Welcome to the Interactive Agenda for SecurityWeek’s 2017 ICS Cyber Security Conference! (View the full conference website here)  

This agenda is currently a work in progress and not yet complete. Please check back often, as our team is making updates and adding sessions DAILY. (You can register for the conference here)

Monday, October 23
 

TBA

See and Understand Where Your Most Critical Control Systems Are Vulnerable to Cyberattack

As we know, industrial and critical infrastructure are becoming a more prevalent attack vector for the modern hacker and cybercriminal. Standard security controls implemented on IT networks often don’t translate or interact with the OT environment. This means that malware or malicious attacks that would be detected through next-generation firewalls, packet inspectors and intrusion prevention systems could slip through into ICS or SCADA networks.

There are also risks and vulnerabilities present in the software and firmware of control system networks; their development methodology and security practices were designed and implemented for a very different security and threat landscape. These aging technologies lack encryption capabilities, data validation principles and other widely used security best practices that have evolved since their implementation.

Added to the innate security shortcomings of industrial networks, the threat landscape is rapidly evolving due to the availability of exploits and other attack tools available on the dark web. Cyberattacks can be quickly and easily launched on a global scale. This means future attacks are going to be faster, more frequent and will impact a much broader front and, to top it off, attackers don’t need advanced skills.

Without visibility of the devices, connections and security posture of your industrial networks, critical attack vectors are slipping through the cracks. Visibility, consistency and continuity are key to understanding and mapping your control systems and integrating them with your IT systems for a complete picture of your attack surface.

In this session, we will discuss key security challenges for industrial networks including:

  • What are the vulnerable and weak security technologies affecting industrial networks and devices
  • Lessons learned from industrial security incidents such as Operation Ghoul and the BlackEnergy-Borne power outage
  • How to bolster industrial network security and gain visibility to the overlap with IT networks

Speakers
Michelle Johnson Cobb

Michelle Johnson Cobb is the chief marketing officer for Skybox Security, a global leader in cybersecurity analytics. She helps to lead the company’s growth in more than 50 countries. For more than 15 years, Cobb has held executive roles in computer security, networking and ent...


Monday October 23, 2017 TBA
TBA

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!

Monday October 23, 2017 7:30am - 10:00am
TBA

8:00am

Automation Exploitation: Advanced Workshop [8AM-5PM]

Learn how attackers reverse engineer, compromise, and backdoor control systems.

Brought to you by the Senrio research team, whose custom-developed trainings have sold out at Black Hat five years running, this intense hands-on Automation Exploitation workshop is meant to provide an introductory basis to the unique security challenges in the world of Automation.

Participants will learn how attackers reverse engineer, tamper with, and exploit all parts of an industrial control network. Since Automotive technologies have their roots in Industrial Control and Building Automation (CAN bus), this course will also include "Car Hacking" content. Participants will learn about threats to those systems, perform hands-on attacks themselves, and learn how these insecure design patterns are found throughout the world of Automation (and automotives!).

Who Should Attend:

  • Field Service Engineers, Safety Engineers, Automation Engineers, "Makers", Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student Requirements:

  • Understanding basic computing.
  • Some programming experience a plus.

What to Bring:

  • A laptop (running their favorite OS) capable of connecting to wired and wireless networks. Laptop must also have several available and operational USB Ports
  • Installed and valid VMWare workstation (with working access to USB Ports and network card bridged or NATed)
  • Three button external mouse.

Speakers
Stephen Ridley

Founder and CEO/CTO, Senrio
Stephen Ridley, Founder and CEO/CTO of Senrio. Stephen has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on NPR, SecurityWeek, Wired and numerous oth...


Monday October 23, 2017 8:00am - 5:00pm
TBA

8:00am

Cybersecuring Control Systems

The Cybersecuring Control Systems Workshop is geared to help architects, engineers, contractors, owners, facility managers, maintenance engineers, physical security specialists, information assurance professionals—essentially anyone involved with implementing cybersecurity in the Control System (CS) life cycle—to learn the best practice techniques to better protect their CS.

The workshop provides a combination of classroom learning modules to teach control system basics, protocols, how to use the NIST Risk Management Framework and the Cybersecurity of Facility-Related Control Systems Design Guidance, and hands-on laboratory exercises using tools and methods to inventory, diagram, identify, attack, defend, contain, eradicate and report a cyber event/incident. This includes understanding and practicing hacker and defender techniques for footprinting, scanning and enumeration, exploitation, and post-exploitation cleanup and persistence. Attendees will see how hackers use exploit tools to gain entrance into the control system, pivot through the network, establish beacon command and control channels, modify logs to mask presence, and exfiltrate data. Attendees will also learn how to use the Advanced Control System Tactics, Techniques, and Procedures (TTPs) developed by the U.S. Cyber Command (USCYBERCOM) to create a Recovery Jump-Kit to find and eradicate malware and exploits using tools such as MalwareBytes, Microsoft Internals Suite, and OSForensics to perform data collection for forensics.

Workshop Overview

  • 0800-0900    Unit 1 Overview of Control Systems, Networking and Communication Protocols, NIST/SANS/ISA/ISSO Standards & Drivers
  • 0900-1015    Unit 2 Hacker Methodology
  • 1015-1030    Break
  • 1030-1115    Unit 3 UFC 4-010-06 Cybersecurity of Facility-Related Control Systems (Enclaves, Test and Development Environment, SCAP/STIGS)
  • 1115-1200    Unit 4 Overview of ICS-CERT CSET and GrassMarlin tools
  • 1200-1300    Lunch
  • 1300-1330    Unit 5 Advanced Control System Tactics, Techniques, and Procedures 
  • 1330-1400    Unit 6 Control System Forensics
  • 1400-1430    Unit 7 Acquisition and Procurement Language for Control Systems, Wrap Up Q&A

Monday October 23, 2017 8:00am - 5:00pm
TBA

8:00am

Reversing the CybatiWorks Blackbox

ICS and IT Software and Hardware Hybrid Defined Networks for Education, Testing and Applied Research. (Fee: $1000 - Includes CybatiWorks Mini Kit to take home $595 Value)

Description:  This day long workshop will reverse the freely available CybatiWorks Blackbox.  The Blackbox provides a hybrid software defined network combining software defined services and physical hardware for ICS and IT.  The tools can be used for education, and simulating use cases of models.  Have you ever wanted to expand your company's test network to be more realistic while still being able to maintain it by 1 person?  Are you seeking tools to validate your security controls?  Do you need to demonstrate to management specific examples of risk?  The help is here. 

Knowledge Outcomes:

  • Ability to create ICS hybrid software and hardware defined networks
  • Enable ICS and IT services within the hybrid environment
  • Create monitorable active packet streams within the hybrid model
  • Use the build, break, secure and make methodology to share knowledge with colleagues and validate security controls for ICS and IT

Participant requirements: A laptop with at least an Intel I3 processor and ability to associate 2GB of RAM to a VMWare virtual machine.  The laptop also needs at least one USB interface.  The CybatiWorks educational platform can be downloaded from the Google+ community.  Each participant will use and retain the CybatiWorks Mini Kits ($595 Value).


Monday October 23, 2017 8:00am - 5:00pm
TBA

9:00am

Moving Beyond Defense in Depth Perimeter Defenses with Deep Cyber Controls

Defense-in-depth measures and standard perimeter defenses are not enough to protect ICS systems from cyber attacks. What are the weaknesses of various detection and protection measures? What surfaces of attack can be reduced by implementing various cybersecurity controls and approaches such as trusted boot, measured boot, trusted updates, trust chaining, MFA, and secured transport? How will implementing hardware-based roots of trust or secure software enclaves change the cybersecurity posture of a device?


Speakers
Dean Weber

Chief Technology Officer, Mocana
With more than 30 years of experience in information and physical security, he leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. His background includes Chief Technology Officer at Applied Identity, which was sold to Citrix. E...


