ICS 2022

Large or small, cyberattacks are making headlines and elevating executive attention toward cyber resiliency. Preparing for, responding to and recovering from cyberattacks should be a strategic part of any business continuity plan. As recent cyberattacks have demonstrated increased risk to both IT and operational technology (OT) environments, readiness equates to enforcement of rules and policies that provide the visibility, control and situational awareness to respond at the speed of business. Cybercriminals are maximizing their opportunity by exploiting older vulnerabilities and an expanding attack surface. Strategic readiness should be underpinned with the notion that eventually an attack will happen, and when it occurs, you are proactively ready to respond. During this session, we will explore security considerations for developing cyber resilience covering security fundamentals and readiness planning to protect your IT and OT environments.

ICS (or more broadly OT/Cyber Physical systems) security is now a critical issue for senior management and boards of directors. The increase in ransomware, the spiraling costs of insurance and the necessary reporting requirements to even access coverage, as well as growing regulatory burdens require a change in mindset when it comes to protecting these systems. No longer can organizations “check the box” and say “oh, I have a basic inventory” or “at least I have some network monitoring occurring”. CISOs (driven by their boards, insurers, and regulators) now need to achieve the same level of security in ICS as they have achieved in IT. They need to demonstrate how they are practically improving security….going from red to green on key metrics and security controls. This requires the focus to go beyond the network (firewalls, monitoring, etc.) and get to the endpoint. They need to find a way of protecting and managing those endpoints to improve the overall protection of the control systems.

Join this session to learn how you can practically, efficiently, and safely manage and protect OT endpoints:
• How to gather accurate visibility into all assets across all sites in one place
• Prioritizing remediation based on asset and risk context
• Enabling response, not just detection, in an OT-safe way
• Demonstrating true security progress

In the last 2 years, over 100 industrial operations have shut down or suffered physical damage from cyber attacks - pipelines obviously, manufacturing plants, rail systems, steel mills and others. In this presentation we review the attacks & outages, identify patterns in attacks and patterns in defensive system failures, and we draw conclusions about the changing threat environment. One important conclusion is that ransomware criminals are trailing nation-state attack tools and techniques by less than 5 years. What we see nation states doing to each other today, we should expect to see ransomware groups doing to everyone with money in just a couple more years. We conclude with a look at the new DOE Cyber-Informed Engineering strategy which highlights engineering as a neglected asset in addressing these risks, and dig into how safety, automation and network engineering should play a role in preventing unacceptable physical outcomes of cyber attacks.

How to securely access and bring together People, Process or Technology is one of the biggest challenges in today’s technology world. With the need to access technology beyond your secure perimeter or in the cloud, how do organizations bridge that last mile to resources such as wind turbines,  ships, remote storage facilities, or drilling platforms? Join this session as we discuss how organizations can connect people and process to those resources in a safe, secure and regulated manner without causing disruptions or safety concerns to these remote OT assets.

If you’ve been around the cybersecurity space for a while now, you’ve probably heard the term “Shadow IT”. But did you know that there is an even bigger blind spot inside your operational technology (OT) infrastructure? Executives and SOC analysts almost always have an incomplete picture of what’s happening at the plant or site level even though these are the critical, moneymaking parts of a business.

The Shadow OT phenomenon is an important problem to solve. If you don’t have 100% visibility into and control of your operational systems (including the legacy ones), you may not be able to identify and respond to cyberthreats quickly enough to avoid the impacts of an attack, which could include anything from process disruption to severe environmental damage or even fatalities.

This session will outline how security practitioners and executives can shine light on their Shadow OT. We’ll cover:

• Different methods for collecting endpoint and network data out of OT environments
• How to use that data to create context for threat and incident response
• What data executive teams should know
• The best formats for sharing OT data internally

Identifying and understanding the risks present in your OT environment is an important component of addressing cybersecurity threats. Utilizing traditional IT risk methods will help organizations address risk but may leave blind spots in your view. Research into risk assessments will be presented with a call to action for those performing audits or assessments to begin to include additional checks and to adapt their approach to evaluating identified risks. To demonstrate the possible improvements, a case study will be reviewed.
 
Attendees should expect a brief overview of current risk assessment techniques, potential gaps, and considerations for improving their own internal processes.

Over the last few years there has been a significant increase in Cybersecurity regulation coming from DHS/CISA that requires Critical Infrastructure owners and operators to improve their reporting mechanisms and overall cyber security posture. For example Airports and Rail operators were required to assign a Cybersecurity POC to report cyber incidents to DHS/CISA. Are these complex ecosystems ready to identify and report cyber incidents? In addition the Infrastructure Investment and Jobs Act (IIJA) is setting up to distribute $1 billion dollars for cybersecurity improvements at the state an local levels. Based on what we’ve seen: are Critical Infrastructure operators and owners ready to comply with the new cybersecurity requirements and are they effectively positioning to submit grant applications to get some of the government help?

