Welcome to the Interactive Agenda for SecurityWeek’s 2018 ICS Cyber Security Conference!

Monday, October 22
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!



Monday October 22, 2018 7:30am - 10:00am
Pre-function Hallway

9:00am

Developing an Effective ICS Risk Assessment Methodology
There are a number of cybersecurity frameworks in use today, notably the NIST Cybersecurity Framework (CSF), OCTAVE, ISA99/IEC62443 and others. Our experience suggests that the way most organizations perform framework-based assessments is inconsistent, and generally they serve as a point-in-time evaluation of risk. This talk looks at the mechanics of performing risk assessments in an Industrial Control environment with the objectives of:
  • analytical consistency and reproducibility
  • assessing risk across dissimilar plants and processes, and
  • developing the ability to track risk improvements over time

Additionally, we will discuss success factors in establishing a recurring Risk Assessment Methodology that supports both Operations Management and the C-Level with current information and allows what-if analysis to support decision making.
 
Presentation Objectives
 
The objectives are:
  • Provide an understanding of what “risk” really means and how to think of risk over time.
  • Using a Quantified risk approach vs a Quantitative Risk Assessment
  • Using a Risk Framework and scoring approaches
  • Why this works!

Speakers
Harry Regan

Vice President, Security Services, Securicon
Harry Regan is a security, Information Technology (IT), and operations professional with over 30 years of commercial, industrial, federal, and defense experience. He manages the Securicon commercial security consulting team and is responsible for overseeing the successful execution...


Monday October 22, 2018 9:00am - 9:45am
Windsor DE

9:00am

Protecting ICS With Decentralization + Blockchain
Learning objectives: Industrial control systems need local security to ensure continuous real-time operations, and these security services must fully support any-to-any connections at the edge while preserving central control. Blockchain is uniquely suited for a decentralized security system, as it can be used to ensure data integrity as well as tamper-proof IIoT networks and the distributed devices that comprise them.

In this presentation, Roman Arutyunov will speak to the critical importance of decentralized security for today’s evolving industrial systems. Distributing security is a solution to securing a distributed, autonomous, any-to-any, edge-heavy ecosystem.

Decentralization enables system operators to cover large areas, as well as hundreds of thousands of controllers, sensors, and meters, while facilitating secure addition, removal, and control of resources. In multi-vendor and multi-application IoT networks, decentralization allows smart devices, within utility, energy, manufacturing, and other systems employing a wide variety of devices, sensors and assets, to communicate securely. 

Blockchain is the ideal tool for implementation of a decentralized security system, as well as a way to ensure data integrity and a tamper-proof IIoT network. Blockchain solves a major issue for industrial control systems that are evolving to incorporate the efficiency of Industry 4.0: maintaining security while continuing to add smart devices in a network. A blockchain-protected solution is distributed by nature, making it a uniquely suited approach for decentralized, any-to-any IIoT security. Building on an immutable ledger based on consensus, blockchain’s structure creates a more secure connected network as more smart devices are added, a perfect fit for industries made up of large operational networks. Distributed security underpins continuous edge-computing operations, even in the face of irregular connectivity, and enables controlled access to existing industrial systems. By providing a communication fabric that integrates security within the devices and applications themselves, industrial control systems can be efficiently deployed in a way that enhances security with every device added to the network. In this instance, blockchain creates a security foundation to protect connected devices on the industrial edge.



Speakers
Susanto Irwan

Co-founder & VP of Engineering, Xage
Susanto Irwan is the Co-Founder and Vice President of Engineering at Xage. Prior to founding Xage in 2016, Susanto held senior engineering and product development roles at Shape Security and Arxan Technologies (acquired by TA Associates). Susanto has over 16 years of experience in...


Monday October 22, 2018 9:00am - 9:45am
Windsor C

9:00am

Red Team/Blue Team Industrial Cyber Security Training (Full Day - Registration Required)
Learn How to Respond to, Adapt, and Defend Against Active Attacks - Full Day Workshop

In order to have an efficient and cost effective risk mitigation strategy, you must understand not only where your vulnerabilities are, but also the tactics that attackers will use to exploit these vulnerabilities. Red Team/Blue Team Training provides the opportunity to learn these adversarial tactics in conjunction with the defensive methods; and then students get to apply the skills they learn as they face off in a head-to-head competition, Blue Team (the defenders) against Red Team (the attackers).

LEO's Red Team/Blue Team training uses cutting edge computer gaming technology developed by the authors of "Hacking Exposed: Industrial Control Systems", to offer all the best aspects of Red Team/Blue Team training, but in a fraction of the time and without a technical learning curve. Students of all levels can even play part of the Red Team, regardless of experience or skill level.

Students will learn that defending their ICS networks and assets is more than simply deploying "best practices" and "layered defense". By applying the skills they learn against a live opponent who is strategizing against them, they learn how to create targeted defensive strategies and respond to and adapt to active attacks.

What You Will Get Out of This Class:
  • Learn and apply practical industrial cyber security concepts
  • Learn vulnerabilities and attack vectors specific to industrial control systems
  • Learn the methods and strategies hackers use to attack industrial control systems as well as traditional IT systems
  • Learn how to deploy efficient and cost-effective mitigation strategies and security controls
  • Learn how to build a complete cyber security program
  • Apply what you’ve learned against a live adversary using the cutting edge, turn-based computer training simulation/game, ThreatGEN.
  • Learn how to respond to, adapt, and defend against active attacks
  • Participate as the blue team and the red team, regardless of experience or technical skill level

This half-day workshop is available as an option at SecurityWeek’s 2018 ICS Cyber Security Conference - Advanced Registration is Required.

Speakers
Clint Bodungen

Vice President, ICS Cyber Security, LEO Cyber Security
Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He has also published dozens of technical papers and training courses on ICS vulnerability assessment, threat research, and risk analysis...



Monday October 22, 2018 9:00am - 5:00pm
Hope 2 & 3

9:45am

Top-Down or Bottom’s Up: Comparing ICS Cybersecurity Risk Assessment Methodologies
There are probably as many approaches to assessing the cybersecurity of existing ICS systems as there are organizations who offer them.  Many organizations, particularly those with a background in IT security, typically start from the top (e.g. the enterprise/business network) and work down to the ICS network and endpoints.  These assessments typically focus on levels 2 to 3.5 of the Purdue model with an emphasis on networks and Windows endpoint security.  Other organizations, particularly those with a background in automation systems, typically start from the bottom (e.g. level 0 & level 1) and work up.

This presentation will discuss the pros and cons of each approach, provide examples from the field and offer guidance on specifying an ICS cybersecurity risk assessment that will actually identify and rank all risks to the organization.

Speakers
John Cusimano

Director of Industrial Cybersecurity, aeSolutions
John Cusimano, CISSP, GICSP, CFSE, is the Director of Industrial Cybersecurity for aeSolutions. John is an industrial control systems cybersecurity and functional safety expert with more than twenty years of experience. He leads the cybersecurity group for aeSolutions, a process safety...


Monday October 22, 2018 9:45am - 10:30am
Windsor DE

9:45am

Safety First: Active Scanning for ICS Devices
Active network scans may disrupt the operation of sensitive ICS devices, and that is a huge problem. But scanning these devices is necessary for a complete inventory and vulnerability assessment. With smarter handling of ICS devices, we are able to avoid many disruptions and complete an active vulnerability scan.

Attendee Takeaways
  1. OT vulnerability scanning is needed to handle current and future threats
  2. The risks of OT vulnerability scanning and potential improvements with careful probing of devices
  3. Progress that’s already been made toward safer scans, and a look to future developments

Speakers
Matt Everson

Manager of Asset Detection, Tenable
Matt is a Research Manager for Nessus at Tenable, and has over 15 years of experience in security, IT, and software development. Before Tenable, Matt worked in the financial industry as a technology executive...


Monday October 22, 2018 9:45am - 10:30am
Windsor C

10:30am

Morning Break
Monday October 22, 2018 10:30am - 11:00am
Pre-function Hallway

11:00am

Creating an ICS Cyber Security Assurance Program
Today’s Industrial Control Systems (ICS) or Operational Technology (OT) organizations face a vast array of digital threats. The safe and secure operation of these critical infrastructures is dependent on suitable responses to safety, security, and operational priorities being integrated into ICS at the design stage and throughout the system life. To protect against those threats, it’s important that organizations understand the initial steps to create an effective ICS cyber security assurance program and prioritize organizational risks.

The approaches to these steps and risks are different than the normal processes organizations take in creating a traditional IT cyber security assurance program. ICS/OT operations are vastly different than traditional IT operations with different priorities and concerns. These differences are usually compounded by the fact that knowledge and communication gaps exist between Control System experts/owners and Cyber Security experts.

Through successive consideration of the effect of decisions on pre-determined and prioritized safety, security, and operational functions throughout the design and implementation lifecycle, this presentation proposes a logical and structured approach to achieving:
  • Effective communication and a common understanding across organizational levels and technology.
  • Common differences in OT vs IT and how to bridge the gap.
  • Lessons learned in implementing an assurance program focused on ICS/OT operations

Speakers
Justin Christensen

Cyber Security Technical Analyst, Idaho National Laboratory
Justin Christensen is currently the Alternate Information Systems Security Manager for the Idaho National Laboratory Industrial Control Systems (ICS) Cyber Assurance Program. Justin has spent the past four years working with ICS at the Advanced Test Reactor and prior to that time...


Monday October 22, 2018 11:00am - 11:45am
Windsor DE

11:00am

Embracing Compromise: Enhancing ICS Security With The Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework
The idea of embracing compromise might sound unacceptable to some working with industrial control systems and other critical infrastructure. However, today’s systems are too complex with far too many opportunities available for malicious actors to breach an organization’s network. As such, we need to understand the tools and frameworks available for these dreaded yet inevitable times. Fortunately, MITRE has developed a curated knowledge base and framework known as Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). ATT&CK provides knowledge describing behaviors, actions, and processes that a cyber adversary might utilize once initial access has been gained within an organization’s network. This presentation will start with motivating reasons why ATT&CK is important for cybersecurity in general and for ICS networks particularly. Currently, ATT&CK is specifically designed and published for traditional IT networks. However, there is on-going research towards developing an ICS ATT&CK framework. After introducing ATT&CK, the presentation will describe research that is on-going in the research community to implement the ICS ATT&CK framework along with other works that have used ATT&CK specifically for ICS and Operations Technology. The presentation will conclude with ATT&CK based use cases that ICS organizations can use today in order to enhance their existing cybersecurity operations.  

Speakers
Lane Thames

Senior Security Researcher and Software Engineer, Tripwire
Lane Thames is a senior security researcher and software engineer with Tripwire’s Vulnerability and Exposure Research Team (VERT). As a member of VERT, Lane develops software that detects applications, devices, and operating systems along with vulnerability detection and management...


