, Chemicals, and Other Industrial Environments

This presentation provides a view of a target cyber security architecture made for industrial control systems – for the Operations Technology (OT) of the oil and gas, power, chemicals and other industries.

It would seem a straightforward idea. There is a cyber risk to vulnerable OT systems, so why not cyber-secure the process control networks (PCNs) by integrating layered security (a defense-in-depth security architecture) in the same manner as the IT enterprise is made secure? Sounds simple. Yet a deeper understanding of the OT – the technology, business and operational requirements – makes it clear that simply adding an IT defense-in-depth security is not so straightforward. In some cases, it can even run counter to the safe operation of the plant.

There is no question that OT systems need to be hardened against cyber adversaries. The threat is real. The vulnerabilities and lack of protections against cyber attacks are alarming. Incidents are cropping up in growing numbers, ever more consequential. But the PCNs in OT systems have significant differences from IT systems. The security architecture must fit the purpose and conditions of OT systems currently deployed in plants and remote locations - systems that are not easily replaced, enhanced or patched.

This is the challenge – to achieve a suitable security architecture for OT systems that provides needed defense-in-depth protections against cyber attacks while still meeting business requirements and safety functions.

This presentation delivers an architectural overview – first to reconcile the differences between OT operational requirements of reliable, real-time operations and safety with the cyber security requirements for identity and access control, asset management, segmentation, configuration and network management – just to name a few. Second, the presentation will discuss ways to achieve a target security architecture – one that can work within the reality of legacy (installed) PCNs with limited resource capacity constraints for computing and network flows.

How it is currently relevant to the industry: There is increasing concern within ICS industries (including Oil and Gas) about cyber threats at the same time that the industry becomes more aware of the existing exposures / vulnerabilities in its process control networks. The industry needs the right security answers – the kind that would work within a security architecture that is fit-for-purpose in an OT environment with its constraints and business demands.

What objectives will be covered?

  1. Defines the challenges to implementing cyber security in an oil and gas OT environment
  2. Defines what would be the target OT-suitable (fit-for-purpose) cyber security architecture
  3. Defines a three-step progression to achieve this target security architecture within the realities of PCN system and operational constraints

Intended audience: Engineers and Architects charged with security for OT/ICS 


Speakers

Carlos Solari

CIO, Mission Secure, Inc.
Carlos Solari is an internationally recognized information technology and cyber security expert. He has been involved in some of the most sensitive roles in the U.S. federal government as well as in large multinational corporations. As the former CIO of The White House, Carlos was responsible for the IT systems for the Executive Office of the President where the highest levels of national security must be protected. He also served as Vice...


Tuesday October 25, 2016 4:15pm - 5:00pm
Breakout 1 (Salon 1,2,3)

4:15pm

Addressing the ICS Cybersecurity Leadership Gap

Operational Technology (OT), and specifically Industrial Control Systems (ICS) and associated equipment and devices, have mostly been ignored by industry leadership.

Safeguarding this critical area requires a unique mix of technical and operating insight into how threat actors (hostile nation-states, terrorist organizations and hacktivist organizations) can compromise industrial controls that operate and manage industrial processes – at the process level, the control component level, the human-machine interface level and the SCADA system level.

This talk will raise the level of awareness in the C-suite and Boardroom to this perilous operating risk that we think needs to be elevated well above the current limited focus on compliance with regulatory regimes that have not kept pace with the executional characteristics of industrial cyber risk. Power and utility companies need to address these risks head on, and likewise CFOs and CISOs need to understand their true insurance coverage, and possible gaps, to assess whether their stature meets their company’s acceptable risk profile. Creating awareness at high levels and driving appropriate action is required.

Attendees will learn how companies should map their at-risk industrial component configurations, provide analysis and synthesis of the critical interfaces between operating OT and IT, perform risk and asset downtime impact assessments as part of their failure mode and effects analysis, and develop practical policy recommendations - so that cybersecurity experts and operating engineers can begin to correlate conventional information security anomalies with process controls events that may impact how effectively – and how safely – industrial processes operate. We believe effective security includes developing a documented understanding of the downtime impact of addressable system equipment across the entire process, or system, with specific focus on ICS interconnection and interdependency considerations.


Speakers

Ellen Smith

FTI Consulting
Ellen Smith has held senior leadership roles at several leading energy, power and utility companies including General Electric Co., Pratt & Whitney, Hess Corp. and as Chief Operating Officer of National Grid, U.S. Find out what Ellen, now Senior Managing Director and Power & Utilities segment leader for FTI Consulting, has to share about what is really missing in most U.S. power/utility companies’ cybersecurity...


