This is a DRAFT Agenda for SecurityWeek’s 2019 ICS Cyber Security Conference. Sessions are being added daily and the final program will include 4 FULL DAYS of content.

Monday, October 21
 

TBA

Advanced ICS/SCADA Hacking Workshop
Monday October 21, 2019 TBA

TBA

Hardening a Modern ICS Environment
Industrial Control System (ICS) devices were initially designed for closed-network or non-networked environments inside of facilities that were thought to be secure. These early systems did not consider cyber threats to be of consequence due to their closed off environment. However, these environments have evolved into technical distributed systems that may be connected to the Internet. These systems are high value targets that are also often infrequently patched or updated, leaving them vulnerable to common exploits. This, in tandem with the rise in threats from state actors willing to invest a large amount of time and money to compromise these high value targets, makes hardening ICS systems a necessity.

During this session, we will look at three fallacies that impact the security postures of industrial control systems and propose some ways to address them. In summary these misconceptions are:

1. Programming languages don’t matter.
2. Keeping the adversary out is all that matters.
3. There is no way the adversary knows enough about my system.

This session will demonstrate some of the concepts discussed above in a Linux 5.2 environment with Fieldbus support. We will demonstrate methods for inhibiting a "root" shell from accessing a protected file, an encrypted storage and executable vault that limits the potential for reverse engineering (RE), and finally a rootkit being unable to load into the kernel.

Speakers
Dan Robertson

Software Engineer, Starlab
Dan Robertson is an Epidemiologist turned Software Engineer. Mr. Robertson is currently working on a Linux Security Module at Starlab. Before working at StarLab he worked at Tripwire on a Vulnerability Management product where he spent most of his time working with the SMB protocol...


Monday October 21, 2019 TBA

TBA

IT and OT Join Forces to Secure Smart Cities
This session will demonstrate possible cyber-physical attacks against Smart Cities, by examining the challenges specific to port and maritime systems. By examining lessons learned from these incidents, the speaker will reveal how a layered response covering architectural, procedural, technological, and organizational measures can help mitigate risk efficiently. IT security practitioners from every industry are facing the challenges posed by our connected world. This session will highlight the principal challenges and benefits of integrating Information Technology with Operational Technology.

Learning Objectives - After attending this session you will understand how to:
  • Meld the architectural imperatives of OT – safety and service reliability – with Information Technology – Data shall not be lost, altered or inadvertently disclosed.
  • Integrate IT and OT networks without increasing the attack surfaces of both.
  • Develop processes and systems to bring IoT-enabled capabilities into the SDLC, whether waterfall, Agile, or DevOps.
  • Enhance organizational maturity to reduce re-work, eliminate problem rediscovery, and improve overall quality.

Speakers
William Malik

VP of Infrastructure Strategies, Trend Micro
William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service in the mid-1990s, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management...


Monday October 21, 2019 TBA

TBA

Utilizing A Data Diode for Edge Analytics in Industrial Networks
This vendor-agnostic workshop will help you thoroughly understand Data Diode/Unidirectional Gateway technical mechanisms.
  • Data Diode role in ICS cybersecurity
  • Compare/Contrast Firewall and Data Diode
  • Data Diode to facilitate Edge Analytics
  • Key Concepts of Edge Analytics
  • Utilization of Data Diode to facilitate 3rd party, or remote, access to ICS data in near real time
  • Edge-Based Machine Learning/Artificial Intelligence for Predictive Maintenance and Process Optimization

Monday October 21, 2019 TBA

TBA

Creating and Performing a Cybersecurity Tabletop Exercise
Preparing for a cybersecurity incident at your company is important. There are several phases to a successful tabletop exercise. A tabletop exercise provides an opportunity for an organization to test contingency plans. These plans may address a variety of challenges facing an organization. Challenges to business continuity may come from weather, terrorism, cyber incidents, insider threats, or a natural disaster. There are multiple levels of contingency plans, including incident response plans, emergency evacuation plans, and business continuity plans.

This presentation will focus on helping you understand why you should perform a cyber exercise, and provide step-by-step guidance on how to create and conduct a cyber exercise from scratch through the following steps.

  • Understand why to perform a cyber exercise
  • Determine the type of exercise to be performed
  • How to build the Exercise Design Team
  • Create the Exercise Plan
  • What drives the story? The narrative
  • One more look at Injects
  • Leading up to the Big Exercise Day
  • Exercise Day
  • Writing the After-Action Report (AAR)
  • Exercise Follow-Up and Process Improvements

Speakers
Kevin J. Owens

Control Cyber, Inc.
Kevin Owens, from Cerberus Cybersecurity, has more than 20 years of experience in control systems and cybersecurity, in both the commercial industry and government sector. Kevin is a graduate of the University of Illinois at Chicago with a BS in Electrical Engineering and spent...


Monday October 21, 2019 TBA

TBA

Industry-Specific Assessment Baselines With NIST CSF
Assessing all control systems against the same metrics and expectations will result in companies focusing on the wrong corrective actions. Different industries such as Consumer Manufactured Goods, Pharmaceuticals, and Critical Infrastructure have different thresholds for risk acceptance. When performing assessments for different clients, creating a baseline for specific industries was found to be necessary. This presentation will highlight some of the applications of the NIST Cybersecurity Framework by defining unique baselines for different industry verticals, the potential benefits of defining industry-specific goals, and examples of how those would work within real industries and companies.