Monday October 22, 2018 11:00am - 11:45am
Windsor C

11:00am

Hands-on Workshop: Protecting ICS and SCADA Networks (1/2 Day)
Presented by Palo Alto Networks & CyberX

*Space is limited and priority will be given to end users. Attendees must be registered 

Securing ICS/SCADA systems in industrial and critical infrastructure environments can be a daunting task. Network defenders face multiple challenges including a larger attack surface resulting from IT/OT convergence, an increasingly sophisticated APT landscape, and legacy devices that are difficult to patch and were developed years ago when security was not a primary design consideration.

During this free, 1/2-day hands-on workshop, practitioners will learn how to apply best practices and the latest technologies to more effectively secure their ICS/SCADA environments using the Palo Alto Networks Security Operating Platform and its integration with CyberX’s purpose-built ICS cybersecurity platform.

Palo Alto Networks Lab Activities
Learn how Next-Generation Firewall and Advanced Endpoint Protection technologies can be used to control ICS protocols, block network threats with native IPS/IDS functions, and stop unknown threats on ICS hosts such as HMIs, engineering workstations, and automation servers.

Activities will include:
  • Overview of ICS/SCADA security basics and the Palo Alto Networks Platform
  • Set up virtualized ICS/SCADA infrastructure (HMI, PLC, Firewall, Kali)
  • Securing legacy environments with VLAN insertion
  • Whitelisting of ICS protocols using App-ID and custom App-IDs
  • Applications for user-level controls in ICS with User-ID
  • Securing ICS hosts (HMIs) with advanced endpoint protection
  • Exploit prevention using integrated IPS/IDS

CyberX Overview
In this workshop, CyberX will demonstrate how its out-of-the-box, API-level integration with Palo Alto Networks Next-Generation Firewalls and Panorama central management provides automated asset tagging and real-time response to ICS-specific threats.

We’ll look at the following scenarios using CyberX’s passive monitoring technology that has zero impact on OT networks:
  • Auto-discovery of all ICS devices and OT network topology by the CyberX platform, including detailed information about device types (manufacturer, model, protocols, etc.) and how devices are communicating with each other
  • Dynamic policy creation for ICS devices, leveraging rich, device-level information and context provided by CyberX to dynamically create and assign granular NGFW policies to devices via “Tags” and “Dynamic Access Groups” (DAGs)
  • Automated ICS threat modeling by CyberX to prioritize and simulate mitigation of attack vectors on critical “crown jewel” OT assets and processes 
  • Continuous monitoring with CyberX using patented, ICS-specific behavioral analytics and self-learning to rapidly identify suspicious or unauthorized activities
  • Automated prevention leveraging CyberX’s integration with Palo Alto Networks to rapidly block or contain malicious activities and devices, such as devices performing cyber reconnaissance, infected with destructive malware, or issuing unauthorized “PLC STOP” commands

Requirements
• Students need to have basic knowledge of ICS/SCADA environments and security concepts, particularly firewalls. No knowledge of Palo Alto products is required.
• Students just need a laptop with WiFi connectivity and browser to participate.

Monday October 22, 2018 11:00am - 5:00pm
Solutions Theater (Trippe I & II)

11:45am

OT and IT Integration: A Hacker's Perspective
Cyber attacks get all the front-page news coverage, but increasingly, the lines between the OT and IT security environments are blurring. This convergence of disciplines and technologies provides the motivated attacker with more opportunities for getting access to critical infrastructure, operational information and the intellectual property of the victim. This presentation explores the motivation of the advanced hacker, the technologies they employ, the methods they use, and the role the OT environment can play in a successful breach. Several case studies will be used to demonstrate these techniques, along with a list of measures that can be used to mitigate, or at least deter, these attacks.

Speakers
Harry Regan

Vice President, Security Services, Securicon
Harry Regan is a security, Information Technology (IT), and operations professional with over 30 years of commercial, industrial, federal, and defense experience. He manages the Securicon commercial security consulting team and is responsible for overseeing the successful execution...


Monday October 22, 2018 11:45am - 12:30pm
Windsor DE

12:30pm

Lunch - Windsor Garden
Please join us outside in the Windsor Garden


Monday October 22, 2018 12:30pm - 1:30pm
Windsor Garden

1:30pm

Assessing the Security and Reliability of ICS
This session will describe the considerations for assessing the security and reliability aspects of ICS. The topics Jack will cover include the interdependence of information and operational technologies (IT and OT), and how they support one another, in both directions. Jack will describe the areas of IT and OT specialization, and how an attack on, or failure in, either IT or OT will impact the other. He will then discuss the application of standards from various organizations to assess security, and how there are a number of common threads. Jack will discuss the determination of the right assessment tools and techniques, and why it is important to connect IT findings to the OT side. Jack will then turn to the assessment of OT, the requirements that must be met, and how an assessment moves from looking at those requirements to looking at the as-built plant. He will then describe the documentation of findings and the connection of those findings to IT. Finally, Jack will discuss making the case to the customer for improvements in IT and OT to ensure security and reliability.

Speakers
Jack D. Oden

Principal Project Manager, ICS Cybersecurity Subject Matter Expert (SME), Parsons
Jack D. Oden, Principal Project Manager and ICS Cybersecurity Subject Matter Expert (SME), is a self-motivated, energetic, and accomplished team player and speaker with twenty years’ experience in negotiating system improvements between users and engineers; developing projects...


Monday October 22, 2018 1:30pm - 2:15pm

1:30pm

How NOT to Patch Critical Systems
Patching critical systems can be a double-edged sword. The application of patches may mitigate known cybersecurity threats or support the increased safety, availability and reliability of our systems. They may also adversely impact our systems by interrupting operations or critical processes. Patches represent a point of resistance for systems that are designed to run continuously; but what if there were ways to avoid patching?

The application of a patch may not be the only mitigating technique for reducing cybersecurity risks. Mature security management programs provide additional opportunities for reducing risk aside from installing patches. Cybersecurity standards often account for the inability or non-necessity of installing patches to critical systems with the inclusion of appropriate levels of due diligence and understanding. Detailed knowledge of systems and the changes represented by patches may allow for correspondingly more specific, almost surgical, mitigation techniques.

Security management programs should be purpose built from the ground up to mitigate security risks; particularly those that are self-inflicted. We need to move beyond knowing what we have and reacting to threats and toward intelligent defense-in-depth strategies that also include passive and indirect protection methods. FoxGuard will discuss mature security management program elements specific to critical infrastructure and provide examples of how NOT to patch while managing cybersecurity risk.

Speakers
Roger Rademacher

Solutions Architect, FoxGuard Solutions
Roger Rademacher has over 20 years as an IT Professional, Systems Engineer and self-proclaimed Security Evangelist. Roger has been working to secure Department of Defense and Critical Infrastructure using comprehensive vulnerability management practices and helps drive the development...


Monday October 22, 2018 1:30pm - 2:15pm

2:15pm

Defense Strategies for the Robotics Ecosystem
Robots are no longer safe unless they are secure - It’s time to work together to secure our robotics ecosystem

In an effort to enable and improve efficiencies, organizations continue to push towards digitization of work processes, systems and equipment. Robotics has been at the forefront of digitalization, with connected robots making up the vast majority of the market. Unfortunately, with this increase in digitalization also comes an increased exposure to threats posed by bad actors. These systems can be unintentionally left unprotected and subsequently made an easy target for hackers.

Taking a collaborative approach in developing and implementing robotics is imperative to ensure safety and security. Within a complex robotic ecosystem, there are multiple parties that have ownership of ensuring security and safety. Understanding the role of the manufacturer, implementor and operator in this effort is critical to address the risks caused by continued digitization and increasing exposure. In this topic, we will discuss methods that would-be attackers use to compromise robotic systems as well as why collaboration between these roles is vital to design, build and deploy secure robot systems.
 
Participants will learn:
  • Common vulnerabilities in robotic systems
  • Attack vectors used by malicious actors
  • Collaborative defense strategies for manufacturers, implementors & operators

Speakers
Robert Lupo

Senior Security Consultant: OT & Industrial Cyber Security, TUV Rheinland OpenSky
Robert is a Senior Security Consultant in the Operational Technology & Industrial Cyber Security Practice at TUV Rheinland OpenSky. As an offensive security practitioner, he has led efforts and provided leadership in testing devices, including robotic systems in an effort to show...


Monday October 22, 2018 2:15pm - 3:30pm
TBA

2:15pm

Deploying a Local Certificate Authority to Secure Industrial Control Applications
Industrial control system vendors are adding cybersecurity features to harden embedded components and software applications. Many of these features require authentication of the identity of a device or user via digital certificates. Some examples of cybersecurity features enabled by a certificate authority include secure protocols, software signing, and firmware signing. A certificate authority is a security appliance that has been utilized to create and authenticate X.509 digital certificates in web applications for decades via a connection to the Internet.

One issue with the deployment of a certificate authority in industrial applications lies in its location.  Critical industrial control systems operate in isolated networks where authentication requests cannot traverse secure network perimeters.  Thus, the certificate authority must be placed within the control network boundary.  
 
This presentation will describe the value of X.509 digital certificates in industrial control applications.  It will demonstrate digital certificates being used in industrial control equipment, and introduce a certificate authority designed for industrial control applications.

Speakers
Josh Carlson

Business Leader, Cybersecurity Services, Schneider Electric
Josh Carlson possesses almost 20 years of diverse cybersecurity experience in engineering and sales roles within high tech companies. Mr. Carlson presently serves as the Business Leader for Cybersecurity Services for Schneider Electric's Industrial Division within the Americas region...


Monday October 22, 2018 2:15pm - 3:30pm

3:00pm

Afternoon Break
Monday October 22, 2018 3:00pm - 3:30pm
Pre-function Hallway

3:30pm

Increase in CVE Reports vs Long Field-Deployment - How to Manage the Conflict
In the ICS-CERT report for 2017 you can see an increase in the number of vulnerabilities reported, resulting in an increasing number of firmware updates from the vendors.

On the other hand, ICS/SCADA operators indicate that a field update cycle for their controllers takes at least 1 year to avoid down-time. This gap actually results in an advantage for attackers, who can use the published CVEs in new attacks before the operators deploy the required fix.

In this session we will present some examples of such recent published vulnerabilities and how they can be used to attack field controllers. We will discuss the dilemmas of publishing and handling such new vulnerabilities by ethical hackers, security and automation vendors and end-customers. We will then present the ways to address this gap using IDSs with configurable signatures and threat intelligence feeds.

Attendees will learn how to manage their feed of new vulnerabilities published and the translation to signatures for IDS tools.

Speakers
Ilan Barda

Founder and CEO, Radiflow
Ilan Barda is a cyber-security and communication executive with 20 years of experience in this market. In 2010 he founded Radiflow, a provider of cyber-security solutions for ICS/SCADA networks. Ilan has extensive cyber security from his service in the Cyber-Security division in the...


Monday October 22, 2018 3:30pm - 4:15pm
Windsor DE

3:30pm

Zero Trust Networking for ICS Environments
Perimeter-focused security programs prescribe a ‘one-size-fits-all’ approach to devices on the internal network, which historically has resulted in marginal effectiveness. The growing business requirement to incorporate IoT, OT, and IIoT devices into these programs means exceptions will become the new norm. A new approach is desperately needed.

