Welcome to the interactive agenda for SecurityWeek’s 2019 ICS Cyber Security Conference. Sessions are being finalized and the final program will include 4 FULL DAYS of content.


Monday, October 21
 

7:30am

Breakfast and Registration
Monday October 21, 2019 7:30am - 10:00am

8:00am

Intro to Industrial Automation Security and ISA/IEC 62443 Standards (IC32C) [$]
CEU Credits: 0.7
Fee: $400 - Register
Certification of Completion: A Certificate of Completion indicating the total number of CEUs earned will be provided upon successful completion of the course.

Description:
Understanding how to secure factory automation, process control, and Supervisory Control and Data Acquisition (SCADA) networks is critical if you want to protect them from viruses, hackers, spies, and saboteurs.

This seminar teaches you the basics of the ISA/IEC 62443 standards and how these can be applied in the typical factory or plant. You will be introduced to the terminology, concepts, and models, and the elements of creating a cybersecurity management system will be explained, along with how these should be applied to industrial automation and control systems.

You will be able to:
  • Discuss why improving industrial security is necessary to protect people, property, and profits
  • Define the terminology, concepts, and models for electronic security in the industrial automation and control systems environment
  • Define the elements of the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Define the core concepts of risk and vulnerability analysis methodologies
  • Define the concepts of defense in depth and the zone/conduit models of security
  • Explain the basic principles behind the policy development and key risk mitigation techniques
  • Explain why improving industrial security will be necessary to protect people, property, and profits

You will cover:
  • Understanding the Current Industrial Security Environment: What is Electronic Security for Industrial Automation and Control Systems? | Trends in Security Incidents
  • How IT and the Plant Floor are Different and How They are the Same
  • Current Security Standards and Practices
  • Creating A Security Program: Critical Factors for Success/Understanding the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Risk Analysis: Business Rationale | Risk Identification, Classification, and Assessment
  • Addressing Risk with Security Policy, Organization, and Awareness: CSMS Scope | Organizational Security | Staff Training and Security Awareness | Business Continuity Plan | Security Policies and Procedures
  • Addressing Risk with Selected Security Counter Measures: Personnel Security | Physical and Environmental Security | Network Segmentation | Access Control: Account Administration, Authentication, and Authorization
  • Addressing Risk with Implementation Measures: Risk Management and Implementation | System Development and Maintenance | Information and Document Management | Incident Planning and Response
  • Monitoring and Improving the CSMS: Compliance and Review | Improve and Maintain the CSMS

Includes ISA Standards:
  • ANSI/ISA-62443-1-1 (ANSI/ISA-99.00.01-2007) - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts & Models
  • ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-3-3 - Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels

Monday October 21, 2019 8:00am - 4:00pm
Hope II

8:00am

Advanced ICS/SCADA Hacking Training [$]
This 1 Day Advanced ICS/SCADA Hacking Training teaches security analysis and exploitation methodologies for evaluating the resilience of ICS environments and associated components.

During the course, participants will have the opportunity to engage in real-life attacks against key ICS/SCADA components. The course takes a deep dive into industrial systems and devices, such as Programmable Logic Controllers, Variable Frequency Drives, and Safety Controllers, as well as protocols used in ICS environments such as Profinet and Modbus.

This course is technically advanced in nature, and has been specifically designed for technical staff responsible for securing ICS systems and environments. This typically means staff in roles such as Process Automation Engineers, Control Systems Engineers, IT/OT Security Officers, Network Engineers, Penetration Testers, Forensic Researchers, System Developers, and Auditing and Security Operations officers.

Requirements: Students must bring their own laptop with VMware Fusion or VMware Workstation Player. Administrative privileges to the host laptop may be required to ensure proper virtual machine functionality. VM images will be provided to students; a minimum of 20GB free disk space is required.

Key Takeaways
  • Methodologies through which security research may be performed against ICS/SCADA devices in order to abuse known and unknown vulnerabilities
  • Real-life attack experience against key ICS components and protocols
  • Knowledge covering how industrial hacking is executed. This will enable you to better protect your operations against hacking activities

Course Content - The Advanced ICS/SCADA Hacking training consists of the following modules:
  • Overview, trends and threats
  • Securing ICS environments
  • Open Source Intelligence (OSINT)
  • Attacking devices – Identify & exploit
  • Hacking Windows-based systems
  • Fuzzing & abusing industrial protocols
  • Firmware Reverse Engineering


Monday October 21, 2019 8:00am - 5:00pm
Hope I

8:00am

ICS Red Team/Blue Team Training (8AM-5PM) [$]
 (US$400 Fee – Limited to 40 Students – Register Now)

What is red team/blue team training?

Security aware and knowledgeable users serve as the “front line” of your overall security posture. As such, training is one of the most essential components of your risk mitigation strategy and overall cybersecurity program. However, without learning cybersecurity from the “hacker’s” perspective and gaining a true understanding of how adversaries attack and compromise ICS networks and assets, you’re only getting half of the picture. Without that other half, you’re essentially blindly deploying generic security controls and “best practices”. In order to have an efficient and cost-effective risk mitigation strategy, you must understand not only where your vulnerabilities are, but also the tactics that attackers will use to exploit these vulnerabilities. Red Team/Blue Team Training provides the opportunity to learn these adversarial tactics in conjunction with the defensive methods; and then students get to apply the skills they learn as they face off in a head-to-head competition, Blue Team (the defenders) against Red Team (the attackers).

The Gamification Difference: It doesn’t take a hacker to play a hacker!
Traditionally, red team/blue team (or red team vs. blue team) training has been a significant time commitment, often upwards of five days or more. This can be taxing on constrained schedules and budgets. This Red Team/Blue Team Training uses cutting-edge computer gaming technology developed by the authors of “Hacking Exposed: Industrial Control Systems” to offer all the best aspects of red team/blue team training, but in a fraction of the time and without a technical learning curve. Students of all levels can even play the part of the red team, regardless of experience or skill level.

In the end, students discover that defending their ICS networks and assets is more than simply deploying “best practices” and “layered defense”. Students will learn to create targeted defensive strategies (despite having limited resources) against a live opponent who is strategizing against them.

What you will get out of this class:
  • Gain a comprehensive, “big picture” understanding of how all the cybersecurity pieces work together
  • Learn and apply practical industrial cybersecurity concepts in a one-day class
  • Learn vulnerabilities and attack vectors specific to industrial control systems
  • Learn about the methods and strategies hackers use to attack industrial control systems as well as traditional IT systems (NOTE: This is not a technical hands-on “hacking” class)
  • Learn how to deploy efficient and cost-effective mitigation strategies and security controls
  • Learn how to build a complete ICS cyber security program
  • Apply what you’ve learned against a live adversary using the cutting edge, turn-based computer training simulation/game, ThreatGEN™
  • Learn how to respond to, adapt, and defend against active attacks
  • Participate as the blue team and the red team, regardless of experience or technical skill level
  • Taught by industry-leading, world-class experts with years of real-world experience
Intended Audience:
  • Anyone interested in gaining beginner to intermediate knowledge of ICS cybersecurity
  • Anyone interested in gaining a better understanding of the overall cybersecurity “big picture”
  • Cybersecurity managers
  • Upper management concerned with IT/OT cybersecurity
  • Plant managers and asset owners
  • IT cybersecurity staff tasked with OT cybersecurity
  • Engineers tasked with OT cybersecurity
  • End users looking for a more effective (and entertaining) cybersecurity awareness training

Speakers

Clint Bodungen

Founder/CEO, ThreatGEN
Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He is a United States Air Force veteran, has been an INFOSEC (now called “cybersecurity”) professional for more than 20 years...


Monday October 21, 2019 8:00am - 5:00pm
Hope I

9:00am

The State of OT Cybersecurity: The Good, The Bad, and The Ugly
In OT cybersecurity, the last few years have been a wild ride. In 2015, only the most progressive industrial organizations recognized the threat OT cyber risks pose to industrial safety and reliability. By 2018, most industrial organizations had launched OT security programs. Then, like a scene right out of the Clint Eastwood classic, The Good, the Bad, and the Ugly, OT asset owners were caught in the crossfire, as, like gunslingers, OT security vendors popped up and competed to find their fortunes.

However, despite the chaos in the OT security world, much good has been achieved. For example, many industrial organizations improved their understanding of their OT cyber assets and current risk profiles. However, some bad – and even some ugly – remain.
  • The Good: Boards of directors and business leaders have more knowledge of OT cyber risks. Funding OT security programs is easier. Programs are moving from tire-kicking to solution viability testing.
  • The Bad: The industry’s reception to initial tools/solutions has been mixed. Vendors continue to confuse OT security teams by noisily repeating well-worn but seldom proven mantras – 100% visibility! Single pane of glass! Meanwhile, OT teams struggle to identify which of the existing OT security solutions are viable and which are “all hat, no cattle.”
  • The Ugly: Many of the products currently available will ultimately fail to deliver on their promises. Basics are missing. Scalability challenges exist. Vendor promises remain unfulfilled.
This presentation provides an insightful look at the current state of OT cybersecurity. It focuses on strategies owner operators and IT and OT security teams can use to cut through the noise. It also provides guidance on how to assess the current state of their program, what they should focus on in the next year, and what they should be prepared to achieve in the next 3-5 years.

Speakers

Mark Carrigan

Chief Operating Officer, PAS Global
Mark Carrigan joined PAS in 2000. As Chief Operating Officer, Mark leads the technology and operations organizations. During his tenure at PAS, Mark has held a variety of positions including Senior Vice President of Technology, Managing Director for the Middle East, and Global Sales...


Monday October 21, 2019 9:00am - 9:45am
Windsor DE

9:00am

Industry-Specific Assessment Baselines With NIST CSF
Assessing all control systems against the same metrics and expectations will result in companies focusing on the wrong corrective actions. Different industries such as Consumer Manufactured Goods, Pharmaceuticals, and Critical Infrastructure have different thresholds for risk acceptance. When performing assessments for different clients, the need to create a baseline for specific industries was found to be necessary. This presentation will highlight some of the applications of the NIST Cybersecurity Framework by defining unique baselines for different industry verticals, the potential benefits of defining industry-specific goals, and examples of how those would work within real industries and companies.

Speakers

Brandon Bohle

OT Cybersecurity Analyst, Interstates
Brandon is an OT Cybersecurity Analyst for Interstates. With a BS in Cybersecurity from Dakota State University, a MS in Information Assurance, and over ten years’ experience working in cybersecurity in the finance and industrial controls industries, Brandon brings a wealth of...


Monday October 21, 2019 9:00am - 9:45am
Windsor C

9:45am

Social Engineering and Critical Facilities – Attack Methods and Prevention Techniques
Social engineering is a primary method for obtaining unauthorized access to secure environments. Most attacks against critical infrastructure rely on some form of social engineering, with examples being email phishing, vishing, and other various techniques.

Control systems in many critical facilities are isolated from the Internet (air-gapped). This provides a false sense of security as it is common to exploit the human factor to “bridge the gap”. Even for “connected” facilities, it is often much easier to gain access using social engineering techniques than traditional hacking methods. Additionally, many control systems are not configured for proper role-based access control, with the worst offenders sharing credentials across many users with largely open permission sets. This widens the attack surface substantially and proves very helpful to the human hacker. On the other extreme, it is also possible to have a single individual responsible for all the actions in the control system. Even for the most trusted employee, this places them as a target for an Advanced Persistent Threat (APT).

