SANS Institute

SANS Process Control and SCADA Security Summit - Agenda

This agenda will change as new speakers with important messages are identified. Updates will be posted here. The agenda is built around the key questions that control systems engineers and information security professionals are asking:

Tuesday, January 15

5pm - 8pm

Welcome Reception and Registration

Wednesday, January 16

7:00am - 8:30am

Breakfast

8:30am - 9:45am

Keynote Panel - How real is the threat and how is it changing? (Jason Larsen, IOActive, Alan Paller, SANS Institute)

This panel provides three realistic and complementary views of the cyber threat to control systems and the critical infrastructures they manage. First you will hear the newest information that governments have learned about the threat actors and their goals and methods. Second you will see how the current wave of extortion has hit utilities through compromises of control systems. Finally you will get a clearer picture of the future of cyber attacks on control systems from someone who has listened in on what the cyber criminal community is discussing on their private channels and what exploits they are trading.

9:45am - 10:00am

Break

10:00am - 11:00pm

Keynote Panel: Penetration Testing: How the Attackers Get Through Your Defenses (Jeff Fay, Patch Advisors; Jonathan Pollet, Industrial Defender; and Jason Larsen, IOActive)

In 2007, executives in critical infrastructure industries (especially electric utilities) have demanded independent assessments of how well their systems and networks can withstand cyber attacks. This panel includes three of the people most often called in to test those systems to determine whether they can be penetrated and how. These expert penetration testers will help you see exactly where the holes are and how they can bypass your defenses.

11:00am - 12:00pm

Keynote Panel: Asset Owners: How To Implement Security Effectively Without Impacting Reliability: Lessons from the Trenches at BP, Southern Co., and PacifiCorp. (Paul Dorey, Larry A. Spoonemore, Patrick Miller)

Control system owners sometimes claim it is impossible to keep the systems patched, to filter traffic, to turn off unneeded services without breaking the systems. In this panel you will learn that much of that talk is often wrong. Led by the Chief Information Security Officer of BP, this panel demonstrates leadership by example, organizations that have found ways to keep patches up to date and implementing other processes needed to improve security, all without impacting reliability.

12:00pm - 1:15pm

Lunch

1:15 pm - 2:15pm

The Most Critical Vulnerabilities in Control Systems: Findings from the National SCADA Test Bed and the Control Systems Security Project (Rita Wells, Idaho National Laboratory)

Extensive testing of control systems from more than a dozen vendors has uncovered significant numbers of vulnerabilities. In this session INL's Rita Wells will show you each of the most important vulnerabilities and will tell you which ones could lead to the most damage if exploited and are hardest to correct. She'll also show you what can be done about each of them.

2:15 pm - 3:30 pm

Selling Security to Top Management and to Public Utility Commissions and the SCADA Security Survival Kit (The Conference Faculty and a Public Utility Commission manager and Jerry Murray, Oregon Public Utility Commission)

This session attempts involves a large amount of audience interaction to try to answer two of the more difficult questions facing utility managers interested in improved cyber security. It looks first at the work that has been done, particularly by the Australian government, in how to gain top management support for cyber security improvements. Then it turns to the tougher question of how to get the Public Utility Commissions to include security in the rate base so that security costs can be recovered.

3:30pm - 3:45pm

Break

3:45pm - 5:00pm

The most valuable research projects in SCADA security (Ulf Lindqvist, SRI International, Sean Kujawa, Shell Global Solutions; David Nicol, University of Illinois at Urbana-Champaign; Tom Stogdale, Matrikon; Simon Hennin and The-Kuang Lung, Raytheon; Vincent Berk, Process Query Systems LLC)

This session consists of five research briefs: (1) Intrusion Detection Technologies within Process Control. (2) The TCIP Testbed for Power Grid Security. (3) Commercialization of the RiskMAP Technology. (4) SCADA Cyber Attack Alert Tool (CAAT). And (5) Temporal-Structural Security Event Correlation with PQS. The briefs are very short but provide you with sufficient information to know which longer briefing you want to attend in the evening session beginning at 5:30 PM. (Night life in New Orleans doesn't start until later so you have time for both.)

5:30pm - 8:30pm

Research Presentations expanding on the late afternoon briefings and allowing ample time for discussion.