Introduced in 2010 by Forrester Research, Zero Trust is a conceptual and architectural model for how security teams should redesign networks into secure microperimeters, strengthen data security using obfuscation techniques, limit the risks associated with user privileges and access, and improve security detection and response with analytics and automation. But will this practice work in industrial control system (ICS) environments where most equipment currently operating wasn’t designed for IT-oriented security methods?

Join ICS security expert Wayne Dixon as he discusses the advantages of Zero Trust security, common pitfalls of Zero Trust in converged IT and OT environments, and best practices for consuming a Zero Trust security model in ICS environments.

Speakers
Wayne Dixon

Director, OT Technology Management, ForeScout Technologies
Wayne Dixon is Director of OT Technology Management at ForeScout Technologies, Inc. Wayne brings 20 years of hands on experience in both ‘boots on the ground’ and consultative roles, supporting commercial, federal, defense, local government, and international customers.


Monday October 22, 2018 3:30pm - 4:15pm
Windsor C

4:15pm

Ghost in the Control Room: How Attackers Use Physical Access Controls Against You
In the world of ICS, physical access is the ultimate goal for attackers. To defend against this threat, sophisticated physical access control systems are installed, but are often misconfigured and not used to their full potential. Even worse, some misconfigurations can turn a multi-million-dollar physical access control implementation into an attacker's best friend; allowing them to essentially become invisible to traditional detection methods. This session will provide the audience with a foundational understanding of a traditional physical security environment, demonstration of trending attacks, and a roadmap to locking down deployed implementations.

Speakers
Valerie Thomas

Executive Information Security Consultant, Securicon
Valerie Thomas is an Executive Information Security Consultant for Securicon LLC that specializes in social engineering and physical penetration testing. After obtaining her bachelor's degree in Electronic Engineering, Valerie led information security assessments for the Defense Information...


Monday October 22, 2018 4:15pm - 5:00pm
Windsor DE

4:15pm

Introducing the ICS Cyber Range – Case Study
Most OT security practitioners will experience their first cyber-attack while on the job. Many may not even recognize it as such for a long time. This attack will be the first time when processes, people and technologies will be put to the test. But when it comes to a cyberattack, organizations do not have a second chance.

The ICS cyber range is a virtual playground which simulates an OT network, and runs simulated OT attack scenarios to train OT security staff. ICS security teams use ICS ranges to practice responding to OT attacks, and to test playbooks and technologies. As a result, organizations using an ICS range are much better prepared for a real-life incident.  This session will demonstrate a live ICS range and its benefits.
   
What the audience will learn:
  • What is the concept of hyper-realistic simulation
  • What is a cyber range
  • What are the unique requirements for an ICS range
  • Demonstration of an OT training session, which includes a simulated IT to OT cyberattack over an ICS cyber range

Speakers
Edy Almer

VP Product, Cyberbit
Edy leads Cyberbit’s product strategy. Prior to joining Cyberbit, Almer served as VP of Product for Algosec; during this period the company’s sales grew by over 4X in 5 years. Before Algosec, Edy served as VP of Marketing and Business Development at Wave Systems, an enterprise...


Monday October 22, 2018 4:15pm - 5:00pm
Windsor C
 
Tuesday, October 23
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!



Tuesday October 23, 2018 7:30am - 10:00am
Pre-function Hallway

8:00am

Welcome to SecurityWeek's 2018 ICS Cyber Security Conference | USA
Speakers
Mike Lennon

Managing Director & Conference Chairman, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several...


Tuesday October 23, 2018 8:00am - 8:15am
Grand Ballroom

8:15am

ICS Manufacturer's Panel – Industrial Cybersecurity Notes from The Field
Despite being fierce competitors, Rockwell Automation, Schneider Electric and Siemens will sit down for a lively discussion on the current state of industrial cybersecurity. The panel will provide a vendor-neutral perspective on ICS cyber, share notes from the field and give their take on the approaches, priorities and problems they are observing as they help customers transition to modern, connected and secure infrastructures.

Takeaways:
  • Strategies for launching industrial cybersecurity efforts; what’s working with management and what is not.
  • The most pressing ICS risks/issues and the most important steps organizations should take.
  • Hurdles organizations are facing when implementing and operationalizing ICS cybersecurity programs and what approaches are working.

Speakers
Josh Carlson

Business Leader, Cybersecurity Services, Schneider Electric
Josh Carlson possesses almost 20 years of diverse cybersecurity experience in engineering and sales roles within high tech companies. Mr. Carlson presently serves as the Business Leader for Cybersecurity Services for Schneider Electric's Industrial Division within the Americas region...
Frank Garrabrant

Product and Solutions Security Officer, Siemens
Frank Garrabrant, of Siemens Industry, Inc., is a Product and Solutions Security Officer and head of the North American Security Hub. In this role he is responsible for representing Siemens within North America for security related issues involving automation and drive products. Since...
Umair Masud

Portfolio Manager, Consulting Services, Rockwell Automation
Umair Masud manages the Consulting Services Portfolio at Rockwell Automation. He holds primary responsibility for the strategic roadmap for industrial cybersecurity services including consulting services such as risk assessments and audits as well as managed security services such...
Patrick McBride

Chief Marketing Officer, Claroty
Patrick McBride is the Chief Marketing and Chief Strategy Officer of Claroty. Prior to joining the company, he was the Vice President of Marketing and Communications at iSIGHT Partners (now FireEye). At iSIGHT Partners Mr. McBride was responsible for defining the global threat intelligence...


Tuesday October 23, 2018 8:15am - 9:00am
Grand Ballroom

9:00am

Defending Against Supply Chain Attacks
Supply Chain Attacks and Resiliency Mitigations

Cyber Resiliency Engineering can be applied to systems, missions, business functions, organizations or a cross-organizational mission. In this presentation, MITRE's Ellen Laderman will discuss how cyber resiliency is applied to the problem of mitigating supply chain attacks. The adversary’s goals for attacking a supply chain will be described using the cyber-attack lifecycle framework and the Department of Defense (DoD) Acquisition lifecycle. Resiliency techniques are recommended considering adversary goals and best options to defend against the attacks. The analysis in this document found that the most effective point to apply cyber resiliency mitigations is the Production and Deployment phase because this reduces the number of attacks overall. The best places to gain information about adversary targets and activities are both the Engineering and Manufacturing Development phase and the Production and Deployment phase. An example of how to apply these resiliency techniques is provided based on the Commercial Solutions for Classified capability package for a Wireless Local Area Network (WLAN).



Speakers
Ellen Laderman

Information Security Lead Engineer, MITRE
Since joining the Cyber Resiliency Team in 2013, Ellen has performed cyber resiliency assessments on sponsor systems being developed or in the process of being upgraded. Ellen also contributed to MITRE’s Cyber Resiliency Engineering Aid and authored documents on applying...


Tuesday October 23, 2018 9:00am - 9:45am
Grand Ballroom

9:45am

Hunting for Xenotime, Creators of TRITON/TRISIS ICS Malware
The activity group responsible for the TRISIS/TRITON malware is identified as XENOTIME. After the attack on the safety instrumented system in 2017, the group remained active, targeting other environments with different safety systems in other regions of the world. Hunting for the behaviors of this group allows defenders to not only search for existing threats but also identify new threats leveraging such behaviors and prepare confidently to detect and respond to such incidents. In this presentation, audience members will hear unique insights into the threat and how the Threat Hunt Cycle can be leveraged to provide actionable recommendations on building a collection management framework and applying hypothesis-led threat hunting to test out their collection while creating playbooks for how to effectively and efficiently identify and respond to attacks.



Speakers
Robert Lee

Chief Executive Officer, Dragos, Inc
Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus...
Marc Seitz

Threat Analyst, Dragos
Marc Seitz is a Threat Analyst, Threat Operations Center, at the industrial cyber security company Dragos, Inc. where he coordinates industrial control system cyber test lab functions as well as performing threat hunting services in ICS networks. Marc is a specialist in designing...


Tuesday October 23, 2018 9:45am - 10:30am
Grand Ballroom

10:30am

Morning Break
Tuesday October 23, 2018 10:30am - 11:00am
Pre-function Hallway

11:00am

Approaching Cybersecurity Vendor Selection in OT Environments
The world of Operational Technology (OT) in manufacturing and ICS environments presents its own unique challenges and considerations when selecting cybersecurity vendors. Operational requirements can vary widely from oil and gas to refining, chemical, power generation, and other industrial and critical infrastructure applications. Resources, work practices and procedures, and adoption of standards and best practices as they relate to both cybersecurity and overall operational technology also vary widely. The convergence of Information and Operational technology in manufacturing enterprises is at the forefront of end user concerns as they struggle to implement secure Industrial Internet of Things solutions. Larry O'Brien will share ARC's own approach to cybersecurity vendor selection in the ICS and OT worlds with a focus on lifecycle perspective of the plant or facility and a “future proof” roadmap that reduces risk and provides value to the overall business.

Speakers
Larry O'Brien

Vice President, ARC Advisory Group
Larry is responsible for providing oversight in ARC's research into process automation markets, including process automation systems, process safety systems, plant asset management systems, intelligent device management strategies, and field networks. Larry first joined ARC in 1993...


Tuesday October 23, 2018 11:00am - 11:45am
Grand Ballroom

11:00am

Case Study – Mapping and Protecting Application Flows in a G&T Utility
WFEC is a G&T utility that operates tens of sub-stations transmitting the power to its regional utilities. As part of the preparations for NERC CIP v6, WFEC had to map all its low-impact assets in the sub-stations and their application flows. After mapping the assets and their application flows, WFEC continued with the deployment of security gateways at each sub-station, achieving a security posture well beyond the NERC CIP requirements. In this session we will present how WFEC used an Industrial IDS to perform the mapping. We will then present the requirements for the security gateways for compliance and beyond, and conclude with lessons learned from the deployment process.

Speakers
Michael Meason

Senior Manager, Information and Security, Western Farmers Electric Cooperative


Tuesday October 23, 2018 11:00am - 11:45am
Solutions Theatre

11:45am

Network Resiliency in ICS: End User Perspective
Join this session as Vistra Energy's Ben Stirling provides real-world insights on control system network design and resiliency. The discussion will cover control system design and understanding the security implications, looking at lessons learned from two events: (1) a denial-of-service event of control system processors and (2) a misclassification of control system components. Ben will share the consequences of failure in securing industrial control systems from the perspective of an end user. Attendees will have an opportunity to engage in discussion as well as pose questions.

Vistra Energy (NYSE: VST) is an integrated power company with retail and generation businesses that include TXU Energy, Homefield Energy, Dynegy, and Luminant. Vistra operates in 12 states in the U.S., with about 6,000 employees. Vistra’s retail brands serve approximately 2.9 million residential, commercial, and industrial customers, and its generation fleet totals approximately 41,000 megawatts, with a diverse portfolio of natural gas, nuclear, coal, and solar facilities.

