ICS 2022

The Control Systems Cyber Security Association International (CS2AI), in collaboration with a team including KPMG and other supporting organizations, conducts a yearly analysis on the current state of ICS cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and -evolving threats.

The survey results will be shared at SecurityWeek's ICS Cyber Security Conference and can help defenders improve their security posture through greater understanding of the diverse concerns and decision drivers that the industry faces.

(Access Livestream and On Demand Video Here)

Attacks on manufacturing, energy, transportation and other critical infrastructure have escalated in the recent past. Ransomware impacting critical business systems and Industrial Control System (ICS) targeted malware have the capability to bring operations to a halt or even worse place risk to human life. Cybersecurity is now a boardroom priority.

Join this session by Liia Sarjakoski, Global Industry Solutions Director for Manufacturing and Energy at Palo Alto Networks, to hear more about the ever increasing threats ICS, Industry 4.0 and IT/OT environments are facing. She will share insights from the recent Unit 42 Incident Response Report, as well as other threat intelligence, future predictions based on this data, and recommendations to proactively prepare for future threats which are critical to ensuring safety of the critical infrastructure that our society depends on.

The Cyber Incident Reporting Act for Critical Infrastructure Act, which was enacted in March 2022, will require critical infrastructure organizations to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.  This aggressive timeline will require companies to have enhanced identification, escalation, and investigation processes in place.
 
In this session, we will discuss the new Act, and the practical steps companies should take, both proactively and during an incident, to comply with this and other industry-specific regulations and expectations.  We will also discuss the unique cybersecurity threats for critical infrastructure organizations that make the industry particularly vulnerable to a cyberattack and the importance of heightened focus to help prevent and contain incidents.

One of the biggest challenges for operational technology (OT) system cyber defenders is the lack of open-source information on cyber incidents impacting sector industrial control systems (ICS), systems putting defenders at a knowledge disadvantage. Understanding potential threats to the overall organization and critical infrastructure is crucial to preventing and responding to incidents.  

Credible failure scenarios can be used to augment the available incident information with a focus on attacks that can cause a physical impact on control systems resulting in the loss of availability, equipment damage, human causalities, loss of revenue etc. EPRI and MITRE will present a Framework for the Use of Potential Cyber Attack Scenarios to Guide Incident Response. The framework makes use of potential cyberattack scenarios to guide incident response that includes analyzing potential failure scenarios, defining associated cyber-attack TTPs using the ATT&CK framework, identifying required data sources, defining representative analytics for detection, identifying potential incident response actions and identifying potential mitigations. The results of failure scenario analysis from a cyber adversary perspective have broad application to ICS environments providing valuable data to enable detection and response to significant cyber attack TTP. Performing trend analysis across scenarios provides additional and significant benefits to include the identification of common adversary TTPs that will aid in prioritizing mitigations. EPRI and MITRE will present on this Framework in the context of energy sector scenarios.

In this session, Mark Plemmons, Sr. Director for Threat Intelligence at Dragos, will dive deep into the technical details and real-world impact on the modular ICS attack framework know as PIPEDREAM/Incontroller that can be used to disrupt and/or destruct devices in industrial environments. In April 2022, a joint advisory from the Department of Energy, CISA, NSA and the FBI warned that unidentified APT actors have created this suite of specialized tools capable of causing major damage to PLCs from Schneider Electric and OMRON Corp. and servers from open-source OPC Foundation.

Analysts believe the malware has not been deployed yet in the wild and that its operator likely plans on using it in future operations. Based on analysis, the framework has been designed to target equipment in electric power and liquified natural gas (LNG) facilities, but it could easily be adapted for other types of environments, as well as devices beyond Schneider and Omron PLCs. Join this session to learn more!