In this talk, we will discuss social engineering and related attack methods with a special focus on critical facilities, SCADA systems, Operational Technology (OT) networks, vulnerabilities, and challenges. We will cover an end-to-end scenario, including target identification and reconnaissance via Open-Source Intelligence (OSINT), attack methods and useful devices (with demos) with the ultimate goal of illustrating how some attackers gain access to some of the most secure environments. Prevention strategies to avoid these attacks will then be discussed.

There are many approaches to preventing social engineering attacks on corporate environments (IT networks). These range from advanced email filtering appliances and voice recognition software to rapid credential rotation services with multi-factor authentication. Many of these technical solutions work well for IT networks, but many will pose challenges for their OT network counterparts. For instance, a security appliance should not be configured to heuristically deny traffic in a control system (for safety reasons).

OT networks are fundamentally different from IT networks and efforts to prevent attacks on these systems must consider their unique attributes. These attributes include the ability to require the “two-man rule” and “control escalation” where two people must be involved for a control action to take place (thus making it twice as difficult for the social engineer). Two-factor authentication is becoming more common in SCADA deployments (but remains disabled for various reasons).

This discussion will start with the basics and then quickly progress to more advanced techniques. Is your air-gapped environment secure? Attend this session to get assessment and prevention tips so that you can decide for yourself.

Speakers

Chad Lloyd

Security Architect, Schneider Electric
Chad Lloyd is a security architect and Senior Fellow with Schneider Electric. Chad has multiple certifications including CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker). Chad obtained his M.S. in Computer Science and his M.S. in Computer...


Monday October 21, 2019 9:45am - 10:30am
Windsor DE

9:45am

Securing Remote Access into ICS Networks with Open Source and Open Source 2-Factor Authentication
Cybersecurity can be a sizable investment. Companies with ample funding can afford well-established cybersecurity solutions and the associated annual subscription fees. This session will discuss using open source software to secure remote access into ICS networks. Open source software can be found running on IT systems, in the cloud, and on embedded devices in industrial control systems. For cybersecurity, open source offers a wide range of security solutions with low startup costs, which benefits smaller companies with tight budgets.

With the mindset of finding a solution with very low start-up costs, the first objective was to create a proof-of-concept to secure remote access to a jump server with two-factor authentication. VPNs (Virtual Private Networks) can provide a secure channel, but nothing stops a virus or other malware from being transmitted from a remote system to the jump server and from the jump server into an ICS network. The second objective was to find a way, again using only open source software, to mitigate malware or unwanted software finding its way onto the jump server.

An ICS network was built to emulate a real environment, including a host hypervisor running a jump server VM (Virtual Machine) in a DMZ (Demilitarized Zone). 2-Factor authentication was implemented to access the jump server VM. PowerShell scripts, run by a scheduler, were developed to shut down the jump server VM, delete it, copy a pristine jump server image from a secure location, import the image into the hypervisor, and restart the VM in a ready, pristine state.

Files were damaged or corrupted on the jump server to emulate a malicious attack on the system. At 1 AM the scheduler initiated the jump server VM re-imaging process and an email was sent showing successful restore of a pristine image. Multiple vendors providing remote support, each assigned a VM jump server, could be permitted to service or monitor specific systems via 2-Factor Authentication. With the scripted re-imaging process described above, malware or unwanted software on the jump server will be mitigated.

Speakers

Daniel Paillet

Cybersecurity Lead Architect, Schneider Electric
Daniel Paillet is currently Cybersecurity Lead Architect within the Schneider Electric, Energy Management Business Unit. His background includes working in the US Department of Defense on various security projects, Operational Technology, Retail, Banking, and Point-of-Sale. He holds...


Monday October 21, 2019 9:45am - 10:30am
Windsor C

10:30am

Morning Break
Monday October 21, 2019 10:30am - 10:45am
Pre-Function Hallway

10:45am

Creating and Performing a Cybersecurity Tabletop Exercise
Preparing for a cybersecurity incident at your company is important. There are several phases to a successful tabletop exercise. A tabletop exercise provides an opportunity for an organization to test contingency plans. These plans may address a variety of challenges facing an organization. Challenges to business continuity may come from weather, terrorism, cyber incidents, insider threats, or a natural disaster. There are multiple levels of contingency plans, including incident response plans, emergency evacuation plans, and business continuity plans.

This presentation will focus on helping you understand why you should perform a cyber exercise, and provide step-by-step guidance on how to create and conduct a cyber exercise from scratch through the following steps.

  • Understand why to perform a cyber exercise
  • Determine the type of exercise to be performed
  • How to build the Exercise Design Team
  • Create the Exercise Plan
  • What drives the story? The narrative
  • One more look at Injects
  • Leading up to the Big Exercise Day
  • Exercise Day
  • Writing the After-Action Report (AAR)
  • Exercise Follow-Up and Process Improvements

Speakers

Teresa Rule

Founder and CEO, Control Cyber

Patricia Hammar

Founder and COO, Control Cyber
Patricia Hammar, Founder and COO of Control Cyber, has distinguished herself as a renowned expert on technology policy leveraging both her technology and legal expertise to address complex issues such as Cyber Incident Response Planning. Patricia’s extensive professional experience...


Monday October 21, 2019 10:45am - 11:30am
Windsor DE

10:45am

Digital Twin Security Analysis and Best Practices
A Digital Twin simulation model is a powerful tool for implementing advanced analytics to support process optimization, predictive failure analysis, and optimally scheduled maintenance. The unique machine learning software and computational demands of a modern digital twin simulation for complex machines typically require a cloud-hosted model. This presents a challenge for industrial application owners who are concerned about protecting their operations technology (OT) network from cybersecurity threats. This talk will look at the unique data flows and special security properties of a digital twin deployment for industrial equipment. The DHS and NIST guidelines will be used to develop a secure operations model that meets the unique demands of industrial control systems. The resulting model will be used to suggest a set of recommended best practices for an integrated, defense-in-depth security strategy for digital twin analytics.

Learning Objectives:
  • Overview of digital twin architectures and security implications.
  • Review of the DHS and NIST guidelines for ICS networks.
  • Recommended best practices for digital twin applications that rely on hosted analytics services.


Speakers

Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...


Monday October 21, 2019 10:45am - 11:30am
Windsor C

10:45am

Data Diodes to Facilitate Edge Analytics in Industrial Networks (Part 1: Intro)
Securing industrial networks presents a number of unique challenges that will only continue to increase. As the number of connected devices grows, so does the attack surface. However, cybersecurity need not be something your company HAS to manage, but, rather, a means to facilitate the efficiency and optimization gains promised by adopting “Industry 4.0”.

Join this workshop for an in-depth presentation addressing data diode technology and its usage in securing industrial networks. We will evaluate a simulated waste water treatment facility, pass asset data (pump, motor, valve, etc.) through a data diode for remote condition monitoring, and hold a detailed discussion on predictive/explanatory analytics. This vendor-agnostic workshop will help you thoroughly understand Data Diode/Unidirectional Gateway technical mechanisms.

Learning Objectives:
  • Thoroughly understand Data Diode/Unidirectional Gateway technical mechanisms and their role in ICS cybersecurity
  • Compare/Contrast Firewall and Data Diodes
  • Key Concepts of Edge Analytics
  • Utilization of Data Diode to facilitate 3rd party, or remote, access to ICS data in near real time
  • Edge-Based Machine Learning/Artificial Intelligence for Predictive Maintenance and Process Optimization

Speakers

Terry Miller

Siemens
Terry Miller has spent nearly 10 years working with OEMs to evaluate and optimize industrial processes through increased performance of their machines. After finishing a Master’s Degree in Predictive Analytics, Terry began formally training and deploying Machine Learning algorithms...


Monday October 21, 2019 10:45am - 12:30pm
Hope III

11:30am

What Is the Darknet and Can It Harm My Process Control Operation?
An underground “hidden market” where illegal activity is difficult to trace lurks beneath the Internet – the public layer where we jump on wi-fi networks, search the web, perform credit card transactions and enter personal information without a second thought. Called the Darknet, this little-known portion of the Internet is home for “hackers for hire” and is a hotbed of activity for those looking to monetize stolen information and privileged system access.

Emerging on the Darknet are forums where cyber criminals sell access to supervisory control and data acquisition (SCADA) systems and industrial control systems (ICSs). Imagine if cyber criminals gained access to the control systems for nuclear power plants, chemical plants, oil and gas facilities, hospitals, electrical and power generation stations, water/wastewater plants, food and beverage or pharmaceutical facilities. The results could be disastrous.

Is your control system vulnerable? Learn what the Darknet is and understand its role in potentially allowing intruders to access your control system. The fight against those who would steal the keys to your ICS and sell them on the Darknet starts with cybersecurity awareness. Keep cybersecurity top of mind and get cyber ready to educate your workforce and closely manage consultants and vendors.

Speakers

Bruce Billedeaux

Senior Consultant, MAVERICK Technologies - A Rockwell Automation Company
Bruce Billedeaux is a senior consultant for wireless, energy optimization and cybersecurity at MAVERICK Technologies, a leading platform-independent automation solutions provider offering industrial automation, strategic manufacturing solutions and enterprise integration services for all the process industries...


Monday October 21, 2019 11:30am - 12:15pm
Windsor DE

11:30am

Project: Best Practices in Cybersecurity for Utilities
ProtectOurPower.org pursues a mission to make the grid more reliable and resilient – sooner. The NERC Standards are insufficient to protect the grid, and many Utilities pursue processes that provide better protection than these Standards. ProtectOurPower is pursuing a project that divides the 1000 vendors selling cyber-products to the Utilities into 100 Topics and aligns a University with each to develop vendor comparison matrices. The presentation will focus on this project and its current status.

Speakers

Paul Feldman

Mr. Feldman is past Chairman of the Midcontinent ISO (MISO) and a former Board Director of the Western Electricity Coordinating Council (WECC). He was CEO of Columbia Energy, CEO of Utilicorp United, and SVP of AES. Presently, Mr. Feldman serves as a Board member at Blattner Energy...


Monday October 21, 2019 11:30am - 12:15pm
Windsor C

12:15pm

Lunch
Monday October 21, 2019 12:15pm - 1:30pm
Windsor Garden

12:30pm

Hacker Machine Interface – Attacking the Energy & Water Sectors (Lunch Workshop)
The Energy & Water (E&W) sectors are critical to the economy of every nation and need to be secured. During our investigations we found a certain number of exposed and unprotected E&W systems online, accessible via their exposed HMIs, bringing with them a danger to this Critical Infrastructure (CI). We wish to stress that contrary to many sensationalized stories on the vulnerability of Internet-connected CI, our findings were limited to small-to-medium sized organizations within these sectors. Large CI organizations have security firmly in mind, but they still consider their ICS infrastructure susceptible to cyber attacks. However, the exposure of these more mid-tier organizations is still cause for concern for two reasons. Firstly, because of CI interdependencies and the distribution network setups, failures in these mid-tier organizations will have cascading and far-reaching after-effects further up the Supply Chain. Secondly, for would-be attackers these mid-tier players act as the perfect test bed for attack strategies to try out their effects in less risky ways. In this talk we present the following:
  • Using OSINT techniques we probe the E&W sectors to see what types of exploitable cyber assets are accessible to would-be attackers
  • Findings from past ICS security research papers to highlight the potential threats faced by exposed cyber assets
  • An analysis of common SCADA HMI vulnerabilities discovered by Trend Micro’s Zero Day Initiative (ZDI)
  • Attempt to identify likely attackers, probe their motives, and assess damage potentials
  • Conclude with a discussion about the challenges faced in securing IT-OT environments

Sponsored by: Trend Micro

Speakers

Numaan Huq

Numaan Huq, Trend Micro
Numaan Huq is a Senior Threat Researcher with Trend Micro’s Forward-Looking Threat Research (FTR) Team. He has been working for over a decade in the Computer Security Industry and has extensive experience analyzing the latest cyber-threats, software exploits, and malware families...