Speakers
Brandon Bohle

OT Cybersecurity Analyst, Interstates
Brandon is an OT Cybersecurity Analyst for Interstates. With a BS in Cybersecurity from Dakota State University, an MS in Information Assurance, and over ten years’ experience working in cybersecurity in the finance and industrial controls industries, Brandon brings a wealth of...


Monday October 21, 2019 TBA

TBA

Digital Twin Security Analysis and Best Practices
A Digital Twin simulation model is a powerful tool for implementing advanced analytics to support process optimization, predictive failure analysis, and optimally scheduled maintenance. The unique machine learning software and computational demands of a modern digital twin simulation for complex machines typically require a cloud hosted model. This presents a challenge for industrial application owners who are concerned about protecting their operations technology (OT) network from cybersecurity threats. This talk will look at the unique data flows and special security properties of a digital twin deployment for industrial equipment. The DHS and NIST guidelines will be used to develop a secure operations model that meets the unique demands of industrial control systems. The resulting model will be used to suggest a set of recommended best practices for an integrated, defense-in-depth security strategy for digital twin analytics.

Learning Objectives:
  • Overview of digital twin architectures and security implications.
  • Review of the DHS and NIST guidelines for ICS networks.
  • Recommended best practices for digital twin applications that rely on hosted analytics services.


Speakers
Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...


Monday October 21, 2019 TBA

TBA

How to Pull Binaries From OT Equipment: JTAG as a Last Resort
Reversing a binary from a piece of OT equipment can provide the best return on investment for a threat hunter. This session will cover techniques for doing this in order of increasing skill, starting with utilizing a company's lack of awareness or best practices, to impersonating a network, using command execution against itself, and finally to actually taking a look at board level techniques.

Monday October 21, 2019 TBA

TBA

Industrial Control Deception Environments – Levels of Simulation
Deception environments are systems designed to focus an attacker’s attention, thereby providing early warning of an intrusion, and allowing for analysis of an attacker’s motivations, tools, tactics, and procedures. They are composed of traditional honeypot and honeynet style components, together with other elements such as ‘breadcrumbs’ that are distributed across a real network to entice a potential intruder. Deception environments differ from honeypots in that they are intended to simulate realistic aspects of an organization, and are designed as a defensive campaign.

This presentation introduces analysis into how a deception environment for an industrial control environment can be created. Using the Purdue model for reference it examines the different levels of simulation that can be constructed – simulation of physical processes, control simulation of OT devices, simulation of supervisory systems, and at the highest level the simulation of enterprise systems and even personnel. The analysis examines what is possible at each level, how different levels can be simulated, and discusses which components should be simulated for a particular deception campaign, and how that offers protection against attacks.

Learning Objectives:
  • The benefits of industrial control deception
  • How to create an industrial control deception environment
  • What systems and processes are suitable for simulation
  • How to build an industrial deception campaign


Speakers
Dr. Mike Westmacott

Senior Cyber Security Researcher, Thales
Mike has worked as a technical cyber security analyst for ten years, at boutique security consultancies, and currently at Thales UK where he holds the position of senior cyber security researcher. His current interests and research topics are deception technologies, psychological...


Monday October 21, 2019 TBA

TBA

Inside the Mind of a Hacker: How Defending Against Me Can Open New Manufacturing Business Models for You
Additive manufacturing is having an extraordinary impact on the way many products are manufactured. Realizing the full potential of AM requires re-thinking traditional approaches to design and automation - which enables new business models - but is also disrupting supply chain players. This exciting potential for industry is also accompanied by potential for hackers who are actively looking to exploit these advancements. Effectively securing the integrity of AM processes is now absolutely crucial, and data protection for 3D printed files is becoming extremely important.

This session will discuss specific use cases in Additive and Subtractive Manufacturing (Distributed Digital Manufacturing, Integrity/Traceability of the Digital Thread) from the perspective of an experienced hacker, and provide pragmatic strategies to mitigate cyber threats by thwarting the hacker 'business model'. The session will also discuss real-world exploits and mitigations as examples of how a 'common sense' approach to cybersecurity can be used to open new manufacturing business models.

Learning Objectives
  • Understand a cybersecurity methodology for Additive / Subtractive Manufacturing based upon thwarting the hacker 'business model'
  • Understand a pragmatic approach of applying cybersecurity to address relevant quality control issues and repeatability in Distributed Digital Manufacturing models
  • Understand how specific cybersecurity strategies can be used practically to open new business models and provide tangible competitive advantages


Speakers
Evan O’Regan

Director of Business Development, Connected Industries, Irdeto
Evan O'Regan, head of Connected Additive Manufacturing, has over 20 years' experience exposing vulnerabilities and providing pragmatic security solutions to protect operations against hackers and cyber threats. He delivers expert guidance on how to leverage cybersecurity investments...


Monday October 21, 2019 TBA

TBA

Securing Remote Access into ICS Networks with Open Source and Open Source 2-Factor Authentication
Cybersecurity can be a sizable investment. Companies with large funding can afford well established cybersecurity solutions and the associated annual subscription fees. This session will discuss using open source software to secure remote access into ICS networks. Open source software can be found running on IT systems, the Cloud and embedded devices in Industrial Control Systems. In terms of cybersecurity, open source can provide a vast number of security solutions with low startup costs, benefiting smaller companies with tight budgets.

With the mindset of finding a solution with very low start-up costs, the first objective was to create a proof-of-concept to secure remote access with two-factor authentication to a jump server. VPNs (Virtual Private Networks) can support a secure channel, but there is nothing stopping a virus or malware from being transmitted from a remote system to the jump server and from the jump server into an ICS network. The second objective was to find a way to mitigate against malware or unwanted software finding its way to the jump server, all with open source.