Tuesday October 25, 2016 4:15pm - 5:00pm
Breakout 2 (Salon 4,5,6)

5:00pm

Sponsor Hall Cocktail Reception - Exhibits Open
Please join us in the sponsor hallway for a reception with cocktails and appetizers and network with industry peers. At this VIP reception we have prepared a fantastic menu and premium bar!

Tuesday October 25, 2016 5:00pm - 7:30pm
Sponsor Hallway
 
Wednesday, October 26
 

8:15am

Checklist for Process Security & Overview of ICS Patch Standard

Bill Cotter, Master System Engineering Specialist at 3M, will provide a Top 12 Checklist for Process Security, along with an overview of the ISA-TR62443-2-3 ICS Patch Standard.


Speakers

William Cotter

Senior Engineering Specialist, 3M
Mr. Cotter has more than 40 years of manufacturing experience in various chemical manufacturing areas. He started as a mechanical engineer then progressed through maintenance, project engineering and finally into process control. He has worked for a tire company, a large chemical, a small pharmaceutical and now 3M, where he has worked for the last 30 plus years. He has reached the level of Master System Engineering Specialist with the Process...


Wednesday October 26, 2016 8:15am - 9:00am
Grand Ballroom

9:00am

Inside the CRIT-EX 16.2 Cyberattack Readiness Exercise

The state of Indiana executed CRIT-EX 16.2 on the 18th and 19th of May, 2016, at the Muscatatuck Urban Training Center.  This cyberattack readiness exercise aimed to improve the overall security and responsiveness of Indiana’s critical infrastructure in the face of an advanced cyber incident that disrupts essential water utility services and presents a public safety threat. 

The Indiana Department of Homeland Security in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners developed this controlled functional cyberattack exercise to allow participants to deploy resources and communicate with response partners to mitigate adverse effects and expedite recovery.  Additionally, CRIT-EX is the first joint public-private partnership simulating responses to cyberattacks on the Muscatatuck water treatment plant, with expert programming and cybersecurity teams acting as cyberterrorists who attack the facility’s Supervisory Control and Data Acquisition (SCADA) systems.  

The exercise had three very important themes that differentiated CRIT-EX from other cyber exercises: First, participants had to agree on a common language. Second, privacy was at the center of the exercise. The third unique theme, and what is considered to be the hallmark of CRIT-EX 16.2, was the complexity of the event.

This presentation will cover the importance of training cybersecurity for industrial control systems in a complex environment. While using lessons learned as examples, the presenter will provide a roadmap to plan and execute a complex cyber exercise.

View a detailed description of the talk here 


Speakers

Douglas C. Rapp

President, Cyber Leadership Alliance
Douglas C. Rapp is the President and CEO of the Cyber Leadership Alliance, a nonprofit industry organization and an action arm for cyber efforts in Indiana. He also serves as the Advisor for Cyber and National Security for the State of Indiana. He holds an MS in Management from Indiana Wesleyan, and a Bachelor's from Indiana University in Fort Wayne. His accomplishments include creating the strategic plan for the Indiana National Guard Cyber...


Wednesday October 26, 2016 9:00am - 9:45am
Grand Ballroom

9:45am

Inside ExxonMobil's Initiative to Build a Next Generation Process Control Architecture

Don Bartusiak, Chief Engineer, Process Control at ExxonMobil Research & Engineering, will present an exclusive talk about ExxonMobil's initiative regarding a standards-based, open, secure, interoperable process control architecture.  Bartusiak will address the business problem that the world's largest publicly traded international oil and gas company is trying to solve and why ExxonMobil feels that existing ICS vendor approaches are not adequate to meet their needs.  

He will also discuss the status of formulation of an end user, supplier, system integrator, and standards organization consortium that is underway with The Open Group.  


Speakers

Don Bartusiak

Chief Engineer, Process Control, ExxonMobil
Don Bartusiak is Chief Engineer, Process Control for ExxonMobil Research and Engineering. He has 28 years of experience in process control and advanced computing with ExxonMobil and 7 years of experience in process development research with Bethlehem Steel. From 2000 to 2002, he was Lecturer and Adjunct Professor of Chemical Engineering at Rice University. Don received a B.S. (ChemE) from the University of Pennsylvania and...



