ICS 2022

This full-day lab course gives participants hands-on experience attacking and hardening a simulated power plant network to learn about common ICS vulnerabilities and defenses. Participants will attack historians, HMIs, and PLCs to cause a power outage in the 3D simulation, and then implement defenses like firewalls and network monitoring to harden it.

Learning Objectives - In this session attendees will learn:

• Deeper understanding of common vulnerabilities in ICS networks and devices                     
• Techniques for testing ICS devices for various vulnerabilities
• Practical experience hardening ICS device configurations and using network defenses

Topics Covered:

• Scanning ICS networks
• Exploiting web vulnerabilities in the DMZ
• Sniffing industrial network traffic
• Password cracking
• PLC and HMI programming
• Using Yara to scan for ICS malware
• Writing host and network firewall rules for ICS
• ICS network intrusion detection
                             

Requirements
Participants must bring their own laptop with either Chrome or Firefox installed. Some Linux experience is helpful but not required.

(Register) This 8-hour workshop will be a crash course in ICS vulnerabilities and exploitation, providing hands-on, practical training in the carrying out of attacks against various common types of ICS equipment found in the field, including an HMI, PLC and automated circuit breaker. Students will learn:

• Common ICS terminology and system architecture, including inherent flaws and typical mistakes made in system design which should be considered when planning an attack. 
• Modbus and Modbus/TCP architecture and functionality
• Python modules for interacting with Modbus-based systems, and writing scripts to interrogate and attack these systems
• Defensive methodologies and considerations in the face of how simple these attacks can be to carry out

Students should come prepared with the following equipment and knowledge: 

• A laptop running either Virtualbox, VMWare Workstation (not Player), Parallels, or VMWare Fusion
• An available Ethernet port on the laptop
• Ability to read technical documents written in English
• Experience writing basic Python scripts which incorporate modules and leverage functions and loops
• Basic Linux command line experience, including the ability to navigate directories, and launch application

Register Here

(Additional Registration Required - $495 Fee: Register ) This workshop will provide students of any role or skill level (beginners, advanced, and leadership) an immersive and entertaining OT cybersecurity learning experience, by participating as part of a blue team and a red team in a simulated environment. Short lectures cover Red Team topics (OT vulnerabilities, OT attack surface, and “hacker” methods) and Blue Team topics (OT vulnerabilities, security controls, threat monitoring, cyber risk management strategies, incident response, building a cybersecurity program). These topics are then exercised and reinforced in breakout sessions, where students get to compete against each other in “head-to-head” red team vs. blue team matches using the ThreatGEN® Red vs. Blue Cybersecurity Simulation Platform.

What will you get out of this course?

• Gain a comprehensive, “big picture” understanding of how all the OT cybersecurity pieces work together.
• A primer/refresher of Industrial Control Systems (ICS)/Operational Technology (OT)
• Learn OT vulnerabilities and attack vectors
• Learn about the methods and strategies red teams and hackers use to attack OT (High-level, this is not a command line level course)
• Learn OT and cyber risk management concepts and strategies
• Learn how to deploy efficient and cost-effective cyber risk mitigation strategies and security controls
• Learn how to build a complete OT cyber security program.
• Apply what you’ve learned against live adversaries (going head-to-head against other students) in the ThreatGEN® Red vs. Blue Cybersecurity Simulation Platform
• Learn how to respond to, adapt, and defend against active attacks (High-level, this is not a technical incident response or threat hunting class.)
• Participate as the blue team and the red team (no prior experience or technical skill required).
• Taught by Clint Bodungen, world-renowned ICS cybersecurity expert and author of Hacking Exposed: Industrial Control Systems

Requirements
Participants must bring their own laptop with either Chrome, Firefox, or Microsoft Edge installed. Connection to the internet will be required (access provided by the conference). Nothing will be installed onto your laptop.

Open to all conference attendees (no additional fee)

ICS4ICS Exercises are designed to help people understand how ICS4ICS processes and tools are used to improve the response to industrial control system cybersecurity incidents by leverage FEMA and DHS CISA capabilities.

Be part and join the Incident Command System for Industrial Control Systems (ICS4ICS) Exercise at SecurityWeek's ICS Cybersecurity Conference! The ISA Global Cybersecurity Alliance has joined forces with DHS Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity response teams from more than 50 participating companies to adopt FEMA's Incident Command System framework for response structure, roles, and interoperability. This is the system used by First Responders globally when responding to hurricanes, floods, earthquakes, industrial accidents, and other high impact situations. The ICS4ICS program is designed to improve cybersecurity capabilities related to incidents that impact industrial control systems and critical infrastructure supporting countries throughout the world.

Access ICS4ICS Materials

Don't miss the welcome reception as we reconnect with old friends and make new connections. Food and beverages provided. (Venetian Ballroom)

Large or small, cyberattacks are making headlines and elevating executive attention toward cyber resiliency. Preparing for, responding to and recovering from cyberattacks should be a strategic part of any business continuity plan. As recent cyberattacks have demonstrated increased risk to both IT and operational technology (OT) environments, readiness equates to enforcement of rules and policies that provide the visibility, control and situational awareness to respond at the speed of business. Cybercriminals are maximizing their opportunity by exploiting older vulnerabilities and an expanding attack surface. Strategic readiness should be underpinned with the notion that eventually an attack will happen, and when it occurs, you are proactively ready to respond. During this session, we will explore security considerations for developing cyber resilience covering security fundamentals and readiness planning to protect your IT and OT environments.

(Click Here to Register for CTF)

Roll up your sleeves and get ready for some fun and challenges for the 2022 ICS Cybersecurity Conference Capture the Flag (CTF) hacking competition! Competition rules and setup details will be available prior to the conference.

Hack the Plan[e]t is a first-of-its-kind CTF: a slice of modern city life integrating both Internet of Things (IoT) and ICS environments with interactive components for competitors to test their skills and knowledge. Play for a few minutes or plan to stay for many hours as the challenge grows. The ICS Village delivers a compelling experience using real IT and industrial equipment for all skill levels and practitioner types. Open to all levels of experience.