Monday October 21, 2019 12:30pm - 1:15pm
Hope III

1:30pm

Inside the Mind of a Hacker: How Defending Against Me Can Open New Manufacturing Business Models for You
Additive manufacturing is having an extraordinary impact on the way many products are manufactured. Realizing the full potential of AM requires re-thinking traditional approaches to design and automation - which enables new business models - but is also disrupting supply chain players. This exciting potential for industry is also accompanied by potential for hackers who are actively looking to exploit these advancements. Effectively securing the integrity of AM processes is now absolutely crucial, and data protection for 3D printed files is becoming extremely important.

This session will discuss specific use cases in Additive and Subtractive Manufacturing (Distributed Digital Manufacturing, Integrity/Traceability of the Digital Thread) from the perspective of an experienced hacker, and provide pragmatic strategies to mitigate cyber threats by thwarting the hacker 'business model'. The session will also discuss real-world exploits and mitigations as examples of how a 'common sense' approach to cybersecurity can be used to open new manufacturing business models.

Learning Objectives
  • Understand a cybersecurity methodology for Additive / Subtractive Manufacturing based upon thwarting the hacker 'business model'
  • Understand a pragmatic approach of applying cybersecurity to address relevant quality control issues and repeatability in Distributed Digital Manufacturing models
  • Understand how specific cybersecurity strategies can be used practically to open new business models and provide tangible competitive advantages

Speakers

Evan O’Regan

Head of Connected Additive Manufacturing, Irdeto


Monday October 21, 2019 1:30pm - 2:15pm
Windsor DE

1:30pm

CISO Case Study: Zero to Hero: From Unknown and Unmanaged to Visible and Resilient
Join Cyberbit and Cecil Pineda, former CISO of Dallas Fort Worth Airport, who will share his experience in managing a complex IT/OT network at DFW International Airport, the fourth-busiest airport in North America.

Major airports are challenged in managing critical OT systems that range from transportation (light rail) and power to baggage handling. OT networks converge with IT systems and communication platforms that deliver critical services that are often taken for granted. Mr. Pineda will explain his route to visibility and manageability alongside Cyberbit's VP of Product and OT expert Edy Almer. Together they will share their real-world expertise and proven approaches to OT and IT resiliency.
  • How to get IT/OT teams working together
  • How to automate and orchestrate security incidents across a converged IT/OT network
  • What is an ICS cyber range, and how attack simulation can train OT and IT teams in responding more effectively to security incidents
Sponsored by: Cyberbit

Speakers

Cecil Pineda

CISO and Managing Director, Cyber Watch Systems
Cecil is the CISO and Managing Director at Cyber Watch Systems. Prior to his current job, he was CISO at the Dallas Fort Worth International Airport, where he managed the cybersecurity operations, IT compliance and data privacy of the world’s 3rd largest airport. Mr. Pineda has...


Monday October 21, 2019 1:30pm - 2:15pm
Windsor C

1:30pm

Demystifying the Complexity of Deploying a Data Diode (Part 2: Hands On)
One often hears the complexity required to “set up” a data diode cited as an impediment to its more frequent use in securing industrial control networks. In this hands-on workshop, participants will learn about the network architecture associated with the best practices of data diode deployment. Additionally, attendees will be able to configure a unit’s interface for two different functions.

First, gateway functionality will be explored as users observe the OPC-UA data diode interface, configuring the unit to enable the historian-to-server connection from the control network to the open network. Participants will then configure the data diode in secure “TAP” mode to securely feed network traffic into an Intrusion Detection Software appliance for monitoring.

Speakers

Terry Miller

Siemens
Terry Miller has spent nearly 10 years working with OEMs to evaluate and optimize industrial processes through increased performance of their machines. After finishing a Master’s Degree in Predictive Analytics, Terry began formally training and deploying Machine Learning algorithms...


Monday October 21, 2019 1:30pm - 4:00pm
Hope III

2:15pm

Bringing DevSecOps to ICS
Bringing industrial control systems and critical infrastructure into the modern age will require more than just software updates. It’ll require continuous software updates. The challenge is that every time new updates to software powering applications or infrastructure are introduced, so too is the potential for new vulnerabilities. Every little change of code creates the potential for a new vulnerability that attackers can exploit, and the demand for updates to be delivered faster and faster only increases the security challenges. Any business that relies on software as a competitive differentiator – in other words, every business today – is facing this issue and trying to figure out ways to deal with it. But for industrial control systems that are already playing catch-up and trying to adapt to a connected world, these challenges will be that much more daunting.

This session will provide an overview of DevOps and DevSecOps cultures to help the people using and managing industrial control systems understand how these practices fit into their organizations. It will empower those tasked to secure critical infrastructure with the knowledge they need to ensure that comprehensive discovery and remediation of software vulnerabilities are in place so they can proactively manage risk.

Speakers

Aaron Wise

Director of Engineering, ZeroNorth


Monday October 21, 2019 2:15pm - 3:00pm
Windsor DE

2:15pm

Dissecting the Industrial Communication Protocols for Cybersecurity Risks
This talk will demonstrate how to analyze an industrial communication protocol and write a Lua plugin for Wireshark and exploit code as a hacker. A demo will show how hackers can compromise a PLC through industrial communication protocols. The demo will point out the common security issues in ICS protocols and demonstrate a protection strategy to secure ICS/SCADA devices.


Speakers

Terence Liu

GM-VP, TXOne Networks and Trend Micro
Dr. Terence Liu leads TXOne Networks, a joint venture company by Trend Micro and Moxa. TXOne Networks brings pragmatic and practical OT cyber defense to the industrial world by integrating Trend Micro’s security technology and Moxa’s ICS hardware and experience. Terence also leads...

Mars Cheng

Cyber Threat Researcher, IoT/ICS Security Research Labs, TXOne Networks and Trend Micro
Mars Cheng is a Cyber Threat Researcher with TXOne Networks’s IoT/ICS Security Research Labs and Trend Micro. His research interests include ICS/SCADA security, threat hunting for IoT and ICS/SCADA, cryptography, and Web/IoT/Mobile/ICS/SCADA penetration testing. Before joining TXOne...


Monday October 21, 2019 2:15pm - 3:00pm
Windsor C

3:00pm

Afternoon Break
Monday October 21, 2019 3:00pm - 3:15pm
Pre-Function Hallway

3:15pm

Engineering a Cyber-Resilient Smart Grid
The smart grid is recognized as the most critical infrastructure, where the assumption of reliable and secure availability of electric power underpins the digital revolution that continues to transform our modern lives. The digital transformation of the smart grid is reshaping the interactions between smart grid system components, between power systems and consumers, and between power systems and other interdependent critical infrastructures. Cybersecurity and resilience of smart grids are essential enablers for continued innovation; however, existing standards and regulations follow a bottom-up, technology-focused approach that may not sufficiently address the risks across the different smart grid operational layers. In this presentation, we expand on the benefits of cyber-physical modeling as a useful tool to capture much of the innovation, cyber-physical threats, risks and uncertainty. We present an operational risk-based model for smart grids that efficiently captures cyber-physical uncertainties and enables more resilient operation. This model utilizes a cyber-physical risk metric that can be used as a parameter for operation. We also expand on the need for a data-driven definition of trust between the different smart grid system components.

Speakers

Eman Hammad, Ph.D.

PwC
Dr. Eman Hammad combines practical experience and theoretical research to shape her vision for resilient-by-design solutions in the connected world. Eman's work focuses on how a deeper understanding of interactions between critical infrastructure systems and enabling technologies...


Monday October 21, 2019 3:15pm - 4:00pm
Windsor DE

3:15pm

Next-Generation Holistic Visibility for Industrial Networks: Moving Beyond Passive Monitoring
This session introduces a next-generation data collection technique where raw data can be transformed into actionable information, providing holistic visibility across industrial networks, and augmenting existing active, passive, and hybrid data collection methods. Attendees will learn about various practical, non-obtrusive techniques to help identify, mitigate and remediate cyber events—from vulnerabilities and system misconfigurations to unauthorized changes and equipment failure. The session will also cover the benefits and risks of various data collection methods and key considerations to determine the best method to use in a particular environment. While more organizations are starting their cybersecurity journeys with passive monitoring first, then exploring active and hybrid solutions, the next step is to integrate with OT hardware technologies to provide cybersecurity insights across a broader, richer dataset leading to 100% holistic visibility within their environment. Attendees will leave this session understanding how to leverage each data collection method, as well as with valuable tools and resources for achieving deep visibility for safe, reliable, resilient industrial networks.

Several open source projects will be mentioned, including Standard Windows and Linux command sets, MITRE ATT&CK Framework, INL STOTS (Structured Threat Observable Tool Set), Kiwi, ELK, OpenVAS and more.

Learning Objectives:
  1. Understand the key benefits of each data collection method.
  2. Understand the gaps or pitfalls present for the various methods.
  3. Learn a risk-based approach to determine where to start and which path to take.
  4. Learn how integrating OT technologies can result in holistic visibility.



Speakers

Zane Blomgren

Senior Security Engineer, Tripwire
Zane Blomgren is a Senior Security Engineer at Tripwire. During his 14-year tenure at Tripwire, he has served a number of roles including Pre-sales Engineer and Post-sales Professional Services Consultant. With over 20 years’ cyber security experience, Zane has been called on to...


Monday October 21, 2019 3:15pm - 4:00pm
Windsor C

4:00pm

Hardening a Modern ICS Environment
Industrial Control System (ICS) devices were initially designed for closed-network or non-networked environments inside of facilities that were thought to be secure. These early systems did not consider cyber threats to be of consequence due to their closed off environment. However, these environments have evolved into technical distributed systems that may be connected to the Internet. These systems are high value targets that are also often infrequently patched or updated, leaving them vulnerable to common exploits. This, in tandem with the rise in threats from state actors willing to invest a large amount of time and money to compromise these high value targets, makes hardening ICS systems a necessity.

During this session, we will look at three fallacies that impact the security postures of industrial control systems and propose some ways to address them. In summary these misconceptions are:

1. Programming languages don’t matter.
2. Keeping the adversary out is all that matters.
3. There is no way the adversary knows enough about my system.

This session will demonstrate some of the concepts discussed above in a Linux 5.2 environment with Fieldbus support. We will demonstrate methods for inhibiting a “root” shell from accessing a protected file, an encrypted storage and executable vault that limits the potential for reverse engineering (RE), and finally a rootkit that is unable to be loaded into the kernel.

Speakers

Dan Robertson

Software Engineer, Starlab
Dan Robertson is an Epidemiologist turned Software Engineer. Mr. Robertson is currently working on a Linux Security Module at Starlab. Before working at StarLab he worked at Tripwire on a Vulnerability Management product where he spent most of his time working with the SMB protocol...