Monday October 23, 2017 9:00am - 9:45am
TBA

10:30am

Morning Break
Monday October 23, 2017 10:30am - 11:00am
Sponsor Hallway

11:00am

How to Select and Integrate Products to Create a Secure ICS
Modern Prometheus - Tips to Properly Select and Integrate Products to Create a Secure ICS

This presentation will provide techniques to successfully select security products for ICS systems and integrate products into a functional system. You’ve completed your vulnerability assessment and created a security plan. The plan requires the integration of security products (firewall, endpoint protection software, SIEM, Intrusion Detection System, etc.) into your ICS. Security appliance selection and integration can be a daunting task. In this session, we will provide concrete tips to assist in vendor selection. We will then discuss techniques to ensure smooth implementation of a solution comprised of products from disparate vendors.

Monday October 23, 2017 11:00am - 11:45am
TBA

11:45am

Connecting with the National Fusion Center Network to Reduce Uncertainty in ICS Cyber Events
Very few incidents involve only one sector in the modern age and uncertainty often dominates a region in the immediate aftermath of an incident. As organizations attempt to recover, they first have to determine what happened and their appropriate response. This process is further complicated at the ICS-level by regulations, management, vendors, and a host of other problems. Working with one of the 78 fusion centers located around the country can help in these chaotic times. This presentation walks through a real-life cyber incident against a transportation sector organization, an unknown incident against an electrical substation, and the preparation for a major sporting event to demonstrate how a fusion center combines information from dozens of sources and produces intelligence that substantially reduces uncertainty for everyone involved.

Speakers
Kellyn Wagner

Cyber Intelligence Analyst, Northern California Regional Intelligence Center
Kellyn Wagner is a Cyber Intelligence Analyst with the Northern California Regional Intelligence Center (NCRIC). She is responsible for the collection, analysis, and dissemination of cyber threat intelligence and vulnerability disclosures. Her areas of cyber expertise include dar...


Monday October 23, 2017 11:45am - 12:30pm
TBA

12:30pm

Lunch - Venetian Terrace
Please join us outside at the Venetian Ballroom Terrace for lunch (Weather permitting)

Monday October 23, 2017 12:30pm - 1:30pm
Venetian Ballroom Terrace

1:30pm

Intro to DHS’ Automated Indicator Sharing (AIS)

The Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector at machine speed. AIS participants connect to a DHS-managed system in the Department’s National Cybersecurity and Communications Integration Center (NCCIC) that allows bidirectional sharing of cyber threat indicators.

Presented by staff from the NCCIC, this 90-minute workshop will cover the following topics:

  • AIS concept and strategy
  • Operational walk through and technical demo
  • Creating and submitting STIX indicators
  • ICS path forward with AIS

Speakers
Omar Cruz

Project Manager, DHS National Cybersecurity and Communications Integration Center
Mr. Omar Cruz is a Project Manager responsible for leading efforts within the National Cybersecurity & Communications Integration Center (NCCIC) to help improve technology solutions for data analytics that enhance the Computer Network Defense (CND) Mission. Mr. Cruz most recently served as the Branch Chief for Cyber Threat and Information Sharing at US-CERT where he managed a team responsible for researching developments from nation-state Cyber Threat Actors, assessing for changes in their Tactics, Techniques and Procedures (TTPs), and identifying new Indicators of Compromise (IOCs) that could be used for the CND Mission. Mr. Cruz contributed to the Information Sharing mission of NCCIC and US-CERT by managing the daily operations supporting the Automated Indicator Sharing (AIS) Program, the Enhanced Cybersecurity Services (ECS) Program, the Cyber Information Sharing...


Monday October 23, 2017 1:30pm - 3:15pm
TBA

3:15pm

Afternoon Break
Monday October 23, 2017 3:15pm - 3:30pm
Sponsor Hallway

3:30pm

Twisted Haystack: Protecting Industrial Systems with Dynamic Deception

Deception techniques for cybersecurity are not new – honeypots have been used for many years. However, new types of deception techniques are being developed to supplement the classical honeypot approach. Deception can be used in a number of ways and for various end results. In this presentation, we will cover two main areas related to deception-based cybersecurity. Attendees will learn about the early types of deception technology along with recent advancements in the field. In particular, we’ll dive deep into deception technologies that are beneficial to industrial systems and introduce an open-source deception tool called Twisted Haystack that can be used for protecting these systems. Nowadays, industrial systems are becoming highly interconnected to information technology systems. For example, advanced manufacturing environments, healthcare environments, power grids, and many other critical infrastructure environments are now integrating Information Technology (IT) and Operations Technology (OT). An interesting benefit of the tool being discussed and released for this presentation is its extensibility in providing deception techniques for converged IT and OT environments. Lastly, the presentation will provide an overview of the open-source Twisted Haystack tool chain and how it can be deployed for protection services, as well as how it can be extended for environment-specific protections.

Learning Objectives:

The audience will learn about deception technology as related to cybersecurity in general and for securing industrial systems specifically. The open-source tool is built with the Python programming language and utilizes the “Twisted” python-based networking framework. The audience will learn about this new tool and how it utilizes the Twisted networking framework, as well as how it can be extended to add deception capabilities for virtually any Internet Protocol (IP) based industrial communication protocol. The audience will learn the strengths and weaknesses of various deception approaches in order to better understand how, where, and when a particular type of deception technology should be used. 


Speakers
Lane Thames, PhD

Tripwire, Senior Security Researcher
Lane Thames is a senior security researcher and software engineer with Tripwire’s Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and manageme...


Monday October 23, 2017 3:30pm - 4:15pm
TBA

6:00pm

Welcome Reception at Residence of British Consulate-General
Please join us at the residence of the British Consulate-General for a welcome reception.

Sponsored by: United Kingdom Department for International Trade (DIT)

Monday October 23, 2017 6:00pm - 8:00pm
British Consulate-General Residence
 
Tuesday, October 24
 

TBA

Passive vs. Active Monitoring: What’s The Right Choice for Your ICS Network?

One of the key design decisions to consider when implementing an industrial cyber security solution is which monitoring approach is best suited for your specific control environment: passive, active or a hybrid model? In this session we will present the pros and cons of each approach, including which types of anomalies and threats they can and cannot detect, and why. The speaker will also discuss the technical requirements involved in deploying each of these models as well as the challenges and benefits they provide.

Learning Objectives:

  • Learn about the differences between active, passive and hybrid ICS security monitoring approaches

  • Understand the benefits and disadvantages of each

  • Learn which security gaps are addressed and not addressed by each of them

  • Know which approach is best suited  for protecting your ICS network from cyber threats


Moderators
Chris Grove

Director of Industrial Security, Indegy
With more than 25 years of experience in the cyber-security industry, Chris Grove is the Director of Industrial Security at Indegy, an industrial security solution for mission-critical infrastructure. Previously, he spent 9 years at Imperva during which time he participated in many of their largest, most critical, and complex security projects for many of the...

Tuesday October 24, 2017 TBA
TBA

TBA

SCADA Bug Killing: Technologies and Timeline
Finding and remediating a subtle SCADA protocol bug is not easy nor is it immediate. A reputable automation company will already have tested many aspects of the software and hardware. And yet, sometimes bugs do slip through. This is the story of a device that slogged through many software audits and fuzz testing. It had been on the market for a few years already. But there was still an egregious flaw lurking in the device. This presentation is about the timeline and the technologies behind a software flaw detection and remediation effort. It also has relevance to SCADA protocol design, as well as security exploit response.

Keywords: DNP3, PLC, RTU, Vulnerability, fuzzing, SCADA

Speakers
Jacob Brodsky

Jacobs Cyber Innovation Lab
Having spent nearly 30 years of his Control Systems Engineering career at the Washington Suburban Sanitary Commission, Jake Brodsky has a lot of hard won experience (making mistakes), learning to live with his creations. He has eagerly shared this experience with various standards...


Tuesday October 24, 2017 TBA
TBA

TBA

Securing Control Systems using IEC 62443 Standards

Cybersecurity specifications are in place and are beginning to be required in industrial applications. How do end users ensure that products/systems are compliant with specified standards? Participants will learn about the structure and content of the international IEC 62443 control systems cybersecurity standards and the value of conformity assessment programs. Conformity assessment programs certify that Commercial off the Shelf (COTS) automation and control devices and systems and supplier security development lifecycle processes meet the requirements specified by the IEC 62443 standards. The presentation will also focus on the value of cybersecurity certifications to both end users and equipment vendors.