The Control Systems Cyber Security Association International (CS2AI), in collaboration with a team including KPMG and other supporting organizations, conducts a yearly analysis on the current state of ICS cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and -evolving threats.

The survey results will be shared at SecurityWeek's ICS Cyber Security Conference and can help defenders improve their security posture through greater understanding of the diverse concerns and decision drivers that the industry faces.

(Access Livestream and On Demand Video Here)

Attacks on manufacturing, energy, transportation and other critical infrastructure have escalated in the recent past. Ransomware impacting critical business systems and Industrial Control System (ICS) targeted malware have the capability to bring operations to a halt or even worse place risk to human life. Cybersecurity is now a boardroom priority.

Join this session by Liia Sarjakoski, Global Industry Solutions Director for Manufacturing and Energy at Palo Alto Networks, to hear more about the ever increasing threats ICS, Industry 4.0 and IT/OT environments are facing. She will share insights from the recent Unit 42 Incident Response Report, as well as other threat intelligence, future predictions based on this data, and recommendations to proactively prepare for future threats which are critical to ensuring safety of the critical infrastructure that our society depends on.

ICS (or more broadly OT/Cyber Physical systems) security is now a critical issue for senior management and boards of directors. The increase in ransomware, the spiraling costs of insurance and the necessary reporting requirements to even access coverage, as well as growing regulatory burdens require a change in mindset when it comes to protecting these systems. No longer can organizations “check the box” and say “oh, I have a basic inventory” or “at least I have some network monitoring occurring”. CISOs (driven by their boards, insurers, and regulators) now need to achieve the same level of security in ICS as they have achieved in IT. They need to demonstrate how they are practically improving security….going from red to green on key metrics and security controls. This requires the focus to go beyond the network (firewalls, monitoring, etc.) and get to the endpoint. They need to find a way of protecting and managing those endpoints to improve the overall protection of the control systems.

Join this session to learn how you can practically, efficiently, and safely manage and protect OT endpoints:
• How to gather accurate visibility into all assets across all sites in one place
• Prioritizing remediation based on asset and risk context
• Enabling response, not just detection, in an OT-safe way
• Demonstrating true security progress

The Cyber Incident Reporting Act for Critical Infrastructure Act, which was enacted in March 2022, will require critical infrastructure organizations to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.  This aggressive timeline will require companies to have enhanced identification, escalation, and investigation processes in place.
 
In this session, we will discuss the new Act, and the practical steps companies should take, both proactively and during an incident, to comply with this and other industry-specific regulations and expectations.  We will also discuss the unique cybersecurity threats for critical infrastructure organizations that make the industry particularly vulnerable to a cyberattack and the importance of heightened focus to help prevent and contain incidents.

The Pandemic brought zero trust to the forefront with the advent of Hybrid work and creating the perimeter less enterprise. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero trust within the industrial space is often misrepresented and there can be confusion on what can or cannot be implemented. This quick overview will provide guidance on:

• What Zero Trust is
• Why Zero Trust can be challenging to implement in OT
• Where Zero Trust applies across an Industrial Architecture
• Starting the Zero Trust Journey while securing ICS with Industrial Standards.

One of the biggest challenges for operational technology (OT) system cyber defenders is the lack of open-source information on cyber incidents impacting sector industrial control systems (ICS), systems putting defenders at a knowledge disadvantage. Understanding potential threats to the overall organization and critical infrastructure is crucial to preventing and responding to incidents.  

Credible failure scenarios can be used to augment the available incident information with a focus on attacks that can cause a physical impact on control systems resulting in the loss of availability, equipment damage, human causalities, loss of revenue etc. EPRI and MITRE will present a Framework for the Use of Potential Cyber Attack Scenarios to Guide Incident Response. The framework makes use of potential cyberattack scenarios to guide incident response that includes analyzing potential failure scenarios, defining associated cyber-attack TTPs using the ATT&CK framework, identifying required data sources, defining representative analytics for detection, identifying potential incident response actions and identifying potential mitigations. The results of failure scenario analysis from a cyber adversary perspective have broad application to ICS environments providing valuable data to enable detection and response to significant cyber attack TTP. Performing trend analysis across scenarios provides additional and significant benefits to include the identification of common adversary TTPs that will aid in prioritizing mitigations. EPRI and MITRE will present on this Framework in the context of energy sector scenarios.

Operational technology/industrial control system (OT/ICS) assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. Traditional approaches to securing OT/ICS do not adequately address current threats to those systems. However, owners and operators who understand cyber actors’ tactics, techniques, and procedures (TTPs) can use that knowledge when prioritizing hardening actions for OT/ICS.  Join Armis in reviewing the anatomy of a port infrastructure attack and how the lessons of Sun Tzu can help in protecting our critical infrastructure against advanced persistent threat (APT) groups.

In the last 2 years, over 100 industrial operations have shut down or suffered physical damage from cyber attacks - pipelines obviously, manufacturing plants, rail systems, steel mills and others. In this presentation we review the attacks & outages, identify patterns in attacks and patterns in defensive system failures, and we draw conclusions about the changing threat environment. One important conclusion is that ransomware criminals are trailing nation-state attack tools and techniques by less than 5 years. What we see nation states doing to each other today, we should expect to see ransomware groups doing to everyone with money in just a couple more years. We conclude with a look at the new DOE Cyber-Informed Engineering strategy which highlights engineering as a neglected asset in addressing these risks, and dig into how safety, automation and network engineering should play a role in preventing unacceptable physical outcomes of cyber attacks.

The National Renewable Energy Laboratory developed the Distributed Energy Resources Cybersecurity Framework (DERCF) and web application to help federal agencies mitigate gaps in their cybersecurity posture for distributed energy systems. The web-based tool assists a facility’s energy management team by bringing guidance and structure to the extensive array of cybersecurity controls applicable to DERs and walking the user through a three-pillar assessment framework. The three pillars, defined as Cybersecurity Governance, Technical Management, and Physical Security, each contain multiple layers that address key cybersecurity topics and together create a robust and flexible framework specifically designed for DERs. Join this session to learn more about the framework and how it could be utilized to help protect your operation!