Monday October 21, 2019 4:00pm - 4:45pm
Windsor C

4:00pm

Zero Trust Networking Strategies for Greenfield OT/IoT and Legacy OT Environments
This short workshop will cover different approaches to OT segmentation, from brand new networks to more legacy environments. This session will cover:
  • Core Zero Trust Networking concepts
  • OT Perimeter and Plant Core zoning and policy strategies
  • Addressing segmentation in legacy environments with minimal disruption
  • Extending Zero Trust to the Industrial Cloud/IoT
  • Integration with ICS Network Security Monitoring solutions
Sponsored by: Palo Alto Networks

Speakers

Lionel Jacobs

Sr. Security Architect, ICS and SCADA Systems, Palo Alto Networks
Lionel Jacobs is part of the Palo Alto Networks ICS and SCADA solutions team working as a Sr. Security Architect. Coming from the asset-owner side, Lionel has spent the last 20 plus years working in the IT/OT environment with focus on ICS systems design, controls, and implementation...

Del Rodillas

Director ICS/IIoT Solutions, Palo Alto Networks
Del is currently responsible for the Global ICS/IIoT Solutions initiative at Palo Alto Networks. He leads a team of Cybersecurity Architects focused on helping OT end-users learn about and implement ICS/Security best practices and architectures across different industrial sectors...


Monday October 21, 2019 4:00pm - 5:00pm
Windsor DE

5:00pm

Welcome Reception
Please join us for a welcome reception as we celebrate Day 1 of SecurityWeek's 2019 ICS Cyber Security Conference.

Sponsored by: IndustrialCybersecurity.Com

Monday October 21, 2019 5:00pm - 7:00pm
Venetian Ballroom
 
Tuesday, October 22
 

7:30am

Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!


Tuesday October 22, 2019 7:30am - 10:00am
Pre-Function Hallway

8:00am

Welcome to SecurityWeek's 2019 ICS Cyber Security Conference | USA
Speakers

Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the cyber threat landscape, and enterprise, critical infrastructure, and national security space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages...


Tuesday October 22, 2019 8:00am - 8:15am
Windsor Ballroom

8:15am

State of ICS Cyber Security: CS2AI-KPMG Survey Results
(CS)2AI-KPMG 2019 ICS Security Survey Results

The Control Systems Cyber Security Association International (CS2AI), in collaboration with a team including KPMG International, SecurityWeek, Airbus Cyber, and other supporting organizations, is conducting a yearly analysis on the current state of ICS cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and -evolving threats.

Unveiled for the first time at SecurityWeek's ICS Cyber Security Conference, the survey results will help defenders improve their security posture through greater understanding of the diverse concerns and decision drivers that the industry faces.

Professionals with experience in ICS cyber security are encouraged to contribute to the community and complete the survey, which should take about 15 minutes to do.

Speakers

Derek Harp

Founder & Chairman, (CS)2AI


Tuesday October 22, 2019 8:15am - 9:00am
Windsor Ballroom

9:00am

Keynote: Fireside Chat With Admiral Mike Rogers
Admiral Mike Rogers is the former director of the National Security Agency (NSA), the former chief of the Central Security Service, and the former commander of the U.S. Cyber Command. He retired from the U.S. Navy in 2018 and was responsible for creating the DoD’s newest combatant command and running the U.S. government’s largest intelligence organization.

In this exclusive fireside chat, Rogers will join SecurityWeek's Mike Lennon to discuss a range of topics, from geopolitical tensions and nation-state threats to protection of U.S. critical infrastructure from cyber threats across the board.



Speakers

Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the cyber threat landscape, and enterprise, critical infrastructure, and national security space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages...

Admiral (Ret.) Mike Rogers

Former Head of NSA and U.S. Cyber Command
Admiral Mike Rogers retired from the U.S. Navy in 2018 after nearly 37 years of naval service rising to the rank of four-star admiral. He culminated his career with a four-year tour as Commander, U.S. Cyber Command and Director, National Security Agency – creating the DoD’s newest combatant comm...


Tuesday October 22, 2019 9:00am - 10:00am

10:00am

Morning Break
Tuesday October 22, 2019 10:00am - 10:15am
Pre-Function Hallway

10:15am

Case Study: Secure Remote Monitoring of Off-Shore Rig Equipment
In order to provide improved predictive maintenance, and head off potential downtime, not to mention possible disasters related to failing equipment, regulations have been put into place to remotely monitor various critical equipment on off-shore drilling rigs. However, off-shore drilling rigs are also a prime example of cyber-physical threat convergence, where cyber threats pose potential safety risks to on-site personnel as well as the surrounding environment. So how can we enable a digital channel for remote monitoring without opening a potential cyber threat vector and exposing the rig to additional risk? This session will outline a real-life case study and implementation of data diode cybersecurity technology to protect and remotely monitor off-shore rig equipment, including the related challenges, benefits, and takeaways.

Speakers

Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...


Tuesday October 22, 2019 10:15am - 11:00am
Hope I

10:15am

The Past and Future of Integrity-Based Attacks in ICS Environments
Industrial control system (ICS) attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.

Historically, such attacks are not new, but instead encapsulate the very first known ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking effects to operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system-targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.

This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.

Speakers

Joe Slowik

Principal Adversary Hunter, Dragos
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. In this role, Joe provides time-sensitive, actionable threat intelligence to enable ICS asset owners and defenders...


Tuesday October 22, 2019 10:15am - 11:00am
Windsor Ballroom

11:00am

Level 0 Vector of Attack on PLC Based Systems
Level 0 Exploits on Train ICS – (This applies to all industrial control systems)

Train systems are notorious for being extremely safe. Redundancy, fail safe mechanisms, interlocks, etc. The single security aspect that is left untouched on most Train Control Systems these days is Cyber Security. It is true that most existing train safeguard systems have their safety mechanism, but what if someone made great efforts to compromise them? What if this person or group had substantial time, money and knowledge to derail a train in a large city?

The goal of the presentation is to discuss the various ways the Industrial Control Systems onboard a train and on waysides are imminently at risk of cyber-attacks all across North America.

Referring to the Purdue Model for ICS Network Diagrams, we will simulate a Level 0 attack on a train, going step by step until a potentially dramatic event is demonstrated. This session will demonstrate the ability to impersonate physical and localized sensors using off-the-shelf connected micro-controllers (Raspberry Pi, Arduinos, etc.). It will go into detail on how Public Transit Systems, Intelligent Cities and Intelligent Military Bases are factual targets when deploying sensors to collect data or monitor situations.

Speakers

Patrik Chartrand

Cyber Security Specialist, Rail & Transit, SNC-Lavalin
Mr. Patrik Chartrand is a highly creative, accomplished executive-level professional with over 20 years of experience in innovative IT and Cyber Security initiatives with a track record for problem solving. He is capable of leading and inspiring design and innovation teams for a cutting-edge...


Tuesday October 22, 2019 11:00am - 11:45am
Windsor Ballroom

11:45am

Consolidating OT and IT Visibility, Security Analytics and Alerting
Many organizations have limited visibility into the potentially malicious activity in their environments. This is especially true in OT environments, where many traditional security tools provide little help. In this session we’ll show how IBM Security’s QRadar, the recognized leader in the SIEM and analytics market, integrates with Nozomi’s SCADAguardian, which gives deep visibility and insights into activity within your OT environment, drastically improving your ability to detect attacks.

Tuesday October 22, 2019 11:45am - 12:30pm
Hope I

11:45am

Deep-CYBERIA: Towards Automated Discovery of Level 0 Sensors and their Interdependencies
In large cyber-physical systems, the capabilities of mapping and analysis of sensors at levels 0 or 1 behind the programmable logic controllers (PLCs) are very useful for many purposes including triage, verification, audit, misconfiguration detection, intelligence gathering, maintenance, calibration, inaccessible locations, and so on. However, unlike traditional information technology components, sensor information is relatively challenging to infer and analyze because of the inherently indirect nature of their dynamic behavioral effects.  The complexity of the inference problem arises from the undetermined numbers and type of sensors, unique interconnection topologies, protocol heterogeneity and customized interdependencies driven by the physical portion of the cyber-physical system.

Given passive or active modes of interaction with a cyber-physical system, how well can network communication reveal the sensor information behind the PLCs? Is it feasible for causality patterns among multiple streams of the inferred sensors to reveal the actual dependencies of the physical processes driving them, and to what extent? Are there special classifications of sensors that are largely domain-agnostic in nature, yet reveal useful insights? What types of analyses are most effective in uncovering any unexpected, intentional or unintentional effects on the operational dynamics of the sensors?

With the goal of answering these classes of challenging questions, we are developing novel network packet analysis techniques and data analysis methods. These are incorporated and experimented in a novel prototype system called Deep-CYBERIA (Deep Cyber-Physical System Interrogation and Analysis).

Deep-CYBERIA is aimed at developing a network discovery capability (both passive and active) to enhance discovering, monitoring, and diagnosing the identity of cyber-physical system (CPS) components at level 0-1. The interrogation and analysis capabilities are targeted to uncover interdependencies among sensors with respect to cyber and physical process interactions, triggers, and after-effects. Analysis capabilities are aimed at building the foundation for sophisticated forensic features that reach beyond basic data-based inference.

In addition to small CPS testbeds, as a complex case study, the experimental network of the Cold Source portion of the High Flux Isotope Reactor (HFIR) facility at ORNL is exercised with the DEEP-CYBERIA implementation. Experiments have yielded excellent results. To date, DEEP-CYBERIA is able to (a) extract sensor information from packet-level traces, and (b) uncover key interdependencies among the inferred sensors. Using the causality graphs, we were able to dramatically reduce the number of false-positive links among the sensor variables. New causality algorithms customized for cyber-physical processes were able to further enhance the interdependencies to match the ground truth. Our approach ultimately aims to provide a broadly applicable, novel way to deepen understanding and strengthen the resilience of cyber-physical assets.

Speakers

Juan Lopez Jr., PhD

Cyber-Physical R&D Manager, Oak Ridge National Laboratory

Kalyan Perumalla

Oak Ridge National Laboratory
KALYAN PERUMALLA is a Distinguished Research and Development Staff Member and Manager at the Oak Ridge National Laboratory. Dr. Perumalla founded and currently leads the Discrete Computing Systems Group in the Computer Science and Mathematics Division at the Oak Ridge National Laboratory...


Tuesday October 22, 2019 11:45am - 12:30pm
Windsor Ballroom

12:30pm

Lunch
Tuesday October 22, 2019 12:30pm - 1:30pm
Windsor Garden

12:45pm

OT and IoT Security in Action (Lunch Workshop)
Come grab a bite and see first-hand why the world’s largest industrial companies have made Nozomi Networks the top solution for OT and IoT Security.  See real-time asset visibility, monitoring and threat detection in action.  Learn how you can quickly identify and protect your networks from threats while accelerating digital transformation and IT/OT convergence for your company.

Sponsored by: Nozomi Networks

Tuesday October 22, 2019 12:45pm - 1:30pm
Trippe I&II

1:30pm

Near Future of OT Attacks
Over recent years we’ve witnessed certain trends and shifts in OT attacks. By extrapolating from these attacks we can predict what the future of OT attacks might look like.

As AI becomes ubiquitous across every industry, we should expect cyber-criminals to also be looking to leverage AI for malicious purposes. OT attacks are particularly well-suited to benefit from advances in malicious AI; the ability for industrial malware to operate autonomously without communicating with command and control and to blend into its environment is highly desirable for OT attack campaigns. The AI and machine learning techniques necessary to develop AI-powered malware already exist - it’s just a matter of when malware authors will be able to hone these techniques to make AI attacks a reality.

This shift in attack patterns will necessitate a change in defensive strategy. This talk will explore the future use of AI in both industrial attacks and defense.