An ICS network was built to emulate a real environment including a host hypervisor running a jump server VM (Virtual Machine) in a DMZ (Demilitarized Zone). 2-Factor authentication was implemented to access the jump server VM. PowerShell scripts were developed to shut down the jump server VM, delete it, copy a pristine jump server image from a secure location, import the image into the hypervisor, and restart it in a ready, pristine state via a scheduler.

Files were damaged or corrupted on the jump server to emulate a malicious attack on the system. At 1 AM the scheduler initiated the jump server VM re-imaging process and an email was sent showing successful restore of a pristine image. Multiple vendors providing remote support, each assigned a VM jump server, could be permitted to service or monitor specific systems via 2-Factor Authentication. With the scripting process previously described, malware or unwanted software will be mitigated.

Speakers
Daniel Paillet

Cybersecurity Lead Architect, Schneider Electric
Daniel Paillet is currently Cybersecurity Lead Architect within the Schneider Electric, Energy Management Business Unit. His background includes working in the US Department of Defense on various security projects, Operational Technology, Retail, Banking, and Point-of-Sale. He holds...


Monday October 21, 2019 TBA

TBA

Segregating a Flat Network for Increased Reliability and Security
This presentation discusses the rationale and learnings gained when re-designing a flat Electrical Protection Network (EPN) to a segregated network to increase reliability and security. The electric utility used in this real-world case study has a network of 55 interconnected substations varying in voltage from 600 volts to 34.5kV. The original EPN network was designed as a flat network. As a result, they had experienced reliability issues: a single fault or cyber event on the network could result in a partial or complete network failure. The project involved segregating the network into smaller logical sections that would prevent network outages and confine network failure risks to smaller, distinct and controllable regions.

The design criteria for the network included supporting the GOOSE high speed protocol with considerations for the large geographic location. Other key requirements of the EPN included allowing electrical protection relays to communicate with each other for high speed system protection coordination, thus reducing system arc flash values. The network must support operating status and control, alarms, trips and metering information to local HMIs and the T&D High Voltage Control Centre.

The presentation will also focus on the network security aspect including the design, testing and installation of DMZ firewalls used to protect the network and the use of VLANs and network switches for increased network separation, isolation and security. The factory acceptance testing was performed in an IEC 61850 lab environment configured to simulate the field parameters while subjecting the system to numerous cyber-attacks and fault simulations. The reconfiguration of the network was performed on an operating facility.

Speakers
Paul Haughey

Automation and ICS Cybersecurity Specialist, BBA
Mr. Haughey completed Telecommunications Technology from Northern Alberta Institute of Technology. He holds over 35 years of experience specializing in Industrial Control System design, programming and commissioning on a variety of systems. He has worked on projects in Oil & Gas...


Monday October 21, 2019 TBA

8:00am

Introduction to Industrial Automation Security and the ISA/IEC 62443 Standards (IC32C)
CEU Credits: 0.7
Fee: $400
Certification of Completion: A Certificate of Completion indicating the total number of CEUs earned will be provided upon successful completion of the course.

Description:
Understanding how to secure factory automation, process control, and Supervisory Control and Data Acquisition (SCADA) networks is critical if you want to protect them from viruses, hackers, spies, and saboteurs.

This seminar teaches you the basics of the ISA/IEC 62443 standards and how these can be applied in the typical factory or plant. In this seminar, you will be introduced to the terminology, concepts, and models. The elements of creating a cybersecurity management system will also be explained, along with how these should be applied to industrial automation and control systems.

You will be able to:
  • Discuss why improving industrial security is necessary to protect people, property, and profits
  • Define the terminology, concepts, and models for electronic security in the industrial automation and control systems environment
  • Define the elements of the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Define the core concepts of risk and vulnerability analysis methodologies
  • Define the concepts of defense in depth and the zone/conduit models of security
  • Explain the basic principles behind the policy development and key risk mitigation techniques
  • Explain why improving industrial security will be necessary to protect people, property, and profits

You will cover:
  • Understanding the Current Industrial Security Environment: What is Electronic Security for Industrial Automation and Control Systems? | Trends in Security Incidents
  • How IT and the Plant Floor are Different and How They are the Same
  • Current Security Standards and Practices
  • Creating A Security Program: Critical Factors for Success/Understanding the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Risk Analysis: Business Rationale | Risk Identification, Classification, and Assessment
  • Addressing Risk with Security Policy, Organization, and Awareness: CSMS Scope | Organizational Security | Staff Training and Security Awareness | Business Continuity Plan | Security Policies and Procedures
  • Addressing Risk with Selected Security Counter Measures: Personnel Security | Physical and Environmental Security | Network Segmentation | Access Control: Account Administration, Authentication, and Authorization
  • Addressing Risk with Implementation Measures: Risk Management and Implementation | System Development and Maintenance | Information and Document Management | Incident Planning and Response
  • Monitoring and Improving the CSMS: Compliance and Review | Improve and Maintain the CSMS

Includes ISA Standards:
  • ANSI/ISA-62443-1-1 (ANSI/ISA-99.00.01-2007) - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts & Models
  • ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-3-3 - Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels

Monday October 21, 2019 8:00am - 4:00pm

8:00am

Introduction to Industrial Automation Security and the ISA/IEC 62443 Standards (IC32C)
Full Day Training Seminar

Understanding how to secure factory automation, process control, and Supervisory Control and Data Acquisition (SCADA) networks is critical if you want to protect them from viruses, hackers, spies, and saboteurs.