The National Renewable Energy Laboratory is a national laboratory of the U.S. Department of Energy, Office of Energy Efficiency and Renewable Energy.

How to securely access and bring together People, Process or Technology is one of the biggest challenges in today’s technology world. With the need to access technology beyond your secure perimeter or in the cloud, how do organizations bridge that last mile to resources such as wind turbines,  ships, remote storage facilities, or drilling platforms? Join this session as we discuss how organizations can connect people and process to those resources in a safe, secure and regulated manner without causing disruptions or safety concerns to these remote OT assets.

Active monitoring of your ICS network traffic and end points can significantly reduce cyber risk and help ensure stable operations, but establishing a 24/7 OT monitoring solution remains a goal out of reach for many operators. Some have elected to leverage existing IT SOC capabilities or premise alternatives to support OT monitoring while others are turning to MSSP providers for an outsourced solution. In this presentation, we’ll discuss the benefits and challenges of OT/ICS cybersecurity risk monitoring & threat detection in both on-premise and MSS scenarios as well as best practices to drive resilience with 24/7 cyber threats detection and response.

If you’ve been around the cybersecurity space for a while now, you’ve probably heard the term “Shadow IT”. But did you know that there is an even bigger blind spot inside your operational technology (OT) infrastructure? Executives and SOC analysts almost always have an incomplete picture of what’s happening at the plant or site level even though these are the critical, moneymaking parts of a business.

The Shadow OT phenomenon is an important problem to solve. If you don’t have 100% visibility into and control of your operational systems (including the legacy ones), you may not be able to identify and respond to cyberthreats quickly enough to avoid the impacts of an attack, which could include anything from process disruption to severe environmental damage or even fatalities.

This session will outline how security practitioners and executives can shine light on their Shadow OT. We’ll cover:

• Different methods for collecting endpoint and network data out of OT environments
• How to use that data to create context for threat and incident response
• What data executive teams should know
• The best formats for sharing OT data internally

Join this session as we explore various approaches that defenders can take to operationalize valuable ICS threat intelligence and take action to defend critical assets.

Threat intelligence has long been considered an apparatus of militaries and three letter agencies. Unfortunately, given the fact that sophisticated threat groups have shifted to disrupting civilian infrastructure as an objective of their cyber operations, threat intelligence is now a necessary component of every strong OT security program, including those in private industry. Although the term "threat intelligence" can sound nebulous or intimidating to security leaders, receiving and actioning threat intelligence can easily amplify preexisting security processes and enrich security operations, increasing industrial safety and resiliency. This talk will seek to inform OT defenders on the ways in which, with good planning and direction, OT threat intelligence can be implemented into security programs with easy alignment to the NIST Cybersecurity Framework, limited strain on human resources, and improved security posture. The talk will focus on ICS Threats and their implications, key strategic and tactical intelligence workflows, and extraordinary examples of industrial organizations (unattributed) actioning OT threat intelligence to prevent disruption.

Identifying and understanding the risks present in your OT environment is an important component of addressing cybersecurity threats. Utilizing traditional IT risk methods will help organizations address risk but may leave blind spots in your view. Research into risk assessments will be presented with a call to action for those performing audits or assessments to begin to include additional checks and to adapt their approach to evaluating identified risks. To demonstrate the possible improvements, a case study will be reviewed.
 
Attendees should expect a brief overview of current risk assessment techniques, potential gaps, and considerations for improving their own internal processes.

Research efforts have demonstrated many critical security weaknesses in modern vehicles, specifically involving their Controller Area Networks (CAN). The CAN bus serves as the main communication network between all control systems in the vehicle. Due to its importance and weak security properties, the CAN Bus presents an attractive attack surface for cyberattacks; but also a useful resource for detecting any attacks or other anomalous vehicle conditions.

We present an overview of three recent contributions. First, we describe a research testbed that allows for replaying, modifying, or generating synthetic CAN traffic. This is complementary to testing approaches that involve real vehicles, allowing simpler and easier development and testing, especially at earlier stages in research and development. Next, we present a method for decoding the (proprietary) encoded contents of CAN messages. This automatically determines what signals are present in each message type, and then uses known (standardized) diagnostic queries to label the meaning and units of these learned signals. Finally, we implement a system to find anomalous network traffic on the CAN bus. This includes monitoring the timing characteristics of CAN messages and detecting missing or unexpected messages. In addition, we used the extracted signals described above to detect unusual or tampered message contents. We then combine these approaches into an ensemble detector to demonstrate its effectiveness.

Over the last few years there has been a significant increase in Cybersecurity regulation coming from DHS/CISA that requires Critical Infrastructure owners and operators to improve their reporting mechanisms and overall cyber security posture. For example Airports and Rail operators were required to assign a Cybersecurity POC to report cyber incidents to DHS/CISA. Are these complex ecosystems ready to identify and report cyber incidents? In addition the Infrastructure Investment and Jobs Act (IIJA) is setting up to distribute $1 billion dollars for cybersecurity improvements at the state an local levels. Based on what we’ve seen: are Critical Infrastructure operators and owners ready to comply with the new cybersecurity requirements and are they effectively positioning to submit grant applications to get some of the government help?

Some of the structural challenges with IT/OT security to including technological and cultural differences are starting to be evident in this transition. This presentation would explore some of those challenges and identify some of the potential gaps that Critical Infrastructure owners and operators are facing and suggest some actions to be better prepared in the face of increased regulation and significant government investments.
 
