SANS Institute

The 2009 SCADA and Process Control Summit

Dates:
Summit: February 2 - 3, 2009
Post-Summit Courses: February 4 - 9, 2009

Summit Venue:
Walt Disney World Dolphin
1500 Epcot Resorts Blvd
Lake Buena Vista, FL 32830
Phone: 407-934-4000
Fax: 407-934-4880
Website: http://www.swandolphin.com/

Table of Contents

• Questions to be answered
• Organizing Committee
• Who should attend
• Summit Agenda
• Post Summit Courses
• Immediate registration

Ten Questions for the Summit

1. How has the threat to control systems changed during 2008? Who are the new attackers? What kind of damage have they already done? What can they do?
2. Exactly how do attackers penetrate the defenses that have been established by most control system users? What are the principal vulnerabilities in control systems and how should they be prioritized for mitigation?
3. How will the NERC CIP regulations change in 2009? What can you do now to get ahead of the changes?
4. What are some of the most valuable lessons learned by leading asset owners to improve security of control systems? For example: How one utility enabled outsiders to gain access to their systems during the Hurricane Ike aftermath while maintaining security.
5. How can utilities educate their Public Utility Commissions so that investments in cyber security may be included in the rate base.
6. What techniques are the most advanced control systems users implementing to mitigate the threat? How are they training their people? How are they balancing information technology and control systems needs?
7. How can utilities gain top management support for major security initiatives?
8. Which SCADA security research projects have shown useful results? How can asset owners put those findings to work?
9. Which control system vendors have made the most progress on implementing the new standards for secure configuration of their products?
10. What tools have governments developed that make security of control systems more effective and efficient?

The Organizing Committee

• Michael Assante, NERC
• Rita Wells, Gary Finco and Marty Edwards, Idaho National Laboratories
• Sean Paul McGurk, US Department of Homeland Security
• Ciaran O and Sheridan M, UK Center for the Protection of National Infrastructure (CPNI)
• Ake Holmgren, Swedish Emergency Management Agency (SEMA)
• Hank Kenchington, US Department of Energy
• Will Pelgrin, New York State and the Multi-State ISAC
• Mark Weatherford, State of California
• Marcus Sachs, Verizon
• Alan Paller, SANS Institute

Who should attend

Plant Managers, Engineering and Operations Management, Project Managers, Automation and Control Managers, Process Control and SCADA Engineers, Plant Engineers

Learn the lessons discovered by leading process control user organizations throughout the world, and what your process control vendor may be doing to boost the defenses on systems already deployed, and on new systems.

Information Security and IT Professionals in Organizations That Deploy Industrial Control Systems

Learn why control systems are so difficult to protect and arm yourself with clear case studies showing what has been done and what can be done to protect SCADA and other control systems. Learn the language of control systems so you can be of more help to the engineers who plan and deploy such systems.

Control System Vendor Developers and Integrators

Understand the requirements and constraints faced by owners and operators of automation systems. Determine the state of the art in control system security as a benchmark for your own future planning.

Government Leaders Responsible for Policy and Regulation of Utilities and Other Process Control Users

Better understand what government can and cannot do by learning the requirements, constraints, and current capabilities available to secure critical control systems.

Academic and Research Laboratory Leaders

Determine the most challenging and important questions that will shape your process control security research agendas.

Agenda

Sunday, February 1

4:00 pm - 5:00 pm

Special SCADA Overview - Matt Luallen, Encari

4:00 pm - 8:00 pm

Early Registration

Monday February 2

7:00 am - 8:30 am

Breakfast - Sponsored by Mu Dynamics & Byres Security

8:30 am - 9:10 am

Keynote: The Future of the Smart Grid
Garry Brown, Chair, New York Public Service Commission

9:10 am - 9:50 am

Keynote Discussion: Security Risks and Other Problems with the Smart Grid and AMI.
Asset Owners and security researchers discuss security and cost issues surrounding the smart grid and Automated Metering Systems
Matt Carpenter, InGuardians; Wesley McGrew, Mississippi State Univ.; Gary Finco, Idaho National Lab; Tom Flowers; Jonathan Pollet, Industrial Defender