Registration Fee: $500
Certification of Completion: A Certificate of Completion indicating the total number of CEUs earned will be provided upon successful completion of the course.
CEU Credits: 0.7

This full-day workshop will teach you the basics of the ISA/IEC 62443 standards and how these can be applied in the typical factory or plant. Students will be introduced to the terminology, concepts, and models. The elements of creating a cybersecurity management system will also be explained, along with how these should be applied to industrial automation and control systems.

You will be able to:
  • Discuss why improving industrial security is necessary to protect people, property, and profits
  • Define the terminology, concepts, and models for electronic security in the industrial automation and control systems environment
  • Define the elements of the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Define the core concepts of risk and vulnerability analysis methodologies
  • Define the concepts of defense in depth and the zone/conduit models of security
  • Explain the basic principles behind the policy development and key risk mitigation techniques
  • Explain why improving industrial security will be necessary to protect people, property, and profits

You will cover:
  • Understanding the Current Industrial Security Environment: What is Electronic Security for Industrial Automation and Control Systems? | Trends in Security Incidents
  • How IT and the Plant Floor are Different and How They are the Same
  • Current Security Standards and Practices
  • Creating A Security Program: Critical Factors for Success/Understanding the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Risk Analysis: Business Rationale | Risk Identification, Classification, and Assessment
  • Addressing Risk with Security Policy, Organization, and Awareness: CSMS Scope | Organizational Security | Staff Training and Security Awareness | Business Continuity Plan | Security Policies and Procedures
  • Addressing Risk with Selected Security Counter Measures: Personnel Security | Physical and Environmental Security | Network Segmentation | Access Control: Account Administration, Authentication, and Authorization
  • Addressing Risk with Implementation Measures: Risk Management and Implementation | System Development and Maintenance | Information and Document Management | Incident Planning and Response
  • Monitoring and Improving the CSMS: Compliance and Review | Improve and Maintain the CSMS


Includes ISA Standards:
  • ANSI/ISA-62443-1-1 (ANSI/ISA-99.00.01-2007) - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts & Models
  • ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-3-3 - Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels


Monday October 21, 2019 8:00am - 4:00pm
 
Tuesday, October 22
 

TBA

State of ICS Cyber Security: CS2AI-KPMG Survey Results
(CS)2AI-KPMG 2019 ICS Security Survey Results

KPMG International, SecurityWeek and other supporting organizations have joined CS2AI’s global collaboration team to conduct a yearly analysis on the current state of ICS cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey was designed to help answer key questions about how we can best protect critical systems in the face of ever-growing threats.

Unveiled for the first time at SecurityWeek's ICS Cyber Security Conference, the survey results will help responders improve their security posture through greater understanding of the different concerns and decision drivers that the industry is presenting.

Professionals with experience in ICS cyber security are encouraged to contribute to the community and complete the survey, which should take about 15 minutes to do.

Speakers
Derek Harp

Founder & Chairman, (CS)2AI


Tuesday October 22, 2019 TBA

TBA

The Past and Future of Integrity-Based Attacks in ICS Environments
Industrial control system (ICS) attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.

Historically, such attacks are not new, but instead encapsulate the very first known ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking effects to operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.

This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.

Speakers
Joe Slowik

Principal Adversary Hunter, Dragos
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. In this role, Joe provides time-sensitive, actionable threat intelligence to enable ICS asset owners and defenders...


Tuesday October 22, 2019 TBA

TBA

Keynote: Admiral (Ret.) Mike Rogers
Admiral Mike Rogers retired from the U.S. Navy in 2018 after nearly 37 years of naval service rising to the rank of four-star admiral. He culminated his career with a four-year tour as Commander, U.S. Cyber Command and Director, National Security Agency – creating the DoD’s newest combatant command and running the U.S. government’s largest intelligence organization. In those roles, he worked with the leadership of the U.S. government, the DoD and the U.S. Intelligence community as well as their international counterparts in the conduct of cyber and intelligence activity across the globe. He also assisted in the development of the national and international policy with respect to cyber, intelligence and technology – including extensive work with corporate leadership in the Finance, IT, Telecommunications and Technology sectors.
Admiral Rogers speaks globally to various business and academic groups and is working internationally in the cyber and national security arenas. He is a Senior Fellow and Adjunct Professor with Northwestern University’s Kellogg School of Management’s Public Private Initiative and a member of the advisory board of the Australian American Leadership Dialogue and NATO’s Cooperative Cyber Defense Center of Excellence. He is also a member of the United States Naval Institute Board of Directors.

Tuesday October 22, 2019 TBA

TBA

DER Cybersecurity: Investigating the Challenges of Securing IIoT
The need for proactive cybersecurity defense mechanisms is a key concern in the energy sector as distributed energy resources (DERs) and the industrial internet of things (IIoT) introduce new connections and expand the attack surface of traditional energy generation and distribution networks.

In this session, participants will learn how the NIST NCCoE is gearing up to explore various scenarios in which information exchanges among commercial and utility DERs and electric distribution grid operations can be protected from cybersecurity compromises. Their work – informed by a highly-engaged community of thought leaders in the energy industry, cybersecurity community, government, and academia – will result in an open, practical, and standards-based proof-of-concept of cybersecurity capabilities demonstrating data integrity and malware prevention, detection, and mitigation in DER environments.