The presentation will briefly touch on one of the major conformity assessment programs – ISASecure. ISASecure is a globally recognized ISO/IEC 17065 certification scheme that uses certification bodies accredited by ISO/IEC 17011 accreditation bodies such as JAB, ANSI-ANAB, and DAkkS. ISASecure is structured using the security lifecycle concepts upon which the ISA/IEC 62443 standards are based. Certifications are conducted by globally recognized labs including TUV Rheinland, exida, CSSC-CL, and others.


Speakers
Dan Desruisseaux

Cyber Security Offer Leader, Schneider Electric
Cyber Security Offer Leader, Industry Business at Schneider-Electric


Tuesday October 24, 2017 TBA
TBA

TBA

Are Your Industrial Systems Lying to you? Protecting Critical Infrastructure in the age of Industrie 4.0

As the world becomes increasingly Smart, we rely more and more on remote sensor data to be our eyes and ears. From fluid pressure measurements in a cooling system to the turbine RPM sensors used by control room operators at a power plant, both humans and algorithms make decisions based on this data, all day, every day.

But what if that information is wrong? What if an attacker manipulates the decision makers (be it man or machine) into doing the wrong thing? An intelligent adversary can wreak havoc on a Smart system by faking sensor information, thus creating an illusion of a false state. The lie can hide malicious activity by simulating a normal system state, or even worse: fooling the system into damaging itself.

In this talk we’ll discuss several real life scenarios of damage done by state awareness failure, from statewide blackouts to traffic jams. We’ll talk about the unique fingerprint of every physical process and state - and see a demonstration distinguishing 2 identical motors. Then, we’ll use this technique to detect synthetic and fake data by “reading between the lines” of the signal.

Finally, we’ll show a SCADA attack demonstration from a lab that hides the damage it’s causing from the control room operators and demonstrate how such an illusion can be broken using intelligent algorithms.


Speakers
Yevgeni Nogin

Co-Founder & CTO, Aperio Systems
Yevgeni is co-founder and CTO at APERIO Systems. Yevgeni brings a unique blend of expertise in SCADA systems security to his role. He is a graduate of the elite “Talpiot” Israel Defense Forces (IDF) military academy and served over nine years in elite intelligence and R&D units of the IDF. Combining knowledge in the fields of engineering, cybersecurity, and physical sciences, Yevgeni built advanced computational systems and sensor technologies while founding and leading new...


Tuesday October 24, 2017 TBA
TBA

8:00am

Welcome to SecurityWeek's 2017 ICS Cyber Security Conference | USA

Welcome address and conference introduction for SecurityWeek's 2017 ICS Cyber Security Conference.


 

Speakers
Mike Lennon

For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends and the threat landscape in the enterprise IT security and critical infrastructure space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages several le...


Tuesday October 24, 2017 8:00am - 8:15am
TBA

9:00am

Aftermath of "CRASHOVERRIDE" Electric Grid Targeted Malware
In June 2017 the world learned of CRASHOVERRIDE (AKA Industroyer), the first ever malware specifically designed to disrupt electric grids. It was successfully used in Ukraine against the Kiev transmission substation in December 2016, marking the second time ever a cyber attack led to disruption in an electric power grid; the first was the year before, also in Ukraine. Yet, the lessons learned from analyzing CRASHOVERRIDE and the Ukrainian attacks are instantly valuable to industrial infrastructure owners and operators around the world. In this presentation, attendees can expect to learn about CRASHOVERRIDE with a deep analysis on what exactly makes it so alarming while also hearing about why our infrastructures are in a great defensible situation if we take advantage of our resident strengths. Attendees can also expect to leave with an understanding of the different methods of detection to deploy against CRASHOVERRIDE.

Speakers
Robert M. Lee

CEO and Founder, Dragos, Inc.
Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus areas, Robert was named one of...


Tuesday October 24, 2017 9:00am - 9:45am
TBA

9:00am

Cybersecuring DoD Control Systems Workshop

Over the past several years, the nation’s communities have seen an increasing shift to “smart buildings” that use internet-enabled wireless technology to control building-related systems. Such trends also are being seen in U.S. military facilities. In early 2015, following the release of a Government Accountability Office (GAO) report that called attention to building-related cyber risks, the House Armed Services Committee approved legislative language requiring the U.S. Department of Defense (DoD) to perform a cyber-vulnerability study as part of its fiscal year 2016 defense authorization bill. 

The Cybersecuring DoD Control Systems Workshop is geared to help architects, engineers, contractors, owners, facility managers, maintenance engineers, physical security specialists, information assurance professionals—essentially anyone involved with implementing cybersecurity in the facility life cycle—to learn the best practice techniques to better protect DoD facilities.

Department of Defense Instruction (DoDI) 8500.01 and DoDI 8510.01 incorporate Platform Information Technology (PIT) and PIT systems into the Risk Management Framework (RMF) process. PIT may consist of both hardware and software that is physically part of, dedicated to or essential in real time to the mission performance of special-purpose systems (i.e., platforms). PIT differs from individual or stand-alone IT products in that it is integral to a specific platform type, as opposed to being used independently or to support a range of capabilities (e.g., major applications, enclaves or PIT systems). A Control System (CS) is a specific type of PIT that consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an objective (e.g., transport matter or energy, or maintain a secure and comfortable work environment).  

The Cybersecuring DoD Control Systems Workshop will include hands-on classroom exercises and labs to footprint a CS as a hacker would do; use the Cyber Security Evaluation Tool (CSET) to establish a risk baseline and create a System Security Plan; and use the enterprise Mission Assurance Support System (eMASS) to load projects using the new DoDI 8510.01 RMF process. Attendees will gain in-depth experience on using the Committee on National Security Systems Instruction (CNSSI) 1253; National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 R4; NIST SP 800-82 R2; the Joint Staff Mission Assurance Vulnerability Benchmarks 2015, the USCYBERCOM J-BASICS Advanced Cybersecurity Instructions Tactics, Techniques and Procedures 2016, and other key publications and tools to load and manage a project through the six steps of the RMF.

Workshop Overview (Subject to slight change)

  • 0800-0900 - Unit 1 Overview of DoDI 8500/8510 RMF and PIT ICS, NIST Standards & Drivers, CS Protocols
  • 0900-1000 - Unit 2 Footprinting using Whois, Google Hacking, Google Earth, BING, Shodan, Kali Linux, SamuraiSTFU, NMAP, Sophia, Wireshark, Software Content Automation Program
  • 10:00-10:15 - Break
  • 10:15-12:00 - Unit 3 Using CSET: SAL, Network Arch Diagram, Inventory, Templates, Security Controls Evaluation, Reports, Data Aggregation & Trending, System Security Plan
  • 12:00-13:00 - Lunch
  • 13:00-13:30 - Unit 4 Hacker Methodology, Attacking and Defending, Response and Recovery, Incident Reporting
  • 13:30-14:30 - Unit 5 J-BASICS TTPs, JMA Vulnerability Benchmarks
  • 14:30-14:45 - Break
  • 14:45-15:30 - Unit 5 RMF KS Control Systems Webpage, eMASS; demonstration, Using the Interim Excel files for uploading into eMASS
  • 15:30-16:15 - Create Platform Enclaves and Other PIT IT Registries Examples
  • 16:15-16:30 - Wrap Up Q&A

Tuesday October 24, 2017 9:00am - 5:00pm
TBA

10:30am

Morning Break
Tuesday October 24, 2017 10:30am - 11:00am
Sponsor Hallway

11:00am

Incident Response Programs – Lessons from NASA’s Mission Control

Nearly every industry authority or governmental agency that has commented on data security has recommended an Incident Response Plan (IRP), and though these same bodies often loosely suggest the contents of said plan, few provide a concrete structure and even fewer address the unique environment of ICS/SCADA.