Sponsored by:  Darktrace

Speakers

Jeff Cornelius, Ph.D

EVP Industrial Control and Critical Infrastructure Solutions, Darktrace


Tuesday October 22, 2019 1:30pm - 2:15pm
Windsor DE

1:30pm

To See or Not to See – Visibility vs. Connectivity in ICS Environments
Confusion between the concepts of visibility and connectivity frequently leads to suboptimal outcomes in organizations that must defend industrial control systems from cyberattacks. The naïve view that monitoring a network makes it more exposed to attack ignores the cybersecurity benefits gained from ongoing monitoring and detection of misconfigurations, third-party connectivity, and adversary activity.

To illustrate this point, this session will analyze common ICS reference architectures from various industries, overlay a representative threat model, and examine the pros, cons, and options for introducing network-based cybersecurity monitoring in each case. We will discuss using a Collection Management Framework (CMF) to develop requirements for ICS defense and translate those requirements into a monitoring strategy. We will review key technical concepts relevant to deploying network monitoring infrastructure such as out-of-band/management networks, Network TAPs, SPAN or monitor port configuration. Lastly, we will consider potential staffing models for a Security Operations Center (SOC) tasked with defending ICS/OT assets.

Sponsored by: Dragos

Speakers

Dan Scali

Director of Channels, Dragos
Dan Scali is the Director of Channels at Dragos, where he works closely with Dragos’ channel partners to drive adoption of advanced threat detection and response within the ICS cybersecurity community. Dan has over 10 years of experience in industrial cybersecurity. Prior to joining...


Tuesday October 22, 2019 1:30pm - 2:15pm
Windsor C

2:15pm

How to Accurately Gauge Your Current ICS Cybersecurity Posture
The C-Suites of manufacturing and industrial processing companies often think they already have a handle on their ICS Cybersecurity through IT efforts. In actuality (through no fault of their own) IT has not taken into account the unique needs of protecting Operational Technology (OT) assets.
 
Attendees will learn and be able to articulate to their executive teams:
  • The most current threats to ICS Cybersecurity
  • The unique difference in implementing Cybersecurity industry standard best practices in OT vs IT
  • The vulnerabilities of industrial legacy systems that were created before malware
  • The risks of not having a clear understanding of all OT assets
  • How to gauge your current posture to begin to plan and budget appropriately

The goal of this session is to help teams within organizations powerfully and diplomatically articulate their own current risks and the unique needs of ICS Cybersecurity.

Speakers

Scott Timmer

Director of OT Infrastructure/Security Services, gpa
Scott is the Director of Security and Operational Technology Services at the national engineering and technology development firm, Global Process Automation (GPA). Scott is a highly accomplished network and security engineering professional with a progressive career in Industrial...


Tuesday October 22, 2019 2:15pm - 3:00pm
Windsor DE

2:15pm

SCADA Device Exploitation and Attack Mitigation Techniques
It's not news that SCADA vendors still have gaping holes in their PLC and HMI development environments.

Research into 7 different PLC vendor software systems details an almost negligent lack of security standards in modern SCADA environments. This lack of security creates great opportunity for future attackers and the next high-profile attack on industrial control systems.

The attack scenario cannot be overstated, as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors in one way or another. This session will show a theoretical attack that could have happened using recently discovered vulnerabilities and proof of concept code to disrupt a major power industrial system.

Joseph Bingham will share observations on vulnerabilities found in vendors across the board and mitigation techniques for using this required software in highly critical environments where even air-gapping is not enough to remove the threat of a remote attacker.

Learning Objectives
  • SCADA systems are extremely critical and their security needs to be considered much more highly in the future.
  • Some vendors are more reliable than others for a secure environment.
  • Demonstration of an actual SCADA attack and practical attack vectors.
  • Mitigation techniques for existing SCADA environments.

Speakers

Joseph Bingham

Senior Research Engineer, Zero Day Research, Tenable
Before joining Tenable in 2014, Joseph worked at Symantec doing malware reverse engineering. Since joining Tenable as a reverse engineer, Joseph has produced several publications on malware, exploitation and reverse engineering.


Tuesday October 22, 2019 2:15pm - 3:00pm
Windsor C

3:00pm

Afternoon Break
Tuesday October 22, 2019 3:00pm - 3:15pm
Pre-Function Hallway

3:15pm

Lessons Learned From Testing OT Security Solutions in Cyber Range Exercises
The Critical Infrastructure Security Showdown (CISS) 2019 is the third run of iTrust’s technology assessment exercise that took place at SUTD (The Singapore University of Technology and Design) in August 2019, and involved seven Red Teams and five Blue Teams utilizing an extensive water treatment lab setup.
In this session we’ll present the attacks that were used in this exercise, analyze the popular attack vectors and demonstrate the methods used to analyze such attacks. We’ll also share information from customer evaluations that included such exercises of attack scenarios on lab setups, traffic replay and controlled live networks. We’ll conclude with a discussion on how such exercises can be best used to evaluate and benchmark different tools and their fit to different customer needs.

Speakers

Ilan Barda

CEO, Radiflow
Ilan Barda, founder of Radiflow, is a Security and Telecom executive with 20 years of experience in the industry. Mr. Barda’s last position was the CEO of Seabridge, a Siemens subsidiary, with world-wide responsibility for the Siemens/Nokia-Siemens Carrier-Switches portfolio. Ilan...


Tuesday October 22, 2019 3:15pm - 4:00pm
Windsor DE

3:15pm

ICS Active Monitoring Using Analytics
Active system monitoring is a core tenet of a well-managed OT environment. The active system monitoring solution proactively connects to monitored systems and checks them, as opposed to passively waiting to get information from monitored systems. This method of system monitoring is better suited to state of health monitoring because there is no chance that a system will become inaccessible or otherwise non-functional and fail to report a problem. If the monitored system becomes inaccessible or otherwise impaired, the active monitoring system will discover that the next time it attempts to poll the monitored system or device. Creating a fully populated active monitoring system creates a foundation around which to structure OT support activities by providing alerting mechanisms that can target specific problem types to specific OT support roles and duties. To be a reliable source for trouble awareness and to be effective in communicating to OT support staff, an active system monitoring solution must be kept maintained with accurate configuration information. Failure to do so will create a sense that the environment is in a state of health that does not accurately reflect what is happening in the field.

Passive system monitoring is the collection of information that is reported by configured clients. This is a supplementary form of monitoring that generally provides for detail rich metadata and granular analysis of system behavior. For this reason, it lends itself well to more detailed security and state of health monitoring. Paired with active system monitoring, a passive monitoring solution can provide unparalleled assessment of the overall state of the OT systems environment. The passive monitoring system should receive information from the active monitoring system as well as the systems that the active monitoring system is monitoring in order to create a cyclical check system that reduces the likelihood of systems "going dark" without OT support staff being aware. A SIEM cybersecurity tool has been implemented, creating great value in the areas of general troubleshooting as well as OT activity awareness in multiple Syngenta OT environments to date. The tool provides a means by which to centralize all OT operational intelligence into one place for monitoring and analysis by OT engineers, administrators, technicians and functional managers alike.

This session covers using a combination of both active and passive monitoring to create the concept of “Active Monitoring using Analytics” within a chemical plant’s manufacturing environment.


Speakers

Jeff Young

Principal Engineer - Automation and Controls, Syngenta Engineering


Tuesday October 22, 2019 3:15pm - 4:00pm
Windsor C

4:00pm

DER Cybersecurity: Investigating the Challenges of Securing IIoT
The need for proactive cybersecurity defense mechanisms is a key concern in the energy sector as distributed energy resources (DERs) and the industrial internet of things (IIoT) introduce new connections and expand the attack surface of traditional energy generation and distribution networks.

In this session, participants will learn how the NIST NCCoE is gearing up to explore various scenarios in which information exchanges among commercial and utility DERs and electric distribution grid operations can be protected from cybersecurity compromises. Their work – informed by a highly-engaged community of thought leaders in the energy industry, cybersecurity community, government, and academia – will result in an open, practical, and standards-based proof-of-concept of cybersecurity capabilities demonstrating data integrity and malware prevention, detection, and mitigation in DER environments.

Speakers

Jim McCarthy

Senior Security Engineer, NIST NCCoE
Jim McCarthy is a senior security engineer at the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE). He currently serves as the lead for NCCoE energy sector projects where his work is focused on security data analytics, secure...


Tuesday October 22, 2019 4:00pm - 4:45pm
Windsor DE

4:00pm

Communication to the Physical Side: A Security View on PLCs Network Interface
Increasing demands in the industrial sector, such as predictive maintenance and remote servicing, also increase the amount of network capable industrial components. Furthermore, these cross-connections from the OT to the IT network increase the attack surface, enabling access to industrial devices for hackers.

This talk will demonstrate how hackers can easily interact with the physical side of PLCs. This means that attackers can cause effects in the real world over the Ethernet communication of the PLC. Then vulnerable devices around the world will be shown along with how they could be impacted by DoS attacks. This session will answer questions on how vulnerabilities of this kind can be found and how to interact within disclosure processes, and will give recommendations for manufacturers, operators and penetration testers.

Learning Objectives:
  • Insights into the interaction between the network and real-world physical process of ICS components.
  • How to find and map vulnerabilities to ICS components.
  • How to treat vulnerabilities as a manufacturer, integrator and operator.
  • How to securely scan and monitor industrial networks from the viewing angle of device robustness.

Speakers

Matthias Niedermaier

Embedded Security, HSA_innos


Tuesday October 22, 2019 4:00pm - 4:45pm
Windsor C

5:00pm

Cocktail & Dinner Reception - Foyer & Exhibitor Hall (5-7PM)
Please join us in the foyer and sponsor hall for a reception with cocktails and amazing food and enjoy networking with industry peers. As part of your conference experience, we have prepared a fantastic menu and premium bar!

Tuesday October 22, 2019 5:00pm - 7:00pm
Pre-Function Hallway

7:00pm

Bourbon-ISAC: Tasting and Networking
Network and share insights at Bourbon-ISAC! Hand-picked from a selection of more than 70 American bourbons from the Southern Art Bourbon Bar, Bourbon-ISAC will offer you a chance to end the day tasting some great Bourbons and networking with conference attendees.

Sponsored by: IOActive & CyberX 


Tuesday October 22, 2019 7:00pm - 9:00pm
 
Wednesday, October 23
 

7:30am

Breakfast and Registration
Please join us for  breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the day.

Wednesday October 23, 2019 7:30am - 10:00am
Pre-Function Hallway

8:15am

Five Blind Men and the Elephant Called ICS Supply Chain Security
Is a secure ICS software supply chain important to your company’s critical operations? And what does securing your supply chain really involve? A 3-year study sponsored by the US Department of Homeland Security revealed many different perspectives. ICS vendors, asset owners, consultants and security researchers all identified numerous complex priorities including:
  • Counterfeit firmware detection: Asset owners need to validate that firmware is authentic and hasn’t been tampered with. Vendors need to know if counterfeits of their products are circulating on the internet.
  • Mystery sub-component detection: Asset owners are looking for a Software Bill of Materials (SBoM) to reveal unexpected or unapproved sub-components that may contain vulnerabilities or malware. Vendors want to be able to trace back which of their products might contain those sub-components.
  • Version validation: Asset owners want to confirm that firmware is an up-to-date version, tested and approved by the factory rather than an unauthorized or obsolete version. Vendors need to be aware if unapproved versions are being installed in the field.
  • Certification-chain validation: Asset owners need to detect fraudulently signed packages masquerading as authentic. Vendors need to know if their private keys have been stolen and are being used to sign malware.
  • Stability confirmation: Asset owners want reassurance that even valid firmware packages are bug-free and won’t introduce instabilities. Vendors want to know the market perceptions of their upgrade packages to be proactive and protect their reputations.
These are just a few of the perspectives identified in the DHS research project. A common theme among them is the exploitation of trust between ICS vendors and their customers (and other suppliers). This talk will explore specific examples of each of these threats and discuss FACT, a framework for safeguarding against attacks on trust and reliability.