Speakers
Ben Stirling

Sr. Cyber Security Analyst, Vistra Energy
Benjamin Stirling is a Sr. Cyber Security Analyst with Vistra Energy as well as a member of the ERCOT CIP working group and ISA 99 Workgroup 4. For the last five years, Ben has been deeply integrated with Luminant’s I&C, Operational Technology, and Vistra Cyber Security groups...


Tuesday October 23, 2018 11:45am - 12:30pm
Grand Ballroom

12:30pm

Lunch - Windsor Garden
Please join us for lunch outside in the Windsor Garden


Tuesday October 23, 2018 12:30pm - 1:30pm
Windsor Garden

1:30pm

Critical Industrial Network Monitoring, an Example From the Field: Gas Distribution
This session starts by detailing the specific context and challenges that the utility industries (Electric, Gas, Hydro, etc.) face with regard to cybersecurity. Utilities have certain commonalities:
  • Physically Open: Often in the wild without physical protection
  • Connection through an operator network: telecom
  • Long life cycles: update problems, vulnerabilities
  • Targets for both theft and political attacks (disrupting services)
  • Subcontracting: external maintenance, uncontrolled device connections (e.g. the plug that bypasses the firewall for maintenance)
 
We will then discuss our experiences in working with utility organizations in the area of OT cybersecurity and will use a specific illustrative example from the setting up of a cybersecurity monitoring system on the control network of a medium-sized gas distribution operator in Europe. This part of the session will cover the specific challenges that the gas operator faced as well as the technical aspects of the solution implemented, the step-by-step implementation process, the benefits and the lessons learned from this project.
 
Who is this session for: Industrial Asset owners, control engineering managers and cyber security professionals who want to learn from a real-life experience in setting up an OT monitoring system.

Sponsored by: Sentryo

Speakers
Bob Foley

Vice President, North America, Sentryo
Bob has spent the majority of his business career as an entrepreneur and leader in the software industry. While trained as a lawyer, Bob has focused on building and managing businesses that develop software and services for customers in the areas of data management and cybersecurity...


Tuesday October 23, 2018 1:30pm - 2:15pm
Windsor DE

1:30pm

Notes from the Field: Using Visibility and Advanced Anomaly Detection to Secure OT Environments
  • Threats and attack patterns seen within industrial networks from real implementations
  • Strategies for how to protect these critical networks based on past attacks, "notes from the field" and attacks yet unseen
  • How visibility and anomaly detection can be used to prevent, detect and respond to targeted and non-targeted attacks
Sponsored by: Claroty

Speakers
Patrick McBride

Chief Marketing Officer, Claroty
Patrick McBride is the Chief Marketing and Chief Strategy Officer of Claroty. Prior to joining the company, he was the Vice President of Marketing and Communications at iSIGHT Partners (now FireEye). At iSIGHT Partners Mr. McBride was responsible for defining the global threat intelligence...


Tuesday October 23, 2018 1:30pm - 2:15pm
Windsor C

1:30pm

Solutions Theater: Securicon - Next Generation CyberSecurity for OT Networks
Industrial Control Systems and Operational Technology networks pose a different set of cyber security concerns than Enterprise IT networks. ICS such as SCADA mature at a much slower rate than classic IT systems; however, the threats to these environments are growing in complexity each year.
 
In this session we’ll discuss Securicon’s framework and methodology for using next generation security technology to increase the cybersecurity within your ICS networks, and also improve the resilience required to maintain business continuity. Attendees will learn about the following important topics:
  • The unique challenges security professionals may encounter when operating and securing critical ICS and SCADA networks
  • How bump-in-the-wire firewalls and sustained traffic monitoring can be used to identify and develop business use cases for application- and user-based access control in OT security policy
  • How to combine these ideals with best-practice zoning strategies for OT (Purdue Model / ISA95) and shadow (port/protocol) rules during migration to implement optimized OT segmentation
  • How to develop a structured security policy to create a templatized security policy for ease of deployment and operations management, and reduction of “policy divergence” across multiple devices
  • Using insight into network communications to help identify network performance issues.

Tuesday October 23, 2018 1:30pm - 2:15pm
Solutions Theater (Trippe I & II)

2:15pm

Clear & Present Danger – Addressing Insider Threats in OT Environments
Security used to be simple. Not long ago we deployed security much like medieval castles were built. The good guys were on the inside and the bad guys were on the outside, buffeted by high and thick walls, multiple layers of security, and early warning detection mechanisms. Today, however, the threats are within our own environment, and this is known as the insider threat. “Castle defenses” do not protect against this insider, and based on the access the insider has to your environment, it can be more damaging than an outside hacker ever was. This session will examine specific cases where insiders caused major security incidents in industrial organizations. This talk will specifically address:

  • The impact of the insider threat 
  • The topology and operations of OT networks and why they are more vulnerable today than they have been in the last 30 years
  • Types of insider threats
  • Anatomy of a breach
  • 5 step approach to reduce/eliminate insider threats to OT networks
  • How to gain visibility, security and control across both the IT and OT environment


Speakers
Barak Perelman

CEO, Indegy
Before founding Indegy, Perelman led several multi-million dollar cyber security projects at the IDF and received commendation for this service and achievements. He is a graduate of the elite Talpiot military academy and has over 15 years of hands-on experience in cybersecurity and...


Tuesday October 23, 2018 2:15pm - 3:00pm
Windsor DE

2:15pm

Trust No One: Securing 3rd Party Connections to Industrial Control Systems
Unfortunately, even as operators work to secure their internal systems, the security of their control systems and devices is only as strong as the security of the 3rd party vendors, suppliers, and outsourced services that have trusted access to their networks. Recent vulnerability reports across critical infrastructure have revealed that with the increase of these trusted communications networks, remote access, vendors, and supply chains are the most likely routes of ingress for cyber threats. 3rd parties may also have less stringent security policies in place, allowing attackers to more easily infiltrate the operational network, and the controls, equipment, and data stores within. So how can organizations secure 3rd party connections to their operational networks while still benefitting from new industrial control technologies? Through real life case studies and guidance from the DHS, FBI, and NSA, this presentation will analyze the anatomy of attacks through 3rd party connections and outline the best practices and technologies available to help mitigate external threats to ICS systems.

Speakers
Mark Toussaint

Product Manager, Owl Cyber Defense
Mark Toussaint joined Owl as Product Manager in 2017, bringing with him a strong technical background and a proven history of taking complex technical concepts and transforming them into a business value-oriented marketing strategy. With over 30 years of experience at high tech and B2B...


Tuesday October 23, 2018 2:15pm - 3:00pm
Windsor C

2:15pm

Solutions Theater Darktrace: AI Cyber Defense for OT Environments
An Industrial Immune System: AI Cyber Defense for OT Environments

Network-connected robots, sensors, and IoT devices offer improvements in automation, efficiency and safety, but often lack built-in cyber security, and threat-actors are targeting them as a means of getting inside networks. The same wave of AI that is ushering in these innovations can also be used as an approach to protect them. The Immune System approach to AI-powered cyber defense is used by some of the world’s leading companies to detect early indicators of cyber-attacks or vulnerabilities across OT, ICS, sensor, and industrial IoT environments. This fundamentally new approach uses AI to learn the ‘pattern of life’ for any device on the network. Utilizing autonomous, self-learning technologies to detect and respond to emerging threats is an achievable cyber security goal, irrespective of the device or network that the suspicious behavior originated on.


Tuesday October 23, 2018 2:15pm - 3:00pm
Solutions Theatre

3:00pm

Afternoon Break
Tuesday October 23, 2018 3:00pm - 3:30pm
Pre-function Hallway

3:30pm

[Panel] The Road to Building and Delivering a Workable IT/OT Program
Successes, Failures, Lessons Learned, and the Road Ahead.




Sponsored by: Deloitte

Speakers
Ramsey Hajj

Industrial Control Systems Lead, Deloitte
Ramsey is a senior manager in Deloitte’s cyber risk services practice. He specializes in identity and access management implementation and assessment services. He has more than 20 years of technical experience using emerging technologies to solve business problems. He has significant...
Mandy Huth

VP of Cybersecurity, Kohler Co.
Mandy Huth, CISSP, is the VP of Cybersecurity at Kohler Co. She is responsible for the company’s cybersecurity strategy and execution, including security for IT and OT in manufacturing. Mandy was formerly Director of Cyber Security at Belden Inc. where she led both IT and OT security...
Robert Lee

Chief Executive Officer, Dragos, Inc
Robert M. Lee is the CEO and Founder of the industrial (ICS/IIoT) cyber security company Dragos, Inc. He is also a non-resident National Cybersecurity Fellow at New America focusing on policy issues relating to the cyber security of critical infrastructure. For his research and focus...
Sean Peasley

Internet of Things (IoT) Security leader, Deloitte
Sean is a Deloitte Risk and Financial Advisory partner and the Consumer & Industrial Products leader and Internet of Things (IoT) Security leader in Cyber Risk Services at Deloitte & Touche LLP. He has more than 32 years’ in helping clients to become Secure.Vigilant.Resilient.™ by helping organizations address their most pr...


Tuesday October 23, 2018 3:30pm - 4:15pm
Windsor DE

3:30pm

Side Channel Attacks Against ICS Devices
Side channel attacks are attacks based on information gained by physical access to the device rather than theoretical weaknesses in algorithms, brute force or cryptanalysis. These attacks pose a significant threat to the security of cryptographic modules. An attacker may obtain secret information, like passwords or encryption keys, by monitoring information the device is leaking, such as the amount of time required to perform certain computations, power consumption or electromagnetic radiation while performing the cryptographic operation. Although many of these attacks require considerable technical knowledge of the system, the cost and difficulty of the attacks are being reduced with the introduction of cheap hardware, firmware, and software. This presentation discusses case studies showing side channel vulnerabilities in many implementations of crypto algorithms. It investigates typical targets as well as methodologies and techniques that attackers are using to launch a passive, difficult-to-detect attack against ICS devices. It also addresses strategies that can be deployed as countermeasures.

Speakers
Demos Andreou

Lead Communications Engineer, Eaton - Power Systems Division
Demos Andreou is a Lead Engineer in Eaton’s Cooper Power Systems division. He has extensive experience in security and has consulted for organizations in the Financial, Government, Consumer, Utilities and Telecommunications sectors. His technical strengths include compliance, ethical...


Tuesday October 23, 2018 3:30pm - 4:15pm
Windsor C

3:30pm

Solutions Theater: Skybox Security - See and Understand: Where are Critical Systems Most Vulnerable?
Critical infrastructure — from energy production to manufacturing to public utilities — is becoming a more prevalent attack vector for nation–state threat actors as well as the common cybercriminal. These attackers are frequently exploiting the interconnectedness of IT and operational technology (OT) networks, finding their foothold in the disconnect between their security management.

In response, many organizations are looking to unify and align their IT–OT security programs to understand and tackle cyber risks in both environments. In this session, we’ll cover the challenges to be ready for in such an endeavor, and how to use comprehensive visibility and risk-based approaches to overcome them.