This session explores, as a model for ICS incident response, NASA’s Mission Control framework related to the International Space Station (ISS), which itself boasts 52 onboard computers, 1.8 million lines of code, 100 data networks, and over 400,000 sensors/signals, all onboard an orbiting space vehicle that can never be shut down. During the session, we will break an IRP into Policies, Procedures, Rules/Directives, and Dataset Repositories, and discuss development, uses, and document control management of each. We will also touch upon the organization of the Mission Control room itself, the unique communication structure between its members, and we will show a behind-the-scenes video of how Mission Control handled a vehicle launch incident – all of which provide valuable insight into effective incident response. Your host is a former NASA flight controller, certified to fly both the ISS and the Space Shuttle, and an attorney charged with developing modern incident response programs.

Shared Materials

Attendees will be provided with a sample set of NASA Flight Data File Flight Rules and Flight Procedures. In applying this framework to incident response, we will also provide a sample set of Rules/Directives and Procedures geared toward incident response. In conjunction with our discussion on incident response team structure and communication, attendees will also receive a sample team layout graphic, showing one method for streamlining roles, responsibilities, and communication protocols for the incident response team at a given company.

Key Takeaways

  • Overview of an incident response framework that has been in existence for over 50 years
  • Incident response plan structure and development process for organizations of all sizes
  • Building and strengthening incident response team communication skills

Speakers
Seth Jaffe

VP, Incident Response Practice, LEO Cyber Security
Seth Jaffe is Vice President of the Incident Response Practice at LEO Cyber Security. In his role at LEO, Seth assists clients in the preparation, maturation, testing, and training of all things incident response, leveraging his fifteen years’ experience in NASA’s Mission Control to bring a unique perspective to the industry. Prior to LEO, Seth held the position of technology attorney at a major U.S. airline, where he was the lead Legal team member on the Incident Response Team, tasked with developing incident response procedures and policies, facilitating effective emergency communication with other team members, and responding to actual incidents. Seth also sat on an executive steering committee charged with making strategic decisions about the company incident response plan and socializing cyber security issues to executives. Earlier in his career, Seth worked in Mission Control at...


Tuesday October 24, 2017 11:00am - 11:45am
TBA

12:30pm

Lunch - Venetian Terrace
Please join us outside at the Venetian Ballroom Terrace for lunch (weather permitting).

Tuesday October 24, 2017 12:30pm - 1:30pm
Venetian Ballroom Terrace

1:30pm

Are You the Next Industrial Automation and Control System (IACS) Breach Headline?

Digitization and the Industrial Internet of Things (IIoT) are accelerating the need for cybersecurity within Industrial Automation and Control System (IACS) environments.  The increased complexity and growing adoption of IIoT means that cybersecurity must be designed into all of the components present in the IACS environment.  But before we start blindly playing whack-a-mole with IACS environment cybersecurity, we need to appreciate that this message has been delivered for many years now.  So why are so many asset owners and operators still unclear on how to improve cybersecurity?  Often it comes down to the lack of a well-defined IACS Cybersecurity Program strategy.  This in turn makes the effective application of administrative, technical, and physical security controls, processes, and procedures even more difficult and less effective.  In our experience, many organizations still lack relevant cybersecurity talent that can help determine vulnerability levels and possible impacts of threats to the IACS environment.

The goal of this presentation is to continue increasing the awareness for cybersecurity needs within the IACS environment (the sky is not falling but…), highlight some of the most common findings that are seen by Cybersecurity Service teams, and explain key considerations that organizations should look for when selecting an external Cybersecurity Services team to help build an effective IACS Cybersecurity Program.

Sponsored by: Schneider Electric


Speakers

Joshua Carlson

SME and Technical Sales Leader, Cybersecurity, Schneider Electric
Mr. Carlson possesses over 17 years of Cybersecurity experience working with the United States and Middle Eastern governments, global financial institutions, as well as market verticals for bulk energy providers, oil & gas, nuclear, petrochemical, and paper / pulp organizations; regional water / wastewater utilities; and food / beverage companies. He brings a breadth of technology skills including Industrial Control System security, Compliance Assessments and Program Management, and Design / Implementation / Maintenance / Training responsibilities for various...


Tuesday October 24, 2017 1:30pm - 2:15pm
TBA

1:30pm

How to Measure Security Effectiveness in an ICS System

With the growth of IIoT in the ICS space, there is a need for cybersecurity testing of components, products and systems to mitigate the risk of cyber incidents in operational networks. Many specifications and guidance documents provide information on secure product development principles; however, even with security built into product development lifecycles, there is still a need to test and measure the security posture of products using comprehensive testing criteria. So, what should the security testing include, and what are important attributes to measure and evaluate in order to provide confidence in the security posture of components, products and systems?

Sponsored by: UL 


Speakers

Ken Modeste

Principal Engineer, Cybersecurity Technical Lead, UL
Ken Modeste is a Principal Engineer and the Cybersecurity Technical Lead for UL’s Commercial & Industrial Business Unit (C&I). His global responsibilities cover cybersecurity, interoperability and protocol compliance. Ken works to ensure the security and interoperability of C&I programs, is...



Tuesday October 24, 2017 1:30pm - 2:15pm
TBA

2:15pm

Encryption in ICS: Is the Juice Worth the Squeeze?
We all know ICS protocols lack security: no authentication, no integrity, no confidentiality. For the past decade ICS asset owners have been leveraging common IT communication methods such as IPsec and TLS/SSL to assist them in securing these protocols over untrusted networks such as the Internet or 3rd party WAN circuits. In 2017 we are now seeing ICS/DCS manufacturers incorporating encryption features into their field devices (PLCs, controllers), offering end to end encryption capabilities. Some ICS security professionals see this as one of the first steps to "secure by design" while others have said this now signals the death of deep packet ICS inspection technologies.

This talk will focus on how end to end encryption can negatively affect an asset owner's security posture while also creating administrative overheads and introducing new cybersecurity challenges to deal with. Encryption is a double-edged sword no matter whether you are on the plant floor or the substation LAN, and should only be used where appropriate. End to end encryption in ICS isn't worth the squeeze; long live clear-text protocols!

Speakers

Brian Proctor

Business Development Manager, SecurityMatters
Brian’s entire career has been focused on securing electric utility systems, networks, and assets. He spent the majority of his career (13+ years) as an ICS/SCADA cybersecurity engineer and cybersecurity team lead working for two progressive California Investor Owned Utilities (IOUs). In February of 2017 he joined SecurityMatters as their Business Development Manager to help promote passive ICS/SCADA network security monitoring, asset inventory, and situational awareness within the industrial control system security community.

Brian holds a variety of technical certifications including the Global Industrial Control System Professional (GISCP), Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), and is certified in project management from University of California at Irvine. In 2013, Brian was presented with the Critical Infrastructure Private Sector award from Securing our eCity, a San Diego based Cybersecurity non-profit organization. In 2016, Brian was a co-inventor of a...


Tuesday October 24, 2017 2:15pm - 3:00pm
TBA

2:15pm

What You Don’t Know Can Hurt You: Keys to Finding and Remediating Hidden Level 1 and 0 ICS Vulnerabilities

Today, industrial process and power companies struggle to identify vulnerabilities at Level 1 or 0 within a process control network (PCN). They have a relatively easier time discovering Level 2 vulnerabilities, because inventorying – and thus providing needed data for assessing ICS-CERT advisory impacts – workstations, servers, routers, and switches is more straightforward than inventorying controllers and smart field instruments. 

Level 1 and 0 cyber assets, which comprise 80% of all the cyber assets in an industrial process facility, are more opaque to today’s manual inventory processes due to their proprietary architectures and lack of standard protocols to interrogate them. This renders vulnerability identification, and ultimately risk mitigation, much more difficult to achieve. In fact, the method most companies use today is emailing asset owners asking for responses on affected systems. Not surprisingly, this approach falls short.

Here’s a test. How difficult is it for you to know enterprise-wide exposure to these kinds of high and critical Level 1/0 ICS-CERT advisories?

