8:30 am - 9:00 am ET (12:30 pm - 1:00 pm UTC) | Awards

9:00 am - 9:10 am ET (1:00 pm - 1:10 pm UTC) | Opening Remarks

9:10 am - 9:45 am ET (1:10 pm - 1:45 pm UTC) | Hacking the Power Grid in a Virtual City - At Scale
Anthony Wallace, Principal Cyber Research Engineer, National Renewable Energy Laboratory

The presenter will demonstrate open source tools enabling the audience to rapidly instantiate a co-simulation (distribution and transmission power models) of an urban area of a large US city (approximately 78,000 loads within minutes). This system will include IT systems and OT systems together and run automated attacks using well known attack frameworks to display outcomes of an electric grid attack. Discussion of methods using the tools to develop resilience and recovery plans will conclude the presentation.

9:45 am - 10:20 am ET (1:45 pm - 2:20 pm UTC) | Answering the Big Question: Has My OT Been Compromised?

Determining an OT compromise is crucial in incident response, impacting business continuity, safety, and regulatory compliance. This presentation targets the core challenges in recognizing OT breaches: scarcity of EDR deployment, inadequacies in IDS tuning, skill gaps within OT teams, and overlooked security log and telemetry data. Through case studies from OT IR engagements, I will examine these obstacles to pinpoint common threat actor indicators that signal a confirmed OT compromise. The aim is to equip OT and cybersecurity professionals with the necessary tools and confidence for effective response during OT incidents. Our discourse moves from problem exposition to empowerment, enabling practitioners to navigate OT IR engagements with assurance and strategic foresight.

10:20 am - 10:35 am ET (2:20 pm - 2:35 pm UTC) | Break

10:35 am - 11:10 am ET (2:35 pm - 3:10 pm UTC) | Is Your Operator Ready for a Cyber Attack?

ICS operators are on the front lines of critical operations, but are usually the last ones to receive any form of cyber security training. This presentation will explore the use of simple and effective operational practices such as “Toolbox Talks”, developing SOPs (Standard Operating Procedures) and other operational controls to improve your organization's readiness to identify and respond to an OT cyber security incident.

11:10 am - 11:45 am ET (3:10 pm - 3:45 pm UTC) | Does practice make perfect? Lessons learned from full-scale power system incident response exercise
Megan Culler, Power Engineer & Researcher, Idaho National Laboratory

While threats to the energy sector occur daily, few utilities get the opportunity to fully test out their detection and response mechanisms to advanced threats in the real world. With the high demand for reliability, few grid operators would allow execution of simulated cyber-attacks on their live systems. The DOE-funded Liberty Eclipse project offers a unique opportunity for small and large utilities and co-ops to practice their combined IT/OT responses to a live red team executing attacks against an isolated power system on an island in New York. Both cyber teams and power operations teams must work together to detect and respond to attacks, even restoring the power system against extreme impacts. Lessons learned from these exercises reveal key takeaways for understanding what a real attack against the electric sector will look like, gaps in execution of the best-laid plans when the pressure of a real event is bearing down, and how organizations can better prepare for advanced attacks by optimizing participation in exercises. This presentation will discuss successes and opportunities for improvement both in how utilities can prepare for and respond to events, as well as how full-scale IT/OT exercises can be coordinated.

11:45 am - 12:20 pm ET (3:45 pm - 4:20 pm UTC) | Journey to an OT SOC: Case Studies from Expanding Visibility

I am thrilled to submit ExxonMobil’s session, "Journey to an OT SOC: Case Studies from Expanding Visibility", where I plan to dive into the hard lessons learned during the establishment of an OT Security Operations Center capability at ExxonMobil. Here's a summation of the key takeaways: We tried to address the critical need for aligning OT and IT in the cybersecurity realm while getting quick wins. Discussed the journey of creating a SOC capability tailored for OT environments. Explored the challenges faced and the tailoring required, including technology integration, skillset requirements, and the development of specialized site/asset knowledge. Presented practical case studies highlighting summarized incidents the team worked on that shaped our approach to OT cybersecurity. I will share our insights into incident response strategies and the importance of continuous improvement in the face of evolving threats. I will outline strategies for fostering collaboration between OT and IT teams to enhance overall organizational preparedness. Discussed the role of threat intelligence, monitoring, and incident response in mitigating potential risks. Shared our commitment to continuous improvement, adapting to emerging threats, and refining our OT cybersecurity strategies. The journey to fortify OT cybersecurity requires a proactive approach, collaboration, and a commitment to learning from both successes and challenges. I will have key takeaways for OEMs and for asset owners. We hope the insights shared during my session contribute to all members' ongoing efforts in securing critical infrastructure.