Wednesday October 26, 2016 9:45am - 10:30am
Grand Ballroom

10:30am

Break - Exhibits Open
Please visit our exhibitors and sponsors and enjoy refreshments in the Sponsor Hallway located outside the Grand Ballroom.

Wednesday October 26, 2016 10:30am - 11:00am
Sponsor Hallway

11:00am

Demo: Technical Attack Disabling a Fully Air-gapped System

Live Demo: Remote Attack That Can Permanently Disable a Fully Air-gapped System

Industrial control systems that claim to be fully air-gapped often aren't. In particular, elements of the ICS take electrical power from a local network, or UPS. Power supply engineers who work on power disturbances can demonstrate certain types of events -- as simple as turning the power off and on in a particular pattern -- that can permanently disable typical off-the-shelf power supplies.  A technical discussion of this attack vector, with a follow-on live demonstration, will be provided.


Speakers

Alex McEachern

President, Power Standards Lab
Alex McEachern is well known worldwide for his cheerful, thought-provoking speeches on electric power quality. Active in writing and approving international power standards, Alex is the chairman of the IEC Working Group that sets the standard for power quality instruments, and the Chair of the voltage sag standard for the semiconductor industry, SEMI F47. He is a Fellow -- the highest possible member -- of the IEEE, with 30 U.S. patents awarded...


Wednesday October 26, 2016 11:00am - 11:45am
Grand Ballroom

11:45am

Industrial Equipment Exposed: The Rise of Industrial Vulnerabilities

The ICS threat landscape is expanding fast. With the rise of the Industrial IoT, and increased device connectivity, no mission-critical entity is safe. On one hand, the expansion of the Internet also makes ICS easier prey to attackers, with ICS components being available online. On the other hand, attackers can easily attain industrial products and technologies and reveal relevant vulnerabilities to exploit. Both aspects emphasize that it is getting increasingly simple for attackers to exercise their will in industrial environments, having to invest fewer resources to do so.

In this session, we will provide an example which emphasizes this trend, where the CyberX research group was able to expose vulnerabilities within a leading vendor’s PLC, getting from complete obscurity to the desired end-game, while having to cope with diverse challenges. These include physical extraction of components and decoding of the encoded firmware.

The aforementioned trend in the ICS Security eco-system leads to a flux in ICS vulnerabilities, which is part of the inevitable cat and mouse race between attackers and defenders in the ICS security domain. This race has reached a new level, where every Industrial IoT environment is in harm's way. We will also outline the need for comprehensive threat analysis tools for the ICS industry required to mitigate the ever-growing risks.

Attendee takeaways

  1. Understanding of the unique, yet attainable methods required for discovering and exploiting ICS vulnerabilities and how these facilitate the rising number of ICS cyber incidents.
  2. Industrial hacking expertise, once thought to be rare, is becoming more common knowledge.
  3. Forward thinking insights regarding the need for effective and readily available tools for the ICS industry.

Speakers

David Atch

VP of Research, CyberX
David is a highly experienced security professional with vast experience in reverse engineering and unique knowledge in malware research. During his military career in the Israel Defense Forces (IDF), Atch led a team of programmers and reverse engineers, hunting and mitigating complex cyber intrusions. He has also received multiple awards for technological innovation.

Nir Giller

CTO and Co-Founder, CyberX
Nir Giller, Co-founder and CTO of CyberX, is a seasoned security researcher with extensive knowledge and experience in securing OT networks. Following a lengthy career as a Team Leader and a Security System Engineer in the Israel Defense Forces (IDF) elite cyber unit, Giller brings to CyberX the invaluable combination of a true technology visionary with vast hands-on expertise.


Wednesday October 26, 2016 11:45am - 12:30pm
Grand Ballroom

12:30pm

Lunch
Please join us for lunch in the Dining Room located on the 1st Floor of the Georgia Tech Hotel and Conference Center.

Wednesday October 26, 2016 12:30pm - 1:45pm
Dining Hall

1:45pm

The Insecurity of Industrial Things

When hearing the buzz-word “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. This is a HUGE blind spot. Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers: They are fairly easy to compromise, are connected to high-value networks and detection often only happens after the fact.

This talk will share experiences exploiting embedded systems used in industrial control environments and discuss the reasons why these insecure design patterns exist, including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting. Attendees will get an inside view into how attackers operate and walk away knowing what to look for when future-proofing our industrial control systems.

This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. 


