This is a DRAFT Agenda for SecurityWeek’s 2019 ICS Cyber Security Conference. Sessions are being added daily and the final program will include 4 FULL DAYS of content. (View the full conference website here) (You can Register for ICS Cyber Security Conference Here)


Monday, October 21


Breakfast and Registration
Monday October 21, 2019 7:30am - 10:00am


Advanced ICS/SCADA Hacking Training [$]
This one-day Advanced ICS/SCADA Hacking Training teaches security analysis and exploitation methodologies for evaluating the resilience of ICS environments and their associated components.

During the course, participants will have the opportunity to engage in real-life attacks against key ICS/SCADA components. The course takes a deep dive into industrial systems and devices, such as Programmable Logic Controllers, Variable Frequency Drives, and Safety Controllers, as well as protocols used in ICS environments such as Profinet and Modbus.

This course is technically advanced in nature and has been specifically designed for technical staff responsible for securing ICS systems and environments, typically staff in roles such as Process Automation Engineer, Control Systems Engineer, IT/OT Security Officer, Network Engineer, Penetration Tester, Forensic Researcher, System Developer, and Auditing and Security Operations Officer.

Requirements: Students must bring their own laptop with VMware Fusion or VMware Workstation Player. Administrative privileges to the host laptop may be required to ensure proper virtual machine functionality. VM images will be provided to students; a minimum of 20GB free disk space is required.

Key Takeaways
  • Methodologies through which security research may be performed against ICS/SCADA devices in order to abuse known and unknown vulnerabilities
  • Real-life attack experience against key ICS components and protocols
  • Knowledge covering how industrial hacking is executed. This will enable you to better protect your operations against hacking activities

Course Content - The Advanced ICS/SCADA Hacking training consists of the following modules:
  • Overview, trends and threats
  • Securing ICS environments
  • Open Source Intelligence (OSINT)
  • Attacking devices – Identify & exploit
  • Hacking Windows-based systems
  • Fuzzing & abusing industrial protocols
  • Firmware Reverse Engineering

Register Now for the Training

Monday October 21, 2019 8:00am - 8:15am


Intro to Industrial Automation Security and ISA/IEC 62443 Standards (IC32C) [$]
CEU Credits: 0.7
Fee: $400 - Register
Certification of Completion: A Certificate of Completion indicating the total number of CEUs earned will be provided upon successful completion of the course.

Understanding how to secure factory automation, process control, and Supervisory Control and Data Acquisition (SCADA) networks is critical if you want to protect them from viruses, hackers, spies, and saboteurs.

This seminar teaches you the basics of the ISA/IEC 62443 standards and how they can be applied in a typical factory or plant. You will be introduced to the terminology, concepts, and models, and the elements of creating a cybersecurity management system will be explained, along with how these should be applied to industrial automation and control systems.

You will be able to:
  • Discuss why improving industrial security is necessary to protect people, property, and profits
  • Define the terminology, concepts, and models for electronic security in the industrial automation and control systems environment
  • Define the elements of the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Define the core concepts of risk and vulnerability analysis methodologies
  • Define the concepts of defense in depth and the zone/conduit models of security
  • Explain the basic principles behind the policy development and key risk mitigation techniques
  • Explain why improving industrial security will be necessary to protect people, property, and profits

You will cover:
  • Understanding the Current Industrial Security Environment: What is Electronic Security for Industrial Automation and Control Systems? | Trends in Security Incidents
  • How IT and the Plant Floor are Different and How They are the Same
  • Current Security Standards and Practices
  • Creating A Security Program: Critical Factors for Success/Understanding the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • Risk Analysis: Business Rationale |Risk Identification, Classification, and Assessment
  • Addressing Risk with Security Policy, Organization, and Awareness: CSMS Scope | Organizational Security | Staff Training and Security Awareness | Business Continuity Plan | Security Policies and Procedures
  • Addressing Risk with Selected Security Counter Measures: Personnel Security | Physical and Environmental Security | Network Segmentation | Access Control: Account Administration, Authentication, and Authorization
  • Addressing Risk with Implementation Measures: Risk Management and Implementation | System Development and Maintenance | Information and Document Management | Incident Planning and Response
  • Monitoring and Improving the CSMS: Compliance and Review | Improve and Maintain the CSMS
Register Now - Space is Limited

Includes ISA Standards:
  • ANSI/ISA-62443-1-1 (ANSI/ISA-99.00.01-2007) - Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts & Models
  • ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  • ANSI/ISA-62443-3-3 - Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels

Monday October 21, 2019 8:00am - 4:00pm


ICS Red Team/Blue Team Training (8AM-5PM) [$]
(US$400 Fee – Limited to 40 Students – Register Now)

What is red team/blue team training?

Security aware and knowledgeable users serve as the “front line” of your overall security posture. As such, training is one of the most essential components of your risk mitigation strategy and overall cybersecurity program. However, without learning cybersecurity from the “hacker’s” perspective and gaining a true understanding of how adversaries attack and compromise ICS networks and assets, you’re only getting half of the picture. Without that other half, you’re essentially blindly deploying generic security controls and “best practices”. In order to have an efficient and cost-effective risk mitigation strategy, you must understand not only where your vulnerabilities are, but also the tactics that attackers will use to exploit these vulnerabilities. Red Team/Blue Team Training provides the opportunity to learn these adversarial tactics in conjunction with the defensive methods; and then students get to apply the skills they learn as they face off in a head-to-head competition, Blue Team (the defenders) against Red Team (the attackers).

The Gamification Difference: It doesn’t take a hacker to play a hacker!
Traditionally, red team/blue (or red team vs. blue team) training has been a significant time commitment, often upwards of five days or more. This can be taxing on constrained schedules and budgets. This Red Team/Blue Team Training uses cutting edge computer gaming technology developed by authors of “Hacking Exposed: Industrial Control Systems”, to offer all the best aspects of red team/blue team training, but in a fraction of the time and without a technical learning curve. Students of all levels can even play the part of the red team, regardless of experience or skill level.

In the end, students discover that defending their ICS networks and assets is more than simply deploying “best practices” and “layered defense”. Students will learn to create targeted defensive strategies (despite having limited resources) against a live opponent who is strategizing against them.

What you will get out of this class:
  • Gain a comprehensive, “big picture” understanding of how all the cybersecurity pieces work together
  • Learn and apply practical industrial cybersecurity concepts in a one-day class
  • Learn vulnerabilities and attack vectors specific to industrial control systems
  • Learn about the methods and strategies hackers use to attack industrial control systems as well as traditional IT systems (NOTE: This is not a technical hands-on “hacking” class)
  • Learn how to deploy efficient and cost-effective mitigation strategies and security controls
  • Learn how to build a complete ICS cyber security program
  • Apply what you’ve learned against a live adversary using the cutting edge, turn-based computer training simulation/game, ThreatGEN™
  • Learn how to respond to, adapt, and defend against active attacks
  • Participate as the blue team and the red team, regardless of experience or technical skill level
  • Taught by industry-leading, world-class experts with years of real-world experience
Intended Audience:
  • Anyone interested in gaining beginner to intermediate knowledge of ICS cybersecurity
  • Anyone interested in gaining a better understanding over the overall cybersecurity “big picture”
  • Cybersecurity managers
  • Upper management concerned with IT/OT cybersecurity
  • Plant managers and asset owners
  • IT cybersecurity staff tasked with OT cybersecurity
  • Engineers tasked with OT cybersecurity
  • End users looking for a more effective (and entertaining) cybersecurity awareness training
Register Now to Get a Spot in this Class


Clint Bodungen

Founder & CEO, ThreatGEN
Clint is a recognized industrial cybersecurity expert, public speaker, and lead author of the book “Hacking Exposed: Industrial Control Systems”. He is a United States Air Force veteran, has been an INFOSEC (now called “cybersecurity”) professional for more than 20 years...

Monday October 21, 2019 8:00am - 5:00pm


The State of OT Cybersecurity: The Good, The Bad, and The Ugly
In OT cybersecurity, the last few years have been a wild ride. In 2015, only the most progressive industrial organizations recognized the threat OT cyber risks pose to industrial safety and reliability. By 2018, most industrial organizations had launched OT security programs. Then, like a scene right out of the Clint Eastwood classic, The Good, the Bad, and the Ugly, OT asset owners were caught in the crossfire, as, like gunslingers, OT security vendors popped up and competed to find their fortunes.

However, despite the chaos in the OT security world, much good has been achieved. For example, many industrial organizations improved their understanding of their OT cyber assets and current risk profiles. However, some bad – and even some ugly – remain.
  • The Good: Boards of directors and business leaders have more knowledge of OT cyber risks. Funding OT security programs is easier. Programs are moving from tire-kicking to solution viability testing.
  • The Bad: The industry’s reception to initial tools/solutions has been mixed. Vendors continue to confuse OT security teams by noisily repeating well-worn but seldom proven mantras – 100% visibility! Single pane of glass! Meanwhile, OT teams struggle to identify which of the existing OT security solutions are viable and which are “all hat, no cattle.”
  • The Ugly: Many of the products currently available will ultimately fail to deliver on their promises. Basics are missing. Scalability challenges exist. Vendor promises remain unfulfilled.
This presentation provides an insightful look at the current state of OT cybersecurity. It focuses on strategies that owner-operators and IT and OT security teams can use to cut through the noise. It also provides guidance on how to assess the current state of their program, what they should focus on in the next year, and what they should be prepared to achieve in the next 3-5 years.


Mark Carrigan

Chief Operating Officer, PAS Global
Mark Carrigan joined PAS in 2000. As Chief Operating Officer, Mark leads the technology and operations organizations. During his tenure at PAS, Mark has held a variety of positions including Senior Vice President of Technology, Managing Director for the Middle East, and Global Sales...

Monday October 21, 2019 9:00am - 9:45am


Industry-Specific Assessment Baselines With NIST CSF
Assessing all control systems against the same metrics and expectations will result in companies focusing on the wrong corrective actions. Different industries such as Consumer Manufactured Goods, Pharmaceuticals, and Critical Infrastructure have different thresholds for risk acceptance. When performing assessments for different clients, it became necessary to create a baseline for each specific industry. This presentation will highlight some applications of the NIST Cybersecurity Framework by defining unique baselines for different industry verticals, the potential benefits of defining industry-specific goals, and examples of how those would work within real industries and companies.


Brandon Bohle

OT Cybersecurity Analyst, Interstates
Brandon is an OT Cybersecurity Analyst for Interstates. With a BS in Cybersecurity from Dakota State University, a MS in Information Assurance, and over ten years’ experience working in cybersecurity in the finance and industrial controls industries, Brandon brings a wealth of...

Monday October 21, 2019 9:00am - 9:45am


Social Engineering and Critical Facilities – Attack Methods and Prevention Techniques
Social engineering is a primary method for obtaining unauthorized access to secure environments. Most attacks against critical infrastructure rely on some form of social engineering, with examples being email phishing, vishing, and other various techniques.

Control systems in many critical facilities are isolated from the Internet (air-gapped). This provides a false sense of security as it is common to exploit the human factor to “bridge the gap”. Even for “connected” facilities, it is often much easier to gain access using social engineering techniques than traditional hacking methods. Additionally, many control systems are not configured for proper role-based access control, with the worst offenders sharing credentials across many users with largely open permission sets. This widens the attack surface substantially and proves very helpful to the human hacker. On the other extreme, it is also possible to have a single individual responsible for all the actions in the control system. Even for the most trusted employee, this places them as a target for an Advanced Persistent Threat (APT).

In this talk, we will discuss social engineering and related attack methods with a special focus on critical facilities, SCADA systems, Operational Technology (OT) networks, vulnerabilities, and challenges. We will cover an end-to-end scenario, including target identification and reconnaissance via Open-Source Intelligence (OSINT), attack methods and useful devices (with demos) with the ultimate goal of illustrating how some attackers gain access to some of the most secure environments. Prevention strategies to avoid these attacks will then be discussed.

There are many approaches to preventing social engineering attacks on corporate environments (IT networks). These range from advanced email filtering appliances and voice recognition software to rapid credential rotation services with multi-factor authentication. Many of these technical solutions work well for IT networks, but many will pose challenges for their OT network counterparts. For instance, a security appliance should not be configured to heuristically deny traffic in a control system (for safety reasons).

OT networks are fundamentally different from IT networks and efforts to prevent attacks on these systems must consider their unique attributes. These attributes include the ability to require the “two-man rule” and “control escalation” where two people must be involved for a control action to take place (thus making it twice as difficult for the social engineer). Two-factor authentication is becoming more common in SCADA deployments (but remains disabled for various reasons).

This discussion will start with the basics and then quickly progress to more advanced techniques. Is your air-gapped environment secure? Attend this session to get assessment and prevention tips so that you can decide for yourself.


Chad Lloyd

Security Architect, Schneider Electric
Chad Lloyd is a security architect and Senior Fellow with Schneider Electric. Chad has multiple certifications including CISSP (Certified Information Systems Security Professional) and CEH (Certified Ethical Hacker). Chad obtained his M.S. in Computer Science and his M.S. in Computer...

Monday October 21, 2019 9:45am - 10:30am


Securing Remote Access into ICS Networks with Open Source and Open Source 2-Factor Authentication
Cybersecurity can be a sizable investment. Companies with large funding can afford well-established cybersecurity solutions and the associated annual subscription fees. This session will discuss using open source software to secure remote access into ICS networks. Open source software can be found running on IT systems, the cloud, and embedded devices in Industrial Control Systems. In terms of cybersecurity, open source can provide a vast range of security solutions with low startup costs, benefiting the tight budgets of smaller companies.

With the mindset of finding a solution with very low start-up costs, the first objective was to create a proof-of-concept to secure remote access to a jump server with two-factor authentication. VPNs (Virtual Private Networks) can provide a secure channel, but there is nothing stopping a virus or malware from being transmitted from a remote system to the jump server and from the jump server into an ICS network. The second objective was to find a way to mitigate malware or unwanted software finding its way onto the jump server, all with open source.

An ICS network was built to emulate a real environment, including a host hypervisor running a jump server VM (Virtual Machine) in a DMZ (Demilitarized Zone). Two-factor authentication was implemented to access the jump server VM. PowerShell scripts were developed to shut down the jump server VM, delete it, copy a pristine jump server image from a secure location, import the image into the hypervisor, and restart it in a ready pristine state, all driven by a scheduler.

Files were damaged or corrupted on the jump server to emulate a malicious attack on the system. At 1 AM the scheduler initiated the jump server VM re-imaging process and an email was sent confirming the successful restore of a pristine image. Multiple vendors providing remote support, each assigned their own VM jump server, could be permitted to service or monitor specific systems via two-factor authentication. With the scripted re-imaging process described above, malware or unwanted software on the jump server is mitigated.


Daniel Paillet

Cybersecurity Lead Architect, Schneider Electric
Daniel Paillet is currently Cybersecurity Lead Architect within the Schneider Electric, Energy Management Business Unit. His background includes working in the US Department of Defense on various security projects, Operational Technology, Retail, Banking, and Point-of-Sale. He holds...

Monday October 21, 2019 9:45am - 10:30am


Morning Break
Monday October 21, 2019 10:30am - 10:45am
Pre-Function Hallway


Creating and Performing a Cybersecurity Tabletop Exercise
Preparing for a cybersecurity incident at your company is important. There are several phases to a successful tabletop exercise. A tabletop exercise provides an opportunity for an organization to test its contingency plans. These plans may address a variety of challenges which face an organization. Challenges to business continuity may come from weather, terrorism, cyber incidents, insider threats, or natural disasters. There are multiple levels of contingency plans, including incident response plans, emergency evacuation plans, and business continuity plans.

This presentation will focus on helping you understand why you should perform a cyber exercise, and provide step-by-step guidance on how to create and conduct a cyber exercise from scratch through the following steps.

  • Understand why to perform a cyber exercise
  • Determine the type of exercise to be performed
  • How to build the Exercise Design Team
  • Create the Exercise Plan
  • What drives the story? The narrative
  • One more look at Injects
  • Leading up to the Big Exercise Day
  • Exercise Day
  • Writing the After-Action Report (AAR)
  • Exercise Follow-Up and Process Improvements


Kevin J. Owens

Control Cyber, Inc.
Kevin Owens, from Cerberus Cybersecurity, has more than 20 years of experience in control systems and cybersecurity, in both the commercial industry and government sector. Kevin is a graduate of the University of Illinois at Chicago with a BS in Electrical Engineering and spent...

Monday October 21, 2019 10:45am - 11:30am


Digital Twin Security Analysis and Best Practices
A Digital Twin simulation model is a powerful tool for implementing advanced analytics to support process optimization, predictive failure analysis, and optimally scheduled maintenance. The unique machine learning software and computational demands of a modern digital twin simulation for complex machines typically require a cloud-hosted model. This presents a challenge for industrial application owners who are concerned about protecting their operations technology (OT) network from cybersecurity threats. This talk will look at the unique data flows and special security properties of a digital twin deployment for industrial equipment. The DHS and NIST guidelines will be used to develop a secure operations model that meets the unique demands of industrial control systems. The resulting model will be used to suggest a set of recommended best practices for an integrated, defense-in-depth security strategy for digital twin analytics.

Learning Objectives:
  • Overview of digital twin architectures and security implications.
  • Review of the DHS and NIST guidelines for ICS networks.
  • Recommended best practices for digital twin applications that rely on hosted analytics services.


Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...

Monday October 21, 2019 10:45am - 11:30am


Data Diodes to Facilitate Edge Analytics in Industrial Networks (Part 1: Intro)
Securing industrial networks presents a number of unique challenges that will only continue to increase. As the number of connected devices grows, so does the attack surface. However, cybersecurity need not be something your company HAS to manage, but, rather, a means to facilitate the efficiency and optimization gains promised by adopting “Industry 4.0”.

Join this workshop for an in-depth presentation addressing data diode technology and its use in securing industrial networks. We will evaluate a simulated wastewater treatment facility, pass asset data (pump, motor, valve, etc.) through a data diode for remote condition monitoring, and hold a detailed discussion on predictive/explanatory analytics. This vendor-agnostic workshop will help you thoroughly understand Data Diode/Unidirectional Gateway technical mechanisms.

Learning Objectives:
  • Thoroughly understand Data Diode/Unidirectional Gateway technical mechanisms and their role in ICS cybersecurity
  • Compare/Contrast Firewalls and Data Diodes
  • Key Concepts of Edge Analytics
  • Utilization of Data Diodes to facilitate 3rd party, or remote, access to ICS data in near real time
  • Edge-Based Machine Learning/Artificial Intelligence for Predictive Maintenance and Process Optimization


Terry Miller

Terry Miller has spent nearly 10 years working with OEMs to evaluate and optimize industrial processes through increased performance of their machines. After finishing a Master’s Degree in Predictive Analytics, Terry began formally training and deploying Machine Learning algorithms...

Monday October 21, 2019 10:45am - 12:30pm


What Is the Darknet and Can It Harm My Process Control Operation?
An underground “hidden market” where illegal activity is difficult to trace lurks beneath the Internet – the public layer where we jump on wi-fi networks, search the web, perform credit card transactions and enter personal information without a second thought. Called the Darknet, this little-known portion of the Internet is home for “hackers for hire” and is a hotbed of activity for those looking to monetize stolen information and privileged system access.

An emerging area on the Darknet is forums where cyber criminals sell access to supervisory control and data acquisition (SCADA) and industrial control systems (ICSs). Imagine if cyber criminals gained access to the control systems for nuclear power plants, chemical plants, oil and gas facilities, hospitals, electrical and power generation stations, water/wastewater plants, or food and beverage or pharmaceutical facilities. The results could be disastrous.

Is your control system vulnerable? Learn what the Darknet is and understand its role in potentially allowing intruders to access your control system. The fight against those who would steal the keys to your ICS and sell them on the Darknet starts with cybersecurity awareness. Keep cybersecurity top of mind and get cyber ready to educate your workforce and closely manage consultants and vendors.


Paul Galeski

Founder, MAVERICK Technologies, a Rockwell Automation Company
Paul J. Galeski, PE, CAP is the Founder of MAVERICK Technologies, LLC, a Rockwell Automation company and a leading platform-independent automation solutions provider offering industrial automation, strategic manufacturing solutions and enterprise integration services for the process...

Monday October 21, 2019 11:30am - 12:15pm


Rolling in the Deep: OT Specific DPI for Comprehensive Operational Awareness
The increased connectivity between devices and systems has created glaring vulnerabilities in critical infrastructure industries, which are high-priority targets of nation-state threat actors. The emergence and potency of malware such as Triton must shape technology design for cyber-securing critical infrastructure. Triton’s recent attack on a facility’s Triconex safety instrumented system illustrates how disruptions to industrial control system operations can inflict catastrophic consequences to critical infrastructure, national security, public works, health and safety. In combating threats to both automated systems and SCADA systems, cybersecurity must surpass the basic firewall, perimeter and signature-based defense to monitor and protect all networked system endpoints.

This presentation will explore how deep packet inspection (DPI) enhances control and visibility to the edge of distributed environments, and fills the voids left by legacy Industrial Control System (ICS) devices and technology in SCADA networks.

Attendees will gain insight on:
  • How to fully parse the protocols used for communications without impacting operations
  • How to enforce an application whitelisting policy to protect embedded devices at the network layer
  • Increasing network visibility for external software-based anomaly detection tools


Chris Guo, Ph.D.

Principal Cybersecurity Architect, Ultra Electronics, 3eTI
Dr. Guo is a principal cybersecurity engineer with Ultra Electronics and brings the company more than 20 years of experience in software/hardware, wireless and communication security. He holds particular expertise in engineering for secure wireless products and industrial cybersecurity...

Monday October 21, 2019 11:30am - 12:15pm


Monday October 21, 2019 12:15pm - 1:30pm
Windsor Garden


Hacker Machine Interface – Attacking the Energy & Water Sectors
The Energy & Water (E&W) sectors are critical to the economy of every nation and need to be secured. During our investigations we found a certain number of exposed and unprotected E&W systems online, accessible via their exposed HMIs, posing a danger to these Critical Infrastructure (CI) sectors. We wish to stress that, contrary to many sensationalized stories on the vulnerability of Internet-connected CI, our findings were limited to small-to-medium sized organizations within these sectors. Large CI organizations have security firmly in mind, but they still consider their ICS infrastructure susceptible to cyber attacks. However, the exposure of these more mid-tier organizations is still cause for concern for two reasons. Firstly, because of CI interdependencies and distribution network setups, failures in these mid-tier organizations will have cascading and far-reaching after-effects further up the supply chain. Secondly, for would-be attackers these mid-tier players act as the perfect test bed for attack strategies, letting them try out their effects in less risky ways. In this talk we present the following:
  • Using OSINT techniques we probe the E&W sectors to see what types of exploitable cyber assets are accessible to would-be attackers
  • Findings from past ICS security research papers to highlight the potential threats faced by exposed cyber assets
  • An analysis of common SCADA HMI vulnerabilities discovered by Trend Micro’s Zero Day Initiative (ZDI)
  • Attempt to identify likely attackers, probe their motives, and assess damage potentials
  • Conclude with a discussion about the challenges faced in securing IT-OT environments


Numaan Huq

Numaan Huq, Trend Micro
Numaan Huq is a Senior Threat Researcher with Trend Micro’s Forward-Looking Threat Research (FTR) Team. He has been working for over a decade in the Computer Security Industry and has extensive experience analyzing the latest cyber-threats, software exploits, and malware families...

Monday October 21, 2019 12:30pm - 1:15pm


Inside the Mind of a Hacker: How Defending Against Me Can Open New Manufacturing Business Models for You
Additive manufacturing (AM) is having an extraordinary impact on the way many products are manufactured. Realizing the full potential of AM requires re-thinking traditional approaches to design and automation - which enables new business models - but is also disrupting supply chain players. This exciting potential for industry is also accompanied by potential for hackers who are actively looking to exploit these advancements. Effectively securing the integrity of AM processes is now absolutely crucial, and data protection for 3D-printed files is becoming extremely important.

This session will discuss specific use cases in Additive and Subtractive Manufacturing (Distributed Digital Manufacturing, Integrity/Traceability of the Digital Thread) from the perspective of an experienced hacker, and provide pragmatic strategies to mitigate cyber threats by thwarting the hacker 'business model'. The session will also discuss real-world exploits and their mitigations as examples of how a 'common sense' approach to cybersecurity can be used to open new manufacturing business models.

Learning Objectives
  • Understand a cybersecurity methodology for Additive / Subtractive Manufacturing based upon thwarting the hacker 'business model'
  • Understand a pragmatic approach of applying cybersecurity to address relevant quality control issues and repeatability in Distributed Digital Manufacturing models
  • Understand how specific cybersecurity strategies can be used practically to open new business models and provide tangible competitive advantages


Evan O’Regan

Director of Business Development, Connected Industries, Irdeto
Evan O'Regan, head of Connected Additive Manufacturing, has over 20 years experience exposing vulnerabilities and providing pragmatic security solutions to protect operations against hackers and cyber threats. He delivers expert guidance on how to leverage cybersecurity investments... Read More →

Monday October 21, 2019 1:30pm - 2:15pm


Hardening a Modern ICS Environment
Industrial Control System (ICS) devices were initially designed for closed-network or non-networked environments inside facilities that were assumed to be secure. These early systems did not treat cyber threats as a concern because of their isolated environment. Those environments have since evolved into distributed, networked systems that may be connected to the Internet. They are high-value targets that are also often infrequently patched or updated, leaving them vulnerable to common exploits. This, together with the rise of state actors willing to invest substantial time and money to compromise such targets, makes hardening ICS systems a necessity.

During this session, we will look at three fallacies that impact the security postures of industrial control systems and propose some ways to address them. In summary these misconceptions are:

1. Programming languages don’t matter.
2. Keeping the adversary out is all that matters.
3. There is no way the adversary knows enough about my system.

This session will demonstrate some of the concepts above in a Linux 5.2 environment with Fieldbus support: preventing a "root" shell from reading a protected file, an encrypted storage and executable vault that limits the potential for reverse engineering, and blocking a rootkit from being loaded into the kernel.


Dan Robertson

Software Engineer, Starlab
Dan Robertson is an Epidemiologist turned Software Engineer. Mr. Robertson is currently working on a Linux Security Module at Starlab. Before working at StarLab he worked at Tripwire on a Vulnerability Management product where he spent most of his time working with the SMB protocol... Read More →

Monday October 21, 2019 1:30pm - 2:15pm


Demystifying the Complexity of Deploying a Data Diode (Part 2: Hands On)
One often hears the complexity required to "set up" a data diode cited as an impediment to its being used more often to secure industrial control networks. In this hands-on workshop, participants will learn about the network architecture associated with best-practice data diode deployment. Attendees will also configure a unit's interface for two different functions.
First, gateway functionality will be explored: users will observe the OPC-UA data diode interface and configure the unit to enable the historian-to-server connection from the control network to the open network. Participants will then configure the data diode in secure "TAP" mode to feed network traffic one-way into an Intrusion Detection appliance for traffic monitoring.


Terry Miller

Terry Miller has spent nearly 10 years working with OEMs to evaluate and optimize industrial processes through increased performance of their machines.  After finishing a Master’s Degree in Predictive Analytics, Terry began formally training and deploying Machine Learning algorithms... Read More →

Monday October 21, 2019 1:30pm - 4:00pm


Bringing DevSecOps to ICS
Bringing industrial control systems and critical infrastructure into the modern age will require more than just software updates. It will require continuous software updates. The challenge is that every time new updates to the software powering applications or infrastructure are introduced, so too is the potential for new vulnerabilities. Every little change of code creates the potential for a new vulnerability that attackers can exploit, and the demand for updates to be delivered faster and faster only increases the security challenges. Any business that relies on software as a competitive differentiator, in other words every business today, is facing this issue and trying to figure out ways to deal with it. But for industrial control systems that are already playing catch-up and trying to adapt to a connected world, these challenges will be that much more daunting.

This session will provide an overview of DevOps and DevSecOps cultures to help the people using and managing industrial control systems understand how these practices fit into their organizations. It will empower those tasked to secure critical infrastructure with the knowledge they need to ensure that comprehensive discovery and remediation of software vulnerabilities are in place so they can proactively manage risk.

Monday October 21, 2019 2:15pm - 3:00pm


Dissecting the Industrial Communication Protocols for Cybersecurity Risks
This talk will demonstrate how to analyze an industrial communication protocol, write a Lua dissector plugin for Wireshark, and develop exploit code the way an attacker would. A demo will show how an attacker can compromise a PLC through industrial communication protocols. The demo will point out common security issues in ICS protocols and demonstrate protection strategies to secure ICS/SCADA devices.
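The kind of dissection the session describes, as an added example that is not the speaker's code: a small Modbus/TCP parser written in Python as a stand-in for a Wireshark Lua dissector. It walks the MBAP header, validates the length field, names the function code, and flags the requests that change PLC state (coil and register writes), which is where a defender's attention belongs. The frames in `SAMPLE_FRAMES` are constructed for the example, not captured traffic.

```python
"""Modbus/TCP dissection in Python.  Added example: a stand-in for the
Wireshark Lua dissector the session describes, not the speaker's code.
It parses the MBAP header and PDU, names the function code, and flags
requests that change process state (coil/register writes).  The frames
in SAMPLE_FRAMES are constructed for this example, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import List, Optional

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int            # raw function code (bit 7 set on exception responses)
    name: str
    address: Optional[int]   # starting address for the request types listed above
    value: Optional[int]     # quantity for reads and multi-writes, value for single writes
    is_write: bool
    is_exception: bool


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Dissect one Modbus/TCP application frame (7-byte MBAP header + PDU)."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length covers unit id + PDU; a mismatch means a malformed or truncated frame
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes")
    pdu = payload[7:]
    fc = pdu[0]
    is_exception = bool(fc & 0x80)
    base = fc & 0x7F
    address = value = None
    if not is_exception and base in FUNCTION_NAMES and len(pdu) >= 5:
        address, value = struct.unpack(">HH", pdu[1:5])
    return ModbusFrame(
        transaction_id=tid, unit_id=unit, function=fc,
        name=FUNCTION_NAMES.get(base, f"function {base}"),
        address=address, value=value,
        is_write=(base in WRITE_FUNCTIONS and not is_exception),
        is_exception=is_exception,
    )


def flag_writes(frames: List[bytes]) -> List[str]:
    """Return one alert line per frame that would change PLC state or is malformed."""
    alerts = []
    for raw in frames:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as e:
            alerts.append(f"malformed frame: {e}")
            continue
        if f.is_write:
            alerts.append(f"unit {f.unit_id}: {f.name} addr={f.address} value/qty=0x{f.value:04x}")
    return alerts


# Constructed frames (not captured traffic): read request, single-coil write,
# exception response, multi-register write, and a truncated frame.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),            # Read Holding Registers 0..9
    bytes.fromhex("00020000000601050013ff00"),            # Write Single Coil 19 = ON
    bytes.fromhex("000100000003018302"),                  # exception 0x83, code 02
    bytes.fromhex("00030000000b0110006400020400010002"),  # Write Multiple Registers 100..101
    bytes.fromhex("0004000000060103"),                    # length says 6, only 2 bytes follow
]

if __name__ == "__main__":
    for line in flag_writes(SAMPLE_FRAMES):
        print(line)
```

The length check matters in practice: devices that accept a PDU shorter than the MBAP length claims are exactly the ones that misbehave under fuzzing, so a dissector that surfaces the mismatch is also a cheap anomaly detector.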


Mars Cheng

Cyber Threat Researcher, IoT/ICS Security Research Labs, TXOne Networks and Trend Micro
Mars Cheng is a Cyber Threat Researcher with TXOne Networks’s IoT/ICS Security Research Labs and Trend Micro. His research interests include ICS/SCADA security, threat hunting for IoT and ICS/SCADA, cryptography, and Web/IoT/Mobile/ICS/SCADA penetration testing. Before joining TXOne... Read More →

Monday October 21, 2019 2:15pm - 3:00pm


Afternoon Break
Monday October 21, 2019 3:00pm - 3:15pm
Pre-Function Hallway


Engineering a Cyber-Resilient Smart Grid
The smart grid is recognized as the most critical infrastructure, where the assumption of reliable and secure availability of electric power underpins the digital revolution that continues to transform our modern lives. The digital transformation of the smart grid is reshaping the interactions between smart grid system components, between power systems and consumers, and between power systems and other interdependent critical infrastructures. Cybersecurity and resilience of smart grids are essential enablers for continued innovation; however, existing standards and regulations follow a bottom-up, technology-focused approach that may not sufficiently address the risks across the different smart grid operational layers. In this presentation, we expand on the benefits of cyber-physical modeling as a useful tool to capture much of the innovation, cyber-physical threats, risks and uncertainty. We present an operational risk-based model for smart grids that efficiently captures cyber-physical uncertainties and enables more resilient operation. This model utilizes a cyber-physical risk metric that can be used as a parameter for operation. We also expand on the need for a data-driven definition of trust between the different smart grid system components.


Eman Hammad, Ph.D.

Dr. Eman Hammad combines practical experience and theoretical research to shape her vision for resilient-by-design solutions in the connected world. Eman's work focuses on how a deeper understanding of interactions between critical infrastructure systems and enabling technologies... Read More →

Monday October 21, 2019 3:15pm - 4:00pm


Next-Generation Holistic Visibility for Industrial Networks: Moving Beyond Passive Monitoring
This session introduces a next-generation data collection technique where raw data can be transformed into actionable information, providing holistic visibility across industrial networks and augmenting existing active, passive, and hybrid data collection methods. Attendees will learn about various practical, non-obtrusive techniques to help identify, mitigate and remediate cyber events, from vulnerabilities and system misconfigurations to unauthorized changes and equipment failure. The session will also cover the benefits and risks of various data collection methods and key considerations to determine the best method to use in a particular environment. While more organizations are starting their cybersecurity journeys with passive monitoring first, then exploring active and hybrid solutions, the next step is to integrate with OT hardware technologies to provide cybersecurity insights across a broader, richer dataset leading to 100% holistic visibility within their environment. Attendees will leave this session understanding how to leverage each data collection method, as well as valuable tools and resources for achieving deep visibility for safe, reliable, resilient industrial networks.

Several open source projects will be mentioned, including Standard Windows and Linux command sets, MITRE ATT&CK Framework, INL STOTS (Structured Threat Observable Tool Set), Kiwi, ELK, OpenVAS and more.

Learning Objectives:
  1. Understand the key benefits of each data collection method.
  2. Understand the gaps or pitfalls present for the various methods.
  3. Learn a risk-based approach to determine where to start and path to take.
  4. Learn how integrating OT technologies can result in holistic visibility.


Zane Blomgren

Senior Security Engineer, Tripwire
Zane Blomgren is a Senior Security Engineer at Tripwire. During his 14-year tenure at Tripwire, he has served a number of roles including Pre-sales Engineer and Post-sales Professional Services Consultant. With over 20 years’ cyber security experience, Zane has been called on to... Read More →

Monday October 21, 2019 3:15pm - 4:00pm
Tuesday, October 22


Breakfast and Registration
Please join us for continental breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the exciting week ahead!

Tuesday October 22, 2019 7:30am - 10:00am


Welcome to SecurityWeek's 2019 ICS Cyber Security Conference | USA

Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the cyber threat landscape, and enterprise, critical infrastructure, and national security space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages... Read More →

Tuesday October 22, 2019 8:00am - 8:15am
Windsor Ballroom


State of ICS Cyber Security: CS2AI-KPMG Survey Results
(CS)2AI-KPMG 2019 ICS Security Survey Results

The Control Systems Cyber Security Association International (CS2AI), in collaboration with a team including KPMG International, SecurityWeek, Airbus Cyber, and other supporting organizations, is conducting a yearly analysis on the current state of ICS cyber security. Leveraging the participation of multiple stakeholders across roles and industry sectors, the survey is designed to help answer key questions about how we can best protect critical systems in the face of ever-growing and -evolving threats.

Unveiled for the first time at SecurityWeek's ICS Cyber Security Conference, the survey results will help defenders improve their security posture through greater understanding of the diverse concerns and decision drivers that the industry faces.

Professionals with experience in ICS cyber security are encouraged to contribute to the community and complete the survey, which should take about 15 minutes.


Derek Harp

Founder & Chairman, (CS)2AI

Tuesday October 22, 2019 8:15am - 9:00am
Windsor Ballroom


Keynote: Fireside Chat With Admiral (Ret.) Mike Rogers
Admiral Mike Rogers retired from the U.S. Navy in 2018 as Director of the National Security Agency (NSA) and Commander of U.S. Cyber Command, and was responsible for creating the DoD’s newest combatant command and running the U.S. government’s largest intelligence organization.

In this exclusive fireside chat, Rogers will join SecurityWeek's Mike Lennon to discuss a range of topics, ranging from geopolitical tensions and nation-state threats, to protection of U.S. critical infrastructure from cyber threats across the board.


Mike Lennon

Managing Director, SecurityWeek
For more than 10 years, Mike Lennon has been closely monitoring and analyzing trends in the cyber threat landscape, and enterprise, critical infrastructure, and national security space. In his role at SecurityWeek he oversees the editorial direction of the publication and manages... Read More →

Admiral (Ret.) Mike Rogers

Former Head of NSA and U.S. Cyber Command
Admiral Mike Rogers retired from the U.S. Navy in 2018 after nearly 37 years of naval service rising to the rank of four-star admiral. He culminated his career with a four-year tour as Commander, U.S. Cyber Command and Director, National Security Agency – creating the DoD’s newest combatant comm... Read More →

Tuesday October 22, 2019 9:00am - 10:00am


Morning Break
Tuesday October 22, 2019 10:00am - 10:15am
Pre-Function Hallway


The Past and Future of Integrity-Based Attacks in ICS Environments
Industrial control system (ICS) attacks typically focus on immediate process disruption: turning off the power, shutting down a plant, or something similar. Yet an examination of the history and potential of ICS intrusions shows a far more worrisome attack vector: undermining the integrity (either via process accuracy or process safety) of an industrial environment. While not necessarily immediately evident, such an attack can produce significant impacts through undermining a physical process and calling into doubt the viability of a specific facility.

Historically, such attacks are not new, but instead encapsulate the very first known ICS-targeting malware: Stuxnet. Rather than seeking direct disruption, Stuxnet sought to undermine process integrity by altering the functionality of the plant in question while masking the effects from operators. Since that time, the industrial community initially faced a long period focused only on direct disruption, until the emergence of CRASHOVERRIDE in 2016 (whose integrity-impacting effects have not previously been discussed) and the safety-system-targeting TRISIS. Each of these sought in certain ways to undermine the very reliability of underlying processes to produce potentially disastrous outcomes.

This presentation will explore these historical examples while presenting potential attack scenarios for future integrity-based attacks. In doing so, attendees will learn more about the risk framework faced by ICS-operating organizations and unique defense and recovery requirements within these environments. This talk will conclude with recommendations for defense and recovery to mitigate against integrity-based attacks, while seeking to educate audiences on the unique risk posed by such events.


Joe Slowik

Principal Adversary Hunter, Dragos
Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. In this role, Joe provides time-sensitive, actionable threat intelligence to enable ICS asset owners and defenders... Read More →

Tuesday October 22, 2019 10:15am - 11:00am
Windsor Ballroom


Case Study: Secure Remote Monitoring of Off-Shore Rig Equipment
In order to provide improved predictive maintenance, and head off potential downtime, not to mention possible disasters related to failing equipment, regulations have been put into place to remotely monitor various critical equipment on off-shore drilling rigs. However, off-shore drilling rigs are also a prime example of cyber-physical threat convergence, where cyber threats pose potential safety risks to on-site personnel as well as the surrounding environment. So how can we enable a digital channel for remote monitoring without opening a potential cyber threat vector and exposing the rig to additional risk? This session will outline a real-life case study and implementation of data diode cybersecurity technology to protect and remotely monitor off-shore rig equipment, including the related challenges, benefits, and takeaways.


Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth... Read More →

Tuesday October 22, 2019 10:45am - 11:30am
Solutions Theater


Level 0 Vector of Attack on PLC Based Systems
Level 0 Exploits on Train ICS – (This applies to all industrial control systems)

Train systems are known for being extremely safe: redundancy, fail-safe mechanisms, interlocks, etc. The one security aspect that is left untouched on most train control systems today is cyber security. Most existing train safeguard systems do have their safety mechanisms, but what if someone made great efforts to compromise them? What if this person or group had substantial time, money and knowledge to derail a train in a large city?

The goal of the presentation is to discuss the various ways the industrial control systems onboard trains and on waysides are imminently at risk of cyber-attack all across North America.

Referring to the Purdue Model for ICS network diagrams, we will simulate a Level 0 attack on a train, step by step, until a potentially dramatic event is demonstrated. This session will demonstrate the ability to impersonate physical, localized sensors using off-the-shelf connected microcontrollers (Raspberry Pi, Arduino, etc.). It will go into detail on how public transit systems, intelligent cities and intelligent military bases are real targets when they deploy sensors to collect data or monitor situations.


Patrik Chartrand

Cyber Security Specialist, Rail & Transit, SNC-Lavalin
Mr. Patrik Chartrand is a highly creative, accomplished executive-level professional with over 20 years of experience in innovative IT and Cyber Security initiatives with a track record for problem solving. He is capable of leading and inspiring design and innovation teams for a cutting-edge... Read More →

Tuesday October 22, 2019 11:00am - 11:45am
Windsor Ballroom


Deep-CYBERIA: Towards Automated Discovery of Level 0 Sensors and their Interdependencies
In large cyber-physical systems, the capabilities of mapping and analysis of sensors at levels 0 or 1 behind the programmable logic controllers (PLCs) are very useful for many purposes including triage, verification, audit, misconfiguration detection, intelligence gathering, maintenance, calibration, inaccessible locations, and so on. However, unlike traditional information technology components, sensor information is relatively challenging to infer and analyze because of the inherently indirect nature of their dynamic behavioral effects.  The complexity of the inference problem arises from the undetermined numbers and type of sensors, unique interconnection topologies, protocol heterogeneity and customized interdependencies driven by the physical portion of the cyber-physical system.

Given passive or active modes of interaction with a cyber-physical system, how well can network communication reveal the sensor information behind the PLCs? Is it feasible, and to what extent, for causality patterns among multiple streams of inferred sensor data to reveal the actual dependencies of the physical processes driving them? Are there special classifications of sensors that are largely domain-agnostic in nature, yet reveal useful insights? What types of analyses are most effective in uncovering unexpected, intentional or unintentional effects on the operational dynamics of the sensors?

With the goal of answering these classes of challenging questions, we are developing novel network packet analysis techniques and data analysis methods. These are incorporated and experimented in a novel prototype system called Deep-CYBERIA (Deep Cyber-Physical System Interrogation and Analysis).

Deep-CYBERIA is aimed at developing a network discovery capability (both passive and active) to enhance discovering, monitoring, and diagnosing the identity of cyber-physical system (CPS) components at level 0-1. The interrogation and analysis capabilities are targeted to uncover interdependencies among sensors with respect to cyber and physical process interactions, triggers, and after-effects. Analysis capabilities are aimed at building the foundation for sophisticated forensic features that reach beyond basic data-based inference.

In addition to small CPS testbeds, as a complex case study, the experimental network of the Cold Source portion of the High Flux Isotope Reactor (HFIR) facility at ORNL is exercised with the Deep-CYBERIA implementation. Experiments have yielded excellent results. To date Deep-CYBERIA is capable of (a) extracting sensor information from packet-level traces, and (b) uncovering key interdependencies among the inferred sensors. Using the causality graphs, we were able to dramatically reduce the number of false-positive links among the sensor variables. New causality algorithms customized for cyber-physical processes were able to further refine the interdependencies to match the ground truth. Our approach ultimately aims to provide a broadly applicable, novel way to deepen understanding and strengthen the resilience of cyber-physical assets.


Juan Lopez Jr., PhD

Cyber-Physical R&D Manager, Oak Ridge National Laboratory

Kalyan Perumalla

Oak Ridge National Laboratory
KALYAN PERUMALLA is a Distinguished Research and Development Staff Member and Manager at the Oak Ridge National Laboratory. Dr. Perumalla founded and currently leads the Discrete Computing Systems Group in the Computer Science and Mathematics Division at the Oak Ridge National Laboratory... Read More →

Tuesday October 22, 2019 11:45am - 12:30pm
Windsor Ballroom


Tuesday October 22, 2019 12:30pm - 1:30pm
Windsor Garden


Near Future of OT Attacks
Over recent years we’ve witnessed certain trends and shifts in OT attacks. By extrapolating from these attacks we can predict what the future of OT attacks might look like.

As AI becomes ubiquitous across every industry, we should expect cyber-criminals to also be looking to leverage AI for malicious purposes. OT attacks are particularly well-suited to benefit from advances in malicious AI: the ability for industrial malware to operate autonomously without communicating with command and control, and to blend into its environment, is highly desirable for OT attack campaigns. The AI and machine learning techniques necessary to build AI-powered malware already exist; it is just a matter of when malware authors will hone these techniques enough to make AI attacks a reality.

This shift in attack patterns will necessitate a change in defensive strategy. This talk will explore the future use of AI in both industrial attacks and defense.

Sponsored by:  Darktrace


Jeff Cornelius, Ph.D

EVP Industrial Control and Critical Infrastructure Solutions, Darktrace

Tuesday October 22, 2019 1:30pm - 2:15pm


Dragos Presents

Dan Scali

Director of Channels, Dragos
Dan Scali joins Dragos as Director of Channels. Previously, Dan built and led the ICS cybersecurity consulting practice at Mandiant, a division of FireEye, where he conducted ICS-focused cybersecurity assessments and incident response activities for critical infrastructure globally... Read More →

Tuesday October 22, 2019 1:30pm - 2:15pm
Windsor C


How to Accurately Gauge Your Current ICS Cybersecurity Posture
The C-Suites of manufacturing and industrial processing companies often think they already have a handle on their ICS Cybersecurity through IT efforts. In actuality (through no fault of their own) IT has not taken into account the unique needs of protecting Operational Technology (OT) assets.
Attendees will learn and be able to articulate to their executive teams:
  • The most current threats to ICS Cybersecurity
  • The unique difference in implementing Cybersecurity industry standard best practices in OT vs IT
  • The vulnerabilities of industrial legacy systems that were created before malware
  • The risks of not having a clear understanding of all OT assets
  • How to gauge your current posture to begin to plan and budget appropriately

The goal of this session is to help teams within organizations powerfully and diplomatically articulate their own current risks and the unique needs of ICS Cybersecurity.


Scott Timmer

Director of ICS Security, gpa
Scott is a highly accomplished network and security engineering professional with a progressive career in Industrial Controls as well as Information Technology.  He is expert at strategy development, solution architecture, project leadership, and service delivery.  He has exceptional... Read More →

Tuesday October 22, 2019 2:15pm - 3:00pm


SCADA Device Exploitation and Attack Mitigation Techniques
It's not news that SCADA vendors still have gaping holes in their PLC and HMI development environments.

Research into 7 different PLC vendor software systems details an almost negligent lack of security standards in modern SCADA environments. This lack of security creates great opportunity for future attackers and the next high-profile attack on industrial control systems.

The attack scenario cannot be overstated, as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors in one way or another. This session will show a theoretical attack that could have happened using recently discovered vulnerabilities and proof-of-concept code to disrupt a major power industrial system.

Joseph Bingham will share observations on vulnerabilities found in vendors across the board and mitigation techniques for using this required software in highly critical environments where even air-gapping is not enough to remove the threat of a remote attacker.

Learning Objectives
  • SCADA systems are extremely critical and their security needs to be considered much more highly in the future.
  • Some vendors are more reliable than others for a secure environment.
  • Demonstration of actual SCADA attack, practical attack vectors
  • Mitigation techniques for existing SCADA environments.


Joseph Bingham

Senior Research Engineer, Zero Day Research, Tenable
Before joining Tenable in 2014, Joseph worked at Symantec doing malware reverse engineering. Since joining Tenable as a reverse engineer, Joseph has produced several publications on malware, exploitation and reverse engineering.

Tuesday October 22, 2019 2:15pm - 3:00pm


Afternoon Break
Tuesday October 22, 2019 3:00pm - 3:15pm
Pre-Function Hallway


ICS Active Monitoring Using Analytics
Active system monitoring is a core tenet of a well-managed OT environment. The active system monitoring solution proactively connects to monitored systems and checks them, as opposed to passively waiting to get information from monitored systems. This method of system monitoring is better suited to state-of-health monitoring because there is no chance that a system will become inaccessible or otherwise non-functional and fail to report a problem. If the monitored system becomes inaccessible or otherwise impaired, the active monitoring system will discover that the next time it attempts to poll the monitored system or device. Creating a fully populated active monitoring system provides a foundation around which to structure OT support activities by providing alerting mechanisms that can target specific problem types to specific OT support roles and duties. To be a reliable source for trouble awareness and to be effective in communicating to OT support staff, an active system monitoring solution must be maintained with accurate configuration information. Failure to do so will create a sense that the environment is in a state of health that does not accurately reflect what is happening in the field.

Passive system monitoring is the collection of information that is reported by configured clients. This is a supplementary form of monitoring that generally provides for detail rich metadata and granular analysis of system behavior. For this reason, it lends itself well to more detailed security and state of health monitoring. Paired with active system monitoring, a passive monitoring solution can provide unparalleled assessment of the overall state of the OT systems environment. The passive monitoring system should receive information from the active monitoring system as well as the systems that the active monitoring system is monitoring in order to create a cyclical check system that reduces the likelihood of systems "going dark" without OT support staff being aware. A SIEM cybersecurity tool has been implemented, creating great value in the areas of general troubleshooting as well as OT activity awareness in multiple Syngenta OT environments to date. The tool provides a means by which to centralize all OT operational intelligence into one place for monitoring and analysis by OT engineers, administrators, technicians and functional managers alike.

The session will show how combining active and passive monitoring creates the concept of "Active Monitoring using Analytics" within a chemical plant's manufacturing environment.
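The cyclical check the abstract describes, as an added example that is not Syngenta's tooling: an active poller records whether each inventoried device answered, a passive collector records the log events the device sent, and a single assessment against one clock separates "unreachable" (poll failed) from "silent" (answers polls but has stopped reporting) and surfaces inventory drift in both directions (devices the poller never checks, and hosts that report but are not in the inventory). The inventory, poll results, log line format and the `run_constructed_scenario` helper are all constructed for the example.

```python
"""Correlating active polls with passive reports (added example, not
Syngenta's tooling).  An active poller records whether each inventoried
device answered; passive monitoring records the log events the device sent.
Assessing both against one clock separates "unreachable" from "reachable but
silent" and exposes inventory drift.  Inventory, poll results and log lines
below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed syslog-like line format: "<epoch seconds> <host> <message>"
EVENT_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


@dataclass
class DeviceState:
    report_interval: int               # seconds between expected passive reports
    last_poll_ok: Optional[bool] = None
    last_poll_ts: Optional[int] = None
    last_event_ts: Optional[int] = None


class Monitor:
    def __init__(self, inventory: Dict[str, int]):
        self.devices = {host: DeviceState(iv) for host, iv in inventory.items()}
        self.unexpected_reporters: List[str] = []   # hosts that report but are not inventoried

    def record_poll(self, host: str, ok: bool, ts: int) -> None:
        """Active side: result of connecting to an inventoried device."""
        d = self.devices[host]
        d.last_poll_ok, d.last_poll_ts = ok, ts

    def record_event_line(self, line: str) -> bool:
        """Passive side: ingest one log line; False if unparseable or sender not in inventory."""
        m = EVENT_RE.match(line)
        if not m:
            return False
        host, ts = m["host"], int(m["ts"])
        d = self.devices.get(host)
        if d is None:
            if host not in self.unexpected_reporters:
                self.unexpected_reporters.append(host)
            return False
        if d.last_event_ts is None or ts > d.last_event_ts:
            d.last_event_ts = ts
        return True

    def assess(self, now: int) -> Dict[str, str]:
        """Classify every inventoried device at time `now` using both data sources."""
        status = {}
        for host, d in self.devices.items():
            if d.last_poll_ok is None:
                status[host] = "unpolled"       # inventory entry the poller never checked
            elif not d.last_poll_ok:
                status[host] = "unreachable"    # active poll failed
            elif d.last_event_ts is None or now - d.last_event_ts > 2 * d.report_interval:
                status[host] = "silent"         # answers polls but stopped reporting
            else:
                status[host] = "healthy"
        return status


def run_constructed_scenario(now: int = 1000) -> Monitor:
    """Constructed data: five inventoried devices, four polled, four log lines."""
    inventory = {"plc-01": 60, "hist-01": 300, "hmi-02": 60, "rtu-07": 60, "plc-03": 60}
    mon = Monitor(inventory)
    for host, ok in [("plc-01", True), ("hist-01", True), ("hmi-02", False), ("rtu-07", True)]:
        mon.record_poll(host, ok, now)
    for line in [
        "900 plc-01 heartbeat ok",
        "700 hist-01 archive cycle complete",
        "700 rtu-07 heartbeat ok",
        "950 rogue-05 startup",
    ]:
        mon.record_event_line(line)
    return mon


if __name__ == "__main__":
    mon = run_constructed_scenario()
    for host, state in mon.assess(1000).items():
        print(f"{host:8s} {state}")
    print("unexpected reporters:", mon.unexpected_reporters)
```

The "silent" state is the one neither source finds on its own: the poller sees a device that answers, the log collector simply sees nothing, and only the comparison against the expected report interval turns that absence into an alert. The 2x interval threshold is an assumption for the example; in practice it is tuned per device class.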


Jeff Young

Principal Engineer - Automation and Controls, Syngenta Engineering

Tuesday October 22, 2019 3:15pm - 4:00pm


Intelligence Gathering on Critical Infrastructure
Reconnaissance is the first and a very important step in planning a cyber attack. Nowadays, adversaries can gather information about Industrial Control Systems in many ways, and one of them is Open Source Intelligence. Using a relatively easy method, anyone can map the whole exposed ICS infrastructure of any country. Internet-connected ICS devices pose a risk due to vulnerabilities or misconfigurations and are the easiest target for different groups. This research shows the state and statistics of around 26,000 exposed ICS devices in the USA, including detailed information about them: open ports, vulnerabilities, organizations and geolocation. In addition, it shows that some of the devices can be geolocated to specific buildings and companies, which might affect critical infrastructure in a variety of sectors. Moreover, methods of gathering open source data and identifying particular ICS devices will be presented. Industrial control systems are targeted by foreign intelligence services mostly for espionage and potential cyber attacks resulting in disruption of important services for a city or even a country. It's worth knowing adversaries' weak points, and it might help different Computer Emergency Readiness Teams around the world.

Tuesday October 22, 2019 3:15pm - 4:00pm


DER Cybersecurity: Investigating the Challenges of Securing IIoT
The need for proactive cybersecurity defense mechanisms is a key concern in the energy sector as distributed energy resources (DERs) and the industrial internet of things (IIoT) introduce new connections and expand the attack surface of traditional energy generation and distribution networks.

In this session, participants will learn how the NIST NCCoE is gearing up to explore various scenarios in which information exchanges among commercial and utility DERs and electric distribution grid operations can be protected from cybersecurity compromises. Their work – informed by a highly-engaged community of thought leaders in the energy industry, cybersecurity community, government, and academia – will result in an open, practical, and standards-based proof-of-concept of cybersecurity capabilities demonstrating data integrity and malware prevention, detection, and mitigation in DER environments.


Jim McCarthy

Senior Security Engineer, NIST NCCoE
Jim McCarthy is a senior security engineer at the National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE). He currently serves as the lead for NCCoE energy sector projects where his work is focused on security data analytics, secure...

Tuesday October 22, 2019 4:00pm - 4:30pm


Cocktail & Dinner Reception - Foyer & Exhibitor Hall (5-7PM)
Please join us in the foyer and sponsor hall for a reception with cocktails and amazing food and enjoy networking with industry peers. As part of your conference experience, we have prepared a fantastic menu and premium bar!

Tuesday October 22, 2019 5:00pm - 7:00pm
Pre-Function Hallway



Tuesday October 22, 2019 7:00pm - 9:00pm
Wednesday, October 23


Communication to the Physical Side: A Security View on PLCs Network Interface
Increasing demands in the industrial sector, such as predictive maintenance and remote servicing, also increase the number of network-capable industrial components. Furthermore, these cross-connections from the OT to the IT network increase the attack surface, enabling access to industrial devices for hackers.

This talk will demonstrate how hackers can easily interact with the physical side of PLCs. This means that attackers can cause effects in the real world over the Ethernet communication of the PLC. Then vulnerable devices around the world will be shown, along with how they could be impacted by DoS attacks. This session will provide answers to questions on how vulnerabilities of this kind can be searched for and how to take part in disclosure processes, and recommendations for manufacturers, operators and penetration testers will be given.

Learning Objectives:
  • Insights into the interaction between the network and real-world physical process of ICS components.
  • How to find and map vulnerabilities to ICS components.
  • How to treat vulnerabilities as a manufacturer, integrator and operator.
  • How to securely scan and monitor industrial networks from the perspective of device robustness.


Matthias Niedermaier

Embedded Security, HSA_innos

Wednesday October 23, 2019 TBA


Breakfast and Registration
Please join us for breakfast and pick up your badge at the conference registration desk. Grab some coffee, network with other conference attendees and prepare for the day.

Wednesday October 23, 2019 7:30am - 10:00am


Five Blind Men and the Elephant Called ICS Supply Chain Security
Is a secure ICS software supply chain important to your company’s critical operations? And what does securing your supply chain really involve? A 3-year study sponsored by the US Department of Homeland Security revealed many different perspectives. ICS vendors, asset owners, consultants and security researchers all identified numerous complex priorities including:
  • Counterfeit firmware detection: Asset owners need to validate that firmware is authentic and hasn’t been tampered with. Vendors need to know if counterfeits of their products are circulating on the internet.
  • Mystery sub-component detection: Asset owners are looking for a Software Bill of Materials (SBoM) to reveal unexpected or unapproved sub-components that may contain vulnerabilities or malware. Vendors want to be able to trace back which of their products might contain those sub-components.
  • Version validation: Asset owners want to confirm that firmware is an up-to-date version, tested and approved by the factory rather than an unauthorized or obsolete version. Vendors need to be aware if unapproved versions are being installed in the field.
  • Certification-chain validation: Asset owners need to detect fraudulently signed packages masquerading as authentic. Vendors need to know if their private keys have been stolen and are being used to sign malware.
  • Stability confirmation: Asset owners want reassurance that even valid firmware packages are bug-free and won't introduce instabilities. Vendors want to know the market perceptions of their upgrade packages in order to be proactive and protect their reputations.
These are just a few of the perspectives identified in the DHS research project. A common theme among them is the exploitation of trust between ICS vendors and their customers (and other suppliers). This talk will explore specific examples of each of these threats and discuss FACT, a framework for safeguarding against attacks on trust and reliability.

Learning objectives:
  • Identify key cybersecurity risks to critical infrastructure supply chains.
  • Understand existing security strategies (e.g. certificate signing, hashes) and their limitations.
  • Explore tools and solutions for addressing specific supply chain threats.


Eric Byres

CEO, aDolus
Eric Byres is widely recognized as one of the world's leading experts in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed ICS-specific firewall in...

Wednesday October 23, 2019 8:15am - 9:00am
Windsor Ballroom


Eliminating Blind Spots in Your OT Security Program
Organizations are raising OT security to a high, or in some cases even their highest, priority. Digital innovation and growth are now business imperatives, and security must be at the forefront of enabling these strategies. Unfortunately, the underlying expansion in connectivity that this requires brings with it a wide range of challenges and vulnerabilities, some of which may not be visible to those monitoring, managing and securing these environments. Learn how to best identify and eliminate these blind spots throughout your infrastructure.


Robert Dyson

Global OT Security Services Business Leader, IBM
With more than 25 years of experience in the Information Technology field, Rob Dyson has held technical and leadership positions while providing IT services for many companies within multiple industries. Rob is currently the Global OT Security Services Leader for Industrials and...

Wednesday October 23, 2019 9:00am - 9:45am
Windsor Ballroom


Homogenization of Attacker Toolsets
Attackers, including ICS-targeting adversaries, are increasingly using the same toolsets for a myriad of reasons. It cuts down on development time, allows for lower attribution rates and gives attackers more "playbooks" to fall back on. The near-ubiquitous nature of Mimikatz -- utilized by the most dangerous ICS-specific adversary, XENOTIME -- is just one example. Attackers are rapidly integrating other tools such as Metasploit, PowerShell Empire and Cobalt Strike into their tactics, techniques and procedures (TTPs). This presentation will discuss the evolution of ICS attacker techniques and provide defenders with methods to mitigate them.


Thomas Pope

Adversary Hunter, Dragos
Thomas Pope is an Adversary Hunter at Dragos. He works with prospective and current customers to improve the Dragos threat intelligence offerings while hunting for ICS-specific activity groups and malware. He previously worked at Duke Energy, where he performed many roles in and outside...

Wednesday October 23, 2019 9:45am - 10:30am
Windsor Ballroom


Securing Smart Sensors in Industrial Machines
Smart sensors enable manufacturers and other operators to view and analyze real-time machine performance. By connecting sensor data to centralized monitoring platforms, engineers can optimize operation and perform predictive maintenance through advance notice of potential problems or anomalies. Unfortunately, as the number of cyber-attacks on ICS and related OT systems continues to increase, these connected sensors also represent possible cyber threat vectors into the plant and potentially into the machines themselves. In this session we'll discuss the various technologies, architectures, and best practices to secure smart sensors in industrial machines without compromising on the benefits of connected technologies within ICS.


Andrew Nix

Owl Cyber Defense

Wednesday October 23, 2019 9:45am - 10:30am
Solutions Theater


Morning Break
Wednesday October 23, 2019 10:30am - 10:45am
Pre-Function Hallway


Water Safety: It’s the Job of Operations and IT
Safe water and clean water are essential for public health, ecosystem protection and economic strength. Supporting these important functions requires secure information technology (IT) and operational technology (OT).

Gwinnett County Department of Water Resources understood the need to take proactive steps to protect this critical lifeline for their community. They invested in a modernization project to unify their SCADA platforms and bolster their cybersecurity posture across their water plants, wastewater facilities and distribution facilities.

During this session, experts from Gwinnett County and Fortinet will:
  • Share the journey toward SCADA modernization and the implementation of a cybersecurity platform
  • Review standard practices used to deploy a standard ICS architecture
  • Discuss lessons learned through the modernization journey

Join Sam Paul from Gwinnett County Department of Water Resources as he shares their journey to segment and segregate their OT network – with a vision of standardizing and modernizing their SCADA systems – including partnering with IT to embed cybersecurity into their ICS security plan. Hear from Fortinet ICS expert Carlos Sanchez as he speaks to the benefits of the Fortinet Security Fabric to simplify and streamline the cybersecurity needs of industrial control systems.


Sam Paul

Section Manager | SCADA Systems & Projects, Gwinnett County, Department of Water Resources
Sam Paul is the Section Manager over SCADA Systems and Projects for the Department of Water Resources, Gwinnett County Government. Sam is a strategic futurist and visionary leader with a drive to learn the challenges and help organizations transform to meet the escalating expectations...

Carlos Sanchez

Global Sales Enablement, Operational Technology, Fortinet
Carlos-Raul Sanchez is a technologist with 32 years of experience in network, telecommunications, and critical infrastructure security. Carlos specializes in simplifying complex business problems with a pragmatic application of technology. With a wide range of experience ranging from...

Wednesday October 23, 2019 10:45am - 11:30am
Solutions Theater


Adventures in IT/OT Convergence
This presentation will share some adventures and challenges of the last few years as OT systems have moved from isolation to integration with corporate business systems.

Presented by Mark Brosseau, senior manager of the EPCOR plants control and automation teams, this session will provide a description of what is being implemented and what is being learned with representation from IT and OT groups across the company.


Mark Brosseau

Sr. Manager, Plants Control and Automation, Epcor Water Services
Mark Brosseau P.Eng. is the senior manager of the EPCOR plants control and automation teams responsible for the engineering and support of the Edmonton water and wastewater plant control systems. He has over 25 years of experience in the implementation of control systems in industrial...

Wednesday October 23, 2019 10:45am - 11:30am
Windsor Ballroom


Industrial Control Deception Environments – Levels of Simulation
Deception environments are systems designed to focus an attacker’s attention, thereby providing early warning of an intrusion, and allowing for analysis of an attacker’s motivations, tools, tactics, and procedures. They are composed of traditional honeypot and honeynet style components, together with other elements such as ‘breadcrumbs’ that are distributed across a real network to entice a potential intruder. Deception environments differ from honeypots in that they are intended to simulate realistic aspects of an organization, and are designed as a defensive campaign.

This presentation introduces analysis into how a deception environment for an industrial control environment can be created. Using the Purdue model for reference it examines the different levels of simulation that can be constructed – simulation of physical processes, control simulation of OT devices, simulation of supervisory systems, and at the highest level the simulation of enterprise systems and even personnel. The analysis examines what is possible at each level, how different levels can be simulated, and discusses which components should be simulated for a particular deception campaign, and how that offers protection against attacks.

Learning Objectives:
  • The benefits of industrial control deception
  • How to create an industrial control deception environment
  • What systems and processes are suitable for simulation
  • How to build an industrial deception campaign


Dr. Mike Westmacott

Senior Cyber Security Researcher, Thales
Mike has worked as a technical cyber security analyst for ten years, at boutique security consultancies, and currently at Thales UK where he holds the position of senior cyber security researcher. His current interests and research topics are deception technologies, psychological...

Wednesday October 23, 2019 11:30am - 12:15pm
Windsor Ballroom


Lunch - Windsor Garden
Wednesday October 23, 2019 12:15pm - 1:30pm
Windsor Garden


Lunch Workshop: The Three Laws of Industrial Control System Cyber Security
The best cyber security solutions for ICS follow the three laws. They are not retreads of IT security but are tailored for ICS. They also use conditions-based monitoring techniques and secondary data validation instead of relying mainly on malware signature libraries. Finally, the best ICS cyber security solutions are built on the results of actual cyber attacks against the system being protected, not just compliance with security regulations. Such attacks are done in a lab using a replicated network with the actual hardware and software in the loop, because compliance does not equal security.

Grab a plate and join Ampex Data Systems for this informational session during lunch!

Wednesday October 23, 2019 12:30pm - 1:15pm


Leveraging Cybersecurity to Improve Operations & Situational Awareness
Cybersecurity solutions are becoming more prevalent, and there are significant benefits that can be realized in operations. This session will discuss the value of technologies not only for compliance and cybersecurity but will emphasize how technologies can be leveraged to improve operations and situational awareness from an OT perspective.

Sponsored by: TDi Technologies


Bill Johnson

Founder, CEO, TDi Technologies
Bill Johnson has over 20 years' experience in the IT/OT infrastructure management field. He is the founder of TDi Technologies and its flagship platform, ConsoleWorks. Bill is a recognized Thought Leader by such prestigious organizations as The SANS Technology Institute and the...

Wednesday October 23, 2019 1:30pm - 2:15pm


To Protect Your IP, You Must Think Like a Hacker
As the ICS industry moves to more standardized platforms, making use of connectivity and off-the-shelf software, critical software has never been more vulnerable to access by hackers or reverse engineers. Wanting to monetize their high-tech innovations, many industrial companies are productizing digital twins, predictive maintenance, digital diodes, behavioral analytics, AI/ML, additive manufacturing, and much more. However, at the core of these product innovations is the patentable intellectual property developed in software, for which the attack surface has exponentially increased through IIoT connectivity. If compromised, this software is as readable as a book to any hacker able to run commonly available reverse engineering tools.

In this session, Mark Hearn, Sr. Director of Strategic Business Development at Irdeto, will take you through a discussion of how hackers think about their targets, what they look for, and how your product security requirements can combat them. Starting with the maturing of the Secure Software Development Lifecycle, delving deeper on software protection, and highlighting where advances in software protection are headed, Mark will demonstrate how your software businesses would significantly benefit from the protection of the key algorithms and critical data advancing your IIoT ecosystems.


Mark Hearn

Head of IoT Security, Irdeto
Mark Hearn is the Head of IoT Security at Irdeto. He is responsible for leading business development strategies to secure organizations' IoT applications and connected devices. Mark has been with Irdeto since 2003, through Irdeto's acquisition of Cloakware. Mark is a seasoned...

Wednesday October 23, 2019 1:30pm - 2:15pm


Supply Chain Cyber Threats: Cooperation Across the Digital Ecosystem
Recent advanced and unexpected threats to supply chains have exposed new cyber-terrorism, malware, and data theft. What are organizations, their suppliers, and regulators doing to counter these threats?

This session will discuss examples of emerging threats in the supply chain landscape and protective measures regulators have taken, along with:
  • Approaches organizations are taking to identify, minimize, and mitigate supply chain cyber risks.
  • Leading practices from industries with advanced cyber supply chain risk management programs.

Participants will gain new insights into securing their supply chains in response to the increasing threat of cyberattacks on an expanding digital ecosystem.


Stephen Batson

Senior Manager, Risk and Financial Advisory, Deloitte
Mr. Batson functions as a Senior Manager for Deloitte with 30 years of experience focused on designing and securing utility IT and ICS systems to meet NIST, NRC, NERC, IAEA, IEC, and ISO 27000 series cyber security standards and regulations. Mr. Batson is responsible for strategy...


Rob Garry

Executive Chief Engineer, GE Power
Rob is a career ICS controls engineer for power generation. In his current role as Product Cyber Chief, he is responsible for securing customer industrial control systems for application in industrial power plants. He works in both the technical and regulatory aspects of the field...

Wednesday October 23, 2019 2:15pm - 3:00pm


How to Pull Binaries From OT Equipment: JTAG as a Last Resort
Reversing a binary from a piece of OT equipment can provide the best return on investment for a threat hunter. This session will cover techniques to do this in increasing order of skill, starting with utilizing a company's lack of awareness or best practices, moving to impersonating a network and using command execution against the device itself, and finally taking a look at board-level techniques.

Wednesday October 23, 2019 2:15pm - 3:00pm


Afternoon Break
Wednesday October 23, 2019 3:00pm - 3:30pm
Pre-Function Hallway


Segregating a Flat Network for Increased Reliability and Security
This presentation discusses the rationale and learnings gained when re-designing a flat Electrical Protection Network (EPN) into a segregated network to increase reliability and security. The electric utility used in this real-world case study has a network of 55 interconnected substations varying in voltage from 600 volts to 34.5 kV. The original EPN was designed as a flat network. As a result, they had experienced reliability issues: a single fault or cyber event on the network could result in a partial or complete network failure. The project involved segregating the network into smaller logical sections that would prevent network-wide outages and confine network failure risks to smaller, distinct and controllable regions.

The design criteria for the network included supporting the high-speed GOOSE protocol, with considerations for the large geographic area covered. Other key requirements of the EPN included allowing electrical protection relays to communicate with each other for high-speed system protection coordination, thus reducing system arc flash values. The network must also carry operating status and control, alarms, trips and metering information to local HMIs and the T&D High Voltage Control Centre.

The presentation will also focus on the network security aspect, including the design, testing and installation of DMZ firewalls used to protect the network and the use of VLANs and network switches for increased network separation, isolation and security. The factory acceptance testing was performed in an IEC 61850 lab environment configured to simulate the field parameters while subjecting the system to numerous cyber-attacks and fault simulations. The reconfiguration of the network was performed on an operating facility.


Paul Haughey

Automation and ICS Cybersecurity Specialist, BBA
Mr. Haughey completed Telecommunications Technology at the Northern Alberta Institute of Technology. He holds over 35 years of experience specializing in Industrial Control System design, programming and commissioning on a variety of systems. He has worked on projects in Oil & Gas...

Wednesday October 23, 2019 3:15pm - 4:00pm


[Panel] Addressing Cyber Risk in Connected Ecosystems
As digital and physical infrastructure continue to converge, enabled by the Internet of Things (IoT) and connected devices, a complex ecosystem of municipal services, public and private entities, people, processes, devices, and city infrastructure is created, all constantly interacting with each other. This massive amount of data, the integration between disparate IoT devices, and dynamically changing processes create new cyber threats, compounded by the complexities of data governance, the lack of common standards, etc. To protect these ecosystems and the value they bring, the responsible organizations should have product security programs, practice Security by Design throughout their products' and ecosystems' lifecycles, and ensure consistent coordination between their partners.

This panel discussion will involve stakeholders from the different stages of the product and ecosystem lifecycle, including a connected product manufacturer, an organization that implements IoT ecosystems, and an IoT system owner. This panel will be led and moderated by Deloitte's Piyush Pandey to discuss the learning objectives.

Wednesday October 23, 2019 3:30pm - 4:15pm


PHY-Based DNA Fingerprinting to Discriminate WirelessHART Sensor Network Devices
AFIT's work continues on developing a reliable, non-intrusive, non-operably connected PHY-based security augmentation for IoT, IIoT, ICS/SCADA, and general wireless sensor applications. The successful demonstration and historical maturation of Distinct Native Attribute (DNA) Fingerprinting methods has led to a patent-pending DNA cyber security monitoring capability supporting both pre-attack defense and post-attack forensic objectives. The monitoring system foundation is derived from wired Highway Addressable Remote Transducer (HART) signal work in, with favorable results therein motivating the more recent WirelessHART work being reported upon here. The goal is reliable DNA-based discriminability of device hardware (cross-manufacturer, cross-model, and like-model serial number) and/or device operating state (normal vs. anomalous). The physical-layer (PHY-based) work here is of particular interest given that a majority of WirelessHART security mechanisms (some would argue all) are implemented exclusively within higher bit-level network layers using some of the same protection mechanisms commonly attacked in IT systems. The most recent results for WirelessHART are sufficiently favorable to motivate continued investigation and include better than 90% 8-class device discrimination of Sitrans AW210 and Pepperl+Fuchs Bullet adapters.


Christopher M. Rondeau

Air Force Institute of Technology, Air Force Institute of Technology (AFIT)
Chris Rondeau is a PhD student and researcher at the Air Force Institute of Technology (AFIT) in Dayton, OH. He works under the Radio Frequency Intelligence (RFINT) research area led by Dr. Mike Temple. Chris' research is an extension of the work previously done by Dr. Juan Lopez...

Wednesday October 23, 2019 4:00pm - 4:45pm


Offsite Party - South City Kitchen
Don't miss this year's offsite party at South City Kitchen! Attendees will enjoy Southern classics with a sophisticated spin from an iconic bungalow in the heart of Midtown Atlanta. This VIP experience for all full conference pass holders will include signature dishes like fried chicken and shrimp & grits alongside innovative, inspired regional cuisine. Enjoy craft cocktails, local beers and fantastic wines as you network with other conference attendees.

Wednesday October 23, 2019 6:00pm - 9:00pm
South City Kitchen 3350 Peachtree Rd NE, Suite 175 Atlanta, GA 30326
Thursday, October 24


Bridging the Detection Gap by Leveraging the Analog Domain
Current ICS network monitoring defensive strategies include updating/patching, strengthening the periphery, and reusing traditional solutions from the Information Technology world. Unfortunately, these IT approaches provide limited coverage in ICS environments and leave critical systems vulnerable to cyber attacks, especially legacy systems using older communications protocols. Traditional approaches include network-based Intrusion Detection Systems (IDS) and signature-based solutions on host computers, such as anti-virus. These approaches have severe limitations and are insufficient for ICSs.

Recent advances in technology along with government-funded research have demonstrated the effectiveness of using unintended analog emissions from ICS/SCADA systems for detecting malicious behavior. These unintended analog emissions are referred to as side-channels. In electronics, the side-channel information is based on the physics of a device: as machine instructions are executed, they emit unique patterns which can be observed.

In this presentation, we will present the fundamental principles behind this technology and how it can be applied to secure critical infrastructure, Industrial Control Systems/SCADA and legacy PLCs. We will also describe how this technology can be applied to the ICS/SCADA supply chain, including detection of counterfeit devices and firmware implants. We will provide a brief case study of monitoring lateral movement of attacks in an OT environment which consists of an IP camera, a Cisco router and a Siemens PLC with sensors and HMI.

Learning Objectives:
  • Understand the principles of side-channels in modern electronic devices.
  • Learn how the Analog Domain (side-channels) can be used to illuminate hidden "unknown features" in your control systems.
  • Learn of the use cases and applications where side-channel information is used in modern and legacy control systems.

Thursday October 24, 2019 TBA
Solutions Theater


Breakfast and Registration
Thursday October 24, 2019 7:30am - 10:00am


The Convergence of Safety and Cybersecurity
Innovation often happens when different disciplines share knowledge. We're seeing this today with increased interactions between the risk management, industrial cybersecurity, and process safety disciplines. There is growing recognition of interdependencies between security and safety in control systems that is leading some in industry to expand their use of process safety standards and best practices such as HAZOP analysis and process safety risk matrices. Combining these risk management approaches with proper work procedures and structured change management techniques can help better protect systems against attacks while also reducing damage or disruption to critical operations.
This session will discuss the relationships between safety and cybersecurity risks, the approaches companies are taking to mitigate these risks, and the benefits that can be gained by coupling the domain knowledge and best practices from the worlds of process safety and cybersecurity alike.
This information will be of benefit to owner-operators, equipment suppliers, solution suppliers, and researchers interested in industrial cybersecurity and safety.


Larry O’Brien

Vice President of Research, ARC Advisory Group
Larry is part of the cybersecurity and smart cities and infrastructure teams at ARC. Larry has a 20-year background in process control, process safety, and field devices/field networks. Over the years, Larry has supported many of our end-user clients in the oil and gas and refining...

Thursday October 24, 2019 8:15am - 9:00am
Windsor Ballroom


Benefits of Securing ICS With SDN
Thursday October 24, 2019 8:15am - 9:00am


[Panel] Cyber Risk in Connected Ecosystems: Discussion With Organizations on the Front Lines
As digital and physical infrastructure continue to converge, enabled by the Internet of Things (IoT) and connected devices, a complex ecosystem of municipal services, public and private entities, people, processes, devices, and city infrastructure is created, all constantly interacting with each other. This massive amount of data, the integration between disparate IoT devices, and dynamically changing processes create new cyber threats, compounded by the complexities of data governance, the lack of common standards, etc. To protect these ecosystems and the value they bring, the responsible organizations should have product security programs, practice Security by Design throughout their products' and ecosystems' lifecycles, and ensure consistent coordination between their partners.

This panel discussion will involve stakeholders from the different stages of the product and ecosystem lifecycle, including a connected product manufacturer, an organization that implements IoT ecosystems, and an IoT system owner.


Thursday October 24, 2019 9:00am - 9:45am
Windsor Ballroom


Using Virtual Network TAPs in an ICS Environment
Network visibility provides situational awareness in an Industrial Control System (ICS). The use of physical network TAPs or SPAN ports to provide information to an out-of-band monitoring solution is critical to increasing the security posture of an ICS network. However, as more ICS vendors incorporate virtual machines (VMs) into their designs, an additional layer of tapping is necessary to ensure no blind spots are present. Communication between VMs can provide an opportunity for malicious actors to remain undetected, due to traditional tapping methods not being able to see the traffic.

One solution to capture inter-VM communication is the use of Virtual Network TAPs. This software solution monitors traffic flows between VMs and mirrors the traffic to be forwarded to security tools for analysis. The presentation will cover how Virtual Network TAPs can be installed on a typical ICS network which uses virtualization, what are typical capabilities of Virtual Network TAPs, and ways the data can be used if your project has a limited cybersecurity budget. Increased hardware virtualization is on the horizon and being able to setup and use Virtual Network TAPs will ensure your control system can be monitored effectively.


Nikolas Upanavage

Senior Control Systems Engineer, Bechtel Corporation
Nikolas Upanavage is a Senior Control Systems Engineer working at Bechtel's ICS Cybersecurity Technical Center. He has held roles on several Bechtel Engineering projects supporting the design and construction of Nuclear Power Plants, Chemical Agent Destruction Facilities, and Waste...

Thursday October 24, 2019 9:00am - 9:45am


IT and OT Join Forces to Secure Smart Cities
This session will demonstrate possible cyber-physical attacks against Smart Cities, by examining the challenges specific to port and maritime systems. By examining lessons learned from these incidents, the speaker will reveal how a layered response covering architectural, procedural, technological, and organizational measures can help mitigate risk efficiently. IT security practitioners from every industry are facing the challenges posed by our connected world. This session will highlight the principal challenges and benefits of integrating Information Technology with Operational Technology.

Learning Objectives - After attending this session you will understand how to:
  • Meld the architectural imperatives of OT (safety and service reliability) with those of Information Technology (data shall not be lost, altered, or inadvertently disclosed).
  • Integrate IT and OT networks without increasing the attack surfaces of both.
  • Develop processes and systems to bring IoT-enabled capabilities into the SDLC, whether waterfall, Agile, or DevOps.
  • Enhance organizational maturity to reduce re-work, eliminate problem rediscovery, and improve overall quality.


William Malik

VP of Infrastructure Strategies, Trend Micro
William Malik is VP of Infrastructure Strategies at Trend Micro. As a founder of Gartner’s Information Security Strategies service in the mid-1990s, Bill has deep expertise in information security matters. He has spoken internationally on information security, identity management...

Thursday October 24, 2019 9:45am - 10:30am


Removable Media as a Perimeter Security Control
Traditionally, controls around removable media (commonly referred to as RM) have been focused on data loss prevention and/or insider threat; however, in ICS environments, RM controls should also be considered as a perimeter control to provide a heightened security approach. Since Stuxnet, RM has proven that even air-gapped networks are vulnerable, and today sneakernet is still in use and still introduces potential vulnerabilities. In this session, Ben Stirling, Lead for Generation Cyber Security at Vistra Energy, will discuss how the integrated energy company took aim at this threat from a technical and policy perspective.


Ben Stirling

Lead, Generation Cyber Security, Vistra Energy
Benjamin Stirling is a Sr. Cyber Security Analyst with Vistra Energy as well as a member of the ERCOT CIP working group and ISA 99 Workgroup 4. For the last five years, Ben has been deeply integrated with Luminant’s I&C, Operational Technology, and Vistra Cyber Security groups...

Thursday October 24, 2019 9:45am - 10:30am


Morning Break
Thursday October 24, 2019 10:30am - 10:45am
Pre-Function Hallway


Security Concerns Around End of Life/Sales/Support (EOL/S/S)

Jack D. Oden

Principal Project Manager and ICS Cybersecurity SME, Parsons
Jack D. Oden, Principal Project Manager and ICS Cybersecurity Subject Matter Expert (SME), is a self-motivated, energetic, and accomplished team player and speaker with twenty years’ experience in negotiating system improvements between users and engineers; developing projects...

Thursday October 24, 2019 10:45am - 11:30am


War-Boarding a Cyber/Physical System and the Efficacy of Small-Board Computers and 'Dirty LANs'
This presentation describes some experimental work concerning the uses and efficacy of small-board computers (SBCs), penetration tools, and application security tests for cyber/physical systems. War-boarding of these networked devices has proven useful in isolated networks to validate cyber threat intelligence (CTI) concerning vulnerabilities, risks, remediation techniques, and resilience. A short demonstration scenario will be presented.

Learning objectives:
  • Critically assess the application of CTI frameworks to Cyber/physical systems.
  • Recognize the benefits and risks of CTI and penetration testing.
  • Assess the efficacy of validation for CTI threat reports and feeds
  • Review the nature of systems war-boarding.
  • Consider the utility of SBCs, ‘dirty LANs’ and CTI reporting.


Dr. Larry Leibrock

Research Affiliate, University Professor, Idaho National Lab

Thursday October 24, 2019 10:45am - 11:30am


Securing IIoT/Cloud Data Communications
With the rise of the IIoT and cloud platforms interacting with ICS equipment, OT-IT separation is no longer a valid form of security. Internet and cloud connectivity are basic staples, if not requirements, in the modern industrial enterprise. Endpoints are spread out across machines, networks, user devices, and organizations (for example, cloud vendors, third-party asset owners, and contract manufacturers). Data is being pushed out of the entire organization, from IT systems all the way down to devices attached to process equipment. This paradigm shift calls for a new approach, one that won’t fit in the previous layered, separated model. This session will discuss cybersecurity methods and technologies to build a new, secure framework outside and above the traditional models of ICS data communications, to incorporate new platforms and account for the increasing connectivity of systems and devices in today's industrial enterprises.


Brian Romansky

Chief Technology Officer, Owl Cyber Defense
Brian Romansky has over 25 years' experience in security technology and innovation in industrial and automotive security, payment systems, healthcare and logistics. He is currently Chief Technology Officer at Owl Cyber Defense, focused on shaping and executing the company's growth...

Thursday October 24, 2019 11:30am - 12:15pm
Solutions Theater


Recycling Industrial Attacks – Five Things You Need To Secure Your Operation
One of the newest trends in the OT security space is the recycling of OT attacks that make a second or third appearance. This session will cover three real examples of OT attack recycling. We will explain the role IT has played in making OT attack recycling possible, why attacks are making return appearances (with examples), and what the security community must do to keep OT safe from these threats now and in the future.

Session Objectives
  • Gain insight into recent recycled OT attacks (e.g., Shamoon, LockerGoga, and others), how they were perpetrated, and the etiology of these attacks.
  • Understand the ramifications of future attacks.
  • Learn five measures IT and OT security teams can take to protect against these new-generation attacks.

Thursday October 24, 2019 11:30am - 12:15pm


Thursday October 24, 2019 12:30pm - 1:30pm


The Myths of IIoT Security
During this talk, Cisco Talos will discuss some of the prominent myths that surround IIoT security and shed light on how enterprises can learn to separate hype from reality. Topics included will be IIoT reverse engineering practices, device vulnerabilities, calculating risk, and best practices to ensure your organization remains safe.

Thursday October 24, 2019 1:30pm - 2:15pm


CyberBit Presents
Thursday October 24, 2019 1:30pm - 2:15pm


Industrial Control Systems: Comparing Methodologies to Reduce Risk
Organizations and professionals are challenged to protect industrial control systems (ICS). Industrial control systems have been and continue to be the target of advanced cyber-attacks. These systems run the infrastructures that power the electric grid, natural gas supply, transportation, and other vital commodities. Cyber-security professionals have enumerated various techniques and methods to protect ICS against cyber-attacks. Despite these protective methods, ICS still suffer from breaches.

This study conducted a deep dive into three of the most advanced ICS cyber-attacks (Stuxnet, TRISIS, BlackEnergy 3).

The tactics of penetration and attack of each cyber-attack were reviewed. The study then examined several of the methods of protection recommended by regulatory and industry professionals. Each of these protection methods was matched against each of the advanced cyber-attacks to establish the efficacy of the method to protect the ICS.

The results of this study found that not all methods of ICS protection worked against advanced ICS cyber-attacks. In addition, there was a noticeable difference of protection among the methods against first-time attacks, when the malware was unknown, versus attacks when the malware was known to the cyber community and steps were taken to defend against the attack.

The study recommended further research into current ICS cyber-attacks. Additional exploration should be done to select and examine other documented methods of protection. Adding further results to the tables in the study will sharpen the determination of the effectiveness of each method against cyber-attacks.

Thursday October 24, 2019 2:15pm - 3:00pm


Charter of Trust in the Industrial World: Principles of Building a Safer Ecosystem
The Charter of Trust is a global initiative designed to transform the way we engage with cybersecurity. There are ten principles designed to harmonize and simplify efforts and raise the level of maturity of cybersecurity. During this session, we will talk about a subset of the principles and how they help co-create a more secure industrial sector. There will also be examples of success.

Members of the Charter of Trust include: Siemens, IBM, AES, NXP, Daimler, Dell, Cisco, T-Mobile, Enel, MSC, Allianz, Atos, SGS, TÜV SÜD, Total, Airbus, MHI.


Kurt John

Chief Cybersecurity Officer, Siemens USA

Thursday October 24, 2019 3:00pm - 3:30pm


[PANEL] Insights and Observations on #ICSCC19
Thursday October 24, 2019 3:45pm - 4:30pm
Windsor Ballroom