Speakers

Jim McCarthy

Senior Security Engineer, NIST NCCoE
Jim McCarthy is a senior security engineer at the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE). He currently serves as the lead for NCCoE energy sector projects where his work is focused on security data analytics, secure... Read More →


Tuesday October 22, 2019 TBA

TBA

How to Accurately Gauge Your Current ICS Cybersecurity Posture
The C-Suites of manufacturing and industrial processing companies often think they already have a handle on their ICS Cybersecurity through IT efforts. In actuality (through no fault of their own) IT has not taken into account the unique needs of protecting Operational Technology (OT) assets.
 
Attendees will learn and be able to articulate to their executive teams:
  • The most current threats to ICS Cybersecurity
  • The unique difference in implementing Cybersecurity industry standard best practices in OT vs IT
  • The vulnerabilities of industrial legacy systems that were created before malware
  • The risks of not having a clear understanding of all OT assets
  • How to gauge your current posture to begin to plan and budget appropriately

The goal of this session is to help teams within organizations powerfully and diplomatically articulate their own current risks and the unique needs of ICS Cybersecurity.

Speakers

Scott Timmer

Director of ICS Security, gpa
Scott is a highly accomplished network and security engineering professional with a progressive career in Industrial Controls as well as Information Technology.  He is expert at strategy development, solution architecture, project leadership, and service delivery.  He has exceptional... Read More →


Tuesday October 22, 2019 TBA

TBA

Bringing DevSecOps to ICS
Bringing industrial control systems and critical infrastructure into the modern age will require more than just software updates. It’ll require continuous software updates. The challenge is that every time new updates to software powering applications or infrastructure are introduced, so too is the potential for new vulnerabilities. Every little change of code creates the potential for a new vulnerability that attackers can exploit, and the demand for updates to be delivered faster and faster only increases the security challenges. Any business that relies on software as a competitive differentiator – in other words, every business today – is facing this issue and trying to figure out ways to deal with it. But for industrial control systems that are already playing catch-up and trying to adapt to a connected world, these challenges will be that much more daunting.

This session will provide an overview of DevOps and DevSecOps cultures to help the people using and managing industrial control systems understand how these practices fit into their organizations. It will empower those tasked to secure critical infrastructure with the knowledge they need to ensure that comprehensive discovery and remediation of software vulnerabilities are in place so they can proactively manage risk.

Tuesday October 22, 2019 TBA

TBA

ICS Active Monitoring Using Analytics
Active system monitoring is a core tenet of a well-managed OT environment. The active system monitoring solution proactively connects to monitored systems and checks them as opposed to passively waiting to get information from monitored systems. This method of system monitoring is better suited to state of health monitoring because there is no chance that a system will become inaccessible or otherwise non-functional and fail to report a problem. If the monitored system becomes inaccessible or otherwise impaired, the active monitoring system will discover that the next time it attempts to poll the monitored system or device. Creating a fully populated active monitoring system creates a foundation around which to structure OT support activities by providing alerting mechanisms that can target specific problem types to specific OT support roles and duties. To be a reliable source for trouble awareness and to be effective in communicating to OT support staff, an active system monitoring solution must be kept maintained with accurate configuration information. Failure to do so will create a sense that the environment is in a state of health that does not accurately reflect what is happening in the field.

Passive system monitoring is the collection of information that is reported by configured clients. This is a supplementary form of monitoring that generally provides for detail rich metadata and granular analysis of system behavior. For this reason, it lends itself well to more detailed security and state of health monitoring. Paired with active system monitoring, a passive monitoring solution can provide unparalleled assessment of the overall state of the OT systems environment. The passive monitoring system should receive information from the active monitoring system as well as the systems that the active monitoring system is monitoring in order to create a cyclical check system that reduces the likelihood of systems "going dark" without OT support staff being aware. A SIEM cybersecurity tool has been implemented, creating great value in the areas of general troubleshooting as well as OT activity awareness in multiple Syngenta OT environments to date. The tool provides a means by which to centralize all OT operational intelligence into one place for monitoring and analysis by OT engineers, administrators, technicians and functional managers alike.

This session covers using a combination of both active and passive monitoring to create the concept of “Active Monitoring using Analytics” within a chemical plant’s manufacturing environment.


Speakers

Jeff Young

Principal Engineer - Automation and Controls, Syngenta Engineering


Tuesday October 22, 2019 TBA

TBA

Level 0 Vector of Attack on PLC Based Systems
Level 0 Exploits on Train ICS – (This applies to all industrial control systems)

Train systems are notorious for being extremely safe. Redundancy, fail safe mechanisms, interlocks, etc. The single security aspect that is left untouched on most Train Control Systems these days is Cyber Security. It is true that most existing train safeguard systems have their safety mechanism, but what if someone made great efforts to compromise them? What if this person or group had substantial time, money and knowledge to derail a train in a large city?

The goal of the presentation is to discuss the various ways the Industrial Control Systems onboard a train and on waysides are imminently at risk of cyber-attacks all across North America.

Referring to the Purdue Model for ICS Network Diagrams, we will simulate a Level 0 attack on a train, going step by step until a potentially dramatic event is demonstrated. This session will demonstrate the ability to impersonate physical and localized sensors using off-the-shelf connected micro-controllers (Raspberry Pi, Arduinos, etc.). It will go into detail on how Public Transit Systems, Intelligent Cities and Intelligent Military Bases are factual targets when deploying sensors to collect data or monitor situations.