Speakers

Stephen A. Ridley

Founder and CEO/CTO, Senrio
Stephen A. Ridley is Founder and CEO/CTO at Senrio. He has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on SecurityWeek, NPR, Wired and numerous other publications. Prior to Senrio, Mr. Ridley was Principal Researcher at Xipiter and served as Chief Information Security Officer of a financial services firm. Prior to...


Wednesday October 26, 2016 1:45pm - 2:30pm
Grand Ballroom

2:30pm

Cybersecurity Services for the Next Level of Automation

Driven by business sustainability requirements, access to (near) real-time data within the automation industry has created a growing trend towards interconnectivity between control system and enterprise environments. A component of this trend is the movement away from proprietary control system platforms and technology, to a more open and interoperable Asset Control System. This development creates opportunities for businesses, but can also simultaneously increase their exposure to potential vulnerabilities. Due to the evolving, complex nature of control systems in the enterprise today, many asset owners simply do not know where to start when it comes to devising a security strategy. A lack of awareness about their current vulnerability state makes the effective application of security controls and/or processes difficult. Many customers lack experience in determining vulnerability levels, exposure, and possible impacts of threats to network and critical assets. They also face difficulty in effectively distributing and enforcing appropriate policies and procedures.

This presentation will describe how an external Cybersecurity Services team can provide valuable assessment, implementation, maintenance, and education services for businesses focused on minimizing Operational Technology (OT) cybersecurity risks within their ICS environment.  It will also include an overview of how IT / OT environments are converging today, the challenges with managing that process and the sprawl of the Industrial IoT.  Finally, we’ll discuss some best practices that have been assembled from lessons learned in Building Automation Systems, Water / Wastewater, Refineries, and other critical infrastructure.

Sponsored by: Schneider Electric


Speakers

Joshua Carlson

Cybersecurity Services Manager, Schneider Electric
Mr. Carlson possesses over 16 years of Cybersecurity experience working with the United States and Middle Eastern governments, global financial institutions, as well as market verticals for bulk energy providers, oil & gas, nuclear, petrochemical, and paper / pulp organizations; regional water / wastewater utilities; and food / beverage companies. He brings a breadth of technology skills including Industrial Control System security...



Wednesday October 26, 2016 2:30pm - 3:15pm
Breakout 1 (Salon 1,2,3)

2:30pm

Risk Management in ICS Security to Demonstrate Results

With cyber risk insurance as the fastest growing segment in property/casualty insurance, the discussion around industrial cyber security has moved from one of best practices and compliance to one of risk management. With the emergence of debt rating agency resiliency requirements, regulations and industry standards, boards have increasingly prioritized cyber security as a top enterprise risk.

Too many organizations opt to start with standards-based frameworks or maturity models to define their ICS security programs. Adopting these models can actually add risk and often fails to prioritize the most critical enterprise threats. Likewise, relying upon the opinions of Subject Matter Experts to take decisions where data is scarce can create more harm than good in the establishment of ICS security programs.

This talk will focus on using robust methods to define organizational risk tolerances and methods to measure and track programs against prioritized areas of risk. This approach allows ICS security program stewards and stakeholders to more easily demonstrate real improvements in security posture achieved with security-related expenditures.

With more organizations creating dedicated operational technology security structures and responsible executive leaders, the development and maintenance of a mature ICS security program is vital.  

Sponsored By: Honeywell

Speakers

Susan Peterson-Sturm

Director, Cyber Product Marketing & Strategy, Honeywell Process Solutions



Wednesday October 26, 2016 2:30pm - 3:15pm
Breakout 2 (Salon 4,5,6)

3:15pm

Break - Exhibits Open
Please visit our exhibitors and sponsors and enjoy refreshments in the Sponsor Hallway located outside the Grand Ballroom.

Wednesday October 26, 2016 3:15pm - 3:45pm
Sponsor Hallway

3:30pm

Know Your Industrial Networks Better Than Your Adversaries
Results and observations from joint IT/ICS projects

The hallmark of this year’s attack on the Ukrainian power grid was the extensive reconnaissance, performed by attackers on their target’s control networks, used to maximize system disruption. Situational awareness, incident response and recovery all depend on an accurate understanding of control system inventories, including normal process behavior. The Ukrainian attack has led our community to a key question: do we know our industrial control networks as well as our adversaries?

Despite the emergence of technologies that monitor data flows of industrial control networks, ICS operators consistently cite inadequate real-time views of control system topology, devices, and behavior as a fundamental obstacle to securing their operations. Historically, gathering and maintaining this information has proven incredibly labor intensive and disruptive to the economics of industrial operations.