  • ICSA-16-343-05A: A Rockwell Logix5000 controller firmware vulnerability that results in a buffer overflow. When exploited, it allows an attacker to execute malicious code on the controller. There are over 50 controller models impacted including CompactLogix 5370, GuardLogix 5570, SoftLogix 5800, RSLogix Emulate 5000, and many other models, versions, and revisions.
  • ICSA-12-212-02: A Siemens S7-400 controller vulnerability that can force the controller into defect mode rendering it inoperable. There are 8 Siemens products affected that include firmware versions 5, 6.0.1 and 6.0.2 on CPUs 412-2, 414-3, 414F-3, 416-3, and 416F-3.

In this session, we will present best practices for effective cybersecurity vulnerability management for your entire PCN, not just Level 2. Companies will understand how to improve their layered defense cybersecurity program by detecting, remediating, and auditing vulnerability risk across all proprietary cyber assets.

Attendees will learn about:  

  • Details on Level 1 and 0 ICS vulnerabilities in recent years
  • Best practices companies should consider for Level 1 and 0 vulnerability management
  • How to overcome common challenges in establishing an ICS vulnerability management program

Speakers

Nick Cappi

Director of Technical Consulting, PAS Global
Nick Cappi joined PAS in 1995. As Director of Technical Consulting, Nick and his team of technologists solve critical business challenges for PAS customers from initial engagement through solutions deployment. During his tenure at PAS, Nick has held a variety of positions includi...


Tuesday October 24, 2017 2:15pm - 3:00pm
TBA

3:00pm

Afternoon Break
Tuesday October 24, 2017 3:00pm - 3:30pm
Sponsor Hallway

3:30pm

Making Sense of the Myriad Cybersecurity Standards

Cybersecurity standards such as IEC 62443, NERC CIP 003, NIST 800-53, as well as emerging standards from the IIC and Industrie 4.0 can be difficult to understand. What should OEMs and critical infrastructure operators do to meet the cybersecurity standards? In this presentation, we will present an overview of the key elements of the cybersecurity standards and a proposed framework and set of recommendations to maximize compliance. This should help CISOs of OEMs and ICS operators to develop an action plan for brownfield and greenfield devices.


Speakers

Dean Weber

Chief Technology Officer, Mocana
With more than 30 years of experience in information and physical security, he leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. His background includes Chief Technology Officer at Applied Identity, which was sold to Citrix. E...


Tuesday October 24, 2017 3:30pm - 4:15pm
TBA

5:00pm

Cocktail Reception - Sponsor Hallway
Please join us in the sponsor hallway for a reception with cocktails and appetizers and network with industry peers. At this VIP reception we have prepared a fantastic menu and premium bar!

Tuesday October 24, 2017 5:00pm - 7:00pm
Sponsor Hallway
 
Wednesday, October 25
 

TBA

Enhancing CIKR Level-0 Security Using Field Device Distinct Native Attribute Features

The need for improved Critical Infrastructure and Key Resource (CIKR) security is unquestioned and there has been minimal emphasis on Level-0 (PHY Process) security improvements. Wired Signal Distinct Native Attribute (WS-DNA) Fingerprinting is investigated here as a non-intrusive PHY-based security augmentation approach to support an envisioned layered security strategy. Demonstrations here are based on experimental response collections from Highway Addressable Remote Transducer (HART) Differential Pressure Transmitters (DPT) installed in an automated process control system independently controlled by three manufacturers (Yokogawa, Honeywell, and Endress+Hauser). Device discrimination assessments are made using Time Domain (TD) and Slope-Based FSK (SB-FSK) fingerprint features input to Multiple Discriminant Analysis, Maximum Likelihood (MDA/ML) and Random Forest (RndF) classifiers. Considering 12 different classes (two devices per manufacturer at two distinct set points), both classifiers performed reliably and achieved an arbitrary performance benchmark of average cross-class percent correct of %C > 90%. The least challenging Cross-Manufacturer (CM) results included near-perfect %C ≈ 100%, while the more challenging Like-Model/Manufacturer (LM) serial number discrimination results included 90% < %C < 100% with TD Fingerprinting marginally outperforming SB-FSK Fingerprinting; SB-FSK Fingerprinting benefits from having less stringent alignment and registration requirements. Introduction of the RndF classifier was very beneficial and enabled reliable selection of dimensionally reduced fingerprint subsets that minimize data storage and computational requirements. The RndF selected feature sets contained as few as 15% of the full-dimensional feature sets and only suffered a worst case %C∆ = 3% to 4% performance degradation.


Wednesday October 25, 2017 TBA
TBA

TBA

Update from ExxonMobil on Open Process Automation Architecture

Doug Kushnerick, Sr. Scientific Advisor at ExxonMobil Research and Engineering, will provide an update on the Open Process Automation initiative, a standards-based, open, secure, interoperable process control architecture.

The next-generation process control framework design and implementation will be based on open architectural standards that will ensure cybersecurity, modularity, interoperability, extensibility, reuse, portability and scalability of the new system.


 


Speakers

Doug Kushnerick

Sr. Scientific Advisor, ExxonMobil
Mr. Kushnerick is a Sr. Scientific Advisor at ExxonMobil Research and Engineering where he worked on long-range science based R&D for energy industries.


Wednesday October 25, 2017 TBA
TBA

TBA

Parallels of Using Cyber Assets to Manipulate Physics in Traditional Military Operations

Vulnerabilities such as Aurora use remote access (cyber) controls to initiate physics issues leading to unstable operation and kinetic damage. Reconnaissance efforts to understand the potential targets are often available from public sources in combination with cyber-vulnerable applications that enable downloading malware such as BlackEnergy to map the systems of interest. These types of issues are not readily identified as being cyber-related, can affect multiple locations, and attribution is very difficult.

The parallel issues for military operations would be at the tactical, operational and strategic levels where cyber key terrain is known and unknown, identifying the dependencies missions have on networks and infrastructure vulnerable to automated, complex, physical processes and poorly understood or malicious use of those physical systems.


Speakers

Neil Holloran

OSD Mission Assurance Programs Manager, U.S. Naval Surface Warfare Center
Neil Holloran began his Federal career just after 9/11 at the Naval Surface Warfare Center in Dahlgren VA performing Chemical, Biological, Radiological, and Nuclear Defense Acquisition work for Navy Shipboard Defense Systems. Prior to his current position he oversaw the deployment of Navy Emergency Management capabilities and CBRN Defense technologies at all Navy installations...

Joe Weiss

Joseph M. Weiss is an international authority on cybersecurity, control systems and system security. Weiss will provide his annual "State of the State" talk, which weighs in on recent industrial cyber incidents, emerging security threats and more.


Wednesday October 25, 2017 TBA
TBA

TBA

Threat Hunting In Industrial Infrastructure

Threat hunting is both proactive and iterative. And many of the traits of industrial environments actually amplify the effects of threat hunting. This talk will introduce SMASH: Systemic Methodology and Attributes for Successful Hunting. SMASH is the framework devised to help guide organizations in a structured and easy to understand way for planning threat hunts within ICS environments. At the end of this presentation the audience will have a clear understanding of how SMASH can be applied in their industrial environments. The presentation will conclude with core concepts of threat hunting and how it applies to industrial environments through examples.


Speakers

Ben Miller

Director of Threat Operations, Dragos
Ben is Director of Threat Operations at Dragos and leads a team of analysts in performing active defense, threat hunting, incident response, and malware analysis missions for the industrial community inside of ICS/SCADA networks.

Previously the Associate Director, Electricity Information Sharing...


Wednesday October 25, 2017 TBA
TBA

8:15am

All Buildings Are Smart Buildings – The New Risk to the Enterprise [Case Study]

Government and large enterprise facilities are becoming more connected than ever. Elevators, HVAC systems, gates and surveillance systems are all IP-connected and digitally controlled.

This benefit comes with an increased risk, as each of these systems is vulnerable to cyberattacks, bearing potentially disastrous results, a risk largely overlooked by most enterprises. The convergence of IT, OT and IoT systems within a single facility creates new challenges that require a new security approach.