Speakers

Patrik Chartrand

Cyber Security Specialist, Rail & Transit, SNC-Lavalin
Mr. Patrik Chartrand is a highly creative, accomplished executive-level professional with over 20 years of experience in innovative IT and Cyber Security initiatives with a track record for problem solving. He is capable of leading and inspiring design and innovation teams for a cutting-edge... Read More →


Tuesday October 22, 2019 TBA

1:30pm

An Industrial Immune System: AI Cyber Defense for OT Environments
Between cloud, IoT, 5G, and global supply chains, the modern enterprise is increasingly complex and increasingly vulnerable. Manufacturers in particular have become the target of choice, in part due to the rapid adoption of IIoT devices. Across ICS and SCADA networks, self-learning cyber AI is powering real-time threat detection, autonomous response, and investigation, serving as a force multiplier for strained security teams and enabling businesses to safely keep pace with innovation.

In this session, you will learn:
  • How today's attackers are exploiting increased connectivity between IT and OT to disrupt critical environments
  • How the first AI security system ever deployed across ICS and SCADA networks understands and learns the patterns of life for unique operational environments
  • Where AI shines a light on key blind spots to provide visibility across the digital infrastructure, including ICS, cloud, email, and the on-premise network.
  • How cyber AI has neutralized real-world threats to a medical manufacturing company’s IP, a transportation center’s IoT devices, and a major organization’s assembly line
Sponsored by:  Darktrace

Tuesday October 22, 2019 1:30pm - 2:15pm

1:30pm

Dragos Presents
Tuesday October 22, 2019 1:30pm - 2:15pm
 
Wednesday, October 23
 

TBA

Lunch Workshop: The Three Laws of Industrial Control System Cyber Security
The best cyber security solutions for ICS follow the three laws. They are not retreads of IT security but are tailored for ICS. They also use conditions-based monitoring techniques and secondary data validation instead of relying mainly on malware signature libraries. Finally, the best ICS cyber security solutions are built on the results of actual cyber attacks against the system being protected, not just compliance with security regulations. Such attacks are done in a lab using a replicated network with the actual hardware and software in the loop, because compliance does not equal security.

Grab a plate and join Ampex Data Systems for this informational session during lunch!

Wednesday October 23, 2019 TBA

TBA

[Panel] Addressing Cyber Risk in Connected Ecosystems
As digital and physical infrastructure continues to converge, the Internet of Things (IoT) and connected devices are creating a complex ecosystem of municipal services, public and private entities, people, processes, devices, and city infrastructure that constantly interact with each other. This massive amount of data, integration between disparate IoT devices, and dynamically changing processes creates new cyber threats, compounded by the complexities of data governance, the lack of common standards, etc. To protect these ecosystems and the value they bring, the responsible organizations should have product security programs, practice Security by Design through their products’ and ecosystems’ lifecycles, and ensure consistent coordination between their partners.

This panel discussion will involve stakeholders from the different stages of the product and ecosystem lifecycle including a connected product manufacturer, an organization that implements IoT ecosystems, and an IoT system owner. This panel will be led and moderated by Deloitte’s Piyush Pandey to discuss the learning objectives.

Wednesday October 23, 2019 TBA

TBA

Water Safety: It’s the Job of Operations and IT
Safe water and clean water are essential for public health, ecosystem protection and economic strength. Supporting these important functions requires secure information technology (IT) and operational technology (OT).

Gwinnett County Department of Water Resources understood the need to take proactive steps to protect this critical lifeline for their community. They invested in a modernization project to unify their SCADA platforms and bolster their cybersecurity posture across their water plants, waste water facilities and distribution facilities.

During this session, experts from Gwinnett County and Fortinet will:
  • Share the journey toward SCADA modernization and the implementation of a cybersecurity platform
  • Review standard practices used to deploy a standard ICS architecture
  • Discuss lessons learned through the modernization journey

Join Sam Paul from Gwinnett County Department of Water Resources as he shares their journey to segment and segregate their OT network – with a vision of standardizing and modernizing their SCADA systems – including partnering with IT to embed cybersecurity into their ICS security plan. Hear from Fortinet ICS expert Carlos Sanchez as he speaks to the benefits of the Fortinet Security Fabric to simplify and streamline the cybersecurity needs for industrial control systems.

Speakers

Sam Paul

Section Manager | SCADA Systems & Projects, Gwinnett County, Department of Water Resources
Sam Paul is the Section Manager over SCADA systems and Projects for the Department of Water Resources, Gwinnett County Government. Sam is a strategic futurist and visionary leader with a drive to learn the challenges and help organizations transform to meet the escalating expectations... Read More →

Carlos Sanchez

Global Sales Enablement, Operational Technology, Fortinet
Carlos-Raul Sanchez is a technologist with 32 years of experience in network, telecommunications, and critical infrastructure security. Carlos specializes in simplifying complex business problems with a pragmatic application of technology. With a wide range of experience ranging from... Read More →


Wednesday October 23, 2019 TBA

TBA

Adventures in IT/OT Convergence
This presentation will share some adventures and challenges of the last few years as OT systems have moved from isolation to integration with corporate business systems.

Speakers

Mark Brosseau

Sr. Manager, Plants Control and Automation, Epcor Water Services
Mark Brosseau P.Eng. is the senior manager of the EPCOR plants control and automation teams responsible for the engineering and support of the Edmonton water and wastewater plant control systems. He has over 25 years of experience in the implementation of control systems in industrial... Read More →


Wednesday October 23, 2019 TBA

TBA

Supply Chain Cyber Threats: Cooperation Across the Digital Ecosystem
Recent advanced and unexpected threats to supply chains have exposed new cyber-terrorism, malware, and data theft. What are organizations, their suppliers, and regulators doing to counter these threats?