Dr. Carcano’s talk will explore case studies in which emerging technology and process-centric analytics have facilitated more automated, passive methods of inventory collection, network monitoring and characterization of normal process behavior of industrial control systems.  These emergent technologies have enabled operators to baseline normal operational processes and measure network loading.  Dr. Carcano will discuss the operational and safety benefits of automated inventory technologies such as improved visibility to misconfigurations and early detection of zero-day attacks, device failures, and other anomalies. While improving operability, these technologies also hold the promise of expedited detection of adversaries’ reconnaissance activities and improved recovery times.

Speakers

Andrea Carcano

Chief Product Officer, Nozomi Networks
Andrea Carcano received the Ph.D. degree in computer science from the University of Insubria, Italy, in February 2012. During his PhD he had the chance to collaborate with international research groups and with important industries in the field of energy. From 2011 to 2013 he was a Sr. Security Engineer at Eni Spa with particular responsibility for the security of the interconnection between Critical Installation and office networks. He...


Wednesday October 26, 2016 3:30pm - 4:15pm
Breakout 1 (Salon 1,2,3)

3:30pm

Safety and Cyber Security: Toward a Safe and Reliable Operations

Health, safety, and environment (HSE) management systems are widely adopted by many organizations and industrial facilities we work with. The main benefits of HSE programs are risk reduction from injuries, lost time incidents, liability and insurance costs. Safety management systems have a long history of statistical evidence showing how different types of well-documented unsafe practices, near misses and incidents have been dramatically reduced and improved through ongoing awareness training, intervention and controls. The ongoing realization of a safety management system is a continuous effort towards zero incidents.

On the other hand, cyber security for industrial control systems (ICS) does not have the same benefit of decades of statistics, legislation, training, and budgets to build on, but is as critical as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is still strangely neglected in many organizations.

In this presentation, we will cover the various aspects of Safety and Cyber Security and how this could be part of every organization’s culture not only as a priority, but also as a core value:

  • How can Safety and Cyber Security programs be integrated to achieve the highest level of operational excellence?

  • How to use Cyber security awareness training to reduce risk and ensure safe/reliable operations?

  • Example of the first Cyber security Golden Rules from the first Online ICS Cyber Security Awareness Training for the engineering community.


Speakers

Jalal Bouhdada

Founder, Principal ICS Security Consultant, Applied Risk
Founder and principal ICS security consultant with over 15 years of experience as a security professional covering diverse platforms and security issues. His expertise is mostly focused around security assurance and risk assessment in OT environments. Jalal has knowledge of all areas of the ICS/SCADA security landscape including technical, personnel and awareness and physical security, security management, policies, procedures, regulations and...


Wednesday October 26, 2016 3:30pm - 4:15pm
Breakout 2 (Salon 4,5,6)

4:15pm

ICS Incident Response Planning

Most ICS organizations haven’t done a good job preparing to respond to a cyber attack. Further complicating this is the fact that IT personnel don’t have a good understanding of the ICS need for 100% availability, or what it takes to get a process up and running after it has been shut down. 

This presentation will help organizations prepare to respond to ICS cyber incidents whether they’re caused by unintentional insiders or malicious outsiders such as industrial spies, hacktivists, or nation-state attackers. Proper Cyber Incident Response planning will minimize financial losses due to system downtime, data loss, higher insurance premiums, and, most importantly, risk to the safety of the organization's personnel and the public.


Speakers

Jack Oden

Principal Program Manager, Cybersecurity Programs, Parsons
Jack D. Oden is a Principal Program Manager and Cybersecurity Compliance Subject Matter Expert (SME) within the Federal Defense & Security Division. Jack provides consulting services to US government and commercial customers on cybersecurity in the area of industrial control systems (ICS) for mission-critical infrastructure. Jack advises customers on the application of and compliance with legal, regulatory, and policy requirements, such as...


Wednesday October 26, 2016 4:15pm - 5:00pm
Breakout 2 (Salon 4,5,6)

4:15pm

Open Discussion: Cyber Issues With Safety and Security

Wednesday's breakout sessions will conclude with a moderated discussion of the important cyber issues with safety and security.

Open to audience participation, topics will include:

  • Understanding the differences between safety and security
  • What is currently happening with standards affecting safety and security
  • What are the pros and cons of integrated control and safety as it pertains to security should safety systems be connected (accessible) to the Internet
  • How should cyber security of safety systems differ from cyber security of control systems

Moderators

Joe Weiss

SecurityWeek
Joseph M. Weiss is an international authority on cybersecurity, control systems and system security. Weiss will provide his annual "State of the State" talk, which weighs in on recent industrial cyber incidents, emerging security threats and more.