Tuesday October 23, 2018 3:30pm - 4:15pm
Solutions Theater (Trippe I & II)

4:15pm

Securing IIoT Containers, Communications and Storage with TPM 2.0
Industrial control systems (ICS) devices at all levels of the Purdue Model are being connected to the Internet. In some cases, these endpoints and gateways are dual-homed to a control network and the Internet over different physical connections. In this session, you’ll learn about the risks and attack scenarios of IIoT. There will also be a case study on how ABB has secured containers, storage and communications in IIoT devices using TPM 2.0, enabling the highest form of US NIST 800-63 Authentication Assurance. Learn about the design, integration process and the benefits to safety and reliability.

Speakers
Joe Doetzl

Cyber Security Practice Leader, Grid Automation, ABB
Joe Doetzl has more than 20 years of IT/OT and Cyber Security experience. In his current role, he has global responsibility for the Cyber Security of ABB’s Grid Automation portfolio of products and solution delivery. He has created and led cyber security and compliance programs...
Dean Weber

CTO, Mocana
With more than 43 years of experience in information and physical security, he leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. His background includes Chief Technology Officer at Applied Identity, which was sold to Citrix. Earlier...


Tuesday October 23, 2018 4:15pm - 5:00pm
Windsor C

5:00pm

Cocktail Reception - Foyer & Exhibitor Hall (5-7PM)
Please join us in the foyer and sponsor hall for a reception with cocktails and amazing food, and enjoy networking with industry peers. At this VIP reception we have prepared a fantastic menu and premium bar!


Tuesday October 23, 2018 5:00pm - 7:00pm
Pre-function Hallway

7:00pm

Nozomi Networks Bourbon Bash Birthday!
Help celebrate Nozomi Networks’ 5th birthday (and 1,000 installations!) with a Bourbon Barrel Birthday Bash from 7:00 – 9:00 pm on Tuesday October 23, immediately following the exhibit hall reception.
 
Blues, Bourbon, Balloons and more!
 


Tuesday October 23, 2018 7:00pm - 9:00pm
Pre-function Hallway
 
Wednesday, October 24
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!



Wednesday October 24, 2018 7:30am - 10:00am
Pre-function Hallway

8:15am

Cyber Vulnerability Investigations: How The UK Ministry of Defence Protects Critical Infrastructure
The UK Ministry of Defence has taken major steps to conduct risk-based assessments for all its major land, sea and air systems through a methodology called ‘Cyber Vulnerability Investigations’ (CVIs).

Despite having undergone significant risk reduction exercises to minimize risks – there is still the lingering question “in the event of war will a cyber-attack prevent my vehicle/ship/aircraft from performing its mission”. It doesn’t matter if the risk is low – when an enemy is targeting your systems you would like to be confident that they can’t cause any unacceptable impacts. This is where CVIs come in.

There is a danger that relying solely on a component-driven approach will give a business owner a false sense of their risk posture and cause unacceptable consequences when they are compromised.

This talk will outline some of the key findings from a number of CVIs for the UK MOD and other Critical Infrastructure operators.

Speakers
Robert Longbottom

Cyber Security Capability Lead, Thales UK


Wednesday October 24, 2018 8:15am - 9:00am
Grand Ballroom

9:00am

Fireside Chat: Cisco's Edna Conway Talks Supply Chain Security With Microsoft Cybersecurity Field CTO Diana Kelley
Edna Conway, Chief Security Officer for Global Value Chain at Cisco, has a fireside chat with Diana Kelley, who currently serves as Cybersecurity Field CTO at Microsoft.

Speakers
Edna Conway

Chief Security Officer, Global Value Chain, Cisco
Edna Conway currently serves as Cisco’s Chief Security Officer, Global Value Chain, creating clear strategies to deliver secure operating models for the digital economy. She has built new organizations delivering cyber security, compliance, risk management, sustainability and value...
Diana Kelley

Cybersecurity Field CTO, Microsoft
Diana is the Cybersecurity Field CTO for Microsoft and a cybersecurity architect, executive advisor and author. At Microsoft she leverages her 25+ years of cyber risk and security experience to provide advice and guidance to CSOs, CIOs and CISOs at some of the world’s largest companies...


Wednesday October 24, 2018 9:00am - 9:45am
Grand Ballroom

9:45am

What is Consequence-Driven Risk Management? Why Should You Do It, and How.
Ok, stop me if you’ve heard this one: A consultant walks into a plant, looks around, runs some tools, throws you a report with 1000 findings and a heat map… and then says, “We can help you fix all that…”. NIST, ISO, RIPE, Bowtie, FAIR, HAZOP, PHA, LOPA… “Oh my”! The bottom line is, asset owner/operators want to know: 1. What/where is the risk to their operations, 2. What’s the potential consequence and impact of that risk, 3. What’s the likelihood of it happening, and 4. How do they deal with that risk with the resources they have access to? Unfortunately, the industry is swamped with a convoluted list of risk assessment and management frameworks, standards, and “best practices”. Many of these aren’t focused on industrial environments and most of them don’t provide a comprehensive solution that spans both operational and IT environments, much less a solution that provides pragmatic, easy-to-follow guidance from data collection and analysis to prioritizing mitigation strategies. How do asset owner/operators make sense of all of this? How can they achieve a truly efficient and cost-effective risk management strategy for operations that includes “cyber”? “This presentation could help you fix all that…”.

Speakers
Clint Bodungen

Vice President, ICS Cyber Security, LEO Cyber Security
Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He has also published dozens of technical papers and training courses on ICS vulnerability assessment, threat research, and risk analysis...


Wednesday October 24, 2018 9:45am - 10:30am
Grand Ballroom

10:30am

Morning Break
Wednesday October 24, 2018 10:30am - 11:00am
Pre-function Hallway

11:00am

An Approach to Making Manufacturing Security a Success
This isn’t My First Automount Machine: An Approach to Making Manufacturing Security a Success [End User Perspective]

The current process of managing security inside a manufacturing environment is badly flawed. Most security programs are based on defined sets of competencies that take into account only a corporate office environment, not the manufacturing environment. You cannot put a factory into a cage and expect it to behave as any other environment. Manufacturing environments are living creatures that need a different type of attention, diet and care.

This session will present a discussion on a holistic approach to manufacturing security assessments and manufacturing security programs, and discuss why we should be looking at process and people before we start to consider technology solutions.

Security assessments and audits are conducted solely through questionnaires or interviews. The approach uses observations of process and behaviors, combined with a bit of blue and red team work. This method will not only identify security gaps but also specifically address priorities to keep costs low for manufacturing environments.

Learning Objectives:
  • A proactive approach to security without having to purchase the latest shiny technology
  • Using a process approach through observations and learning the manufacturing environment while still applying traditional security methods produces better results
  • Recognizing that people, over shiny new technology, are your greatest security defense but can also be the weakest link

Speakers
Kristin Demoranville

Sony
Kristin Demoranville is a triple threat in STEM. She holds a Bachelors in Science Degree in Environmental Management, has worked in Information Technology since dial up modems were a thing, and is now currently focusing on Manufacturing Security Risk & Global Policy at Sony Corporation...

Stuart King

Sony
Stuart King found a niche in manufacturing security and has been hooked on it ever since. Currently working for Sony defining global security strategy, finding solutions, and driving down risk across electronics and semiconductor production facilities globally. Stuart’s career began...


Wednesday October 24, 2018 11:00am - 11:45am
Grand Ballroom

11:00am

Solutions Theater Darktrace: AI Cyber Defense for OT Environments
An Industrial Immune System: AI Cyber Defense for OT Environments

Network-connected robots, sensors, and IoT devices offer improvements in automation, efficiency and safety, but often lack built-in cyber security, and threat actors are targeting them as a means of getting inside networks. The same wave of AI that is ushering in these innovations can also be used as an approach to protect them. The Immune System approach to AI-powered cyber defense is used by some of the world’s leading companies to detect early indicators of cyber-attacks or vulnerabilities across OT, ICS, sensor, and industrial IoT environments. This fundamentally new approach uses AI to learn the ‘pattern of life’ for any device on the network. Utilizing autonomous, self-learning technologies to detect and respond to emerging threats is an achievable cyber security goal, irrespective of the device or network that the suspicious behavior originated on.

Wednesday October 24, 2018 11:00am - 11:45am
Solutions Theatre

11:45am

TRITON Live: Reverse Engineering the Attack & Free Tools to Protect Against Safety System Attacks
The TRITON attack on the safety system of a critical infrastructure facility sent shockwaves through industrial operators and security practitioners worldwide. TRITON is one of a limited, but quickly growing, number of publicly identified malicious software families targeted at industrial control systems (ICS) and the first known ICS attack to infiltrate a Safety Instrumented System (SIS).

In this session, Dr. Andrea Carcano will walk conference attendees through a live demo of the TRITON attack, sharing findings and critical lessons learned from the industry’s most extensive analysis of TRITON to date, including:
  • How the threat actors could have obtained the targeted equipment, firmware and documentation and surprising new findings around the level of resources (time, money, expertise) required to develop the attack
  • A dissection of the advanced methods used by the malware for a multi-stage injection of the backdoor into the controller of the Schneider Electric Triconex safety shutdown system, derived from both static and dynamic analysis of the code
  • Practical tools and guidelines you can use now to protect against these types of attacks
 
This is important information for anyone seeking to secure critical infrastructure. The audience will leave with comprehensive insights into how one of the most sophisticated attacks on an ICS system to date was developed and how it could be detected during and after exploitation.

Speakers
Dr. Andrea Carcano

Co-founder and Chief Product Officer, Nozomi Networks
Dr. Andrea Carcano is an expert in industrial network security, artificial intelligence and machine learning, and has published a number of academic papers on the subject. His passion for cyber security and solving the unique challenges around ICS became the focus of his PhD in Co...


Wednesday October 24, 2018 11:45am - 12:30pm
Grand Ballroom

12:30pm

Lunch - Windsor Garden
Please join us for lunch outside in the Windsor Garden.



Wednesday October 24, 2018 12:30pm - 1:30pm
Windsor Garden

1:30pm

Lessons Learned by Deploying Honeypots to Catch ICS Attacks
Industrial Control Systems (ICS) are often tasked with monitoring and managing highly sensitive processes associated with critical infrastructure. ICS technologies include supervisory control and data acquisition (SCADA), distributed control systems (DCS) and programmable logic controllers (PLCs). As these systems increasingly connect to IT networks to achieve productivity improvements and cost savings leveraging real-time online data, they are becoming targets for cybercriminals looking to cause havoc. In this session, we’ll show how you can use Splunk software to see and respond to real-world threats immediately. Our honeypot deployment, which acted as a decoy to lure cybercriminals, enabled us to analyze hacker activities closely and to learn how to better protect ICS devices against them. We’ve translated the captured information into a Splunk App which allows you to: understand how these attacks occur, see if your organization has been subject to similar attacks in the past and protect your organization going forward.

Speakers
Sebastien Tricaud

Product Solutions Architect, Splunk
Sebastien Tricaud is a long-time software developer and security researcher, as well as a technical security advisor to Fortune 100 companies and government agencies. He also is well versed in Linux PAM, Prelude IDS, Picviz, Gnome, and Faup. Sebastien has lectured for Usenix, Rubi...