This session will discuss examples of emerging threats in the supply chain landscape and protective measures regulators have taken, along with:

  • Approaches organizations are taking to identify, minimize, and mitigate supply chain cyber risks.
  • Leading practices from industries with advanced cyber supply chain risk management programs.
Participants will gain new insights into securing their supply chains in response to the increasing threat of cyberattacks on an expanding digital ecosystem.

Speakers

Sharon Chand

Principal, Deloitte
Sharon is a principal with Deloitte & Touche LLP's Cyber Risk Services practice, helping critical infrastructure providers be secure, vigilant, and resilient. Sharon is a CISSP with more than 20 years of experience helping her global clients manage their cyber risks. She focuses on... Read More →

Rob Garry

VP of Product Security, GE Power
Experienced Chief Executive with a demonstrated history of working in the oil & energy industry. Skilled in Power Plants, Root Cause Analysis, Power Systems, Renewable Energy, and Engineering. Strong finance professional with a BS focused in Electrical Engineering from Union Coll... Read More →


Wednesday October 23, 2019 TBA

TBA

The Convergence of Safety and Cybersecurity
Innovation often happens when different disciplines share knowledge. We’re seeing this today with increased interactions between the risk management, industrial cybersecurity, and process safety disciplines. There is growing recognition of interdependencies between security and safety in control systems that is leading some in industry to expand their use of process safety standards and best practices such as HAZOP analysis and process safety risk matrices. Combining these risk management approaches with proper work procedures and structured change management techniques can help better protect systems against attacks while also reducing damage or disruption to critical operations.
 
This session will discuss the relationships between safety and cybersecurity risks, the approaches companies are taking to mitigate these risks, and the benefits that can be gained by coupling the domain knowledge and best practices from the worlds of process safety and cybersecurity alike.
 
This information will be of benefit to owner-operators, equipment suppliers, solution suppliers, and researchers interested in industrial cybersecurity and safety.

Speakers

Larry O’Brien

Vice President of Research, ARC Advisory Group
Larry is part of the cybersecurity and smart cities and infrastructure teams at ARC.  Larry has a 20-year background in process control, process safety, and field devices/field networks.  Over the years, Larry has supported many of our end-user clients in the oil and gas and refining... Read More →


Wednesday October 23, 2019 TBA

TBA

Five Blind Men and the Elephant Called ICS Supply Chain Security
Is a secure ICS software supply chain important to your company’s critical operations? And what does securing your supply chain really involve? A 3-year study sponsored by the US Department of Homeland Security revealed many different perspectives. ICS vendors, asset owners, consultants and security researchers all identified numerous complex priorities including:
  • Counterfeit firmware detection: Asset owners need to validate that firmware is authentic and hasn’t been tampered with. Vendors need to know if counterfeits of their products are circulating on the internet.
  • Mystery sub-component detection: Asset owners are looking for a Software Bill of Materials (SBoM) to reveal unexpected or unapproved sub-components that may contain vulnerabilities or malware. Vendors want to be able to trace back which of their products might contain those sub-components.
  • Version validation: Asset owners want to confirm that firmware is an up-to-date version, tested and approved by the factory rather than an unauthorized or obsolete version. Vendors need to be aware if unapproved versions are being installed in the field.
  • Certification-chain validation: Asset owners need to detect fraudulently signed packages masquerading as authentic. Vendors need to know if their private keys have been stolen and are being used to sign malware.
  • Stability confirmation: Asset owners want reassurance that even valid firmware packages are bug-free and won’t introduce instabilities. Vendors want to know the market perceptions of their upgrade packages to be proactive and protect their reputations.
These are just a few of the perspectives identified in the DHS research project. A common theme among them is the exploitation of trust between ICS vendors and their customers (and other suppliers). This talk will explore specific examples of each of these threats and discuss FACT, a framework for safeguarding against attacks on trust and reliability.

Learning objectives:
  • Identify key cybersecurity risks to critical infrastructure supply chains.
  • Understand existing security strategies (e.g. certificate signing, hashes) and their limitations.
  • Explore tools and solutions for addressing specific supply chain threats.



Speakers

Eric Byres

CEO, aDolus
Eric Byres is widely recognized as one of the world’s leading experts in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed ICS-specific firewall in... Read More →


Wednesday October 23, 2019 TBA

TBA

Homogenization of Attacker Toolsets
Attackers, including ICS-targeting adversaries, are increasingly using the same toolsets for a myriad of reasons.  It cuts down on development time, allows for lower attribution rates and gives attackers more “playbooks” to fall back on.  The near ubiquitous nature of Mimikatz -- utilized by the most dangerous ICS-specific adversary, XENOTIME -- is just one example.  Attackers are rapidly integrating other tools such as Metasploit, PowerShell Empire and Cobalt Strike into their tactics, techniques and procedures (TTPs). This presentation will discuss the evolution of ICS attacker techniques and provide defenders with methods to mitigate against them.