Some of the structural challenges with IT/OT security to including technological and cultural differences are starting to be evident in this transition. This presentation would explore some of those challenges and identify some of the potential gaps that Critical Infrastructure owners and operators are facing and suggest some actions to be better prepared in the face of increased regulation and significant government investments.
 
Key Takeaways:

• Awareness of new DHS/CISA cybersecurity current and future regulations
• IIJA funding available and requirements for Grant applications
• How structural IT/OT convergence challenges are impacting compliance with regulations (Airports, Rail and transit, Utilities, etc.)
• What Critical Infrastructure owners and Operators should consider to be better prepared to comply with regulation and apply for Grants

Security engineering eliminates entire classes of cyber risk to operations, while cyber security only reduces those risks. This makes security engineering and the network engineering sub-discipline essential for industrial operations that must carry the Internet's threat load predictably, affordably, and for decades. In this presentation we take a deep dive into four powerful techniques for network engineering: hard segregation for safe cloud connections, unidirectional networks, hard wiring for safe access to safety systems and the Internet, and the (few) places it still makes sense to use real air gaps. These and other engineering-grade solutions are a blind spot in many cybersecurity programs - for example: where do buckling relief valves fit in the NIST Framework? We must expand our cyber risk programs beyond cybersecurity if we want those programs to be effective in addressing today's steadily-increasing threat loads.

ICS networks have traditionally been segmented from the rest of the enterprise network with most cyber threats stemming from human error, accidents, and acts of physical sabotage. The increasing integration of OT with business networks and internet-based applications has vastly increased the prevalence and complexity of cyber threats to ICS networks. As a result, segmentation/air gapping is is no longer the finish line for a good security strategy. To defend against a diverse set of cyber threats, you need a comprehensive ICS security strategy.

Join our lunch and learn session to learn how to go beyond segmentation and bring your OT security strategy to the next level. We’ll cover:

• How to get a clear understanding of all the assets in on your networks and how to identify blindspots
• Advanced threat detection and vulnerability assessment to identify and prioritizes security risks
• How to predict and detect OT process and stability issues giving you early warning signs of possible downtime

The days of a fully “air gapped” system are gone. The convergence of IT and OT and the need for connectivity have greatly increased the attack surface within manufacturing facilities, supply chains, critical infrastructure and travel & transportation. As a result, system reliability and safety are at a greater risk from cyberattacks.

If an incident occurs which causes any type of disruption to a production facility, do we know what caused it? Was it a system/asset failure, or was it a successful cyberattack?

Join us to hear how to establish detailed insights into both aspects, and joining the dots between the two, can greatly improve overall security and reliability.

Industrial organizations are constantly changing. Mergers and acquisitions of assets happen on a regular basis, and evaluating cyber risk as part of the standard due diligence process must become a requirement for executives. A significant cybersecurity incident could cost tens of millions of dollars due to lost revenue, ransom payments, legal fees, incident response costs, and increased cyber insurance premiums. Company owners, CEOs and boards of directors are also being held personally liable for a lack of security oversight following a cybersecurity breach.
 
This presentation will guide security executives through:

• How ransomware groups identify their targets 
• What should be done to strengthen the outward cyber appearance of industrial assets to avoid a nation state cyberattack or ransomware attack
• Why you should delay M&A announcements until you have done your cyber due diligence
• Methodologies for evaluating cyber risk as part of your due diligence process

Cybersecurity is now a real boon for ICS/SCADA operations and maintenance. The talk will create awareness for plant/field teams by detailing various area of focus and measures for improving cyber resiliency for the ICS/plant which would pave way to the overall efficiency and savings.

While cybersecurity is typically thought of as a cost driver, there is mounting evidence that it can lead to a positive return of investment (ROI). Company leaders are spending heavily to protect their networks, systems, and data.

This presentation will analyze the roots of connected ICS like Industrial IoT, connected process controls, smart meters, etc., It will also make the argument for tangible benefits for plant efficiency, energy savings and process/machinery optimization, which could be a big motivating factor for management teams making budgetary decisions on cybersecurity efforts as well as the operations and maintenance teams implementing them.