The session will cover the following topics: 

  • The emerging threats risking smart buildings
  • What are the new IT/OT/IoT threat vectors and kill chain
  • What are the new methodologies required to address these threats
  • Case Study: smart building cyber security project - the case study will review a cyber resilience project at a secure-by-design smart building, for a sensitive government facility.

Speakers

Sudhir Chandra

Mr. Chandra is an expert in data analytics and SCADA monitoring with over 12 years of experience. He worked at Emerson Electric on SCADA analytics projects to protect power and cooling systems for top US financial institutions, at NorseNet Security, monitoring critical Infrastruc...


Wednesday October 25, 2017 8:15am - 9:00am
TBA

9:00am

Performing ICS Cybersecurity Risk Assessments Across Multiple Plant Sites
Industrial control systems (ICS) cybersecurity programs within manufacturing companies typically involve multiple plant sites spread out geographically. Most involve different processes and product variants. Vulnerability and gap assessments of plant sites (usually a sampling of the plants) are conducted to determine the overall risk profile of each plant, prioritize recommendations, and develop a risk mitigation roadmap. The program management team aggregates the results across multiple plants and develops an implementation plan. Some of the challenges they face are a) resolving differences in the risk profile of each plant (stemming from vulnerabilities and threats unique to the automation platform, production processes, network architecture and engineering, operation and maintenance requirements), b) consolidating best practices and recommendations that apply across multiple plants (considered as quick wins), and c) weighing the benefit of implementing recommendations that are relatively less complex versus the risks they mitigate. Therefore, assessments across multiple plant sites must focus on delivering a consistent view of the vulnerabilities, threats and recommendations based on a common risk analysis methodology and framework. This presentation highlights the requirements for consistency of the risk assessment process, methodology and reporting structure and offers guidelines for performing ICS cybersecurity assessments across multiple plant sites. A risk based framework to align vulnerabilities, threats and consequences will be presented. Learnings from recent risk assessment projects including field level best practices (e.g., alerting on access to remote I/O cabinets), dos and don’ts of DMZ architecture, network segmentation (configuring VLANs with ACLs), securing change management protocols (external key lock, multifactor) will be referenced throughout the presentation.   

Speakers

Krish Sridhar

Krish is a subject matter expert on cybersecurity solutions applied to industrial control systems. He has over 20 years of industry experience with process automation, high availability architectures, industrial networks and application software. Krish has executed many cybersec...


Wednesday October 25, 2017 9:00am - 9:45am
TBA

9:45am

End User Perspective: Adventures in the World of Industrial Controls

How to build the knowledge and team to secure the Industrial Control Systems environments

Supporting and securing modern control systems requires a unique knowledge and skillset. Presented by Ben Stirling, an Operations Technology Analyst at energy firm Luminant, this session will address the topic of how to build that knowledge and team to secure the ICS environment. This session will also discuss the details of a root cause analysis covering a network packet storm, resulting in the loss of the control system and the recovery. The speaker will share a model for the development of the necessary skill set including relationship building, a shared language to communicate, the consequences of failure, and a call for change. Attendees will have an opportunity to engage in a discussion of the benefits and challenges of implementation of this environment as well as ask questions.

*Luminant has nearly 18,000 megawatts of generation in Texas including 2,300 MW fueled by nuclear power, 8,000 MW fueled by coal and 7,500 MW by natural gas.

Speakers

Ben Stirling

Operations Technology Analyst, Luminant
Benjamin Stirling is an Operations Technology Analyst with Luminant, a subsidiary of Vistra Energy, as well as a member of the ERCOT CIP working group. For the last four years, Ben has been deeply integrated with Luminant’s I&C, Operational Technology, and Vistra Cyber Security g...


Wednesday October 25, 2017 9:45am - 10:30am
TBA

10:30am

Morning Break
Wednesday October 25, 2017 10:30am - 11:00am
Sponsor Hallway

11:00am

UK and USA: The Special Relationship and ICS Cyber Security Policy

The UK Department for International Trade and Foreign Commonwealth Office presents a thought leadership panel addressing best practices around ICS cybersecurity resiliency between the United Kingdom and United States. This presentation will give a unique UK perspective on the growing global threat of international intrusions and cyberattacks on critical national infrastructure. In response to this emerging trend, a senior figure from the UK’s National Cybersecurity Centre (NCSC) will explain how this division of GCHQ came to be and what they are doing to combat international cyberterrorism along with a panel of public, academic and private sector UK representatives. 


Moderators

Dr. Chris Hankin

UK ICS cyber security Research Institute (RITICS), Director
Professor Hankin joined Imperial College London in 1984 and was promoted to Professor in 1995. He is Co-Director of the Institute for Security Science and Technology. His research is in theoretical computer science, cyber security and data analytics. He leads multidisciplinary projects focussed on developing advanced visual analytics and providing better decision support to defend against cyber...

Speakers

Simon Hodgkinson

CISO, BP
Simon Hodgkinson is the Chief Information Security Officer (CISO) at BP. He is responsible for cyber security across the Group, including strategy, governance, architecture, education, counter threat operations and incident response. Simon joined BP in 2002 and has held a number of senior IT leadership roles in Supply...

Dr. Kevin Jones

Head of Cyber Security Architecture, Innovation and Scouting, Airbus
Dr Kevin Jones is Head of Cyber Security Architecture, Innovation and Scouting at Airbus, leading a global network of teams, projects and collaborations including research & innovation, state of the art solutions development, and technology scouting for cyber security across IT, ICS and product security domains. He holds a BSc in Computer Science and MSc in Distributed Systems Integration from De Montfort University, Leicester where he also obtained his PhD: A Trust Based Approach to Mobile Multi-Agent System Security in 2010. He is active in the cyber security research community, has published numerous papers and holds a number of patents within the domain. He is well known as an innovator, thought leader, and is responsible for multiple cyber security demonstrator platforms and laboratories. Kevin has many years of experience in consultancy to aid organisations in achieving accreditation to ISO27001 standard on Information Security Management. Kevin is a recognised expert in Critical National Infrastructure security, SCADA security, and the protection of critical systems. He currently acts as an executive consultant to Airbus on matters of cyber security across multiple domains and platforms and works closely with Government agencies on cyber security topics in addition to European programmes such as the "European Control System Security Incident Analysis...

Peter Yapp

National Cyber Security Centre (NCSC), Deputy Director
Peter Yapp is a Certified Information Systems Security Professional with nearly 25 years’ experience in the cyber and forensics arena. Peter joined the National Cyber Security Centre in October 2016 as Deputy Director, Incident Management. In April 2017 he became Deputy Director, Private Sector Critical National Infrastructure. Before joining the National Cyber Security Centre, Peter was Deputy Director, Operations for CERT-UK. Prior to this he was the Managing Director for...


Wednesday October 25, 2017 11:00am - 11:45am
TBA

11:45am

Toxins in Your Software Supply Chain (And What to do About It)

Objectives: Propose OT centric alternatives to traditional IT supply chain risk management methods.

Software underpins modern operational technology from digital field devices to vital control centers. Critical infrastructure operators and governments are rightfully concerned about cyber security across their software supply chains as miscreants show increased willingness to exploit vulnerable OT systems.

Software supply chains can be toxic and, unfortunately, visibility into modern software supply chains is quite limited. This presentation models software ecosystems as potentially toxic to operational systems and explores mechanisms to counter the lack of cyber security supply chain information available to OT risk managers.



Speakers

Bryan Owen

Principal Cyber Security Manager, OSIsoft LLC
Bryan Owen is the principal cyber security manager for OSIsoft LLC, makers of the PI System for real time monitoring. Bryan leads OSIsoft’s global security initiatives such as SDL, incident response task force, and cyber security advisory board. Industry activities include AFPM c...


Wednesday October 25, 2017 11:45am - 12:30pm
TBA

12:30pm

Lunch - Venetian Terrace
Please join us outside at the Venetian Ballroom Terrace for lunch (weather permitting).

