The 2006 Process Control and SCADA Security Summit

With free introductory SCADA security course sponsored by DHS and DoE

Caesar's Palace, Las Vegas, NV
September 28-30, 2006 (Pre-conference course on September 28)
The World's Leading Process Control System Security Conference

Table of Contents

General Information

Organizing Committee

Attendee Information

Exhibitor Information

Agenda

General Information

Dates:

Security Summit

September 29-30: 8:00 AM - 5:00 PM plus evening sessions on Sept. 29

• Agenda

Pre-Summit Course

• Introductory SCADA Security Session 1 - September 28 (8am - 12pm) (Sold Out)
• Introductory SCADA Security Session 2 - September 28 (1pm - 5pm)
• Intermediate SCADA Security Session 1 - September 28 (Sold Out)
• Intermediate SCADA Security Session 2 - September 29 (Sold Out)
• Intermediate SCADA Security Session 3 - September 30 (Sold Out)

What Is the Process Control & SCADA Security Summit?

The Summit is a SANS educational program designed to train and empower control system users and vendors to immediately reduce the risk of cyber attacks against control systems. It answers the fundamental questions that are troubling thoughtful users of control systems:

1. What cyber attacks have already occurred against control systems and what damage was done?
2. How do attackers get in?
3. What are the most critical vulnerabilities and which ones are most important?
4. What has to be done to protect current systems?
5. How can we use the new procurement language to ensure that vendors of new control systems deliver state of the art security baked in?
6. What are governments in North America and Europe doing to make the job of securing control systems easier?
7. Are there any useful research projects underway that will impact cyber security of control systems?
8. What patterns are emerging in cyber attacks and what future attacks can be expected to be launched against control systems?

This program is designed to help you understand what can be done now to improve security of SCADA and process control systems.

Who Should Attend?

1. Control system engineers interested in ensuring attackers don't undermine the reliability of their systems. Specific industries include power generation and distribution, pipelines, chemical plants, water systems, dams.
2. System integrators who implement control systems and want to be sure they are delivering safe systems
3. Control system vendors who plan to satisfy user needs for security "baked-in".
4. IT and cybersecurity staff members who understand security issues but are not experts in security of control systems.
5. Cybersecurity policy makers who can guide regulated industries to ensure more rapid improvement of security.
6. Security researchers who want to learn about the best work being done and which needs are not being met.
7. Law enforcement officials who want to get ahead of the next wave of cyber attacks.

This is a global Summit. Delegates from eight countries on four continents are already registered. Most delegates are coming on their own or as part of a corporate team, but delegations of asset owners and government officials were assembled in countries in Europe and Asia/Pacific.

Attendees at the Summit meet the best and brightest in process control security, both decision makers and technologists.

Don't miss this unique opportunity to hear fresh approaches to improving SCADA and control system security that can be implemented now.

Register today to attend and maximize your opportunity to

• Improve your understanding of the threats and challenges.
• Learn What Works in case studies from leading users.
• Learn, in depth, the new common security specifications and how to apply them in your procurements.
• Play a role in defining extensions and improvements to the security specifications.
• Learn about the five most important research programs in SCADA and process control security.
• Learn about other control system security standard initiatives that are ready to be applied now.
• Network with hundreds of skilled process control and information security practitioners who care about securing the critical infrastructure.

Organizing Committee

The most advanced users of SCADA and other controls systems joined with research and government leaders to shape the Summit for you.

Asset Owners

• Ian Henderson, BP
• Andrew Hildick-Smith, Massachusetts Water Resources Authority (MWRA)
• Carlo Rietveld, World Bank (Ret.)
• Tom Good, DuPont Co (Invited)
• Eric Cosman, The Dow Chemical Company
• Ivan Susanto Chevron, Chevron Texaco
• Rene Bourassa, Hydro Quebec
• Tom Bowe, PJM
• Gerald S. Freese, AEP

Government and Industry Groups

• *Will Pelgrin, Chief Information Security Officer, State of New York and Chairman of the Multi-State ISAC
• Karl Williams, National Infrastructure Security Coordination Centre (UK)
• Mark Weatherford, State of Colorado (Invited)
• Mike Torppey, Technical Director, Process Control Systems Forum
• Tom Kropp, EPRI (Electric Power Research Institute)
• Keith Stouffer, NIST
• Bryant Tow, InfraGard

Process Control Manufacturing Leaders

• Ernest Rakaczky, Invensys
• Kevin Staggs, Honeywell
• Brian Singer, Rockwell Automation
• Jeff Potter, Emerson

Research and Engineering Groups

• *Mike Assante, Idaho National Laboratory
• *Marcus Sachs, SRI International (supports the Department of Homeland Security)
• Rita Wells, Idaho National Laboratory
• Jennifer DePoy, Sandia National Laboratory
• Jeff Dagle, Pacific Northwest Laboratory
• *Alan Paller, The SANS Institute

*Executive Committee Members

Attendee Information

WHY ATTEND?

