ICS 2022

The Pandemic brought zero trust to the forefront with the advent of Hybrid work and creating the perimeter less enterprise. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero trust within the industrial space is often misrepresented and there can be confusion on what can or cannot be implemented. This quick overview will provide guidance on:

• What Zero Trust is
• Why Zero Trust can be challenging to implement in OT
• Where Zero Trust applies across an Industrial Architecture
• Starting the Zero Trust Journey while securing ICS with Industrial Standards.

Operational technology/industrial control system (OT/ICS) assets that operate, control, and monitor day-to-day critical infrastructure and industrial processes continue to be an attractive target for malicious cyber actors. Traditional approaches to securing OT/ICS do not adequately address current threats to those systems. However, owners and operators who understand cyber actors’ tactics, techniques, and procedures (TTPs) can use that knowledge when prioritizing hardening actions for OT/ICS.  Join Armis in reviewing the anatomy of a port infrastructure attack and how the lessons of Sun Tzu can help in protecting our critical infrastructure against advanced persistent threat (APT) groups.

The National Renewable Energy Laboratory developed the Distributed Energy Resources Cybersecurity Framework (DERCF) and web application to help federal agencies mitigate gaps in their cybersecurity posture for distributed energy systems. The web-based tool assists a facility’s energy management team by bringing guidance and structure to the extensive array of cybersecurity controls applicable to DERs and walking the user through a three-pillar assessment framework. The three pillars, defined as Cybersecurity Governance, Technical Management, and Physical Security, each contain multiple layers that address key cybersecurity topics and together create a robust and flexible framework specifically designed for DERs. Join this session to learn more about the framework and how it could be utilized to help protect your operation!

The National Renewable Energy Laboratory is a national laboratory of the U.S. Department of Energy, Office of Energy Efficiency and Renewable Energy.

Active monitoring of your ICS network traffic and end points can significantly reduce cyber risk and help ensure stable operations, but establishing a 24/7 OT monitoring solution remains a goal out of reach for many operators. Some have elected to leverage existing IT SOC capabilities or premise alternatives to support OT monitoring while others are turning to MSSP providers for an outsourced solution. In this presentation, we’ll discuss the benefits and challenges of OT/ICS cybersecurity risk monitoring & threat detection in both on-premise and MSS scenarios as well as best practices to drive resilience with 24/7 cyber threats detection and response.

Join this session as we explore various approaches that defenders can take to operationalize valuable ICS threat intelligence and take action to defend critical assets.

Threat intelligence has long been considered an apparatus of militaries and three letter agencies. Unfortunately, given the fact that sophisticated threat groups have shifted to disrupting civilian infrastructure as an objective of their cyber operations, threat intelligence is now a necessary component of every strong OT security program, including those in private industry. Although the term "threat intelligence" can sound nebulous or intimidating to security leaders, receiving and actioning threat intelligence can easily amplify preexisting security processes and enrich security operations, increasing industrial safety and resiliency. This talk will seek to inform OT defenders on the ways in which, with good planning and direction, OT threat intelligence can be implemented into security programs with easy alignment to the NIST Cybersecurity Framework, limited strain on human resources, and improved security posture. The talk will focus on ICS Threats and their implications, key strategic and tactical intelligence workflows, and extraordinary examples of industrial organizations (unattributed) actioning OT threat intelligence to prevent disruption.

Research efforts have demonstrated many critical security weaknesses in modern vehicles, specifically involving their Controller Area Networks (CAN). The CAN bus serves as the main communication network between all control systems in the vehicle. Due to its importance and weak security properties, the CAN Bus presents an attractive attack surface for cyberattacks; but also a useful resource for detecting any attacks or other anomalous vehicle conditions.

We present an overview of three recent contributions. First, we describe a research testbed that allows for replaying, modifying, or generating synthetic CAN traffic. This is complementary to testing approaches that involve real vehicles, allowing simpler and easier development and testing, especially at earlier stages in research and development. Next, we present a method for decoding the (proprietary) encoded contents of CAN messages. This automatically determines what signals are present in each message type, and then uses known (standardized) diagnostic queries to label the meaning and units of these learned signals. Finally, we implement a system to find anomalous network traffic on the CAN bus. This includes monitoring the timing characteristics of CAN messages and detecting missing or unexpected messages. In addition, we used the extracted signals described above to detect unusual or tampered message contents. We then combine these approaches into an ensemble detector to demonstrate its effectiveness.

In August 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released information on Preparing Critical Infrastructure for Post-Quantum Cryptography to help prepare critical infrastructure network owners and operators potential impacts from quantum computing. Join this session as we walk OT asset owners through the Post-Quantum Cryptography Roadmap along with the guidance from CISA and cryptography experts. Attendees will come away with actionable steps to take to prepare for the transition.