Wednesday October 25, 2017 12:30pm - 1:30pm
Venetian Ballroom Terrace

1:30pm

An Industrial Immune System: Using Machine Learning for Next Generation ICS Security

As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access. 

There is an urgent need for a new approach to combat the next generation of cyber-threats, across both OT and IT environments. While total prevention of compromise is untenable, utilizing automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or ICS. 

Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense.  

In this session, learn: 

  • How new machine learning and mathematics are automating advanced threat detection
  • Why 100% network visibility allows you to preempt emerging situations, in real time, across both IT and OT environments 
  • How smart prioritization and visualization of threats allows for better resource allocation and lower risk 
  • Real-world examples of detected OT threats, from non-malicious insiders to sophisticated cyber-attackers
Sponsored by Darktrace

Speakers

Jeff Cornelius, Ph.D.

EVP, Industrial Control and Critical Infrastructure Solutions, Darktrace
Jeff Cornelius joined Darktrace in February of 2014 as Executive Vice President. His background with large Enterprise Software organizations over the past 18 years lends itself to the needs of an innovative, market-defining organization. Jeff oversees the strategic direction and growth of...



Wednesday October 25, 2017 1:30pm - 2:15pm
TBA

2:15pm

A Zero-Trust Approach to Segmenting ICS

Learn from a practitioner with 23 years of hands-on experience working in Oil and Gas

In today’s converged IT-OT infrastructure, segmentation is a crucial element to network design and is widely accepted as a recommended best practice.  In fact, many argue that the recent high-profile successful cyber-attacks against ICS/SCADA infrastructures could have been prevented or contained if proper segmentation had been in place.

Working with networks that predate modern day best practices, owner-operators of these systems must figure out how to address many issues like:

  • How to implement segmentation given the unique circumstance in which ICS must operate
  • The means to define the level of restriction granularity required to protect the process and still empower users to work
  • New technology integrations and compliance

And most important, how to address these and other serious issues without negatively impacting production. 

Automation systems built and deployed in an era when air gaps existed, and brought into the IP age through the use of commercially available off-the-shelf products (COTS), are now exposed to the same threats as their enterprise counterparts. Come join us as we discuss ways and discover techniques on how next generation security technology can be used to achieve ideal network segmentation.

Attendees will learn from a practitioner with 23 years of hands-on experience working in Oil and Gas:

  • Common pitfalls of segmenting in an ICS/SCADA environment
  • Design considerations for greenfield and brownfield deployments
  • How Zero-Trust design principles and concepts can be safely applied to an automation environment

Speakers

Lionel Jacobs

Sr. Security Architect, ICS & SCADA Systems, Palo Alto Networks
Lionel Jacobs is Senior Security Architect on the Palo Alto Networks Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) team. Coming from the asset-owner side, Lionel has spent the last 20 plus years working in the IT/OT environment with a focus on ICS systems design, controls and implementation. During his tenure, he successfully deployed a large-scale ICS/SCADA security architecture comprised of over 100 next-generation firewalls, 100s of advanced endpoint protection clients and SIEM, distributed over dozens of remote plants and a centralized core, all based on a...


Wednesday October 25, 2017 2:15pm - 3:00pm
TBA

2:15pm

The Insecurity of Industrial Things: Devil's Ivy

Have you heard of the "Devil's Ivy" vulnerability? Did you know it was found in millions of devices? No? Keep reading! When hearing the buzzword “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. This is a HUGE blind spot. Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers: They are fairly easy to compromise, are connected to high-value networks and detection often only happens after the fact. This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. We'll use the Devil's Ivy vulnerability (which was found by our research team and reported by Wired, Vice and others to afflict millions of devices worldwide) as a case study for how IoT is not that different from ICS. This talk will also catalog our experiences at Senrio exploiting embedded systems used in industrial control environments and discuss the reasons why these insecure design patterns exist, including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting. Attendees will get an inside view into how attackers operate and walk away knowing what to look for when future-proofing our industrial control systems.



Speakers
Stephen Ridley

Founder and CEO/CTO, Senrio
Stephen Ridley, Founder and CEO/CTO of Senrio. Stephen has more than 10 years of experience in software development, software security, and reverse engineering. His original research on embedded device vulnerabilities has been featured on NPR, SecurityWeek, Wired and numerous oth...


Wednesday October 25, 2017 2:15pm - 3:00pm
TBA

3:30pm

Anatomy of an Attack: Real-World ICS Attack Vectors and How to Defend Against Them

What are your blind spots when it comes to protecting critical ICS from attacks that can impact production and safety? Compromising a Level 1 or 0 Industrial Control System (ICS) cyber asset is not a difficult thing to do for someone with knowledge of industrial control systems.

Traditionally, industrial processing facilities have relied on security by obscurity, system complexity, air gapping, network segmentation, and perimeter-based security protection for process control networks (PCNs). Many organizations have put IT-centric security technologies in place that primarily focus on securing Level 3 and 2 systems within the PCN, such as operator systems and workstations.

This IT-centric approach fails to protect Level 1 and 0 production-centric assets sufficiently, thus leaving them vulnerable. This creates a huge blind spot, which leaves industrial processing facilities vulnerable to common ICS attack vectors.

This presentation provides an overview of two simple Level 1 and 0 attack vectors that most industrial processing facilities find challenging to defend against proactively. It provides an in-depth examination of the thought processes used by an attacker, along with a detailed anatomy of each attack. It then discusses the technical controls needed to defend against each type of attack.

Attendees will learn:

  • How an attacker approaches an ICS environment
  • How two real-world attack vectors can lead to process and safety disruption as well as how to defend against them
  • Security controls that protect against these two scenarios

Moderators
Nick Cappi

Director of Technical Consulting, PAS Global
Nick Cappi joined PAS in 1995. As Director of Technical Consulting, Nick and his team of technologists solve critical business challenges for PAS customers from initial engagement through solutions deployment. During his tenure at PAS, Nick has held a variety of positions includi...

Wednesday October 25, 2017 3:30pm - 4:15pm
TBA

6:00pm

Roof Deck Party: Cocktail and Dinner Reception
Join us for a VIP roof deck reception. Details coming soon!

Wednesday October 25, 2017 6:00pm - 9:00pm
TBA
 
Thursday, October 26
 

TBA

Impact of Mobile Network SS7 Vulnerabilities on GSM-based IIoT Devices
Through the SS7 network, a malicious attacker can locate a mobile device, intercept SMS messages and perform denial of service attacks. These attacks are possible on most mobile networks around the world, including on GSM-based IoT devices used in many industrial control systems.

This session will look at how the SS7 network works, what it is normally used for, what a malicious attacker needs in order to perform attacks on the SS7 network and who has been using the SS7 network to perform attacks. We will also look in detail at various types of attacks such as geo-location, SMS interception and denial of service, and how they would affect GSM-based IoT devices such as smart cars, medical devices, ATMs, security cameras, home automation devices and smart factories. Finally, we will review some of the protection mechanisms that can be implemented, not only on the mobile operator's side, but also those that IoT connectivity providers can implement using various strategies and technologies.

Speakers
Jean Gottschalk

Telecom Defense Limited Company, Principal Consultant
Principal Consultant, The Telecom Defense Limited Company


Thursday October 26, 2017 TBA
TBA

TBA

Radio Exploitation: Characterizing, Contextualizing, and Applying Wireless Attack Methods
What do the Dallas tornado siren attack, hacked electric skateboards, and insecure smart door locks have in common?  Vulnerable wireless protocols!  Exploitation of wireless devices is growing increasingly common, thanks to the proliferation of mobile and IoT-focused RF protocols throughout both the consumer and industrial spaces.  While non-Wi-Fi and non-Bluetooth RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think.

Join us as we walk through the fundamentals of radio exploitation.  After introducing essential RF concepts, we will classify and discuss the different types of wireless attacks.  As we introduce each new attack, we will draw parallels to similar wired exploits, and highlight attack primitives that are unique to RF.  To illustrate these concepts, we will show each attack in practice with a series of live demos.