Learning objectives for attendees:

While the ICS/OT cybersecurity budgets are growing larger, plant managers tend to believe that these investments don’t yield a direct return of investments. This presentation will attempt to counter that argument by explaining that ICS/OT cybersecurity not only secures networks and data but also helps with prime business protections such as emergency shutdown, disaster recovery, machinery safety and human safety. It contributes to energy safety, plant efficiency and ultimately leads to a healthier bottom line.

                                       

OT networks need to share data with IT for performance monitoring and analytics. However, if an IT network is hacked and is shut down, this prevents the exchange of data from OT to IT. Data can be transferred directly to the cloud, so operators have access to that data even if IT is shut down due to an attack, however it needs to be transferred securely to prevent threats from entering the OT network. Join this session as we discuss best practices for locking down OT networks and enabling secure connections between OT networks and the cloud.

During this session:

• Learn to think vertically about production encompassing ground-to-cloud thinking and the importance of actionable visibility spanning the entire IT and OT business process stack
• Gain an understanding of how IT system outages can impact production directly and indirectly 
• Best practices for enabling secure communications with a locked down OT network architecture for asset visibility and analytics in the cloud

Since the Colonial Pipeline cyber attack, there has been an abundance of actions taken – from the cybersecurity directives issued by the White House and the Transportation Security Administration (TSA) to the bolstering of IT operations within companies. Despite these preliminary actions from the government, oil and gas organizations, and other industrial sectors within critical infrastructure, it is not enough. 
 
The Colonial incident and the subsequent directives are not only warning bells for the industrial sectors within critical infrastructure but are booming dinner bells for cyber criminals. These adversaries have confirmed that the cyber-physical world is their new battleground and they will continue to find new ways to exploit vulnerabilities and disrupt industrial operations with potentially devastating consequences. They do so by targeting OT networks that run industrial systems instead of IT because the impacts are far-reaching, costly and dangerous. It is important to note that these criminals only need to get it right one time to make a substantial impact and are constantly evolving attack methods.
 
As cyber criminals are strategically changing course to target critical infrastructure, companies must realize that the cyber-physical world is vulnerable and unprotected. Immediate action is necessary to prevent OT networks from being comprised. 
 
This presentation will examine how cyber incidents, like Colonial, Oldsmar Water Plant and the JBS food plant, have highlighted the growing problem of cyber-physical attacks on critical infrastructure and what criminal behavior tells us about future attacks. In addition, this session will explain how the growing convergence of OT and IT cyber have exposed the gaps in OT cybersecurity, why the methods used to protect IT do not work in an OT environment and why all eyes will be focused on OT to prevent growing cyber-physical threats.  
 
Furthermore, this presentation will explain why the current cybersecurity regulations are not enough to spur widespread change while highlighting the market forces that will drive that change. It will also discuss why the private and public sectors need to join forces to advance industrial cybersecurity. Lastly, it will underscore the questions stakeholders must ask and the actions they need to take to fight against criminals in this new battleground, protect their OT environments, and ultimately safeguard their businesses, supply chains, and consumers. The warning bell has sounded but the dinner bell is louder.

Cyberattacks and breaches against ICS and OT networks have increased at an alarming rate. As threats grow, the number of companies inquiring about cyber liability insurance coverage has increased heavily...
The 2021 Colonial Pipeline incident and resulting $4 million ransomware payment represented a watershed moment. It led insurance companies to be more vigilant and offer strict and high-premium based insurance coverage especially for ICS industries that seek cyber liability protection.

In contrast to traditional IT cyber liability insurance coverage, ICS cyber liability insurance is still in its nascent stage. It is also seen as particularly complicated due to indirect damage to its productivity and costly ICS machinery. Due to this, some companies have even experienced insolvency due to wrong estimates and incorrect pricing. It has led insurers to tighten their policy terms and conditions to reduce unexpected losses. Traditionally, commercial property and casualty policies could include limited cyber coverage, but now, carriers are becoming less likely to include it, and are instead offering cyber coverage separately.

This paper details how a clear and focused ICS cyber risk assessment can save money on premiums and help underwriters offer more adequate insurance capacity. During an ICS cyber risk assessment, experienced engineers will examine a company’s compliance with multiple industrial cybersecurity standards including NIST CSF, IEC 62443, etc. It also provides a detailed Business Intelligence analytics report for ICS management so they can take an informed approach to risk mitigation that will strengthen their ICS networks and help them better negotiate with insurance carriers. It also helps insurance companies and underwriters make more informed ICS cyber liability insurance coverage decisions.

An ICS risk assessment determines risk percentage, risk scoring and breach probability of all individual key ICS networks and systems. The report determines a clear risk value in terms of dollar value for both the end-user and insurer.