12:20 pm - 1:15 pm ET (4:20 pm - 5:15 pm UTC) | Lunch

1:15 pm - 1:50 pm ET (5:15 pm - 5:50 pm UTC) | Chasing an Iranian attack on ICS infrastructure and finding new 0-days in the process

During the 2023 war in Israel, an IRGC-affiliated threat actor, Cyberav3ngers, targeted an Israeli-made controller used in water facilities worldwide, spreading propaganda and fear. The attackers chose to deface and shut down Unitronics Vision series devices, sabotaging and rendering them unusable. In a conjoined effort with different government agencies and CERT organizations, we researched and developed forensics tools allowing extraction of evidence from attacked PLCs. These tools can be used to attribute the attacking group behind the attacks. Through our research, we managed to gather valuable evidence that could be used to further identify the attackers and shed light on the operation. Throughout our research, we also explored the newer product line of the PLC, uncovering and disclosing several critical vulnerabilities to the vendor which could have posed a bigger threat if discovered by the attackers. In this talk, we will share our research process, methodologies and findings, along with the tools we developed along the way to help us research and investigate infected devices.

1:50 pm - 2:25 pm ET (5:50 pm - 6:25 pm UTC) | Using ChatGPT to Write ICS/OT Defensive and Offensive Tools

During the work on my SANS Master's thesis, I realized two things: I am not a developer and ChatGPT makes a pretty good one. Using ChatGPT to write the Python scripts for my research, I started to branch out and use it to write defensive tools such as for identifying unknown assets on the network as a listening service or offensively such as when taking a PLC out of Run mode remotely. If you can think through the process, ChatGPT (or other GenAI) can help you make it a reality. Want to Live off the Land and don't want to download a Python script which might be spotted? Use ChatGPT to convert it to PowerShell on the spot! Receiving error messages from the code it wrote for you? Don't worry - it can fix those issues too! The presentation will walk attendees through prompt creation for two sample coding projects - both with offensive/defensive capabilities, tools that attendees would be able to use back on the job. And, with inspiration, go out and create their own tools!

1:50 pm - 4:25 pm ET (5:50 pm - 8:25 pm UTC) | Lessons learned building OT SOCs
Bruce Large, Operational Technology Cyber Security Team Leader, Powerlink Queensland

“Prevention is ideal, but detection is a must”, and OT Security Operations Centers are the nerve center for detection and response. With too many OT security programs focusing primarily on preventive security controls, asset operators are now trying to build the right OT SOC for them. Please join Bruce in this presentation where he outlines his lessons learned from building OT SOCs. The session will be structured by the themes of people, process and technology:

• People – How to lead an OT SOC team and make them thrive
• Process – How to build the right level of process to support the team and how to use enabling capabilities like SOC maturity models and knowledge management
• Technology – There is a lot of tech! Where to start and what makes the most sense to build out your OT SOC capability

The session will wrap up with general tips and resources that Bruce has found helpful!

2:25 pm - 3:00 pm ET (6:25 pm - 7:00 pm UTC) | One Team One Fight: How Vulnerability Collaboration Crushes Threat Actors' Hopes and Dreams

It is early in 2023 and you, as a Rockwell Automation Product Security Incident Response Team member, receive a call from a government agency. “We are from the government, and we REALLY are here to help!” What comes next will require you to pull on all your experience over the last 17 years that you have amassed from fighting phishers in the early 2005s to fighting the nation’s most advanced cyber adversaries in the military. In addition, you will be putting your recently granted ICS4ICS Incident Commander credentials to the test. You will be fighting against a clock and a very technically adept enemy who has enormous resources and only has one goal in mind: attack your customers to destroy, degrade, and deny their ability to operate.