Wednesday October 24, 2018 1:30pm - 2:15pm
Windsor DE

1:30pm

Inside the Mind of a Hacker / Security of Digital Twins
Many organizations are failing to learn about what they’re up against. Current business models rely on connectivity and IoT services to meet growing consumer demands for flexibility, ease of access and convenience. However, this connectivity introduces more vulnerabilities from more third-party sources. Hackers exploit these vulnerabilities to bypass any safeguards in place and gain entry into an organization’s infrastructure. As a result, the “check box” security approach that many companies take today simply isn’t effective. Without knowing what you’re up against, an organization’s approach to cybersecurity is destined to fail. By knowing how a hacker operates, organizations are more prepared to address cybersecurity challenges head-on by implementing the proper safeguards to ensure that sensitive information, including an organization’s IP and customer data, remains secure.
 
Digital Twins: The Answer to the IoT Security Conundrum?
 
According to Deloitte, a digital twin can be defined as “an evolving digital profile of the historical and current behavior of a physical object or process that helps optimize business performance.” A virtual way to inform maintenance on physical equipment and run complex what-if analyses, digital twins are already becoming a key part in the manufacturing industry and could have great potential for security in IoT and connected spaces.

Digital twins are supposed to be as accurate a representation of a real system as possible and, as such, a compelling IoT security use case could be hacker prototyping. For example, a hacker who gains access to a digital twin and disassembles the code can then use this information to identify attack points of the actual system. If the real system includes hardware security built in, these components may be replaced with a software library in the twin. In this way, a digital twin can be used to detect, localize, and neutralize security and performance threats to an IoT asset, as well as optimizing use of critical resources such as bandwidth.

In this session, Mark Hearn and Dave Belt will explore how hackers operate, what they are after and how they gain access despite security measures that are already in place. Digital twins will then be explored as a specific use case that is a ripe target for these hackers’ techniques, painting an end-to-end picture of a hacker’s motivations and methods.

In this session we will discuss use-cases where digital twins can play a role in the security of connected systems, including hacker prototyping, IP protection and protecting against backend system attacks. The presentation will also discuss the wider potential for digital twins in the future security of the IoT and connected environments.

Speakers
Dave Belt

Technology Evangelist, Irdeto
Dave currently serves as Product Marketing Director for Irdeto where he is defining the next generation of content security solutions. Dave Belt has been a specialist in cryptography and content protection technologies for the past 20 years. With a strong foundation in the Intelligence...

Mark Hearn

Director of IoT Security, Irdeto
Mark Hearn is the Director of IoT Security at Irdeto. He is responsible for leading Business Development strategies to secure organization’s IoT applications and connected devices. Mark has been with Irdeto since 2003, through Irdeto’s acquisition of Cloakware. Mark is a seasoned...


Wednesday October 24, 2018 1:30pm - 2:15pm
Windsor C

2:15pm

Prioritizing Solutions: Balancing Protective, Detective and Corrective Controls in ICS Environments
Although cybersecurity maturity among power generation and oil & gas operations varies, the need for effective cybersecurity exists everywhere. However, differing operational environments, budgets, company mission, regional standards, and your team's talent need consideration in building an effective cybersecurity program. How do you prioritize protective, detective and corrective control solutions to match your environment and available resources?
Ed Turkaly of Baker Hughes, a GE company, will provide guidance on how to prioritize these types of controls based on your organization’s current and future state. The presentation will cover best practices of where to put your time and money, expected outcomes from different solutions, and how to present to a review board or board of directors on the ROI of these solutions.
Attendees will learn:
  • Elements of an effective cybersecurity program
  • The differences between foundational and advanced security
  • How to prioritize solutions based on your organization’s operational needs and maturity cycle
  • Best Practices to Focus On: Preventive vs. Detective vs. Corrective Controls
  • How to present to a decision-making body the expected ROI and outcomes

Speakers
Ed Turkaly

Cyber Security Sales Engineer, Baker Hughes, a GE company
Ed Turkaly is the North America Cyber Security Technical Sales Engineer for Baker Hughes, a GE company. With more than 16 years’ cybersecurity experience, Ed provides strategic solutions and expert guidance grounded in a position of risk management and safety. His expertise lies...


Wednesday October 24, 2018 2:15pm - 3:00pm
Windsor DE

2:15pm

IIC Endpoint Security Best Practices
The Industrial Internet Consortium (IIC) has released the Endpoint Security Best Practices (ESBP) document, which provides recommendations on the type of security industrial equipment manufacturers and operators should implement on endpoint devices. In this presentation, the author & industry expert will provide an overview of the recommendations and demonstrate how to approach implementing the guidance.

Speakers
Dean Weber

CTO, Mocana
With more than 43 years of experience in information and physical security, he leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. His background includes Chief Technology Officer at Applied Identity, which was sold to Citrix. Earlier...


Wednesday October 24, 2018 2:15pm - 3:00pm
Windsor C

2:15pm

Solutions Theater: Skybox Security - See and Understand: Where are Critical Systems Most Vulnerable?
Critical infrastructure — from energy production to manufacturing to public utilities — is becoming a more prevalent attack vector for nation–state threat actors as well as the common cybercriminal. These attackers are frequently exploiting the interconnectedness of IT and operational technology (OT) networks, finding their foothold in the disconnect between their security management.


Wednesday October 24, 2018 2:15pm - 3:00pm
Solutions Theater (Trippe I & II)

3:00pm

Afternoon Break
Wednesday October 24, 2018 3:00pm - 3:30pm
Pre-function Hallway

3:30pm

Lessons Learned: Implementation of Cyber Security Programs at Nuclear Plants
Lessons Learned from Initial Full Implementation Inspections of Nuclear Power Plants in the USA

In 2010, the U.S. Nuclear Regulatory Commission issued Regulatory Guide (RG) 5.71 to provide an approach that the NRC staff deemed acceptable for complying with the Commission’s regulations regarding the protection of digital computers, communication systems, and networks from cyber attacks. Currently the NRC staff is performing inspections for the full implementation of cyber security programs at operating nuclear power plants. Feedback from the nuclear industry and the inspection teams and the use of additional guidance documents based on RG 5.71 provided lessons learned regarding the use of RG 5.71 in implementing cyber security plans. The lessons learned shared in this paper can be used for generating guidance for implementation of cyber security plans at facilities using industrial control technology.
 
Learning Objectives for Attendees:
  • Discuss cyber security threats facing nuclear power plants
  • Review and analyze NRC cyber security controls
  • Discuss NRC cyber security inspection techniques and interpretations
  • Discuss key implementation strategies for RG 5.71 and other guidance documents
  • Review lessons learned from initial full implementation inspections at Nuclear Power plants in the USA.

Speakers
Michael Brown

Senior Cyber Security Specialist, Nuclear Regulatory Commission (NRC)
Mr. Brown is a Senior Cyber Security Specialist with Cyber Security Branch of the Nuclear Regulatory Commission (NRC) in the United States. He has 15 years of experience inspecting nuclear power plants in the USA and has been involved with several full implementation inspections...


Wednesday October 24, 2018 3:30pm - 4:15pm
Windsor DE

3:30pm

Industrial IOT Cross-Layer Forensics for WirelessHART
Presented by researchers from the Air Force Institute of Technology (AFIT) and Oak Ridge National Laboratory, this session will address the forensics of Internet of Things (IoT) devices with specific focus on the unique challenges associated with the Industrial IoT (IIoT) subset.

Work continues on developing a reliable non-intrusive PHY-based security augmentation for SCADA/ICS systems and providing the impetus for expanding activity into the forensics arena. The focus remains on associating anomalous process (hardware) behavior with network anomaly detection. Pre-attack defense and post-attack forensics improvements for Industrial Internet of Things (IIoT) devices present unique challenges when compared to traditional IT systems given that:
  1. Many IIoT devices in SCADA/ICS applications cannot be powered off
  2. Sensing and control data is generally more volatile
  3. Incident discovery may not occur for weeks or even months
  4. Identifying attack attributes requires expertise in SCADA/ICS system architectures.
Regardless of whether or not post-event data is collected to support future defensive (vulnerability protection) or ongoing investigative (attribution, prosecution, etc.) measures, the detection of a cyber incident may go unreported given limited confidence in successful prosecution and/or concern over customers becoming informed and seeking new vendors to provide their service. The progress in PHY-based security augmentation includes extending wired Highway Addressable Remote Transducer (HART) demonstrations by adapting the recently demonstrated Constellation Based DNA (CB-DNA) Fingerprinting method to ZigBee-like WirelessHART signals supporting SCADA/ICS applications. The goal is to achieve similar device hardware and/or operating state discrimination performance that includes verification-based anomaly detection exceeding 90% on a pulse-by-pulse (command-by-command) basis, and nearing 100% when considering multiple sequential pulses (commands).


Wednesday October 24, 2018 3:30pm - 4:15pm

3:30pm

Solutions Theater: Securicon - Next Generation CyberSecurity for OT Networks
Industrial Control Systems and Operational Technology networks pose a different set of cyber security concerns than Enterprise IT networks. ICS such as SCADA mature at a much slower rate than classic IT systems; however, the threats to these environments are growing in complexity each year.
 
In this session we’ll discuss Securicon’s framework and methodology for using next generation security technology to increase the cybersecurity within your ICS networks, and also improve the resilience required to maintain business continuity. Attendees will learn about the following important topics:
  • The unique challenges security professionals may encounter when operating and securing critical ICS and SCADA networks
  • How bump-in-the-wire firewalls and sustained traffic monitoring can be used to identify and develop business use cases for application- and user-based access control in OT security policy
  • How to combine these ideals with best-practice zoning strategies for OT (Purdue Model / ISA95) and shadow (port/protocol) rules during migration to implement optimized OT segmentation
  • How to develop a structured security policy to create a templatized security policy for ease of deployment and operations management, and reduction of “policy divergence” across multiple devices
  • Using insight into network communications to help identify network performance issues.

Wednesday October 24, 2018 3:30pm - 4:15pm
Solutions Theatre

4:15pm

Demystifying ICS Cyber Risk
ICS cyber risk needs to be normalized with mechanical operational risk for it to be better communicated, understood and managed.

When ICS cyber risk is accurately modeled, measured, quantified and normalized with mechanical/industrial operational risk, it is then demystified.

Plant operations management needs to make effective comparisons between ICS cyber risk and the fifty other risk issues they have on their plate, ones with a historical impact on operations, to make well-informed risk management decisions. Metrics and financial analysis rule the day; management needs more than cyber risk heat maps and gap analysis against control frameworks to know how much $$ they should care. ICS cyber risk needs to be normalized with operational risk for it to be better communicated, understood and managed.

To make effective comparisons between cyber risk and operational risk, it is necessary to normalize the analysis results through the use of a common model that generates quantitative financial metrics. Once quantified in a common metric, cyber risk can be de-mystified and evaluated against other high-priority operational risk issues. The result of applying limited budget in appropriate amounts to properly prioritized risk issues results in optimal risk management and therefore more reliable and safe operations.