Thursday, January 17

7:00am - 8:30am

Breakfast

8:30am - 9:30am | A SPLIT SESSION

Session A: Mitigations for the Aurora Vulnerability (exclusively for full-time employees of companies and government agencies in the critical infrastructure) (Tim Roxey, Constellation Energy; Seth Bromberger, PG&E; and Mike Assante, INL)

Tim Roxey has been the leader among US asset owners in identifying and validating mitigations for the Aurora vulnerability highlighted on CNN.

In this briefing he provides specific mitigation strategies for both small and large organizations. If you work in the critical infrastructure and have an IT security or control system engineering role, this is a very important session. Tim will be assisted by Seth Bromberger and Mike Assante who have also played key roles in development of mitigation strategies.

Session B: The Three Faces of Cyber Crime: who is attacking, how they are getting in, what they are doing once they get in, and the innovative programs that have been developed to stop them. (Alan Paller, SANS)

Regularly updated versions of this briefing have been the highest rated presentations at every conference in which they were presented in 2007. The insiders view youll hear in this presentation is not available from any other speaker outside of classified settings.

9:30am - 9:50am

Break

9:50am - 11:00am

We're From the Government and We're Here to Help You (Cheri McGuire,US Department of Homeland Security; Hank Kenchington, US Department of Energy; Ciaran Osborn, UK Centre for Protection of National Infrastructure)

Governments have spent hundreds of millions of dollars on cyber security and have many products to show for their investments. In this panel leaders of the US and UK government cyber security efforts will show you what they have accomplished and point you to specific resources and tools that are of particular value to control system asset owners in the critical infrastructure. As part of this session, Keith Stouffer will also share information and answer questions about NIST's new publication, 800-82, that he helped author, called "Guide To Industrial Control System (ICS) Security."

11:00am - 12:00pm

The Revolution in the CIP Standards for Control Systems Security In Electric Utilities: FERC's new mandate and how best to navigate the changing landscape (Tim Roxey, Constellation Energy; Mike Peters, FERC)

The CIP standards, under intense Congressional scrutiny in the fall of 2007, have come up short, being characterized as "inadequate for protecting critical national infrastructure" according to a NIST-commissioned technical review). On December 11, 2007 the FERC changed the rules. This session will help you understand what went wrong originally, what FERC has done, and how best to meet the requirement so you actually protect your systems.

12:00pm - 1:15pm

Lunch

1:15 pm - 2:15 pm

The Updated Control System Procurement Standards: How to buy control systems with security baked in. (Mike Assante, INL; Will Pelgrin, New York State; Andy Evans, UK CPNI)

Utilities all over the world have adopted part or all of the new control system security procurement standards sponsored by the Department of Homeland Security and developed by Idaho National Labs. In this session you'll hear about he five new categories that have been added: Remote Access (Dial-up Modems; Dedicated Line and Dial-up Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communication Security); Physical Security (Physical Access; Physical Perimeter Access; Manual Override Control; Intra-perimeter Communications); Network Partitioning (Network Devices; Network Architecture); and Wireless Technologies (Bluetooth; Microwave and Satellite; 802.11; ZigBee) They'll also discuss advances in worldwide adoption - especially in Europe and directions that the standards will go in the future.

2:15pm - 3:15pm

How To Upgrade The Security Of The Control Systems You Already Own. (Joe Bucciero, KEMA; Paul Skare, Siemens; Gary Finco, INL and Sharon Xia, AREVA T&D)

In this session innovative the largest control system integrator joins with leading vendors to show how you can use tools and techniques available today to implement the security improvements detailed in the Scada procurement standards. They'll share the innovations they have added to their product lines and answer questions about what is and is not possible today.

3:15pm - 3:30pm

Break

3:30pm - 4:30pm

Information Sharing in Critical Infrastructure Security: How electric utilities in the West have found ways to work together to share experiences and best practices? (Stacy Bresler, Pacificorp, and Seth Bromberger, PG&E and Ciaran Osborn, UK Centre for Protection of National Infrastructure)

Organizations that are part of the critical infrastructure often find themselves on their own in cyber security. They get little they can use from government and their peers don't share what they are learning. But a group of utilities in the Western United States has solved that problem with an innovative organization that has an enviable record of sharing very sensitive information and making security easier for all its members. Two of the participants in that group with tell you about their experiences and share the formula that made it successful. They will also be available to help you plan similar organizations in your industry and your region of the country or world.

Finally the session closes with a review of the contents of the SCADA Security Survival Kit.