Learning objectives:
  • Identify key cybersecurity risks to critical infrastructure supply chains.
  • Understand existing security strategies (e.g. certificate signing, hashes) and their limitations.
  • Explore tools and solutions for addressing specific supply chain threats.



Speakers

Eric Byres

CEO, aDolus
Eric Byres is widely recognized as one of the world’s leading experts in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed ICS-specific firewall in...


Wednesday October 23, 2019 8:15am - 9:00am
Windsor Ballroom

9:00am

Eliminating Blind Spots in Your OT Security Program
Organizations are raising OT security to a high, or in some cases even their highest, priority. Digital innovation and growth are now business imperatives, and security must be at the forefront of enabling these strategies. Unfortunately, the underlying expansion in connectivity needed brings with it a wide range of challenges and vulnerabilities, ones that may not be visible to those monitoring, managing and securing these environments. Learn how to best identify and eliminate these blind spots throughout your infrastructure.

Presented by Diamond Sponsor IBM

Speakers

Robert Dyson

Global OT Security Services Business Leader, IBM


Wednesday October 23, 2019 9:00am - 9:45am
Windsor Ballroom

9:45am

Securing Smart Sensors in Industrial Machines
Smart sensors enable manufacturers and other operators to view and analyze real-time machine performance. By connecting sensor data to centralized monitoring platforms, engineers can optimize operation and perform predictive maintenance through advance notice of potential problems or anomalies. Unfortunately, as the number of cyber-attacks on ICS and related OT systems continues to increase, these connected sensors also represent possible cyber threat vectors into the plant and potentially into the machines themselves. In this session we'll discuss the various technologies, architectures, and best practices to secure smart sensors in industrial machines without compromising on the benefits of connected technologies within ICS.

Speakers

Phil Won

Product Manager, Owl Cyber Defense
Phil Won is a Product Manager at Owl Cyber Defense, specifically focusing on product definition, development, and go-to-market strategy for the company's core cybersecurity product platforms for IoT, IIoT, financial services, and healthcare verticals. His main product line is Owl's...


Wednesday October 23, 2019 9:45am - 10:30am
Solutions Theater

9:45am

Homogenization of Attacker Toolsets
Attackers, including ICS-targeting adversaries, are increasingly using the same toolsets for a myriad of reasons.  It cuts down on development time, allows for lower attribution rates and gives attackers more “playbooks” to fall back on.  The near ubiquitous nature of Mimikatz -- utilized by the most dangerous ICS-specific adversary, XENOTIME -- is just one example.  Attackers are rapidly integrating other tools such as Metasploit, PowerShell Empire and Cobalt Strike into their tactics, techniques and procedures (TTPs). This presentation will discuss the evolution of ICS attacker techniques and provide defenders with methods to mitigate against them.

Speakers

Thomas Pope

Adversary Hunter, Dragos
Thomas Pope is an Adversary Hunter at Dragos. He works with prospective and current customers to improve the Dragos threat intelligence offerings while hunting for ICS-specific activity groups and malware. He previously worked at Duke Energy, where he performed many roles in and outside...


Wednesday October 23, 2019 9:45am - 10:30am
Windsor Ballroom

10:30am

Morning Break
Wednesday October 23, 2019 10:30am - 10:45am
Pre-Function Hallway

10:45am

Adventures in IT/OT Convergence
This presentation will share some adventures and challenges of the last few years as OT systems have moved from isolation to integration with corporate business systems.

Presented by Mark Brosseau, senior manager of the EPCOR plants control and automation teams, this session will provide a description of what is being implemented and what is being learned with representation from IT and OT groups across the company.

Speakers

Mark Brosseau

Sr. Manager, Plants Control and Automation, Epcor Water Services
Mark Brosseau P.Eng. is the senior manager of the EPCOR plants control and automation teams responsible for the engineering and support of the Edmonton water and wastewater plant control systems. He has over 25 years of experience in the implementation of control systems in industrial...


Wednesday October 23, 2019 10:45am - 11:30am
Windsor Ballroom

11:30am

Evolution of ICS Security: How and Why Companies Should Change the Status Quo
Plants have traditionally maintained a level of autonomy over control systems and supporting solutions. Vistra Energy is taking a new path. As one of the largest users of industrial controls in North America, Vistra Energy is not only changing their approach, but also those of their vendors as well. In this session, Ben Stirling, Lead for Generation Cyber Security at Vistra Energy, will discuss how the integrated energy company has taken aim at this from a technical and policy perspective. Further, we will cover design elements of new security tools Vistra has helped to create in the pursuit of refining the overall industry approach.

Examples include:

Removable media and file transfer
  • Architecture
  • Perimeter security
Secure remote access
  • Architecture
  • Risk assessment and plant buy-in
  • Roll out and technical hurdles
Change monitoring / Regulatory compliance automation
  • Architecture
  • Outcomes
  • Next steps
  • Maturing the stack
  • Life-cycle approach

Speakers

Ben Stirling

Lead, Generation Cyber Security, Vistra Energy
Benjamin Stirling is a Lead Generation Cyber Security Analyst with Vistra Energy as well as a member of the ERCOT CIP working group and ISA 99 Workgroup 4. For the last 6 years, Ben has been deeply integrated with Luminant’s I&C, Operational Technology, and Vistra Cyber Security groups. Providing support in cyber security engineering regarding industrial con...


Wednesday October 23, 2019 11:30am - 12:15pm
Windsor Ballroom

12:15pm

Lunch - Windsor Garden
Wednesday October 23, 2019 12:15pm - 1:30pm
Windsor Garden

12:30pm

Water Safety: It’s the Job of Operations and IT (Lunch Workshop)
Safe water and clean water are essential for public health, ecosystem protection and economic strength. Supporting these important functions requires secure information technology (IT) and operational technology (OT).

Gwinnett County Department of Water Resources understood the need to take proactive steps to protect this critical lifeline for their community. They invested in a modernization project to unify their SCADA platforms and bolster their cybersecurity posture across their water plants, waste water facilities and distribution facilities.

During this session, experts from Gwinnett County and Fortinet will:
  • Share the journey toward SCADA modernization and the implementation of a cybersecurity platform
  • Review standard practices used to deploy a standard ICS architecture
  • Discuss lessons learned through the modernization journey

Join Sam Paul from Gwinnett County Department of Water Resources as he shares their journey to segment and segregate their OT network – with a vision of standardizing and modernizing their SCADA systems – including partnering with IT to embed cybersecurity into their ICS security plan. Hear from Fortinet ICS expert Carlos Sanchez as he speaks to the benefits of the Fortinet Security Fabric to simplify and streamline the cybersecurity needs for industrial control systems.

Speakers

Sam Paul

Section Manager | SCADA Systems & Projects, Gwinnett County, Department of Water Resources
Sam Paul is the Section Manager over SCADA systems and Projects for the Department of Water Resources, Gwinnett County Government. Sam is a strategic futurist and visionary leader with a drive to learn the challenges and help organizations transform to meet the escalating expectations...

Carlos Sanchez

Global Sales Enablement, Operational Technology, Fortinet
Carlos-Raul Sanchez is a technologist with 32 years of experience in network, telecommunications, and critical infrastructure security. Carlos specializes in simplifying complex business problems with a pragmatic application of technology. With a wide range of experience ranging from...


Wednesday October 23, 2019 12:30pm - 1:15pm
Trippe I&II

1:30pm

Leveraging Cybersecurity to Improve Operations & Situational Awareness
Cybersecurity solutions are becoming more prevalent, and there are significant benefits that can be realized in operations.  This session will discuss the value of technologies not only for Compliance and Cybersecurity but will emphasize how technologies can be leveraged to improve Operations and Situational Awareness from an OT perspective.

Sponsored by: TDi Technologies

Speakers

Bill Johnson

Founder, CEO, TDi Technologies
Bill Johnson has over 20 years’ experience in the IT/OT infrastructure management field. He is the founder of TDi Technologies and its flagship platform, ConsoleWorks. Bill is a recognized Thought Leader by such prestigious organizations as The SANS Technology Institute and the...


Wednesday October 23, 2019 1:30pm - 2:15pm

1:30pm

To Protect Your IP, You Must Think Like a Hacker
As the ICS industry moves to more standardized platforms, making use of connectivity and the use of off-the-shelf software, critical software has never been more vulnerable to access by hackers or reverse engineers. Wanting to monetize their high-tech innovations, many industrial companies are productizing digital twins, predictive maintenance, digital diodes, behavioral analytics, AI/ML, Additive Manufacturing, and so much more. However, at the core of these product innovations is the patentable Intellectual Property developed in software, for which the attack surface has exponentially increased by IIoT connectivity. If compromised, this software is as readable as a book to any hacker able to run commonly available reverse engineering tools.

In this session, Mark Hearn, Sr. Director of Strategic Business Development at Irdeto, will take you through a discussion of how hackers think about their targets, what they look for, and how your product security requirements can combat them. Starting with the maturing of the Secure Software Development Lifecycle, delving deeper on software protection, and highlighting where advances in software protection are headed, Mark will demonstrate how your software businesses would significantly benefit from the protection of the key algorithms and critical data advancing your IIoT ecosystems.

Sponsored by: Irdeto

Speakers

Mark Hearn

Head of IoT Security, Irdeto
Mark Hearn is the Head of IoT Security at Irdeto. He is responsible for leading Business Development strategies to secure organizations’ IoT applications and connected devices. Mark has been with Irdeto since 2003, through Irdeto’s acquisition of Cloakware. Mark is a seasoned...


Wednesday October 23, 2019 1:30pm - 2:15pm

2:15pm

Consolidating OT and IT Visibility, Security Analytics and Alerting
Many organizations have limited visibility into the potentially malicious activity in their environments. This is especially true in OT environments, where many traditional security tools provide little help. In this session we’ll show how IBM Security’s QRadar, the recognized leader in the SIEM and analytics market, integrates with Nozomi’s SCADAguardian, which gives deep visibility and insights into activity within your OT environment, drastically improving your ability to detect attacks.

Sponsored by IBM

Wednesday October 23, 2019 2:15pm - 3:00pm
Windsor C

2:15pm

Industrial Control Deception Environments – Levels of Simulation
Deception environments are systems designed to focus an attacker’s attention, thereby providing early warning of an intrusion, and allowing for analysis of an attacker’s motivations, tools, tactics, and procedures. They are composed of traditional honeypot and honeynet style components, together with other elements such as ‘breadcrumbs’ that are distributed across a real network to entice a potential intruder. Deception environments differ from honeypots in that they are intended to simulate realistic aspects of an organization, and are designed as a defensive campaign.

This presentation introduces analysis into how a deception environment for an industrial control environment can be created. Using the Purdue model for reference it examines the different levels of simulation that can be constructed – simulation of physical processes, control simulation of OT devices, simulation of supervisory systems, and at the highest level the simulation of enterprise systems and even personnel. The analysis examines what is possible at each level, how different levels can be simulated, and discusses which components should be simulated for a particular deception campaign, and how that offers protection against attacks.