9:50 am - 10:10 am

Break

10:10 am - 11:20 am

Track 1:
Control System Cyber Incident Handling: A Law Enforcement Perspective Panel.
Police and law enforcement cyber crime units have to prepare for incidents on SCADA and control systems. This panel focuses on issues such as incident response, forensics, public collaboration, as well as challenges and successes regarding how law enforcement is dealing with these very important issues.
Moderator: Mark Fabro, President & Chief Security Scientist, Lofty Perch. Panelists: Jeff Morgan, Process Control Systems Analyst, Cyber Division, Federal Bureau of Investigation; Susan Ferensic, Supervisory Special Agent, Federal Bureau of Investigation; Corporal Darren Sabourin, RCMP Technological Crime Unit

Track 2:
What's Really Going On Out there in CyberAttacks, and What's Coming Next? - A Conversation with Jason Larsen.
Jason's deep understanding of the attack space, his wide and varied contacts among black and white hats, and his engaging style make this one of the audience's favorite sessions year after year at the SCADA Security Summits. His predictions about future attacks are often eerily accurate.
Jason Larsen, IOActive

11:20 am - 12:30 pm

Track 1:
What Works in Security Control Systems: Panel One. Asset Owners Share Lessons from the Trenches
Tom Flowers, Centerpoint: Security in a Disaster: How to Allow Third Party Access While Protecting Your Systems; Mark Heard, Eastman Chemical, Segmenting Networks for Effective Security; Troy Embree, P & G

Track 2:
Dale Peterson Brings You the Best of S4 2009 (SCADA Security Scientific Symposium). Highlights from the January 2009 gathering of the top SCADA security researchers. You get the most important elements of two days of presentations summarized in this one-hour session at the Summit.
Dale Peterson, Digital Bond

In-Depth Discussion:
Wireless Threats with Matt Carpenter

12:30 pm - 1:40 pm

Lunch

1:40 pm - 2:40 pm

Track 1:
The Most Critical Vulnerabilities in Control Systems
What is the difference between the assessments that Idaho National Laboratory has performed and those performed by industry? Over 100 security assessments on critical infrastructure has exposed trends and patterns due to either cultural issues, or gaps in technology solutions. Common vulnerabilities and recommended mitigations will be presented from the asset owner perspective.
Curtis St. Michel, Idaho National Labs; Jonathan Pollet, Industrial Defender

Track 2:
The Software Patching and Updating Trade Offs for Critical Systems.
Some asset owners report that they have found a way to keep their systems patched without impacting reliability. Vendors are promoting significant improvements. In this panel you'll hear about progress along that front and be able to answer questions.
Kevin Staggs, Honeywell; Kevin Sullivan, Microsoft; Asset Owner (to be named)

In-Depth Discussion:
SCADA HMI Software Security Threats with Wesley McGrew

2:40 pm - 3:40 pm

Track 1:
Public Utility Commissioners Meet the Security Challenge.
This session uses a simulated rate hearing to help asset owners and utility commissioners identify the most productive (and unproductive) means of discussing control system security challenges and helping regulators understand the investments needed to protect the reliability of the critical infrastructure.
Garry Brown, Chair, NY Public Utility Commission; Mike Assante, NERC; Seth Bromberger, Pacific Gas & Electric

Track 2:
The Most Promising Results from the COE Roadmap to Secure Control Systems in the Energy Sector.
Chaired by Tom Flowers, this session highlights Dale Peterson of Digital Bond describing the Bandolier project (that worked with vendors on finding all security-related parameters and created verifications and auditing tools for continuous monitoring of all security parameters) and Bryan Richardson of SANDIA National Labs about the Ant Farm Project (a passive network mapping application displays a 'picture' of your network).
Tom Flowers; Dale Peterson, Digital Bond; Bryan Richardson, Sandia National Labs; Sharla Artz, Schweitzer Engineering Labs

In-Depth Discussion:
Critical Vulnerabilities in Control Systems with Rita Wells and May Chaffin

3:40 pm - 4:00 pm

Break

4:00 pm - 5:15 pm

The Updated Procurement Standards: Buying Security Baked into Control Systems.
Remote Access (Dial-up Modems; Dedicated Line and Dial-up Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications Security); Physical Security (Physical Access; Physical Perimeter Access; Manual Override Control; Intra-perimeter Communications); Network Partitioning (Network Devices; Network Architecture); and Wireless Technologies (Bluetooth; Microwave and Satellite; 802.11; ZigBee). They'll also discuss advances in worldwide adoption - especially in Europe and directions that the standards will go in the future.
Will Pelgrin, New York State Office of Cybersecurity and Critical Infrastructure; Rita Wells, Idaho National Laboratory; Robert McComber, Telvent; Larry Spoonemore, Southern Co.