*This session will be presented remotely

Following the influence of the trade war, the epidemic lockdown and the Ukraine-Russia conflict, the global supply chain has faced surging risks. especially the electronics industry suppliers are unable to provide materials and parts, making it more difficult for enterprises to manage the supply chain. For supply chain security, MITRE and DHS have developed the System of Trust (SoT) framework to improve the trust between supply chain partners. As we know, we should not only evaluate product quality of suppliers, but also understand their geopolitical, national governance, financial, etc.

This research will take the consumer electronics as an example to explore its complete industrial chain, and in-depth analyze the core of the supply chain, including the power industry, semiconductor industry and retail industry. Then find out the security situation and potential threats of above three industries. Finally, we will review the practical mitigations in ICS for different industries. By our research, the organization can fully understand potential threats in their industry, and collaborate with suppliers, manufacturers, and other partners to face the threats from various attack vectors, keeping operation going.

(Access Livestream and On Demand Video Here)

Designing a Zero Trust Architecture can seem like a daunting task. Rome wasn’t built in a day either! As you begin your journey you must start from the basics of what Zero Trust is and what it means to your organization. Then you must identify a starting point and develop an execution plan. In some cases that plan can be as simple as using known strategies from the adversaries to combat the adversaries.

What If I told you that designing a “man-in-the middle” mitigation could start you on your journey of achieving a zero-trust architecture? Join us as we talk about being “in the middle” and how this approach can allow you to broker the trust relationships as we talk about:

• Utilizing an Intermediate System to establishing session controls
• Establishing conditional access policies and parameters
• Doing this with a single tool that will also provide you with situational Awareness.

Modernization of operational technology has brought about significant challenges. Can we justify a wait-and-see approach when it comes to securing OT? The operations in OT/ICS used to be relatively straight forward, but as we become more dependent on connectivity, the challenges securing cyber assets become more complex. We’ll focus on use cases that deal with some of the most prevalent issues organizations encounter today: Legacy systems, insecure protocols, and ‘whose job is it anyway?’ are some of the topics we’ll discuss.

Learn how security segmentation can be a cost-effective and efficient approach to mitigate cyber vulnerabilities for manufacturing environments.

Small manufacturers tend to operate facilities with limited staff and limited resources enabling cybersecurity to fall by the wayside as something that takes too much time or cost. The lack of cybersecurity leaves small manufacturers vulnerable to cyberattack. Some assets used by a manufacturing company need more protection than other assets. The grouping of assets according to the protection they need and placing appropriate cyber protection measures around these groups of assets is security segmentation. This session provides an overview of security segmentation, and then present a systematic yet simple six-step approach for security segmentation design.

Session Objectives: 

• The intended audiences for this session are people managing the IT/OT systems at a manufacturer who could be the operations manager, the network/security architect or a CISO. 
• Learn how common cybersecurity weaknesses present in the OT environment can be mitigated with security segmentation.
• Learn what are the building blocks of security segmentation.
• Learn how to conduct a security segmentation design.

 

Software Bill of Materials (SBOMs) are now recognized as a key component in software supply chain risk management. Executive Order 14028 has mandated them for doing business with the federal government, and critical industries are increasingly adopting this position as well. Unfortunately, SBOMs can result in a significant number of false positive vulnerability reports, creating too much work for too few security experts.

Not every vulnerability merits panic. Just because a vulnerability is reported for a software component doesn't mean the vulnerability is actually exploitable.
 
Cybersecurity and Infrastructure Security Agency (CISA) and the German Cybersecurity and Infrastructure Security Agency (BSI), have developed VEX (Vulnerability Exploitability eXchange) to address this issue. VEX documents allow vendors to preemptively assess the exploitability of vulnerabilities and issue a standardized, machine-readable document that states whether or not their products are “affected” by one or more known component vulnerabilities. 
VEX helps vendors communicate efficiently with their customers and prevents organizations wasting valuable time fruitlessly searching for and patching vulnerabilities in components that are perfectly safe.

This talk will present the results of a supplier of mission-critical ICS equipment using VEX documents to swiftly address customer concerns regarding the high-profile Log4j vulnerability. It will also cover the structure and the standardized formats available for VEX documents. VEX is still early days and there is still work to be done regarding the processing of VEX documents. But the industry needs to understand and be ready for VEX if they are to get vulnerability management under control.

The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.

Learning Objectives:
The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.

In this talk we will introduce new open-source tools for PLC Ladder Logic forensics, showing how it can be used to analyze code and data blocks.

We will demonstrate how it can be used to detect rogue code blocks and anomalous metadata. The demonstration will be shown on a POC malware that has been simulated in our ICS lab environment.

This talk will also cover the basics of programming and explain how communications and execution concepts works in Ladder Logic programming.

Until recently, most of the focus in the ICS security community has been “bolting on” security to the network in the form of firewalls, data diodes, and network monitoring all at the perimeter. Any mention of touching Level 1 devices like PLCs deep inside the network has traditionally been met with gut reactions saying they are too sensitive to handle any extra security functionality, or it is not an effective investment in security. However, there is a wealth of data inside PLCs that can provide tremendous value both for security detections and for everyday troubleshooting. In this talk we will break down common objections we have heard to Level 1 security so we can learn how to stop worrying and love the PLC change.
                   