Key Takeaways:

• Awareness of new DHS/CISA cybersecurity current and future regulations
• IIJA funding available and requirements for Grant applications
• How structural IT/OT convergence challenges are impacting compliance with regulations (Airports, Rail and transit, Utilities, etc.)
• What Critical Infrastructure owners and Operators should consider to be better prepared to comply with regulation and apply for Grants

In August 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released information on Preparing Critical Infrastructure for Post-Quantum Cryptography to help prepare critical infrastructure network owners and operators potential impacts from quantum computing. Join this session as we walk OT asset owners through the Post-Quantum Cryptography Roadmap along with the guidance from CISA and cryptography experts. Attendees will come away with actionable steps to take to prepare for the transition.

*This session will be presented remotely

Train control systems manage various things, from physical breaking to wayside switching control to railway congestion management. This tabletop exercise will take you on a journey through a compromised train scenario. All are welcome to come, share their experiences, and gain fantastic cyber-physical knowledge.

Note: Participants are required to utilize their own laptops

Following the influence of the trade war, the epidemic lockdown and the Ukraine-Russia conflict, the global supply chain has faced surging risks. especially the electronics industry suppliers are unable to provide materials and parts, making it more difficult for enterprises to manage the supply chain. For supply chain security, MITRE and DHS have developed the System of Trust (SoT) framework to improve the trust between supply chain partners. As we know, we should not only evaluate product quality of suppliers, but also understand their geopolitical, national governance, financial, etc.

This research will take the consumer electronics as an example to explore its complete industrial chain, and in-depth analyze the core of the supply chain, including the power industry, semiconductor industry and retail industry. Then find out the security situation and potential threats of above three industries. Finally, we will review the practical mitigations in ICS for different industries. By our research, the organization can fully understand potential threats in their industry, and collaborate with suppliers, manufacturers, and other partners to face the threats from various attack vectors, keeping operation going.

Please join us in the foyer and sponsor hall for a reception with cocktails and amazing food and enjoy networking with industry peers. As part of your conference experience, we have prepared a fantastic menu and premium bar! This is a reception that you won't want to miss!

Network and share insights at Bourbon-ISAC! Hand-picked from a selection of American bourbons, Bourbon-ISAC will offer you a chance to end the day tasting some great Bourbons and networking with conference attendees.

Security engineering eliminates entire classes of cyber risk to operations, while cyber security only reduces those risks. This makes security engineering and the network engineering sub-discipline essential for industrial operations that must carry the Internet's threat load predictably, affordably, and for decades. In this presentation we take a deep dive into four powerful techniques for network engineering: hard segregation for safe cloud connections, unidirectional networks, hard wiring for safe access to safety systems and the Internet, and the (few) places it still makes sense to use real air gaps. These and other engineering-grade solutions are a blind spot in many cybersecurity programs - for example: where do buckling relief valves fit in the NIST Framework? We must expand our cyber risk programs beyond cybersecurity if we want those programs to be effective in addressing today's steadily-increasing threat loads.

In this session, Mark Plemmons, Sr. Director for Threat Intelligence at Dragos, will dive deep into the technical details and real-world impact on the modular ICS attack framework know as PIPEDREAM/Incontroller that can be used to disrupt and/or destruct devices in industrial environments. In April 2022, a joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created this suite of specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.

Analysts believe the malware has not been deployed yet in the wild and that its operator likely plans on using it in future operations. Based on analysis, the framework has been designed to target equipment in electric power and liquified natural gas (LNG) facilities, but it could easily be adapted for other types of environments, as well as devices beyond Schneider and Omron PLCs. Join this session to learn more!

OT monitoring is one of the essential cybersecurity controls for OT environments. It supports organizations in multiple cybersecurity domains, namely asset management, vulnerability management, and security monitoring. Products within the OT monitoring space have matured immensely over the past few years. These products typically rely on passive network monitoring, and most also utilize some sort of active scanning (although the latter is being masked under different names for marketing purposes). There are multiple vendors in the market, and it is difficult for organizations to select the ‘right’ one.

To devise a repeatable methodology that helps organizations assess the major players in the OT monitoring space, our first step was to create a testbed by means of an OT lab environment. Using different types of devices, including OT, IIoT, and IT, various industrial systems were built to simulate real-life processes. Additionally, the selection of the devices was diversified in terms of technology, vendor, make and model, protocols, and deployment architecture. We then devised a methodology that assesses candidate tools across the following functional areas:

• IT Asset Detection
• OT Asset Detection
• IT Asset Identification
• OT Asset Identification
• IT Vulnerability Detection
• OT Vulnerability Detection
• Threat Detection
• User Interface
• Integrations

Applying a methodology to our testbed environment, over 4 weeks of a PoC, generated interesting and insightful results (as well as questions). The various candidate tools, namely Claroty, CyberVision, Defender for IoT, Nozomi, Tenable.ot, performed to varying degrees, some excelling significantly in certain domains over others. The PoC validated that the methodology used was a practical framework that is customizable for organizations’ needs. Since then, this PoC methodology has been adapted and applied to multiple organizations in various industries.

Join this session as Raphael explains the PoC methodology that helps organizations choose the ‘right’ OT monitoring tool.

(Access Livestream and On Demand Video Here)

Designing a Zero Trust Architecture can seem like a daunting task. Rome wasn’t built in a day either! As you begin your journey you must start from the basics of what Zero Trust is and what it means to your organization. Then you must identify a starting point and develop an execution plan. In some cases that plan can be as simple as using known strategies from the adversaries to combat the adversaries.

What If I told you that designing a “man-in-the middle” mitigation could start you on your journey of achieving a zero-trust architecture? Join us as we talk about being “in the middle” and how this approach can allow you to broker the trust relationships as we talk about:

• Utilizing an Intermediate System to establishing session controls
• Establishing conditional access policies and parameters
• Doing this with a single tool that will also provide you with situational Awareness.

Many of today’s critical infrastructure systems consist of legacy equipment originally designed to be perimeter-protected or air-gapped from unsecure networks. However, while many of these have become connected over time resulting in a strong emphasis on IT and network based cyber security, device and control system cyber security has not received the same attention.