Speakers

Thomas Pope

Adversary Hunter, Dragos
Thomas Pope is an Adversary Hunter at Dragos. He works with prospective and current customers to improve the Dragos threat intelligence offerings while hunting for ICS-specific activity groups and malware. He previously worked at Duke Energy, where he performed many roles in and outside... Read More →


Wednesday October 23, 2019 TBA

TBA

PHY-Based DNA Fingerprinting to Discriminate WirelessHART Sensor Network Devices
AFIT’s work continues on developing a reliable non-intrusive, non-operably connected PHY-based security augmentation for IoT, IIoT, ICS/SCADA, and general wireless sensor applications. The successful demonstration and historical maturation of Distinct Native Attribute (DNA) Fingerprinting methods has led to a patent-pending DNA cyber security monitoring capability supporting both pre-attack defense and post-attack forensic objectives. The monitoring system foundation is derived from wired Highway Addressable Remote Transducer (HART) signal work in, with favorable results therein motivating the more recent WirelessHART work being reported upon here. The goal is reliable DNA-based discriminability of device hardware (cross-manufacturer, cross-model, and like-model serial number) and/or device operating state (normal vs. anomalous). The PHY-based physical-layer work here is of particular interest given that a majority of WirelessHART security mechanisms (some would argue all) are implemented exclusively within higher bit-level network layers using some of the same protection mechanisms commonly attacked in IT systems. Most recent results for WirelessHART are sufficiently favorable to motivate continued investigation and include better than 90% 8-class device discrimination of Sitrans AW210 and Pepperl+Fuchs Bullet adapters.

Speakers

Christopher M. Rondeau

Air Force Institute of Technology, Air Force Institute of Technology (AFIT)
Chris Rondeau is a PhD Student and researcher at the Air Force Institute of Technology (AFIT) in Dayton, OH. He works under the Radio Frequency Intelligence (RFINT) research area led by Dr. Mike Temple. Chris’ research is an extension of the work previously done by Dr. Juan Lopez... Read More →


Wednesday October 23, 2019 TBA

TBA

Using Virtual Network TAPs in an ICS Environment
Network visibility provides situational awareness in an Industrial Control System (ICS). The use of physical network TAPs or SPAN ports to provide information to an out-of-band monitoring solution is critical to increasing the security posture of an ICS network. However, as more ICS vendors incorporate virtual machines (VMs) into their designs, an additional layer of tapping is necessary to ensure no blind spots are present. Communication between VMs can provide an opportunity for malicious actors to remain undetected, due to traditional tapping methods not being able to see the traffic.

One solution to capture inter-VM communication is the use of Virtual Network TAPs. This software solution monitors traffic flows between VMs and mirrors the traffic to be forwarded to security tools for analysis. The presentation will cover how Virtual Network TAPs can be installed on a typical ICS network which uses virtualization, what the typical capabilities of Virtual Network TAPs are, and ways the data can be used if your project has a limited cybersecurity budget. Increased hardware virtualization is on the horizon and being able to set up and use Virtual Network TAPs will ensure your control system can be monitored effectively.

Speakers

Nikolas Upanavage

Senior Control Systems Engineer, Bechtel Corporation
Nikolas Upanavage is a Senior Control Systems Engineer working at Bechtel’s ICS Cybersecurity Technical Center. He has held roles on several Bechtel Engineering projects supporting the design and construction of Nuclear Power Plants, Chemical Agent Destruction Facilities, and Waste... Read More →


Wednesday October 23, 2019 TBA
 
Thursday, October 24
 

TBA

Industrial Control Systems: Comparing Methodologies to Reduce Risk
Organizations and professionals are challenged to protect industrial control systems (ICS). Industrial control systems have been and continue to be the target of advanced cyber-attacks. These systems run the infrastructures that power the electric grid, natural gas supply, transportation, and other vital commodities. Cyber-security professionals have enumerated various techniques and methods to protect ICS against cyber-attacks. Despite these protective methods, ICS still suffer from breaches.

This study conducted a deep dive into three of the most advanced ICS cyber-attacks (Stuxnet, TRISIS, BlackEnergy 3).

The tactics of penetration and attack of each cyber-attack were reviewed. The study then examined several of the methods of protection recommended by regulatory and industry professionals. Each of these protection methods was matched against each of the advanced cyber-attacks to establish the efficacy of the method to protect the ICS.

The results of this study found that not all methods of ICS protection worked against advanced ICS cyber-attacks. In addition, there was a noticeable difference of protection among the methods against first-time attacks, when the malware was unknown, versus attacks when the malware was known to the cyber community and steps were taken to defend against the attack.

The study recommended further research into current ICS cyber-attacks. Additional exploration should be done to select and examine other documented methods of protection. Adding further results to the tables in the study will sharpen the determination of the effectiveness of each method against cyber-attacks.


Thursday October 24, 2019 TBA

TBA

War-Boarding a Cyber/Physical System and the Efficacy of Small-Board Computers and 'Dirty LANs'
This presentation describes some experimental work concerning the uses and efficacy of small-board computers (SBC), penetration tools and applications security tests for cyber/physical systems. The ‘war-board’ of these networked devices has proven useful in isolated networks to validate computer threat intelligence concerning vulnerabilities, risks, remediation techniques and resilience. A short demonstrated scenario will be presented.

Learning objectives:
  • Critically assess the application of CTI frameworks to Cyber/physical systems.
  • Recognize the benefits and risk of CTI, risks and penetration testing.
  • Assess the efficacy of validation for CTI threat reports and feeds.
  • Review the nature of systems war-boarding.
  • Consider the utility of SBCs, ‘dirty LANs’ and CTI reporting.

Speakers

Dr. Larry Leibrock

Research Affiliate, University Professor, Idaho National Lab
Dr. Larry Leibrock is an Idaho National Lab Research affiliate, university professor and clinical practitioner in digital forensics – incident response and computer threat intelligence. He has over 30 peer reviewed papers and publications and has presented at BLACKHAT, FIRST... Read More →


Thursday October 24, 2019 TBA