Attendees will come away from this session with an understanding of the mechanics of wireless network exploitation, an awareness of how they can bridge their IP network exploitation skills to the wireless domain, and an informed perspective on how they can better protect their own wireless systems from radio-enabled malicious actors.

Thursday October 26, 2017 TBA
TBA

TBA

What If You Can’t Patch?

As the latest rash of NotPetya and WannaCry ransomware proved, simply patching systems and device applications can go a long way to reducing the risk of cyberattack. However, within critical infrastructure, there are often systems and applications that cannot be patched because they are outdated, inaccessible, have no free memory, or more commonly because they work as is, and no one wants to risk an update. That being said, even being “up-to-date” doesn’t necessarily mean that all vulnerabilities have been patched. It’s possible that no one outside of a few elite hackers knows the vulnerabilities exist, leading to "zero-day" exploit attacks, for which again, there is no way to patch. So what do you do if you can’t patch? Featuring guidance from the U.S. Department of Homeland Security, FBI, NERC and NRC, this session will cover a variety of cybersecurity technologies, devices, and best practices applied in real life scenarios and use cases to protect critical systems and applications that cannot be patched.



Speakers
Scott Coleman

Director of Product Management, Owl Cyber Defense Solutions
Scott Coleman has a strong technical background with 25+ years of experience working in high tech as a programmer, marketing and product manager, and now as Director of Product Management at Owl Cyber Defense. His experience in real-time network solutions covers a number of indus...


Thursday October 26, 2017 TBA
TBA

TBA

Combining IT and OT Security Monitoring to Prevent Cyber Attacks

Intrusion detection principles are different in the OT (IACS, MES…) world and IT world:

  • In the IT domain, the traffic is huge in terms of bandwidth, unpredictable, heterogeneous, and in some way open to the internet. Detection relies on endpoint security (endpoints whose CPU and memory can process heuristics and support anti-malware software) and on IoCs that use signatures to detect known attack patterns
  • In the OT domain, the traffic is mostly predictable, with changes related to operational phases (reactive/planned maintenance operation, change/adaptation of production processes…): the most effective intrusion detection is to model the “normal” traffic, and identify any abnormal, possibly malicious, activity

By configuring and connecting an OT security monitoring solution and IT-dedicated systems (such as centralized hosts and firewall logs), it is possible to correlate IT and OT events and raise alerts when suspicious activity is detected both in the IT office environment and on the shop floor at IACS level.

The presentation will include a primer on ISA99/IEC62443 and then one approach to how the standard could have been deployed to minimize the effects of the attack against the Ukrainian electrical distribution in December 2015.


Speakers
Bill Joss

William (Bill) Joss – ISA Staff member and Patrice Bock: member of ISA 99 workgroup since 2011, experienced cybersecurity IACS consultant on various sectors, contributor to several French national work groups (ANSSI, the French authority, CLUSIF, CLUSIR…), co-author of the ref...


Thursday October 26, 2017 TBA
TBA

TBA

Future Challenges and Changes in Industrial Cybersecurity

While there are still under-protected plants, ARC research shows that most industrial companies have implemented cybersecurity programs to protect their facilities and SCADA systems.  Most of these initiatives have followed recognized standards and guidelines like IEC 62443, NERC CIP, etc.  These documents provide comprehensive guidance for a specific set of use cases given certain scope boundaries. 

These efforts have significantly reduced the risks of cyber-attacks on our critical infrastructure.  However, recent developments and trends suggest that more needs to be done.  Assumptions underlying current programs are too restrictive for the real needs of industry and infrastructure organizations.  The cybersecurity challenges that industrial companies and infrastructure organizations face span the full IT-OT-IoT spectrum.  Broader deployment of automation products in smart cities and commercial operations also demands a broadening of the potential use cases.   

This presentation will include a discussion of these expanded challenges and the gaps that need to be filled.  Recommendations on the kinds of changes that are required will also be presented.  


Speakers
Sid Snitkin

Vice President, Cybersecurity Services, ARC Advisory Group
Sid is Vice President, Cybersecurity Services at ARC Advisory Group. His responsibilities include leadership of ARC's Industrial Cybersecurity practice, which develops products and services for protecting industrial facilities.  Sid also supports ARC clients in Asset Lifecycle Information Management and the Industrial Internet of Things...


Thursday October 26, 2017 TBA
TBA

TBA

Holistic Cyber Security: Beyond Defense in Depth

The term “defense in depth” is often used to define extrinsic security measures that are bolted onto existing control and information technology. This approach is necessary because mainstream control systems were designed prior to the emergence and proliferation of cyber security threats. The downside of extrinsic defense is complexity and cost, and the fact that as cyber intruders become increasingly sophisticated, these defenses are too often and too easily compromised.  Going forward, a more intrinsic and holistic approach is required to control the cost, reduce the complexity, and ensure a high level of cyber defense of automation for the factories and infrastructure of a nation.  This presentation defines a simplified intrinsic and holistic approach to ICS cyber security, including:

  • The fundamentals of intrinsic defense required to build a hardware root of trust.
  • Exploration of the open standards available to drive secure embedded system designs 
  • The importance and challenge of a secure manufacturing and supply chain for next generation factories 
  • The fundamentals of securing the edge networks and devices, often described as IIoT. 
  • Approaches to cyber-physical defenses such as anti-tamper, EMP and EFT. 
  • Effective ways to defend the SCADA and Engineering applications. 
  • Other best practices for cyber hygiene to complement intrinsic ICS defense. 

The discussion will address these issues to confirm that the way of the future is open and secure automation platforms that improve safety and security at lower lifecycle costs. 


Speakers
Albert Rooyakkers

Founder, CEO, Bedrock Automation
Albert has more than 30 years of automation and electronics industry experience. Before founding Bedrock Automation, he directed business and application development teams for Maxim Integrated Products, including serving as Japan country manager. Prior to that, he served in produ...


Thursday October 26, 2017 TBA
TBA

9:00am

Nuclear EMP Attack and Combined-Arms Cyber Warfare

"North Korea may very well have the ability to kill millions of Americans, without directly firing on U.S. soil. For the first time, the pariah country’s state news agency warned it could hit the U.S. with an electromagnetic pulse (EMP) onslaught, a threat that experts contend is both very real and comes with catastrophic consequences," Fox News reports.

Dr. Peter Vincent Pry, Chief of Staff for the Congressional EMP Commission and Executive Director for the Task Force on National and Homeland Security, will provide a briefing on the vulnerability of the U.S. to electromagnetic pulse (EMP) attacks, which could shut down large sections of the nation's power grids and disable or destroy electronic systems and supply mechanisms. 

As background, North Korea has:

  • Tested nuclear weapons, including reportedly a ‘super EMP’ design 
  • Repeatedly threatened the U.S. with nuclear attack
  • Orbited a satellite that could be used in an EMP strike
  • Collaborated closely with Iran on nuclear arms and missiles 

Speakers
Dr. Peter Pry

Executive Director, Task Force on National and Homeland Security
Dr. Peter Vincent Pry is Executive Director of the Task Force on National and Homeland Security and Chief of Staff for the Congressional EMP Commission. He has served on the Congressional Strategic Posture Commission, the House Armed Services Committee, and the CIA. He is author...


Thursday October 26, 2017 9:00am - 9:45am
TBA

9:45am

UK Perspectives: Five UK Cyber Companies on the Biggest Issues Facing ICS Cybersecurity

Representatives from five UK-based cybersecurity companies will each spend ten minutes discussing emerging critical risks in ICS Cybersecurity, present a case study on what is being done in the UK and within their own organizations to combat these threats, and  More information to come.

 


Thursday October 26, 2017 9:45am - 10:30am
TBA

12:30pm

Lunch
Thursday October 26, 2017 12:30pm - 1:30pm
Venetian Ballroom Terrace

4:00pm

Closing Remarks and Open Mic Discussions
SecurityWeek's 2017 ICS Cyber Security Conference is winding down, but there is still time for some great discussions! Please join us for closing remarks and an open discussion where anyone can make comments, share insights, ask questions and engage in a lively discussion. 

Thursday October 26, 2017 4:00pm - 5:00pm
TBA