Learning Objectives:
  • The benefits of industrial control deception
  • How to create an industrial control deception environment
  • What systems and processes are suitable for simulation
  • How to build an industrial deception campaign

Speakers

Dr. Mike Westmacott

Senior Cyber Security Researcher, Thales
Mike has worked as a technical cyber security analyst for ten years, at boutique security consultancies, and currently at Thales UK where he holds the position of senior cyber security researcher. His current interests and research topics are deception technologies, psychological...


Wednesday October 23, 2019 2:15pm - 3:00pm
Windsor C

3:00pm

Afternoon Break
Wednesday October 23, 2019 3:00pm - 3:30pm
Pre-Function Hallway

3:30pm

OT Security - Where to Focus First? [Panel]
As organizations are putting more resources into OT Security, where should we initially focus those efforts to get the biggest immediate reductions in risk? Should it be identifying and prioritizing critical vulnerabilities or gaining deeper visibility into OT environment network activity and applying sophisticated analytics? Many non-Industrial organizations start with locating, classifying and securing their critical data as well as controlling who has access to it; these are high-return options too. Join us and our panel of industry experts to discuss how this can be done in your environments.

Moderators

Robert Dyson

Global OT Security Services Business Leader, IBM

Speakers

Jim Tassell

Sr. Security Architect - Manufacturing & OT, Kellogg Company

Mark McCollum

IT/OT Cyber Security Advisor, ExxonMobil

Dennis Reitz

Lead, OT & Lab Security, Takeda Pharmaceuticals
Dennis Reitz has been a professional in Information Technology for 24 years and has worked at Takeda for 15 of those. During that time, he has held numerous technical and leadership positions in both Infrastructure and IT Security. His current role is focused on securing Takeda’s...

Rick Wilson

Senior Manager, Industrial Control Cyber Security, CP Kelco


Wednesday October 23, 2019 3:30pm - 4:15pm
Windsor DE

3:30pm

Segregating a Flat Network for Increased Reliability and Security
This presentation discusses the rationale and learnings gained when re-designing a flat Electrical Protection Network (EPN) to a segregated network to increase reliability and security. The electric utility used in this real-world case study has a network of 55 interconnected substations varying in voltage from 600 volts to 34.5kV. The original EPN network was designed as a flat network. As a result, they had experienced reliability issues: a single fault or cyber event on the network could result in a partial or complete network failure. The project involved segregating the network into smaller logical sections that would prevent network outages and confine network failure risks to smaller, distinct and controllable regions.

The design criteria for the network included supporting the GOOSE high-speed protocol, with considerations for the large geographic location. Other key requirements of the EPN included allowing electrical protection relays to communicate with each other for high-speed system protection coordination, thus reducing system arc flash values. The network must support operating status and control, alarms, trips and metering information to local HMIs and the T&D High Voltage Control Centre.

The presentation will also focus on the network security aspect, including the design, testing and installation of DMZ firewalls used to protect the network and the use of VLANs and network switches for increased network separation, isolation and security. The factory acceptance testing was performed in an IEC 61850 lab environment configured to simulate the field parameters while subjecting the system to numerous cyber-attacks and fault simulations. The reconfiguration of the network was performed on an operating facility.

Speakers

Paul Haughey

Automation and ICS Cybersecurity Specialist, BBA
Mr. Haughey completed Telecommunications Technology from Northern Alberta Institute of Technology. He holds over 35 years of experience specializing in Industrial Control System design, programming and commissioning on a variety of systems. He has worked on projects in Oil & Gas...


Wednesday October 23, 2019 3:30pm - 4:15pm
Windsor C

4:15pm

Supply Chain Cyber Threats: Cooperation Across the Digital Ecosystem
Recent advanced and unexpected threats to supply chains have exposed new cyber-terrorism, malware, and data theft. What are organizations, their suppliers, and regulators doing to counter these threats?

This session will discuss examples of emerging threats in the supply chain landscape and protective measures regulators have taken, along with:

  • Approaches organizations are taking to identify, minimize, and mitigate supply chain cyber risks.
  • Leading practices from industries with advanced cyber supply chain risk management programs.

Participants will gain new insights into securing their supply chains in response to the increasing threat of cyberattacks on an expanding digital ecosystem.

Speakers

Stephen Batson

Senior Manager, Risk and Financial Advisory, Deloitte
Mr. Batson functions as a Senior Manager for Deloitte with 30 years of experience focused on designing and securing utility IT and ICS systems to meet NIST, NRC, NERC, IAEA, IEC, and ISO 27000 series cyber security standards and regulations. Mr. Batson is responsible for strategy...

Rob Garry

Executive Chief Engineer, GE Power
Rob is a career ICS controls engineer for Power Generation. In his current role as Product Cyber Chief he is responsible for securing customer industrial controls systems for application in industrial powerplants. He works in both the technical and regulatory aspects of the field...


Wednesday October 23, 2019 4:15pm - 5:00pm
Windsor DE

4:15pm

Effective OT Security Monitoring: a Cyber Kill Chain Approach
As the number of high profile OT security incidents increases (or at least their visibility) there has been a vast increase in cyber security investment for organizations operating in this domain.  Much of this investment has gone towards improving security monitoring capability.  A common question that we often hear from organizations, however, is how can they ensure that the decisions they are looking to make (or have made) provide the intended return on investment? That is, how can we ensure that these investments result in effective OT security monitoring? This talk will answer these questions while providing the following key contributions:
  • Based on experiences of simulating real world attackers and their Tools, Techniques and Procedures (TTPs) we will demonstrate through visualized attack paths the most effective locations for detection security controls.
  • A roadmap will be provided for organizations looking to improve their OT security monitoring capability, which will be targeted not only at the “ideal”, but will also provide guidance for organizations operating with tighter budget constraints.

Speakers
William Knowles

Senior ICS Security Consultant, Applied Risk
William Knowles is a Senior ICS Security Consultant at Applied Risk. He specializes in goal-oriented security testing, and works to help organizations improve both their prevention and detection capabilities. His research interests primarily revolve around the breadth of post...


Wednesday October 23, 2019 4:15pm - 5:00pm
Windsor C

6:00pm

Offsite Party - South City Kitchen
Don't miss this year's offsite party at South City Kitchen! Attendees will enjoy Southern classics with a sophisticated spin from an iconic bungalow in the heart of Midtown Atlanta. This VIP experience for all full conference pass holders will include signature dishes like fried chicken and shrimp & grits alongside innovative, inspired regional cuisine. Enjoy craft cocktails, local beers and fantastic wines as you network with other conference attendees.

Sponsored by ThreatGen


Wednesday October 23, 2019 6:00pm - 9:00pm
South City Kitchen 3350 Peachtree Rd NE, Suite 175 Atlanta, GA 30326
 
Thursday, October 24
 

7:30am

Breakfast and Registration
Thursday October 24, 2019 7:30am - 10:00am

8:15am

The Convergence of Safety and Cybersecurity
Innovation often happens when different disciplines share knowledge. We’re seeing this today with increased interactions between the risk management, industrial cybersecurity, and process safety disciplines. There is growing recognition of interdependencies between security and safety in control systems that is leading some in industry to expand their use of process safety standards and best practices such as HAZOP analysis and process safety risk matrices. Combining these risk management approaches with proper work procedures and structured change management techniques can help better protect systems against attacks while also reducing damage or disruption to critical operations.
 
This session will discuss the relationships between safety and cybersecurity risks, the approaches companies are taking to mitigate these risks, and the benefits that can be gained by coupling the domain knowledge and best practices from the worlds of process safety and cybersecurity alike.
 
This information will be of benefit to owner-operators, equipment suppliers, solution suppliers, and researchers interested in industrial cybersecurity and safety.

Speakers
Larry O’Brien

Vice President of Research, ARC Advisory Group
Larry is part of the cybersecurity and smart cities and infrastructure teams at ARC. Larry has a 20-year background in process control, process safety, and field devices/field networks. Over the years, Larry has supported many of our end-user clients in the oil and gas and refining...


Thursday October 24, 2019 8:15am - 9:00am
Windsor Ballroom

8:15am

Benefits of Securing ICS With SDN
Speakers
Jeff Smith

CTO, DYNICS
A longtime advocate, pioneer and leader in the design and implementation of Ethernet based control systems. Jeff has spent the last 25 years architecting plant floor control systems and networks with the goal of safely and securely moving data from the manufacturing space to the enterprise...


Thursday October 24, 2019 8:15am - 9:00am
Windsor C

9:00am

Security Concerns Around End of Life/Sales/Support (EOL/S/S)
Speakers
Jack D. Oden

Principal Project Manager and ICS Cybersecurity SME, Parsons
Jack D. Oden, Principal Project Manager and ICS Cybersecurity Subject Matter Expert (SME), is a self-motivated, energetic, and accomplished team player and speaker with twenty years’ experience in negotiating system improvements between users and engineers; developing projects...


Thursday October 24, 2019 9:00am - 9:45am
Windsor DE

9:00am

Using Virtual Network TAPs in an ICS Environment
Network visibility provides situational awareness in an Industrial Control System (ICS). The use of physical network TAPs or SPAN ports to provide information to an out-of-band monitoring solution is critical to increasing the security posture of an ICS network. However, as more ICS vendors incorporate virtual machines (VMs) into their designs, an additional layer of tapping is necessary to ensure no blind spots are present. Communication between VMs can provide an opportunity for malicious actors to remain undetected, due to traditional tapping methods not being able to see the traffic.

One solution to capture inter-VM communication is the use of Virtual Network TAPs. This software solution monitors traffic flows between VMs and mirrors the traffic to be forwarded to security tools for analysis. The presentation will cover how Virtual Network TAPs can be installed on a typical ICS network that uses virtualization, the typical capabilities of Virtual Network TAPs, and ways the data can be used if your project has a limited cybersecurity budget. Increased hardware virtualization is on the horizon, and being able to set up and use Virtual Network TAPs will ensure your control system can be monitored effectively.

Speakers
Nikolas Upanavage

Senior Control Systems Engineer, Bechtel Corporation
Nikolas Upanavage is a Senior Control Systems Engineer working at Bechtel’s ICS Cybersecurity Technical Center. He has held roles on several Bechtel Engineering projects supporting the design and construction of Nuclear Power Plants, Chemical Agent Destruction Facilities, and...


Thursday October 24, 2019 9:00am - 9:45am
Windsor C

9:45am

Consolidating OT and IT Visibility, Security Analytics and Alerting
Many organizations have limited visibility into the potentially malicious activity in their environments. This is especially true in OT environments, where many traditional security tools provide little help. In this session we’ll show how IBM Security’s QRadar, the recognized leader in the SIEM and analytics market, integrates with Nozomi’s SCADAguardian, which gives deep visibility and insights into activity within your OT environment, drastically improving your ability to detect attacks.

Thursday October 24, 2019 9:45am - 10:30am
Solutions Theater

9:45am

IT and OT Join Forces to Secure Smart Cities
This session will demonstrate possible cyber-physical attacks against Smart Cities, by examining the challenges specific to port and maritime systems. By examining lessons learned from these incidents, this talk will reveal how a layered response covering architectural, procedural, technological, and organizational measures can help mitigate risk efficiently. IT security practitioners from every industry are facing the challenges posed by our connected world. This session will highlight the principal challenges and benefits of integrating Information Technology with Operational Technology.