Wednesday October 26, 2016 4:15pm - 5:00pm
Breakout 1 (Salon 1,2,3)

6:30pm

VIP Offsite Party at The Community Smith
Join us for a VIP reception at Community Smith, Midtown Atlanta’s modern meatery. The protein-centric cuisine is rooted in seasonal, responsibly-sourced global cookery. Designed to be a contemporary eatery with a neighborhood feel, Community Smith offers an innovative menu that showcases humanely-raised meat and seafood and vegetables at the height of their season, presented in a straightforward, approachable manner.

The bar serves classic cocktails, an esoteric wine list, and a considerable bottled craft beer list with an emphasis on approachability, service, and quality.


Wednesday October 26, 2016 6:30pm - 9:30pm
TBA
 
Thursday, October 27
 

8:30am

Ukrainian Hack: What it Means to the U.S. Grid

Could the U.S. nuclear or energy critical infrastructures be vulnerable to a cyber attack similar to the Ukrainian Power attack in 2015? 

Marlene Ladendorff is a subject matter expert on Nuclear Cyber Security for the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).  


Speakers

Marlene Ladendorff, Ph.D.

Nuclear Cyber Security SME, DHS ICS-CERT
Marlene Ladendorff, PhD, is a Nuclear Cyber Security SME for the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Her specific areas of interest and expertise include industrial control systems cyber security in the nuclear power and energy critical infrastructure sectors in the United States. Marlene has written cyber security strategies and training plans for the domestic nuclear power...

Joseph D. Price

Deputy Director, Critical Infrastructure Protection National & Homeland Security, Idaho National Laboratory
Joseph Price served as a Communications and Computer Systems Officer in the United States Air Force (USAF) for nine years, where he was one of the original members of the 609th Information Warfare Squadron (USAF’s first operational IW squadron) conducting computer network defense on Air Force and Joint networks starting in 1996. He has been active in cyber mission areas since then serving in multiple positions (operator, engineer, test...


Thursday October 27, 2016 8:30am - 9:15am
Grand Ballroom

9:15am

3 out of 5 ICS Security Practitioners Say What?

Using data from a few key research projects and primary interviews with a variety of industry practitioners, this session will provide insights into what practitioners are actually thinking and doing every day. What really are the perceived highest risks? What initiatives are gaining traction and which ones aren’t? Is the “C” level bought in? How is the ICS cyber security work force developing? Is OT and IT a divide that can’t be crossed or are organizations building bridges right now? Get the view from the trenches, and share yours as well.


Speakers

Derek Harp

Director, ICS Strategic Programs, SANS
Derek Harp is currently the Director for ICS Strategic Programs at SANS and the GICSP Steering Committee Chair. He is responsible for organizing events, resources and initiatives that educate and enable increased collaboration within the entire ICS security community. Mr. Harp has served as a founder, CEO, or advisor of early-stage companies for the last 18 years with a focus on cybersecurity. Derek is also a co-founder and a board member of...


Thursday October 27, 2016 9:15am - 10:00am
Grand Ballroom

10:00am

Fact or F.U.D.? – ICS Cyber-Attack Simulation and Impact Analysis

Using computer gaming technology for industrial purposes is certainly not an obvious concept. However, as the technology has improved with advanced AI and seemingly realistic physics, one can see where using gaming engines for something beyond just an entertainment medium might actually make a lot of sense. The industrial community seems to finally be turning the corner in regards to industrial control systems (ICS) cyber security. The community now understands that there is a real and growing threat to these systems and preventative security measures need to be put in place. An area of contention, however, remains the ability to determine a realistic threat level for each and every U.S. ICS-CERT advisory, flash report, and security vendor claim. Asset owners/operators find themselves at the mercy of speculation. After all, they can’t exactly simulate attacks that cause actual catastrophic results to industrial environments and systems. Or can they?

In this session, Clint Bodungen will demonstrate how several technologies once intended for completely different industries, such as computer gaming engines and engineering software/hardware, can be combined to simulate realistic consequences of cyber-attack scenarios on industrial systems. Powerful gaming engine physics and 3D animation, scientific data and simulation capabilities (i.e. Matlab and engineering applications), and real-life physical devices (i.e. PLCs) are all connected in this presentation in order to provide a cutting-edge look at the impact analysis capabilities with stunning realistic 3D visuals.