Join us for an exciting panel discussion that will discuss:

• Executive Order EO 14028 which has brought the requirement of SBOMs to the forefront.
• How SBOMs can play a major role in securing the supply chain, devices and control systems. 
• Where the onus resides for monitoring for vulnerabilities within the supply chain.

Modernization of operational technology has brought about significant challenges. Can we justify a wait-and-see approach when it comes to securing OT? The operations in OT/ICS used to be relatively straight forward, but as we become more dependent on connectivity, the challenges securing cyber assets become more complex. We’ll focus on use cases that deal with some of the most prevalent issues organizations encounter today: Legacy systems, insecure protocols, and ‘whose job is it anyway?’ are some of the topics we’ll discuss.

Join this session of industry veterans as they discuss the cybersecurity challenges faced in securing the critical operational infrastructure for companies on a digital journey.  Hear lessons learned and insights from their real-world experience on the front lines, building defenses against the evolving and escalating cyber threats to the production networks and industrial control systems they were tasked with protecting.  The discussion will also explore suggestions for moving from a reactive posture to a more proactive stance against the APT’s industry faces today.  And then conclude with Q&A from the audience.

ICS networks have traditionally been segmented from the rest of the enterprise network with most cyber threats stemming from human error, accidents, and acts of physical sabotage. The increasing integration of OT with business networks and internet-based applications has vastly increased the prevalence and complexity of cyber threats to ICS networks. As a result, segmentation/air gapping is is no longer the finish line for a good security strategy. To defend against a diverse set of cyber threats, you need a comprehensive ICS security strategy.

Join our lunch and learn session to learn how to go beyond segmentation and bring your OT security strategy to the next level. We’ll cover:

• How to get a clear understanding of all the assets in on your networks and how to identify blindspots
• Advanced threat detection and vulnerability assessment to identify and prioritizes security risks
• How to predict and detect OT process and stability issues giving you early warning signs of possible downtime

The days of a fully “air gapped” system are gone. The convergence of IT and OT and the need for connectivity have greatly increased the attack surface within manufacturing facilities, supply chains, critical infrastructure and travel & transportation. As a result, system reliability and safety are at a greater risk from cyberattacks.

If an incident occurs which causes any type of disruption to a production facility, do we know what caused it? Was it a system/asset failure, or was it a successful cyberattack?

Join us to hear how to establish detailed insights into both aspects, and joining the dots between the two, can greatly improve overall security and reliability.

Learn how security segmentation can be a cost-effective and efficient approach to mitigate cyber vulnerabilities for manufacturing environments.

Small manufacturers tend to operate facilities with limited staff and limited resources enabling cybersecurity to fall by the wayside as something that takes too much time or cost. The lack of cybersecurity leaves small manufacturers vulnerable to cyberattack. Some assets used by a manufacturing company need more protection than other assets. The grouping of assets according to the protection they need and placing appropriate cyber protection measures around these groups of assets is security segmentation. This session provides an overview of security segmentation, and then present a systematic yet simple six-step approach for security segmentation design.

Session Objectives: 

• The intended audiences for this session are people managing the IT/OT systems at a manufacturer who could be the operations manager, the network/security architect or a CISO. 
• Learn how common cybersecurity weaknesses present in the OT environment can be mitigated with security segmentation.
• Learn what are the building blocks of security segmentation.
• Learn how to conduct a security segmentation design.

 

Industrial organizations are constantly changing. Mergers and acquisitions of assets happen on a regular basis, and evaluating cyber risk as part of the standard due diligence process must become a requirement for executives. A significant cybersecurity incident could cost tens of millions of dollars due to lost revenue, ransom payments, legal fees, incident response costs, and increased cyber insurance premiums. Company owners, CEOs and boards of directors are also being held personally liable for a lack of security oversight following a cybersecurity breach.
 
This presentation will guide security executives through:

• How ransomware groups identify their targets 
• What should be done to strengthen the outward cyber appearance of industrial assets to avoid a nation state cyberattack or ransomware attack
• Why you should delay M&A announcements until you have done your cyber due diligence
• Methodologies for evaluating cyber risk as part of your due diligence process

Software Bill of Materials (SBOMs) are now recognized as a key component in software supply chain risk management. Executive Order 14028 has mandated them for doing business with the federal government, and critical industries are increasingly adopting this position as well. Unfortunately, SBOMs can result in a significant number of false positive vulnerability reports, creating too much work for too few security experts.

Not every vulnerability merits panic. Just because a vulnerability is reported for a software component doesn't mean the vulnerability is actually exploitable.
 
Cybersecurity and Infrastructure Security Agency (CISA) and the German Cybersecurity and Infrastructure Security Agency (BSI), have developed VEX (Vulnerability Exploitability eXchange) to address this issue. VEX documents allow vendors to preemptively assess the exploitability of vulnerabilities and issue a standardized, machine-readable document that states whether or not their products are “affected” by one or more known component vulnerabilities. 
VEX helps vendors communicate efficiently with their customers and prevents organizations wasting valuable time fruitlessly searching for and patching vulnerabilities in components that are perfectly safe.

This talk will present the results of a supplier of mission-critical ICS equipment using VEX documents to swiftly address customer concerns regarding the high-profile Log4j vulnerability. It will also cover the structure and the standardized formats available for VEX documents. VEX is still early days and there is still work to be done regarding the processing of VEX documents. But the industry needs to understand and be ready for VEX if they are to get vulnerability management under control.

The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.

Learning Objectives:
The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.

Cybersecurity is now a real boon for ICS/SCADA operations and maintenance. The talk will create awareness for plant/field teams by detailing various area of focus and measures for improving cyber resiliency for the ICS/plant which would pave way to the overall efficiency and savings.

While cybersecurity is typically thought of as a cost driver, there is mounting evidence that it can lead to a positive return of investment (ROI). Company leaders are spending heavily to protect their networks, systems, and data.

This presentation will analyze the roots of connected ICS like Industrial IoT, connected process controls, smart meters, etc., It will also make the argument for tangible benefits for plant efficiency, energy savings and process/machinery optimization, which could be a big motivating factor for management teams making budgetary decisions on cybersecurity efforts as well as the operations and maintenance teams implementing them.