In this session attendees will learn:

• Common challenges and concerns when deploying Level 1 (PLC) security
• Strategies and tests to ensure Level 1 security solutions don’t affect the process
• Benefits of Level 1 security that far outweigh the costs of deployment

Why are organizations struggling to get the basics of OT Asset Visibility & Detection right?

Due to increasing awareness and/or Board/Compliance requirements, many organizations conduct a preliminary risk assessment to initiate their OT specific Security program. One of the initial steps is to generate an inventory of OT assets, which used to be a rudimentary spreadsheet exercise. With the wide availability of OT asset discovery tools, many go down that path via a proof of concept/value. Besides inventory, asset visibility, network security monitoring and threat detection are evaluated as part of this process. This talk will focus on technical considerations, lessons learnt and best practices from performing these POC/POV, and covers challenges including availability of infrastructure (span ports/tap, routing, bandwidth), archaic protocol implementations, organizational policies for network flows, risk appetite for active probing on low traffic networks and installing agents on HMIs & EWS, and finally the collaboration required of OT & IT personnel for successful implementations.

Due to a speaker travel issue, this session will be presented remotely

The Pandemic brought zero trust to the forefront with the advent of Hybrid work and creating the perimeter less enterprise. Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction. Zero trust within the industrial space is often misrepresented and there can be confusion on what can or cannot be implemented. This quick overview will provide guidance on:

• What Zero Trust is
• Why Zero Trust can be challenging to implement in OT
• Where Zero Trust applies across an Industrial Architecture
• Starting the Zero Trust Journey while securing ICS with Industrial Standards.

Solutions Session Sponsored by Palo Alto Networks

CNC (computer numerical control) machines are largely used in production plants and constitute a critical asset for organizations globally. The strong push dictated by the Industry 4.0 paradigm led to the introduction of technologies for the wide connectivity of industrial equipment, including CNCs. As a result, modern CNCs resemble more to fully fledged systems rather than mechanical machines, offering numerous networking services for smart connectivity. Given this shift into a more complex and software-dependable ecosystem, these machines are left more easily exposed to potential threats.

Our work explored the risks associated with the strong technological development observed in the domain of numerical controls. We conducted an empirical evaluation of four representative controller manufacturers, by analyzing the technologies introduced to satisfy the needs of the Industry 4.0 paradigm, and conducting a series of practical attacks against real-world CNC installations.

Join this session as we share findings showing that malicious users could abuse of such technologies to conduct attacks like denial-of-service, damage, hijacking or theft. We reported our findings to the affected vendors and proposed mitigations. This talk wants to be an opportunity to raise awareness in a domain in which, unfortunately, security is not yet considered an important driver.

This presentation is a report on field tests of a method for authenticating wireless devices based on the polarization characteristics of their signals.Results from monitoring wireless sensors in a factory environment will be presented under various conditions.The tests include the motion of an autonomous robot in the multipath environment and its impact on the polarization characteristics of stationary sensors on the production line. Results will be analyzed for their repercussions of the viability of using polarization for securing wireless devices.

This presentation will highlight the importance of designing and tailoring industrial cybersecurity solutions for critical infrastructure based on lessons learned and best practices obtained across industry sectors, entities, and critical services. Every industrial cybersecurity solution must be unique for every organization because every OT-IoT environment is also unique.

Designing a tailored solution requires specific knowledge, skills and experience in OT/ICS that must include people, processes, and technology. However, many industrial organizations are investing in IT/OT technology tools available on the market without a proper planning and before having a clear understanding of their OT-IoT environments and a development roadmap for their industrial cybersecurity solutions. In many cases, such investments are leading to overspending, disappointment, and lack of expected outcomes.

The goal of this presentation is to provide a practical and hands-on approach to designing and developing industrial cybersecurity solutions that will help organizations within critical infrastructure sectors and their leadership teams in planning, tailoring, and implementing solutions for their OT-IoT environments and Operations.

Recommendations that will be provided for audience during the presentation are based on industrial cybersecurity practical experience, use-cases and lessons learned obtain across industry sectors including public and private organizations.

Electric vehicle (EV) development and associated charging infrastructure are expected to advance rapidly. Most of all global vehicle sales may be EVs and hybrid EVs in years to come, and they will rely on increasingly sophisticated strategies for grid integration. Next-generation EV charging infrastructure is expected to include interconnected renewable resources, such as photovoltaic (PV) arrays and battery storage systems, along with grid-edge devices. These complex interconnections expand the attack surface and could result in attackers acquiring valuable user data or manipulating firmware updates to create malfunctions that could impact power equipment.

In this session, Anuj Sanghvi, Cybersecurity Researcher at the National Renewable Energy Laboratory (NREL), will dive into the some of the cybersecurity work NREL is doing around threat vectors and risk mitigation techniques for Electric vehicle supply equipment (EVSE) and connected and automated vehicles to identify cybersecurity gaps and develop mitigation strategies for the future technologies.