Key Takeaways:

  1. Attendees will gain an understanding of what cyber-attack simulation/impact analysis are, and why they are important for ICS risk mitigation.
  2. They will also learn methods of performing realistic cyber-attack simulation/impact analysis using different technologies together.
  3. As well as walk away with a better understanding of how to deploy these methods and tools in their own ICS risk mitigation program.

Speakers

Clint Bodungen

Senior Critical Infrastructure Security Researcher, Kaspersky Lab
With more than 20 years of professional experience in cybersecurity, including 12 years focused exclusively on ICS security, Clint brought his expertise to Kaspersky Lab as a senior critical infrastructure security researcher in May 2016. Throughout his career, Clint has worked in several key cybersecurity roles where he focused on cyber threat/vulnerability research, risk analysis, penetration testing, and cybersecurity product R&D for the...


Thursday October 27, 2016 10:00am - 10:45am
Grand Ballroom

10:45am

Break - Exhibits Open
Thursday October 27, 2016 10:45am - 11:15am
Sponsor Hallway

11:15am

Current Status of ICS in Developing Countries - Case Study of Argentina and LATAM

Although developed countries such as the United States have shown the path in terms of Cyber Security in Critical Infrastructure, developing countries are falling behind due to socio-economic conditions. Lack of investment and difficulty in finding the necessary skills are the main reasons that make Cyber Security a challenge for these countries.

This presentation goes through LATAM’s critical infrastructure situation with Argentina as a case study. On one hand, we provide the audience a brief overview of the actual cyber regulation and national initiatives. On the other, we describe the state of the main industries, common issues and the next steps to be taken in the near future.


Speakers

Pablo Almada

Manager, IT Advisory, KPMG
Pablo is a Manager at KPMG Argentina’s IT Advisory practice and has over 10 years of experience in different domains of Cyber Security. Pablo has remarkable experience providing consulting services in the Cyber Security space for different industries and organizations, mainly in the manufacturing, financial, Oil & Gas, telecommunication, Energy and industrial sectors in South America. He has developed experience in Cryptography...

Nicolas Brahim

Sr. Cybersecurity Consultant, KPMG
Nicolas is a consultant of the Cyber Security Practice, specialized in Industrial Control Systems Security, Cyber Architecture, Secure Software, among other subjects. Since joining KPMG, he has acquired vast experience providing consulting services in Information Security, IT Security and IT Audit for different industries and organizations, mainly in the manufacturing, financial, Oil & Gas, telecommunication, Energy...


Thursday October 27, 2016 11:15am - 12:00pm
Grand Ballroom

12:00pm

Practical Attacks on Oil and Gas industries

The industries most plagued by cyber-attacks are Oil and Gas businesses. Several attacks against the infrastructure of Oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major Oil companies. The Oil and Gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in Oil and Gas industries, and there are even specific SAP modules for Oil and Gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service and Oracle Enterprise Asset Management.

Cyber-attacks on SAP systems belonging to Oil and Gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices).

Moreover, SAP and Oracle serve business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks.

For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.

This talk, based on several case studies conducted during research and professional services, will shed light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to Oil and Gas companies as well as guidelines and processes on how to avoid them.

Takeaways

  • Understand specific risks related to Oil and Gas companies' infrastructure from IT and OT perspective.
  • Learn what kind of enterprise applications are used in the Oil and Gas industry and what kind of security issues they have.
  • Learn how to secure these applications.
  • For pentesters, it will be helpful to learn how to analyze security of these specific systems. For information security specialists, it will be useful to know how to protect their systems.

Speakers

Alexander Polyakov

ERPScan, CTO, Co-Founder
Founder of ERPScan, President of EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year. His expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions developed by enterprise software companies such as SAP and Oracle. He has received several accolades, and published over 200 vulnerabilities. He has authored multiple whitepapers such as annual award...


Thursday October 27, 2016 12:00pm - 12:45pm
Grand Ballroom

12:45pm

Lunch
Please join us for lunch in the Dining Room located on the 1st Floor of the Georgia Tech Hotel and Conference Center.


Thursday October 27, 2016 12:45pm - 1:45pm
Dining Hall

1:45pm

The Physics of Cyber Security

This presentation will describe the need to integrate approaches to the physical aspects of computer and network device security during design.