This presentation will demonstrate by case study the evaluation of both cyber risk and operational risk scenarios for a power plant and how risk mitigation options were evaluated and chosen based on their risk-reduction and cost-benefit merits.

The risk model and analysis methodology used to achieve this normalization was published by The Open Group in 2008 as The Open Group Risk Taxonomy (O-RA, Standard C13K) and the Standard for Risk Analysis.

Using these resources, the audience will learn how to answer the most challenging cyber risk management questions facing plant operations today: How much cyber risk is there? How much less cyber risk will there be if certain measures are taken? What is the cost-benefit impact and how does this compare to the other risk issues I have to manage?

Speakers
Mike Radigan

OT Strategy | Strategic Partners, Leidos Cyber
Mike Radigan has a 17 year career in the cyber risk management and network security industries. His subject matter expertise in expressing cyber risk in financial or “business terms” provides a unique and highly valued perspective to decision makers. Mike joined Leidos Cyber...


Wednesday October 24, 2018 4:15pm - 5:00pm
Windsor DE

4:15pm

Assessing Device-based Risk to Secure ICS Environments
Industrial environments, previously air-gapped from the outside world, are now being connected to IT networks to optimize operations management. However, these operational technology (OT) networks lack even basic security controls. In this session, Dr. Mukkamala will explain why conventional control and mitigation assumptions are not suited to address OT security challenges. He will present a new approach to assessing security risk at the device level that chains together multiple vulnerabilities and potential exploit paths to dynamically analyze threats, predict attacks and take remediation actions to protect against them.

Learning Objectives - Attendees Will Learn:
  • The unique challenges associated with protecting ICS networks from threats that previously were not able to traverse the air gap
  • Why traditional security risk management models are not suited for protecting OT environments
  • How to implement a new approach to threat and vulnerability detection, prioritization and remediation for OT networks

Speakers
Dr. Srinivas Mukkamala

Co-founder and CEO, RiskSense
Dr. Srinivas Mukkamala, co-founder and CEO of RiskSense, is a recognized expert on artificial intelligence (AI) and neural networks. He was part of a think tank that collaborated with the U.S. Department of Defense and U.S. Intelligence Community on applying these concepts to cybersecurity...


Wednesday October 24, 2018 4:15pm - 5:00pm
Solutions Theatre

4:15pm

Finding the Weakest Link in Your ICS Network Using Exploit Path Analysis (EPA)
Most cybersecurity risk management practices are centered around identifying and mitigating vulnerabilities of individual IT/OT hardware and software assets, instead of on aggregated vulnerabilities of interconnected assets in an ICS environment. Very often, the company CISO and his/her security team are interested in knowing what the weakest link (the most vulnerable path) in an ICS network would be, in order to allocate the right resources and achieve defense-in-depth cost-effectively with maximized return on investment. The current techniques of attack or exploit path analysis are mostly conducted at an abstract level and have little relevance to real ICS assets and control networks.

In this session, we will present a quantitative model of exploit path analysis (EPA) in complex ICS networks. An exploit path represents a potential route through a network an adversary may use to exploit IT and OT assets and launch attacks. The aggregated vulnerability of a path depends not only on the vulnerabilities of individual assets along the path, but also on asset compositions and their connective relationships in a network. Our approach integrates various security techniques, including consolidated asset management, automated vulnerability discovery, and dynamic network analysis, into an extensible framework. We will review several existing attack or exploit path models and introduce the analysis metrics and concepts based on probabilities for identifying the weakest link. We will demonstrate the use of EPA through some sample use cases and how it can be used to support quantitative decision making in enhancing an organization’s ICS cybersecurity readiness.

The EPA development is sponsored by the Department of Energy (DOE) through a research grant.

LEARNING OBJECTIVES
  • What is EPA and what are its benefits for ICS?
  • What are the important analysis factors and metrics for EPA?
  • How are threat and vulnerability modeled in EPA?
  • How can EPA be used to support quantitative cybersecurity risk analysis?
  • How can EPA be applied in organizational decision making with respect to ICS cybersecurity?


Speakers
Dr. Nick Duan

CTO, D-Tech
Dr. Nick Duan is the President and Chief Information Officer of D-Tech, LLC, an R&D firm specializing in cybersecurity products and services. He has over 30 years of experience in software design and project development, with a wide range of expertise in cybersecurity, identity and access management, data modeling, and system design and development. Prior to D-Tech...


Wednesday October 24, 2018 4:15pm - 5:00pm
Windsor C

6:00pm

Offsite Party - South City Kitchen
Sponsored by ThreatGen

Wednesday October 24, 2018 6:00pm - 9:00pm
 
Thursday, October 25
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!



Thursday October 25, 2018 7:30am - 10:00am
Pre-function Hallway

8:15am

Leadership, Security, and Support at the Clinton White House
How would you handle leadership in the most stressful Chief Information Officer (CIO) job in the world – being the CIO at The White House? Colonel Gelhardt will answer this question, and will talk about the leadership and mentorship he used and how you can use the same skills in the civilian world. If he can do it, so can you!

Colonel Gelhardt is a retired Army Officer and war veteran. While in the Army, he was nominated and selected to work at the White House as the CIO equivalent for the Clinton White House from 1995 through 1999. Colonel Gelhardt was responsible for all classified Information Technology and Communications used by the President, Vice President, White House Staff, and the Secret Service. Colonel Gelhardt's mission was to provide safe and secure instantaneous communications and 5-minute hard copy, anytime, anywhere in the world to the Commander-in-Chief. If the Information Technology and Communications at the White House failed, millions of people would be affected and people could have died. This was a zero-tolerance environment where you could not fail.

Speakers
Colonel Mark Gelhardt – Former CIO for President Clinton

Former White House CIO/CISO
While a Lieutenant Colonel in the US Army, Mark was nominated and selected to be the Commander of the Data Systems Unit (Chief Information Officer civilian equivalent) for the Clinton White House from 1995 to 1999. His mission was to provide safe and secure, Information Technology...


Thursday October 25, 2018 8:15am - 9:00am
Grand Ballroom

9:00am

Making Sense of Machine Learning Analytics for Situational Awareness & Threat Monitoring in ICS
The ICS cybersecurity market is swirling with hot buzzwords. More than 20 startups have emerged in the ICS market in response, offering products that attempt to meet this demand. But what do  terms like “anomaly detection” and “machine learning” actually mean in the context of ICS threat monitoring? What does machine learning do and how does it work? Is it providing real value or is it yet again clever marketing? Is machine learning really even being used? If so, how can anomaly detection and machine learning enhance ICS threat monitoring? Is it really needed? What strategies, tools, and techniques can really help you with your ICS environment situational awareness and threat monitoring? Are there options for budget-constrained organizations? In this presentation, Clint Bodungen will explore how anomaly detection and machine learning work, and how they can be deployed for effective ICS situational awareness. The audience will be armed with what they need to cut through the buzzwords and confusion. They will be introduced to several open source tools available that will help them learn more about passive asset identification, anomaly detection, and threat monitoring, and potentially even deploy their own “DIY” situational awareness solution.

Speakers
Clint Bodungen

Vice President, ICS Cyber Security, LEO Cyber Security
Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He has also published dozens of technical papers and training courses on ICS vulnerability assessment, threat research, and risk analysis...


Thursday October 25, 2018 9:00am - 9:45am
Grand Ballroom

9:00am

Solutions Theater: Securicon - Next Generation CyberSecurity for OT Networks
Industrial Control Systems and Operational Technology networks pose a different set of cyber security concerns than Enterprise IT networks. ICS such as SCADA mature at a much slower rate than classic IT systems; however, the threats to these environments are growing in complexity each year.
 
In this session we’ll discuss Securicon’s framework and methodology for using next generation security technology to increase the cybersecurity within your ICS networks, and also improve the resilience required to maintain business continuity. Attendees will learn about the following important topics:
  • The unique challenges security professionals may encounter when operating and securing critical ICS and SCADA networks
  • How bump-in-the-wire firewalls and sustained traffic monitoring can be used to identify and develop business use cases for application- and user-based access control in OT security policy
  • How to combine these ideals with best-practice zoning strategies for OT (Purdue Model / ISA95) and shadow (port/protocol) rules during migration to implement optimized OT segmentation
  • How to develop a structured security policy to create a templatized security policy for ease of deployment and operations management, and reduction of “policy divergence” across multiple devices
  • Using insight into network communications to help identify network performance issues.

Thursday October 25, 2018 9:00am - 9:45am
Solutions Theatre

9:45am

ICS Security Researchers & Automation Vendors: Building Mutual Trust
In this collaborative session with representatives from Emerson Automation Solutions and CyberX, we'll discuss a real-world example of how security researchers uncovered a vulnerability in an ICS product and worked cooperatively with the ICS automation vendor including: how contact was made, responsible vulnerability disclosure, patch development & distribution, and finally public disclosure of the vulnerability via ICS-CERT. We'll also discuss how Emerson has implemented Secure Development Lifecycle Assurance (SLDA) to prevent such vulnerabilities in future development projects. CyberX and Emerson will discuss how asset owners can secure assets and processes through threat modeling and defense-in-depth – including with compensating controls such as continuous monitoring.

Speakers
Phil Neray

VP of Industrial Cybersecurity, CyberX
Phil is the VP of Industrial Cybersecurity for CyberX. Prior to CyberX, Phil held executive roles at enterprise security leaders including IBM Security/Q1 Labs, Symantec, Veracode, and Guardium. Phil began his career as a Schlumberger engineer on oil rigs in South America and as an...

Neil Peterson

DeltaV Product Marketing Director, Emerson Automation Solutions


Thursday October 25, 2018 9:45am - 10:30am
Grand Ballroom

10:30am

Morning Break
Thursday October 25, 2018 10:30am - 11:00am
Pre-function Hallway

11:00am

Analysis of Russian Cyber Activity Against U.S. Critical Infrastructure
In this presentation, Jonathan Briney, Sr. Lead Analyst for the Industrial Control Systems Group at the DHS NCCIC/Hunt and Incident Response Team, will provide the aggregate timeline and the specific steps (or TTPs) that were detected and directly attributable to this specific concentrated campaign and its goals.

Speakers

Jonathan Briney

Sr. Lead Analyst – ICS Group, Hunt & Incident Response Team, DHS National Cybersecurity and Communications Integration Center
Jonathan Briney, CISSP, is the Sr. Lead Analyst of the Industrial Control Systems Group within the Hunt & Incident Response Team (previously ICS-CERT) at the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC). He has spent the...


Thursday October 25, 2018 11:00am - 11:45am
Grand Ballroom

11:00am

Rethinking Our Approach to Protecting Vulnerable Brownfield Devices
The vast majority of industrial control systems (ICS) are composed of legacy, brownfield devices that use insecure industrial protocols (Modbus, BACnet, DNP3) or rely on single-factor, password-only authentication. These devices are vulnerable to physical and lateral attacks, and we have to assume that hackers may already be in the network. This session will explore traditional and new approaches to protecting these systems.