In-Depth Discussion:
S4 with Dale Peterson

Tuesday, February 3

7:00 am - 8:30 am

Breakfast

8:30 am - 9:40 am

Keynote Panel: Penetration Testing; How the Attackers Get Through Your Defenses.
In 2008, executives in critical infrastructure industries (especially electric utilities) have demanded independent assessments on how well their systems and networks can withstand cyber attacks. This panel features the people most often called in to test those systems to determine whether they can be penetrated and how. These expert penetration testers will help you see exactly where the holes are and how they can bypass your defenses.
Top Penetration Testers from Idaho National Laboratory; Jason Larsen, IOActive; Ken Rohde, Idaho National Lab, and others to be named

9:40 am - 10:00 am

Break

10:00 am - 11:10 am

Track 1:
The Real Vulnerabilities and Risks in Serial Communication. Serial Communications Yesterday, Today and Tomorrow; Newly released research results that prove the vulnerabilities in Serial Communications; With the World Focused on TCP/IP Does Serial Become THE Target; Serial Vulnerability Mitigations - Promising Practices Plus a bonus discussion of the critical vulnerabilities being exploited through USB worms.
Perry Pederson, Wurldtech; Eric Byres, and others to be named

Track 2:
Combination Session: The Three Faces of Cyber Crime and What Works in Security Information Sharing in Cyber Security.
A very fast paced session that first introduces you to the attackers who are developing, using and enhancing the cyber attack tools - discussion what they are after, how they make their money, and what we can expect from them in the future. This is followed by a fascinating discussion of how and why companies in the UK actually share their attacks, vulnerabilities and mitigations.
Alan Paller, SANS; Sheridan, CPNI

In-Depth Discussion:
Red Team with Pen Testing Experts

11:10 am - 12:20 pm

Track 1:
Major Changes Coming in the NERC CIP Standards and Auditing
NERC has made enormous progress during the past few months in helping the electric sector to become leaders in understanding the threat and in mitigating the risks. But much more needs to be done and the CIP standards will be modified to help utilities do what is necessary. In this session, you'll hear from the people most responsible for making the needed changes and ensuring they are implemented fully and effectively and how they will be measured.
Mike Assante, NERC [plus others to be named by NERC]

Track 2:
The Three Most Important Things You can Do to Secure Your Control Systems.
Multiple perspectives on the most cost effective actions asset owners can take to improve security on control systems.
Eric Byres; Craig Dupler, Boeing

In-Depth Discussion:
Conversations with your Utility with Garry Brown

12:20 pm - 1:30 pm

Lunch

1:30 pm - 2:40 pm

What Works in Security Control Systems.
Seth Bromberger, Pacific Gas & Electric; Stacy Bresler, Pacificorp; Mike Firstenberg, American Water; Joel Garmon, Florida Power & Light

In-Depth Discussion:
CIP Standards with Mike Assante

2:40 pm - 3:40 pm

How to Upgrade the Security of the Control Systems You Already Own.
Three of the control system vendors who are doing the best job of baking security in. In this session leading vendors show you how you can use tools and techniques available today to implement the security improvements detailed in the SCADA procurement standards. They'll share the innovations they have added to their product lines and services and answer questions about what is and is not possible today.
Markus Braendle, ABB Power Systems

3:40 pm - 3:50 pm

Break

3:50 pm - 4:50 pm

Research Panel: What are the most promising research projects underway to improve security in cyber systems.
Lightning presentations and discussion about research projects funded by I3P, DHS, and DOE.
Ulf Lindqvist, SRI International and the I3P (moderator); Bryan Richardson, Sandia National Laboratories; David Nicol, University of Illinois at Urbana-Champaign; Mauricio Papa, University of Tulsa; Alfonso Valdes, SRI International

4:50 pm - 5:00 pm

Closing

5:00 pm - 6:00 pm

R & D Reception - This is a unique opportunity to discuss Process Control Research Initiatives. Please join us to find out what's new, what's being worked on and how you can benefit from it.

Register Now!