Learning Objectives for Attendees
When insurance companies are making underwriting decisions on ICS cyber liability coverage, they must take many factors into account. They want substantial material and technical evidence. Self-initiated questionnaires won’t suffice. They are cautious about these decisions and thorough in their research. In fact, there have been frequent instances of underwriters rejecting inadequate risk assessment reports/questionnaires because they are too thin and don’t focus enough on ICS cybersecurity.
This paper addresses to the key question of first party revue losses and the third-party claims using ICS risk assessments to assess the breach probability in every stage of ICS to derive the cost of potential business disruption and revenue loss.

The NRECA Threat Analysis Center (TAC) is the new Cooperative Operational Technology (OT) cybersecurity threat analysis and sharing platform, designed to improve the speed, coordination, and effectiveness of Co-op threat response. This initiative is designed to serve the small to medium utility community with right sized tools and products – is technology agnostics, and not for profit.  

The TAC is designed to be both a tool and a community, enabling collaboration and assistance among cybersecurity professionals at NRECA, Co-ops, and the wider intelligence community. This vision is dependent on establishing a network of cybersecurity professionals across the Co-op space. Therefore, as part of the TAC program, NRECA will launch the Grow/Keep Initiative, a workforce development initiative to address many of the challenges Co-ops face in hiring and retaining cybersecurity personnel. This center

As small, rural organizations, many Co-ops struggle to compete in the cybersecurity personnel marketplace. As electric utilities with expanding use of DER and IoT devices, Co-ops also require personnel who understand the critical infrastructure they serve and the associated risks of being compromised. Such “unicorns” are rare and expensive. The workforce Initiative will address these challenges by using the collective Co-op strength to compete in the marketplace while also growing cybersecurity expertise from the local Co-op communities. The resulting skilled and expansive network of professionals will act as a semi-shared resource, so every Co-op has the resources they need to resist and recover from threats.


With these efforts, the Threat Center Initiative will help ensure that no Co-op is too small to be protected, every Co-op has a community of support, and the nation’s power grid is safer.

Learning Objectives: 

• Right Sizing of Products and Solutions for Small to Medium Entities 
• Information Sharing initiatives for LMI communities 
• Building a novel workforce

In todays IIOT world order of standards ( NIST 800-53) and frameworks, and Product Resiliency against cyber attack with IEC 62443 products, there is still room for debate, and even confusion from the myriad of choices a manager in charge of Cybersecurity and protecting critical assets and operation, independent of what industry sector you come from. This lecture unpacks the practices and pitfalls of the Cybersecurity journey from observation of numerous projects over the past 20+ years of digital transformation.  For both new ventures, and organizations well on their journey to defend against today threat groups targeting Manufacturing sectors. There is a practical approach that will be outlined for assessment, monitoring, control, detection & incident response needed in today’s OT environments.. This session focuses on requirements & priorities, rather than today’s latest technologies, but also gives insight to why some of the leading products work, and some times fail to meet targeted return, on investment, or even address todays threat vulnerabilities.  Session is intended for C-level audience, (CISO), as well as technical mangers from IT and Industrial Control and Operations involved in Cybersecurity programs.

ICS and OT devices have historically been viewed as black boxes, especially by the end users of these devices. Tools and capabilities are incredibly limited in terms of how they can provide visibility and risk identification to these devices, so what are end users to do? The only recourse end users/asset owners have is to leverage existing knowledge bases such as the NVD and by reaching out to the device manufacturers themselves to identify any vulnerabilities and risks. In this presentation, Tom Pace, co-founder & CEO of NetRise will highlight how this is not enough. These datasets and even the knowledge from the manufacturer are insufficient to properly ascertain the level of risk that is present. Thousands of well-known vulnerabilities exist in ICS and OT devices that asset owners are completely blind to. Tom will highlight the true vulnerability disparity that exists for these devices and will explain how to shine a light on true device risk with real world data and techniques that everyone can use when they go back to their organizations.

Attendees will learn how to shine a light on the black box that is ICS/OT devices. Attendees will learn that software vulnerabilities are not the only risks that they should be concerned about. Attendees will walkway with practical recommendations on how to approach this problem on their own.

The "defense in depth" concept is widely used inside the Industrial Control systems (ICS) space, which proposes different layers of defense to make penetration difficult for an outside attacker perspective. While this concept is still important, the rapid growth in sophistication and number of cyberattacks shows this may not be enough to face the current challenges. This talk presents a complementary methodology to enhance the defense in depth approach, supported by international frameworks such as NIST, CIS CSC and ISA/IEC 62443, among others. Available topologies for centralized and decentralized  monitoring and the advantages and disadvantages of active or passive approaches will also be discussed.