Speakers

Bill Cotter

Master System Engineering Specialist, 3M
  • 40+ years in the field
  • Rocket Engineer (Aerospace Engr)
  • Mechanical Engr – Rotating Equipment
  • Maintenance Engr – Had to Follow Many Skills
  • Bio Plant Engr – Had to Do Many Skills
  • Control Systems Engr – 36 years 3M
  • MsMUG
  • ISA 99 / IEC 62443 – WG6 Patch Ma...

Dean Weber

CTO, Mocana
With more than 43 years of experience in information and physical security, he leads Mocana as Chief Technology Officer after serving as director and CTO at CSC Global CyberSecurity. His background includes Chief Technology Officer at Applied Identity, which was sold to Citrix. Earlier...


Thursday October 25, 2018 11:00am - 11:45am
Grand Ballroom

11:00am

Solutions Theater Darktrace: AI Cyber Defense for OT Environments
An Industrial Immune System: AI Cyber Defense for OT Environments

Network-connected robots, sensors, and IoT devices offer improvements in automation, efficiency and safety, but often lack built-in cyber security, and threat actors are targeting them as a means of getting inside networks. The same wave of AI that is ushering in these innovations can also be used as an approach to protect them. The Immune System approach to AI-powered cyber defense is used by some of the world’s leading companies to detect early indicators of cyber-attacks or vulnerabilities across OT, ICS, sensor, and industrial IoT environments. This fundamentally new approach uses AI to learn the ‘pattern of life’ for any device on the network. Utilizing autonomous, self-learning technologies to detect and respond to emerging threats is an achievable cyber security goal, irrespective of the device or network on which the suspicious behavior originated.

Thursday October 25, 2018 11:00am - 11:45am
Solutions Theater (Trippe I & II)

11:45am

Tamper-Proof Rootkit Detection for ICS Through Power Consumption Analysis
Rootkits are dangerous pieces of malware that exert a persistent, stealthy influence on a system by subverting its kernel functions and objects. A rootkit does this by first achieving, and then maintaining, administrative or root privileges on an infected system, effectively giving an attacker complete control over that system. Rootkits can further use their privilege to disable or tamper with logic-based malware detection solutions, making them ineffective for dealing with these threats. A rootkit detection solution that provides accurate, real-time, tamper-proof alerts is needed.
 
Our system, called Heartbeat, provides just such a capability. By measuring and analyzing the power consumption behavior of a device both before and after infection, Heartbeat is able to provide timely, accurate indicators of rootkit installation. Furthermore, because the power data is collected directly from the power rails, it is completely immune to on-system rootkit tampering.
 
Our system improves upon past work in this area by collecting data only during the regular, periodic invocation of a system function or set of functions. This method is attractive because it is efficient, versatile, and scalable, and because system functions are tempting targets for alteration by sophisticated malware. Analysis of this data is technique-agnostic, so this presentation will describe analysis techniques that have worked for our experiments, and outline directions for future investigation.

Speakers

Joel Dawson

Research Associate, Oak Ridge National Laboratory
Joel Dawson received the B.A. degree magna cum laude in Communication from Messiah College in 2008, and the M.S. degree in Computer and Information Sciences from the University of South Alabama in 2017. Prior to graduation, he interned at ICS-CERT at Idaho National Laboratory in...

Dr. Stacy Prowell

Chief Cyber Security Research Scientist, Oak Ridge National Laboratory
Dr. Stacy Prowell serves as the Chief Cyber Security Research Scientist and is the Program Manager for the lab's Cybersecurity for Energy Delivery Systems program. Dr. Prowell's research focuses on exploiting physical sensors and properties to detect and prevent intrusion, and on...


Thursday October 25, 2018 11:45am - 12:30pm
Grand Ballroom

12:30pm

Lunch - Windsor Garden
Please join us outside for lunch in the Windsor Garden.



Thursday October 25, 2018 12:30pm - 1:30pm
Windsor Garden

1:30pm

Learning from Mistakes of Others and Achieving the Biggest, Immediate Reduction in Risk
There is much talk of “advanced threats”, but the vast majority of attacks succeed by exploiting basic, fundamental gaps in our defenses. As OT infrastructure is becoming more connected, it is entering the domain of attackers that have had decades of experience in exploiting vulnerabilities to cause all kinds of damage, disruption and cost.

Organizations such as large banks and retailers still struggle to secure their environments, so how can we learn from their mistakes? We’ll discuss where to focus your initial efforts to get the biggest immediate reduction in exposure and risk, concentrating on the following critical areas:

  • Visibility: You can’t secure what you can’t see.
  • Log Management: All malicious activity leaves a trace, so track it.
  • Access Control: Provide access only to those that are authorized.
  • Network and Endpoint Security: You have no security if you’ve left all the doors and windows open.

Sponsored by IBM

Speakers

Edgard Capdevielle

Chief Executive Officer, Nozomi Networks
Edgard brings an extensive background in successfully managing and expanding markets for both start-ups and established technology companies to his role as CEO. Previously he was Vice President of Product Management and Marketing for Imperva, where he led teams that made the company’s...

Robert Dyson

Global OT Security Services Leader, IBM
With more than 25 years of experience in the Information Technology field, Rob Dyson has held technical and leadership positions while providing IT services for many companies within multiple industries. Rob is currently the Global OT Security Services Leader for Industrials and...


Thursday October 25, 2018 1:30pm - 2:15pm
Windsor DE

1:30pm

Visibility to Protective Controls
Discussion of how to pragmatically get to implementation of protective controls through visibility and continuous monitoring.

Sponsored by: Tripwire

Speakers

Gary DiFazio

Strategic Marketing Director, Industrial Cyber Security, Tripwire
Gary has been in the technology space for over 25 years, spanning experience with systems, applications, networking, and cyber security through a number of industry verticals including telecommunications, manufacturing, retail, industrial, federal government, financial services, electric...


Thursday October 25, 2018 1:30pm - 2:15pm
Windsor C

2:15pm

Reducing Industrial Risk in a Converging IT/OT World
Rapid adoption of Industrial IoT requires tight integration between IT and OT. CISOs and corporate OT leaders are now scrambling to develop strategies, secure budget, and implement solutions to secure their mission-critical industrial control systems against burgeoning cyber threats. Effective integration of IT and OT cybersecurity strategies is essential to address risks successfully. To secure industrial facilities and ensure safe, reliable production, IT and OT security teams – traditionally two separate disciplines with different priorities – must collaborate and share cybersecurity and risk management best practices.

In a series of interviews in late 2017 and early 2018, more than 20 different experts on the front lines of OT cybersecurity risk mitigation shared practical advice for making control systems more secure. These experts represented a diverse range of industries including oil and gas, chemicals and refining, and power generation.

In their interviews, they shared their insights into how to leverage IT/OT convergence and develop an effective OT cybersecurity program that meets challenges in real-world ICS environments. Technology plays an important role, but as these experts also point out, more technology isn’t always the solution. Just as important is the need to establish effective communication and trust between cybersecurity professionals and OT engineers.

Security project teams must make a concerted effort to create alignment between business management, the cybersecurity community, and OT professionals. Without alignment, security initiatives will fail to attain the support required to ensure success.

In this presentation, attendees will learn:
  • Practical, real-world recommendations from OT cybersecurity experts
  • Best practices for breaking down barriers and building trust between cybersecurity professionals and OT engineers
  • How to align business management and plant operations on cybersecurity strategies

Speakers

Jason Haward-Grau

CISO, PAS Global
As the CISO at PAS, Jason oversees corporate cybersecurity and ensures PAS technologies address the needs of the CISO community. Jason brings a proven track record of successful delivery in Cybersecurity, IT Development & Operations, IT & Cyber Shared Services, Consulting and Change...


Thursday October 25, 2018 2:15pm - 3:00pm
Windsor DE

2:15pm

Digital Twin Framework for Power Grid Cyber Resilience
The electric power grid is realizing tremendous growth in the integration of technology-enabled solutions to improve system performance, reduce costs related to both operational and life-cycle maintenance, reduce environmental impact, improve the fidelity and accuracy of measurements and monitoring, integrate renewable energy and associated energy resources, and improve overall reliability. These technology advances collectively increase the attack surface of the electric power grid ecosystem. As the level of automation in critical energy infrastructure increases, the ability to detect cyber intrusions and attacks becomes even more critical as well as challenging. Coordinated cyberattacks can maximize damage by making use of multiple grid control techniques. One approach to preventing such attacks is to continuously compare grid-state time-series sensor measurements with continuously running real-time simulations to detect unexpected deviations early in the cyberattack process. This presentation will discuss a Digital Twin Framework (DTF) implementation designed specifically to prevent such attacks. The DTF and model implementation are validated through comparison of experimentally collected data from a scaled three-phase transmission system. The hardware sensor data and controls are provided by embedded controllers which support standard IP communications. Results indicate that the DTF implementation presented here performs well and extends current DT capabilities in the areas of modularity, interoperability, and running in real time alongside the cyber-physical system parent.

Speakers

Juan Lopez Jr

Cyber-Physical R&D Manager, Oak Ridge National Laboratory


Thursday October 25, 2018 2:15pm - 3:00pm
Windsor C

3:00pm

Afternoon Break
Thursday October 25, 2018 3:00pm - 3:15pm

3:15pm

IT Malware Threats to OT systems – Case Study of Cryptojacking and Related Exploits to ICS
In February 2018, cryptojacking malware was found in the operational network of a European water utility. This presentation will go into the details of that attack, including results of forensic activity and deeper analysis that have taken place since discovery. While details of the attack vector, how the malware was discovered, and the impact on the controls network will be presented, we will also look at what this means in terms of ICS networks now being collateral damage for IT malware. In addition to the cryptojacking attack, attempts to exploit remote maintenance channels with embedded device vulnerabilities were discovered, suggesting more targeted OT attack plans. Such attempts were initiated shortly after an Internet connection was established, using scanning servers and Shodan in conjunction with attack automation tools such as AutoSploit. This session will also provide recommendations for mitigation and prevention of such attacks in the future.

Speakers

TJ Roe

VP Business Development, Radiflow
TJ Roe is an industry veteran with 20 years’ experience in the design and sales of Industrial Automation Networks and Security for Power and Water Utilities, Intelligent Traffic Systems and more. Previously TJ was Director of Strategic Markets for the industrial networking division...


Thursday October 25, 2018 3:15pm - 4:00pm
Windsor DE

4:00pm

Open Mic Discussions & Closing Remarks
SecurityWeek's 2018 ICS Cyber Security Conference is winding down, but there is still time for some great discussions! Please join us for closing remarks and an open discussion where anyone can make comments, share insights, ask questions and engage in a lively discussion.



Thursday October 25, 2018 4:00pm - 5:00pm
Grand Ballroom

5:00pm

Conclusion of SecurityWeek's 2018 Cyber Security Conference
Thank You Sponsors and Attendees. Please join us for our APAC event in Singapore in April 2019, or again in Atlanta in October 2019.



Thursday October 25, 2018 5:00pm - 5:00pm
Grand Ballroom