Learning objectives for attendees:

While the ICS/OT cybersecurity budgets are growing larger, plant managers tend to believe that these investments don’t yield a direct return of investments. This presentation will attempt to counter that argument by explaining that ICS/OT cybersecurity not only secures networks and data but also helps with prime business protections such as emergency shutdown, disaster recovery, machinery safety and human safety. It contributes to energy safety, plant efficiency and ultimately leads to a healthier bottom line.

                                       

In this talk we will introduce new open-source tools for PLC Ladder Logic forensics, showing how it can be used to analyze code and data blocks.

We will demonstrate how it can be used to detect rogue code blocks and anomalous metadata. The demonstration will be shown on a POC malware that has been simulated in our ICS lab environment.

This talk will also cover the basics of programming and explain how communications and execution concepts works in Ladder Logic programming.

OT networks need to share data with IT for performance monitoring and analytics. However, if an IT network is hacked and is shut down, this prevents the exchange of data from OT to IT. Data can be transferred directly to the cloud, so operators have access to that data even if IT is shut down due to an attack, however it needs to be transferred securely to prevent threats from entering the OT network. Join this session as we discuss best practices for locking down OT networks and enabling secure connections between OT networks and the cloud.

During this session:

• Learn to think vertically about production encompassing ground-to-cloud thinking and the importance of actionable visibility spanning the entire IT and OT business process stack
• Gain an understanding of how IT system outages can impact production directly and indirectly 
• Best practices for enabling secure communications with a locked down OT network architecture for asset visibility and analytics in the cloud

Until recently, most of the focus in the ICS security community has been “bolting on” security to the network in the form of firewalls, data diodes, and network monitoring all at the perimeter. Any mention of touching Level 1 devices like PLCs deep inside the network has traditionally been met with gut reactions saying they are too sensitive to handle any extra security functionality, or it is not an effective investment in security. However, there is a wealth of data inside PLCs that can provide tremendous value both for security detections and for everyday troubleshooting. In this talk we will break down common objections we have heard to Level 1 security so we can learn how to stop worrying and love the PLC change.
                   
In this session attendees will learn:

• Common challenges and concerns when deploying Level 1 (PLC) security
• Strategies and tests to ensure Level 1 security solutions don’t affect the process
• Benefits of Level 1 security that far outweigh the costs of deployment

Since the Colonial Pipeline cyber attack, there has been an abundance of actions taken – from the cybersecurity directives issued by the White House and the Transportation Security Administration (TSA) to the bolstering of IT operations within companies. Despite these preliminary actions from the government, oil and gas organizations, and other industrial sectors within critical infrastructure, it is not enough. 
 
The Colonial incident and the subsequent directives are not only warning bells for the industrial sectors within critical infrastructure but are booming dinner bells for cyber criminals. These adversaries have confirmed that the cyber-physical world is their new battleground and they will continue to find new ways to exploit vulnerabilities and disrupt industrial operations with potentially devastating consequences. They do so by targeting OT networks that run industrial systems instead of IT because the impacts are far-reaching, costly and dangerous. It is important to note that these criminals only need to get it right one time to make a substantial impact and are constantly evolving attack methods.
 
As cyber criminals are strategically changing course to target critical infrastructure, companies must realize that the cyber-physical world is vulnerable and unprotected. Immediate action is necessary to prevent OT networks from being comprised. 
 
This presentation will examine how cyber incidents, like Colonial, Oldsmar Water Plant and the JBS food plant, have highlighted the growing problem of cyber-physical attacks on critical infrastructure and what criminal behavior tells us about future attacks. In addition, this session will explain how the growing convergence of OT and IT cyber have exposed the gaps in OT cybersecurity, why the methods used to protect IT do not work in an OT environment and why all eyes will be focused on OT to prevent growing cyber-physical threats.  
 
Furthermore, this presentation will explain why the current cybersecurity regulations are not enough to spur widespread change while highlighting the market forces that will drive that change. It will also discuss why the private and public sectors need to join forces to advance industrial cybersecurity. Lastly, it will underscore the questions stakeholders must ask and the actions they need to take to fight against criminals in this new battleground, protect their OT environments, and ultimately safeguard their businesses, supply chains, and consumers. The warning bell has sounded but the dinner bell is louder.

Why are organizations struggling to get the basics of OT Asset Visibility & Detection right?

Due to increasing awareness and/or Board/Compliance requirements, many organizations conduct a preliminary risk assessment to initiate their OT specific Security program. One of the initial steps is to generate an inventory of OT assets, which used to be a rudimentary spreadsheet exercise. With the wide availability of OT asset discovery tools, many go down that path via a proof of concept/value. Besides inventory, asset visibility, network security monitoring and threat detection are evaluated as part of this process. This talk will focus on technical considerations, lessons learnt and best practices from performing these POC/POV, and covers challenges including availability of infrastructure (span ports/tap, routing, bandwidth), archaic protocol implementations, organizational policies for network flows, risk appetite for active probing on low traffic networks and installing agents on HMIs & EWS, and finally the collaboration required of OT & IT personnel for successful implementations.

Due to a speaker travel issue, this session will be presented remotely

{This a re-run of the same TTX session that was held on Wednesday to accommodate those who could not attend the previous session}

Train control systems manage various things, from physical breaking to wayside switching control to railway congestion management. This tabletop exercise will take you on a journey through a compromised train scenario. All are welcome to come, share their experiences, and gain fantastic cyber-physical knowledge.

Note: Participants are required to utilize their own laptops
*Capacity Limited - First come, first served 

The Pandemic brought zero trust to the forefront with the advent of Hybrid work and creating the perimeter less enterprise. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero trust within the industrial space is often misrepresented and there can be confusion on what can or cannot be implemented. This quick overview will provide guidance on:

• What Zero Trust is
• Why Zero Trust can be challenging to implement in OT
• Where Zero Trust applies across an Industrial Architecture
• Starting the Zero Trust Journey while securing ICS with Industrial Standards.