Learning Objectives - After attending this session you will understand how to:
  • Meld the architectural imperatives of OT – safety and service reliability – with Information Technology – Data shall not be lost, altered or inadvertently disclosed.
  • Integrate IT and OT networks without increasing the attack surfaces of both.
  • Develop processes and systems to bring IoT-enabled capabilities into the SDLC, whether waterfall, Agile, or DevOps.
  • Enhance organizational maturity to reduce re-work, eliminate problem rediscovery, and improve overall quality.

Speakers
William Malik

VP of Infrastructure Strategies, Trend Micro
William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service in the mid-1990s, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management...


Thursday October 24, 2019 9:45am - 10:30am
Windsor DE

9:45am

Recycling Industrial Attacks – Five Things You Need To Secure Your Operation
One of the newest trends in the OT security space is the recycling of OT attacks that make a second or third appearance. This session will cover 3 real examples of OT attack recycling. We will explain the role IT has played in making OT attack recycling possible, why attacks are making return appearances with examples, and what the security community must do to keep OT safe from these threats now and in the future.

Session Objectives
  • Gain insight into recent recycled OT attacks (e.g., Shamoon, LockerGoga and others), how they were perpetrated and the etiology of these attacks.
  • Ramifications of future attacks
  • Learn five measures IT and OT security teams can take to protect against these new generation attacks

Speakers
Juan Lara

Global Vice President of Sales Engineering, Indegy
Juan Lara is the Global Vice President of Sales Engineering for Indegy, Inc. Juan has worked in the cyber security field since his initial training in the United States Army in 1990. He has architected and deployed data security solutions to meet the requirements of customers...


Thursday October 24, 2019 9:45am - 10:30am
Windsor C

10:30am

Morning Break
Thursday October 24, 2019 10:30am - 10:45am
Pre-Function Hallway

10:45am

Securing IIoT/Cloud Data Communications
With the rise of the IIoT and cloud platforms interacting with ICS equipment, OT-IT separation is no longer a valid form of security. Internet and cloud connectivity are basic staples, if not requirements in the modern industrial enterprise. Endpoints are spread out across machines, networks, user devices, organizations (for example, cloud vendors, third-party asset owners, and contract manufacturers). Data is being pushed out of the entire organization from IT systems all the way down to devices attached to process equipment. This paradigm shift calls for a new approach – one that won’t fit in the previous layered, separated model. This session will discuss cybersecurity methods and technologies to build a new, secure framework outside and above the traditional models of ICS data communications, to incorporate new platforms and account for the increasing connectivity of systems and devices in today's industrial enterprises.

Speakers
Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...


Thursday October 24, 2019 10:45am - 11:30am
Solutions Theater

10:45am

Hidden Vulnerabilities: A Look Into Global IoT/ICS Risk Trends
CyberX's Global IoT/ICS 2020 Risk Report presents a data-driven analysis of real-world vulnerabilities based on network traffic collected from actual production networks, as opposed to results derived from opinion-based surveys. Including the data presented in previous reports, CyberX has now analyzed over 3,000 IoT/ICS networks worldwide.

Gaining visibility into IoT/ICS risk and mitigating these "hidden" vulnerabilities is critical to protecting organizations from costly production downtime, safety and environmental incidents, and theft of sensitive intellectual property.

This session will unveil the findings from the 2020 report spanning diverse IoT/ICS systems -- including robotics, refrigeration, chemical and pharmaceutical production, power generation, oil & gas production, and building management systems (HVAC, CCTV, etc.) -- across all industrial verticals worldwide.

It will quantify the prevalence of critical vulnerabilities such as outdated operating systems, unencrypted passwords, remotely accessible devices, direct internet connections, lack of automatic antivirus updates, and indicators of threats (malware, malicious DNS queries, abnormal HTTP headers, etc.).

This session will also compare median security score across industries and conclude with a series of practical recommendations based on mitigation strategies developed by Idaho National Labs (INL).

Speakers
Phil Neray

VP of Industrial Cybersecurity, CyberX


Thursday October 24, 2019 10:45am - 11:30am
Windsor DE

11:30am

The Myths of IIoT Security
During this talk, Joe Marshall of Cisco Talos will discuss some of the prominent myths that surround IIoT Security. Topics included will be IIoT research and vulnerabilities, calculating risk, and best practices to ensure your enterprise remains safe.

Sponsored by Cisco

Speakers
Joe Marshall

ICS Security Research Manager, Cisco Talos
Joe is a security researcher for the Outreach Team, one of the largest commercial threat intelligence teams in the world. Specializing in ICS, critical infrastructure protection, and IoT device security. Joe has worked with public and private industry around the world to help secure...


Thursday October 24, 2019 11:30am - 12:15pm
Windsor DE

11:30am

PHY-Based DNA Fingerprinting to Discriminate WirelessHART Sensor Network Devices
The Air Force Institute of Technology's (AFIT) work continues on developing a reliable non-intrusive, non-operably connected PHY-based security augmentation for IoT, IIoT, ICS/SCADA, and general wireless sensor applications. The successful demonstration and historical maturation of Distinct Native Attribute (DNA) Fingerprinting methods has led to a patent-pending DNA cyber security monitoring capability supporting both pre-attack defense and post-attack forensic objectives. The monitoring system foundation is derived from wired Highway Addressable Remote Transducer (HART) signal work in, with favorable results therein motivating the more recent WirelessHART work being reported upon here. The goal is reliable DNA-based discriminability of device hardware (cross-manufacturer, cross-model, and like-model serial number) and/or device operating state (normal vs. anomalous). The PHY-based physical-layer work here is of particular interest given that a majority of WirelessHART security mechanisms (some would argue all) are implemented exclusively within higher bit-level network layers using some of the same protection mechanisms commonly attacked in IT systems. Most recent results for WirelessHART are sufficiently favorable to motivate continued investigation and include better than 90% 8-class device discrimination of Sitrans AW210 and Pepperl+Fuchs Bullet adapters.

Speakers
Christopher M. Rondeau

Air Force Institute of Technology, Air Force Institute of Technology (AFIT)
Chris Rondeau is a PhD Student and researcher at the Air Force Institute of Technology (AFIT) in Dayton, OH. He works under the Radio Frequency Intelligence (RFINT) research area led by Dr. Mike Temple. Chris’ research is an extension of the work previously done by Dr. Juan Lopez...


Thursday October 24, 2019 11:30am - 12:15pm
Windsor C

12:15pm

Lunch
Thursday October 24, 2019 12:15pm - 1:30pm

1:30pm

Why and How to Choose an OT MSSP
Edy leads Cyberbit’s product strategy. Prior to joining Cyberbit, Almer served as VP of Product for Algosec; during this period the company’s sales grew by over 4X in 5 years. Before Algosec, Edy served as VP of Marketing and Business Development at Wave Systems, an enterprise security software provider, following its acquisition of Safend, where he led business development, marketing and product management. Prior to Safend, Edy managed encryption and endpoint DLP products within the Endpoint Security Group at Symantec. Edy also was CTO for Partner Future Comm, Orange's Corporate VC arm, and served in the IDF intelligence corps. Edy holds a B.Sc. in Electrical Engineering from the Technion and an MBA from Tel Aviv University.

Speakers
Edy Almer

VP Product, Cyberbit
Edy leads Cyberbit’s product strategy. Prior to joining Cyberbit, Almer served as VP of Product for Algosec; during this period the company’s sales grew by over 4X in 5 years. Before Algosec, Edy served as VP of Marketing and Business Development at Wave Systems, an enterprise...


Thursday October 24, 2019 1:30pm - 2:15pm
Windsor DE

1:30pm

Industrial Control Systems: Comparing Methodologies to Reduce Risk
Organizations and professionals are challenged to protect industrial control systems (ICS). Industrial control systems have been and continue to be the target of advanced cyber-attacks. These systems run the infrastructures that power the electric grid, natural gas supply, transportation, and other vital commodities. Cyber-security professionals have enumerated various techniques and methods to protect ICS against cyber-attacks. Despite these protective methods, ICS still suffer from breaches.

This study conducted a deep dive into three of the most advanced ICS cyber-attacks (Stuxnet, TRISIS, BlackEnergy 3).

The tactics of penetration and attack of each cyber-attack were reviewed. The study then examined several of the methods of protection recommended by regulatory and industry professionals. Each of these protection methods was matched against each of the advanced cyber-attacks to establish the efficacy of the method to protect the ICS.

The results of this study found that not all methods of ICS protection worked against advanced ICS cyber-attacks. In addition, there was a noticeable difference of protection among the methods against first-time attacks, when the malware was unknown, versus attacks when the malware was known to the cyber community and steps were taken to defend against the attack.

The study recommended further research into current ICS cyber-attacks. Additional exploration should be done to select and examine other documented methods of protection. Adding further results to the tables in the study will sharpen the determination of the effectiveness of each method against cyber-attacks.

Speakers
Nathan Katzenstein

Nathan is an IT professional with 20+ years of experience in Operations, Departmental Director, IT Project Management & Project development. He will be presenting his research paper "ICS Protection Methodologies - What works for your site?" Completed a Masters in Cyber Security...


Thursday October 24, 2019 1:30pm - 2:15pm
Windsor C

2:15pm

Charter of Trust in the Industrial World: Principles of Building a Safer Ecosystem
The Charter of Trust is a global initiative designed to transform the way we engage with Cybersecurity. There are ten principles designed to harmonize and simplify efforts and raise the level of maturity of Cybersecurity. During this session, we will talk about a subset of principles and how they help co-create a more secure industrial sector. There will also be examples of success.

Members of the Charter of Trust include: Siemens, IBM, AES, NXP, Daimler, Dell, Cisco, T-Mobile, Enel, MSC, Allianz, Atos, SGS, Tuv Sud, Total, Airbus, MHI.

Speakers
Kurt John

Chief Cybersecurity Officer, Siemens USA
Kurt John is Chief Cybersecurity Officer of Siemens USA, where he is responsible for the Cybersecurity strategy, governance and implementation for the company’s largest market - ~$23B in annual revenues. In this role Kurt oversees the coordination of Cybersecurity for our products...


Thursday October 24, 2019 2:15pm - 3:00pm
Windsor C

3:00pm

Afternoon Break
Grab a snack, a coffee, or even a beer to take to your seat as we get ready for the closing discussion and wind down a great week at the 2019 ICS Cyber Security Conference!

Thursday October 24, 2019 3:00pm - 3:15pm
Pre-Function Hallway

3:15pm

[Panel Discussion] Insights and Observations on #ICSCC19 - Grab a Beer and Join the Conversation!
Moderators
Phil Neray

VP of Industrial Cybersecurity, CyberX

Speakers
Mark Brosseau

Sr. Manager, Plants Control and Automation, Epcor Water Services
Mark Brosseau P.Eng. is the senior manager of the EPCOR plants control and automation teams responsible for the engineering and support of the Edmonton water and wastewater plant control systems. He has over 25 years of experience in the implementation of control systems in industrial...

Imran Mohiuddin

Microsoft’s Datacenter Cybersecurity, Microsoft
Imran Mohiuddin heads Microsoft’s Datacenter Cybersecurity program management team responsible for keeping datacenters secure holistically. Microsoft datacenters constitute a complex industrial-scale facility sitting at the intersection of operational technologies (OT) and information...


Thursday October 24, 2019 3:15pm - 4:00pm
Windsor C

4:00pm

Conclusion of SecurityWeek's 2019 Cyber Security Conference
Thank You Sponsors and Attendees. Please join us for our APAC event in Singapore in April 2020, or again in Atlanta in October 2020.


Thursday October 24, 2019 4:00pm - 4:30pm