Even if steps are taken to make software attacks on a system impractical, it is possible to bypass these by attacking weaknesses in the physical implementation of systems. These attacks are much harder or even impossible to “patch” once systems are fielded, and include attacks on the physical implementation of memory (Row Hammer) and attacks on cryptographic systems using timing (cache timing attacks). Recently both of these have been demonstrated to be practical even without direct access to privileged instructions or native code; both have been accomplished from inside a browser’s JavaScript “sandbox.” Dealing with these sorts of attacks requires thinking about security at the physical device design stage.


Speakers

Stacy Prowell, Ph.D.

Chief Cyber Security Research Scientist, Oak Ridge National Laboratory
Dr. Stacy Prowell serves as the Director of Oak Ridge National Laboratory's Vehicle Security Center. Dr. Prowell is also the laboratory's Chief Cyber Security Research Scientist, leads the Cyber Warfare Research Team, and is the Program Manager for the lab's Cybersecurity for Energy Delivery Systems program. Dr. Prowell's research focuses on exploiting physical sensors and properties to detect and prevent intrusion, and on deep semantic...


Thursday October 27, 2016 1:45pm - 2:30pm
Grand Ballroom

2:30pm

Security Consequences of Using Cloud-Based Technologies in Industrial Environments

Not so long ago, seasoned control engineers would laugh at the thought of having their industrial control and SCADA systems connected to the Internet. However, times have changed, and today the Industrial Internet of Things (IIoT) is interconnecting industrial control system (ICS) devices and critical infrastructure to the Internet at an unprecedented pace. This in turn is forcing a fast, large-scale convergence of old and new technologies that is reshaping the reliability, availability and security of industrial environments.

Cloud computing is a paradigm that will eventually come into play with Internet-connected industrial environments. Currently, a vast amount of research is being pursued that investigates cloud-computing's role within the industrial and manufacturing space, as well as other critical infrastructures such as the smart grid. Nonetheless, one major consequence of using cloud-based technologies within industrial environments is that of mitigating pervasive cybersecurity risks for industrial systems. This presentation will highlight the current trends and advancements of cloud-based technologies for industrial environments, both from a practical and research perspective. More importantly, however, the session will provide insight into how cloud-based technologies might be used to alleviate complex cybersecurity challenges within industrial environments.

Learning Objectives:

Attendees will get a glimpse into the advancements of Cloud computing based technologies and their integration within industrial environments. The material will provide a balance of advanced research that will impact near-future industrial systems along with real-world implementations and results that are currently in progress around the world.


Speakers

Lane Thames

Software Development Engineer, Tripwire
Lane Thames is a software development engineer and security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management software. He also spends time looking for new vulnerabilities, contributing to the Tripwire State of Security blog, and understanding emerging cybersecurity...


Thursday October 27, 2016 2:30pm - 3:15pm
Grand Ballroom

3:15pm

Implementing a Publicly-Accessible Event and Incident Database

In this talk, Bob Radvanovsky will introduce the "SCada Incident Database", or "SCID".

The concept of the project is to include critical infrastructure incidents that have transpired over the years, with a majority of the database made publicly-accessible at no cost. 

The SCID repository will help:

  • Governments Worldwide
  • Private Sector Asset Owners
  • Legal Firms
  • Law Enforcement
  • Regulatory Organizations
  • Insurance Companies

The discussion will include screenshots of the repository, along with relevant field types being collected, and how the data is being ascertained.  Part of the discussion is to engage the audience as part of the project's development, as this is supposed to be a community-based effort. 

Additionally, this talk will address some of the controversial definitions, such as "incident", "cyber incident", "event", and "cyber event", and the reasoning behind the questions. For this part of the discussion, examples from existing documentation will be provided.


Speakers

Bob Radvanovsky

Critical Infrastructure Protection and Cyber Security Researcher
Subject matter expert and researcher in Homeland Security, Critical Infrastructure Assurance and Protection; member of DHS CSS-CWG, DHS CSSP ICSJWG, DHS NCIRP Nuclear Sector Working Group, DHS Cybersecurity Nuclear Sector, DHS TSA TSS-CWG, and DHS Cyber UCG.


Thursday October 27, 2016 3:15pm - 3:45pm
Grand Ballroom

4:00pm

Closing Remarks and Open Mic Discussions
The 2016 conference is winding down but there is still time for some great discussions! Please join us for closing remarks and an open discussion where anyone can make comments, share insights, ask questions and engage in a lively discussion. 

Speakers

Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends and the threat landscape in the enterprise IT security and critical infrastructure space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several leading security conferences.


Thursday October 27, 2016 4:00pm - 5:00pm
Grand Ballroom