The Process Control & SCADA Security Summit is a must-attend event for the technical and procurement managers of any organization that relies on automated industrial control systems, and for the system integrators and system vendors that support them. It is focused on what can be done now and in the near future to secure control systems, and on understanding and using the new security procurement specifications. This is a unique opportunity to learn the state of the art in protecting control systems. You'll also learn how leading control system vendors are improving the security of the systems they sell and learn about promising new technologies that are ready to be employed to protect your control systems. No other SCADA or process control security conference draws even half as many industry leaders as the Summit.

Who Should Attend

Plant Managers, Engineering and Operations Management, Project Managers, Automation and Control Managers, Process Control and SCADA Engineers, Plant Engineers

Learn the lessons discovered by leading process control user organizations throughout the world. Learn what your process control vendor may be doing to boost the defenses on systems that have already been deployed and on new systems. Understand what is included in the new common security procurement specifications and how to use them.

Information Security and IT Professionals in Organizations that Deploy Industrial Control Systems

Learn why control systems are so difficult to protect and arm yourself with clear case studies showing what has been done and what can be done to protect SCADA and other control systems. Learn the language of control systems so you can be of more help to the engineers who plan and deploy such systems.

Control System Vendor Developers

Understand the requirements and constraints faced by owners and operators of automation systems. Determine the state of the art in control system security as a benchmark for your own future planning.

Process Control System Integrators

Learn how to apply the new common procurement specifications and attend a special session exclusively for system integrators on how to become a leading integrator in applying the new procurement specifications for your clients.

Government Leaders Responsible For Policy And Regulation Of Utilities And Other Process Control Users

Better understand what government can and cannot do by learning the requirements, constraints, and current capabilities available to secure critical control systems.

Academic and Research Laboratory Leaders

Meet the top researchers in cyber security for control systems and review their projects.

Exhibitor Information

Control system vendors and security vendors will be part of the technical program at the Summit, participating in joint presentations with leading asset owners who have deployed or evaluated their technology. In addition control system vendors and integrators that want to share more details about their security initiatives may reserve one of the hospitality suites for the evenings of September 28 and 29. Only a few hospitality suites are available and several have already been spoken for. Contact Mason Brown at mbrown@sans.org to see whether any are still available.

Agenda

Friday - September 29

1: Updated Process Control Security Threat Briefing

The nation's top technical expert on SCADA and process control security vulnerabilities provides an authoritative review of the principal attack vectors hackers can use to penetrate and control SCADA and control systems and how those attack vectors will change over the next year or two. His presentation will be complemented by an update on international cyber crime and terrorist activity. SCADA related cyber extortion examples will also be discussed.

2: The Process Control Security Top Vulnerabilities

An authoritative presentation illuminating and prioritizing the most important cyber security risks associated with process control and SCADA systems along with estimates of the damage that can be done by exploiting each of them and lists of the most effective methods of countering them.

3: Understanding and Using the Standard Procurement Language and Minimum Security Specifications for Securing New SCADA and Process Control Systems

A review of the ground-breaking project that has created a consensus set of security specifications for use by asset owners when they buy new control systems - ensuring that the control system vendors deliver security "baked-in".

4: Understanding and Using the new Security Procurement Specifications

A panel of experts who helped draft the procurement specifications will share their insights into each of the major components of the new specifications, suggestions of which elements are most important, and recommendations on how you might adapt the specifications to your own needs.

5: What to do about Legacy Systems

This session will focus on how to apply the consensus process to securing legacy systems - what control system vendors can be asked to do, what security vendors can be asked to do, how buyers can work together to ensure cost effectiveness.

Saturday - September 30

6: Government Leadership in Cyber Security of Control Systems

A panel of US, UK, Swedish and other national and state government leaders providing short talks about their most important initiatives in this area. Includes introduction of a new one-hour short course, sponsored by DHS.

7: New Technologies Being Introduced into Control Systems

This session focuses on the new technologies being woven into control systems, from Windows to wireless. The panelists discuss not only what the new technology adds to the effectiveness, but also the added risks introduced with the new technologies and the most effective mitigation strategies for reducing that risk, along with procurement language you can use to ensure the vendors build the risk mitigation into the products they deliver.

8: Lessons learned and best practices in managing security of control systems

A panel of users share the lessons they have learned in implementing comprehensive security programs. What works, what fails, and why.

9: The Top Five Process Control Security Research Initiatives

Lightning talks by researchers selected by the research subcommittee of the organizing committee as representative of the best cybersecurity research projects directly relevant to users of SCADA and process control systems.

10: Process Control Vendor Security Initiatives

A panel highlighting outstanding examples of vendors that have baked security into their products to reduce the security burden on their users.

11: Wrap Up

Last word on threats. What are the next steps?

Evening Programs

The Summit provides a unique opportunity for networking, and the organizing committee is planning a rich set of programs to foster that networking.

• Control system vendor hospitality suites
• Industry user group birds of a feather sessions
• Security vendor "Munch and Learn"
• Opportunities to ask more questions of Summit speakers.
• If you have ideas for other evening sessions, we'll give you a chance to suggest them after you have registered for the Summit.