Solutions Session Sponsored by Palo Alto Networks

Join us for our 2022 offsite party at the Industry Tavern to enjoy great food, craft beers and vintage cocktails. (Open to all full conference pass holders. Conference badge required for entry)

Cyberattacks and breaches against ICS and OT networks have increased at an alarming rate. As threats grow, the number of companies inquiring about cyber liability insurance coverage has increased heavily...
The 2021 Colonial Pipeline incident and resulting $4 million ransomware payment represented a watershed moment. It led insurance companies to be more vigilant and offer strict and high-premium based insurance coverage especially for ICS industries that seek cyber liability protection.

In contrast to traditional IT cyber liability insurance coverage, ICS cyber liability insurance is still in its nascent stage. It is also seen as particularly complicated due to indirect damage to its productivity and costly ICS machinery. Due to this, some companies have even experienced insolvency due to wrong estimates and incorrect pricing. It has led insurers to tighten their policy terms and conditions to reduce unexpected losses. Traditionally, commercial property and casualty policies could include limited cyber coverage, but now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately.

This paper details how a clear and focused ICS cyber risk assessment can save money on premiums and help underwriters offer more adequate insurance capacity. During an ICS cyber risk assessment, experienced engineers will examine a company’s compliance with multiple industrial cybersecurity standards including NIST CSF, IEC 62443, etc. It also provides a detailed Business Intelligence analytics report for ICS management so they can take an informed approach to risk mitigation that will strengthen their ICS networks and help them better negotiate with insurance carriers. It also helps insurance companies and underwriters make more informed ICS cyber liability insurance coverage decisions.

An ICS risk assessment determines risk percentage, risk scoring and breach probability of all individual key ICS networks and systems. The report determines a clear risk value in terms of dollar value for both the end-user and insurer.

Learning Objectives for Attendees
When insurance companies are making underwriting decisions on ICS cyber liability coverage, they must take many factors into account. They want substantial material and technical evidence. Self-initiated questionnaires won’t suffice. They are cautious about these decisions and thorough in their research. In fact, there have been frequent instances of underwriters rejecting inadequate risk assessment reports/questionnaires because they are too thin and don’t focus enough on ICS cybersecurity.
This paper addresses to the key question of first party revue losses and the third-party claims using ICS risk assessments to assess the breach probability in every stage of ICS to derive the cost of potential business disruption and revenue loss.

CNC (computer numerical control) machines are largely used in production plants and constitute a critical asset for organizations globally. The strong push dictated by the Industry 4.0 paradigm led to the introduction of technologies for the wide connectivity of industrial equipment, including CNCs. As a result, modern CNCs resemble more to fully fledged systems rather than mechanical machines, offering numerous networking services for smart connectivity. Given this shift into a more complex and software-dependable ecosystem, these machines are left more easily exposed to potential threats.

Our work explored the risks associated with the strong technological development observed in the domain of numerical controls. We conducted an empirical evaluation of four representative controller manufacturers, by analyzing the technologies introduced to satisfy the needs of the Industry 4.0 paradigm, and conducting a series of practical attacks against real-world CNC installations.

Join this session as we share findings showing that malicious users could abuse of such technologies to conduct attacks like denial-of-service, damage, hijacking or theft. We reported our findings to the affected vendors and proposed mitigations. This talk wants to be an opportunity to raise awareness in a domain in which, unfortunately, security is not yet considered an important driver.

The NRECA Threat Analysis Center (TAC) is the new Cooperative Operational Technology (OT) cybersecurity threat analysis and sharing platform, designed to improve the speed, coordination, and effectiveness of Co-op threat response. This initiative is designed to serve the small to medium utility community with right sized tools and products – is technology agnostics, and not for profit.  

The TAC is designed to be both a tool and a community, enabling collaboration and assistance among cybersecurity professionals at NRECA, Co-ops, and the wider intelligence community. This vision is dependent on establishing a network of cybersecurity professionals across the Co-op space. Therefore, as part of the TAC program, NRECA will launch the Grow/Keep Initiative, a workforce development initiative to address many of the challenges Co-ops face in hiring and retaining cybersecurity personnel. This center

As small, rural organizations, many Co-ops struggle to compete in the cybersecurity personnel marketplace. As electric utilities with expanding use of DER and IoT devices, Co-ops also require personnel who understand the critical infrastructure they serve and the associated risks of being compromised. Such “unicorns” are rare and expensive. The workforce Initiative will address these challenges by using the collective Co-op strength to compete in the marketplace while also growing cybersecurity expertise from the local Co-op communities. The resulting skilled and expansive network of professionals will act as a semi-shared resource, so every Co-op has the resources they need to resist and recover from threats.


With these efforts, the Threat Center Initiative will help ensure that no Co-op is too small to be protected, every Co-op has a community of support, and the nation’s power grid is safer.

Learning Objectives: 

• Right Sizing of Products and Solutions for Small to Medium Entities 
• Information Sharing initiatives for LMI communities 
• Building a novel workforce

This presentation is a report on field tests of a method for authenticating wireless devices based on the polarization characteristics of their signals.Results from monitoring wireless sensors in a factory environment will be presented under various conditions.The tests include the motion of an autonomous robot in the multipath environment and its impact on the polarization characteristics of stationary sensors on the production line. Results will be analyzed for their repercussions of the viability of using polarization for securing wireless devices.

In todays IIOT world order of standards ( NIST 800-53) and frameworks, and Product Resiliency against cyber attack with IEC 62443 products, there is still room for debate, and even confusion from the myriad of choices a manager in charge of Cybersecurity and protecting critical assets and operation, independent of what industry sector you come from. This lecture unpacks the practices and pitfalls of the Cybersecurity journey from observation of numerous projects over the past 20+ years of digital transformation.  For both new ventures, and organizations well on their journey to defend against today threat groups targeting Manufacturing sectors. There is a practical approach that will be outlined for assessment, monitoring, control, detection & incident response needed in today’s OT environments.. This session focuses on requirements & priorities, rather than today’s latest technologies, but also gives insight to why some of the leading products work, and some times fail to meet targeted return, on investment, or even address todays threat vulnerabilities.  Session is intended for C-level audience, (CISO), as well as technical mangers from IT and Industrial Control and Operations involved in Cybersecurity programs.