OT monitoring is one of the essential cybersecurity controls for OT environments. It supports organizations in multiple cybersecurity domains, namely asset management, vulnerability management, and security monitoring. Products within the OT monitoring space have matured immensely over the past few years. These products typically rely on passive network monitoring, and most also utilize some sort of active scanning (although the latter is being masked under different names for marketing purposes). There are multiple vendors in the market, and it is difficult for organizations to select the ‘right’ one.

To devise a repeatable methodology that helps organizations assess the major players in the OT monitoring space, our first step was to create a testbed by means of an OT lab environment. Using different types of devices, including OT, IIoT, and IT, various industrial systems were built to simulate real-life processes. Additionally, the selection of the devices was diversified in terms of technology, vendor, make and model, protocols, and deployment architecture. We then devised a methodology that assesses candidate tools across the following functional areas:

• IT Asset Detection
• OT Asset Detection
• IT Asset Identification
• OT Asset Identification
• IT Vulnerability Detection
• OT Vulnerability Detection
• Threat Detection
• User Interface
• Integrations

Applying a methodology to our testbed environment, over 4 weeks of a PoC, generated interesting and insightful results (as well as questions). The various candidate tools, namely Claroty, CyberVision, Defender for IoT, Nozomi, Tenable.ot, performed to varying degrees, some excelling significantly in certain domains over others. The PoC validated that the methodology used was a practical framework that is customizable for organizations’ needs. Since then, this PoC methodology has been adapted and applied to multiple organizations in various industries.

Join this session as Raphael explains the PoC methodology that helps organizations choose the ‘right’ OT monitoring tool.

Many of today’s critical infrastructure systems consist of legacy equipment originally designed to be perimeter-protected or air-gapped from unsecure networks. However, while many of these have become connected over time resulting in a strong emphasis on IT and network based cyber security, device and control system cyber security has not received the same attention.

Join us for an exciting panel discussion that will discuss:

• Executive Order EO 14028 which has brought the requirement of SBOMs to the forefront.
• How SBOMs can play a major role in securing the supply chain, devices and control systems. 
• Where the onus resides for monitoring for vulnerabilities within the supply chain.

Join this session of industry veterans as they discuss the cybersecurity challenges faced in securing the critical operational infrastructure for companies on a digital journey.  Hear lessons learned and insights from their real-world experience on the front lines, building defenses against the evolving and escalating cyber threats to the production networks and industrial control systems they were tasked with protecting.  The discussion will also explore suggestions for moving from a reactive posture to a more proactive stance against the APT’s industry faces today.  And then conclude with Q&A from the audience.

Beginning with a dissertation in 1994, in the subsequent 28 years, Zero Trust has moved from an academic discussion, through struggles that continue with current network and cybersecurity policies and implementation, to the availability of some tools from a wide variety of vendors. ICS often is the last to implement the newest of technology, for very good reason. There are architectures and papers providing much to consider. However, ICS lives in a world where information technology provides the Internet, wide-area and campus-wide communications, as well as some local, dedicated engineering communications. Our goal is to ensure this new technology, like others before it, is useful in an ICS environment. We will see this technology still a concept in development. Alternatively, ICS can be prepared to operate in such an environment provided by others. To those ends, we will examine the information available to carefully consider what should be done.

Key Takeaways:

• Although it can be considered the latest buzzword, Zero Trust offers the next step in cybersecurity
• It’s being implemented, but …
• There is some very good guidance, but it is not mature
• There are tools, but they do not play well together
• Just how it applies to ICS
•  If you have not started, what you can do now to prepare
• Takeaways and thoughts from various presentations and panels throughout the week

Join this session as we discuss takeaways from the week and share insights and thoughts based both on stage presentations and from the great networking discussions throughout the week.

Join us in the Windsor Ballroom for a closing session with an open mic and your chance to ask questions, share insights and network with others for discussions as we wind down a great week!

Thank you for attending SecurityWeek's 2022 ICS Cybersecurity Conference!  We hope you enjoyed the content and made fantastic connections. We look forward to seeing everyone in 2023!