Background: Government partners notified Rockwell Automation in early 2023 that an Advanced Persistent Threat was developing an exploit to target one of the company's most popular products, the 1756-EN* Communications modules. The 1756-EN* Communication modules are prevalent throughout the globe as they allow the user to connect different PLCs and other devices to a network, making them essential in automation. The government partner reached out immediately to Rockwell Automation. This was a unique opportunity because this exploit had not been seen in the wild by Rockwell Automation. The PSIRT team quickly stood up a task force that had a combined 100+ years of security research and embedded software development expertise to solve this. The presentation will include an overview of the exploit, the investigation process, the remediation efforts, and the coordination efforts leading to the disclosure of the issue. The team discovered that the exploit affected many models of the 1756-EN* communication modules, allowing remote code execution and a denial-of-service condition. The team also found that the newest model (1756-EN4*) had built-in protection mechanisms that mitigated the attack, which highlighted the importance of security by design. The team developed and released firmware updates for all affected devices (including retired and end-of-life products) in record time, demonstrating their commitment to customer safety. Rockwell was even able to reach into the retirement pool to bring in one of the original developers of the code base for assistance. The coordination included providing detection signatures to vendors such as Dragos for pre-release analysis to ensure that there was no sign of active exploitation against those who had Neighborhood Keeper. Overall, the case is an example of how an original equipment manufacturer should respond and collaborate with all partners to better protect customers in critical infrastructure. It also demonstrated the importance of the ICS4ICS principles and how they can be leveraged to transform Incident Response in the Product Security space.

Dragos' perspective: As a recipient of the call-to-action from an OEM, extending urgency from a government agency, we had an even shorter time to respond. Balancing communications with limited information, several vendors worked together to help provide the best response to our collective customers. This response included deploying analytics to Neighborhood Keeper in case exploitation was already taking place and getting a pulse of how many customers and industries are impacted by this threat. In the end, we were extremely impressed with Rockwell Automation’s handling of the vulnerabilities, bringing the community together, and we were honored to have a head start on the threat before it was public.

3:00 pm - 3:15 pm ET (7:00 pm - 7:15 pm UTC) | Break

3:15 pm - 3:50 pm ET (7:15 pm - 7:50 pm UTC) | Machina Matrix: OT Security & Operations in Cyber Overdrive Building Operational Resilience

In the era of smart factories, the convergence of IT and OT systems, and the rise of the distributed workforce, the traditional concept of air gaps has become obsolete. Surprisingly, Operational Technology (OT) security budgets still hover between 3% to 5% of total cybersecurity spend. This presentation delves into the dynamic relationship between OT security and operations teams, exploring the challenges they face in aligning objectives and seizing the opportunities presented by security by design and operation. The session emphasizes how decisions regarding data architecture, system maintenance, and design can yield substantial benefits for both OT security and operations teams. For instance, the shift from traditional VPN architectures to OT data lakes supporting read-only use cases with fine-grained data access controls can enhance collaboration. By creating shared views of system and equipment data, security and operations teams can streamline troubleshooting, reduce Mean Time to Repair (MTTR), and optimize spending on upgrades and maintenance. Additionally, the presentation highlights the critical role of next-gen factories and greenfield projects in integrating cyber resilience into lifecycle budgeting, addressing often overlooked cybersecurity aspects such as End of Life of software products. Attendees will gain insights into strategic investments that promise significant Return on Investment (ROI) for both OT Security and Operations. The session will feature real-world examples of ROI sources and provide guidance on quantifying impact to support investment decisions, ultimately fostering stakeholder engagement and securing leadership buy-in for collaborative cybersecurity initiatives. Join us to explore how collaborative efforts between operations and security can enhance efficiency, reduce labor costs, and mitigate the probability of events impacting operations in the industrial context.

4:25 pm - 4:30 pm ET (8:25 pm - 8:30 pm UTC) | End of Day