This presentation will highlight the importance of designing and tailoring industrial cybersecurity solutions for critical infrastructure based on lessons learned and best practices obtained across industry sectors, entities, and critical services. Every industrial cybersecurity solution must be unique for every organization because every OT-IoT environment is also unique.

Designing a tailored solution requires specific knowledge, skills and experience in OT/ICS that must include people, processes, and technology. However, many industrial organizations are investing in IT/OT technology tools available on the market without a proper planning and before having a clear understanding of their OT-IoT environments and a development roadmap for their industrial cybersecurity solutions. In many cases, such investments are leading to overspending, disappointment, and lack of expected outcomes.

The goal of this presentation is to provide a practical and hands-on approach to designing and developing industrial cybersecurity solutions that will help organizations within critical infrastructure sectors and their leadership teams in planning, tailoring, and implementing solutions for their OT-IoT environments and Operations.

Recommendations that will be provided for audience during the presentation are based on industrial cybersecurity practical experience, use-cases and lessons learned obtain across industry sectors including public and private organizations.

ICS and OT devices have historically been viewed as black boxes, especially by the end users of these devices. Tools and capabilities are incredibly limited in terms of how they can provide visibility and risk identification to these devices, so what are end users to do? The only recourse end users/asset owners have is to leverage existing knowledge bases such as the NVD and by reaching out to the device manufacturers themselves to identify any vulnerabilities and risks. In this presentation, Tom Pace, co-founder & CEO of NetRise will highlight how this is not enough. These datasets and even the knowledge from the manufacturer are insufficient to properly ascertain the level of risk that is present. Thousands of well-known vulnerabilities exist in ICS and OT devices that asset owners are completely blind to. Tom will highlight the true vulnerability disparity that exists for these devices and will explain how to shine a light on true device risk with real world data and techniques that everyone can use when they go back to their organizations.

Attendees will learn how to shine a light on the black box that is ICS/OT devices. Attendees will learn that software vulnerabilities are not the only risks that they should be concerned about. Attendees will walkway with practical recommendations on how to approach this problem on their own.

Electric vehicle (EV) development and associated charging infrastructure are expected to advance rapidly. Most of all global vehicle sales may be EVs and hybrid EVs in years to come, and they will rely on increasingly sophisticated strategies for grid integration. Next-generation EV charging infrastructure is expected to include interconnected renewable resources, such as photovoltaic (PV) arrays and battery storage systems, along with grid-edge devices. These complex interconnections expand the attack surface and could result in attackers acquiring valuable user data or manipulating firmware updates to create malfunctions that could impact power equipment.

In this session, Anuj Sanghvi, Cybersecurity Researcher at the National Renewable Energy Laboratory (NREL), will dive into the some of the cybersecurity work NREL is doing around threat vectors and risk mitigation techniques for Electric vehicle supply equipment (EVSE) and connected and automated vehicles to identify cybersecurity gaps and develop mitigation strategies for the future technologies.

The "defense in depth" concept is widely used inside the Industrial Control systems (ICS) space, which proposes different layers of defense to make penetration difficult for an outside attacker perspective. While this concept is still important, the rapid growth in sophistication and number of cyberattacks shows this may not be enough to face the current challenges. This talk presents a complementary methodology to enhance the defense in depth approach, supported by international frameworks such as NIST, CIS CSC and ISA/IEC 62443, among others. Available topologies for centralized and decentralized  monitoring and the advantages and disadvantages of active or passive approaches will also be discussed.

We are often asked how relevant Zero Trust is for critical infrastructure/operational technology (CI/OT). The answer is not only is it highly relevant but, when done properly, will safeguard against what would otherwise be catastrophic attacks. The principles of Zero Trust are ideal in large part because CI/OT's purpose-built nature and correspondingly predictable network traffic (as well as being unpatched for long periods of time and therefore creating vulnerability).  Join Rob Rachwald, Director of Zero Trust Strategy at Palo Alto Networks, for a panel discussion on how others are leveraging the principles of Zero Trust to tackle cyber security's toughest challenge: what's next.  We'll ask panelists to share insights on how Zero Trust is helping them achieve higher levels of security and operational resilience in CI/OT technologies.

Beginning with a dissertation in 1994, in the subsequent 28 years, Zero Trust has moved from an academic discussion, through struggles that continue with current network and cybersecurity policies and implementation, to the availability of some tools from a wide variety of vendors. ICS often is the last to implement the newest of technology, for very good reason. There are architectures and papers providing much to consider. However, ICS lives in a world where information technology provides the Internet, wide-area and campus-wide communications, as well as some local, dedicated engineering communications. Our goal is to ensure this new technology, like others before it, is useful in an ICS environment. We will see this technology still a concept in development. Alternatively, ICS can be prepared to operate in such an environment provided by others. To those ends, we will examine the information available to carefully consider what should be done.

Key Takeaways:

• Although it can be considered the latest buzzword, Zero Trust offers the next step in cybersecurity
• It’s being implemented, but …
• There is some very good guidance, but it is not mature
• There are tools, but they do not play well together
• Just how it applies to ICS
•  If you have not started, what you can do now to prepare
• Takeaways and thoughts from various presentations and panels throughout the week

Join this session as we discuss takeaways from the week and share insights and thoughts based both on stage presentations and from the great networking discussions throughout the week.

Join us in the Windsor Ballroom for a closing session with an open mic and your chance to ask questions, share insights and network with others for discussions as we wind down a great week!

Thank you for attending SecurityWeek's 2022 ICS Cybersecurity Conference!  We hope you enjoyed the content and made fantastic connections. We look forward to seeing everyone in 2023!