8:30 am - 9:00 am ET | 12:30 pm - 1:00 pm UTC | Available to In Person & Live Online Registrants
Awards
9:00 am - 9:10 am ET | 1:00 pm - 1:10 pm UTC | Available to In Person & Live Online Registrants
Opening Remarks
9:10 am - 9:45 am ET | 1:10 pm - 1:45 pm UTC | Available to In Person & Live Online Registrants
Hacking the Power Grid in a Virtual City - At Scale
Anthony Wallace, Principal Cyber Research Engineer, National Renewable Energy Laboratory
The presenter will demonstrate open-source tools enabling the audience to rapidly instantiate a co-simulation (distribution and transmission power models) of an urban area of a large US city (approximately 78,000 loads within minutes). This system will include IT systems and OT systems together and run automated attacks using well-known attack frameworks to display outcomes of an electric grid attack. Discussion of methods using the tools to develop resilience and recovery plans will conclude the presentation.
9:45 am - 10:20 am ET | 1:45 pm - 2:20 pm UTC | Available to In Person & Live Online Registrants
Answering the Big Question: Has My OT Been Compromised?
Determining an OT compromise is crucial in incident response, impacting business continuity, safety, and regulatory compliance. This presentation targets the core challenges in recognizing OT breaches: scarcity of EDR deployment, inadequacies in IDS tuning, skill gaps within OT teams, and overlooked security log and telemetry data. Through case studies from OT IR engagements, I will examine these obstacles to pinpoint common threat actor indicators that signal a confirmed OT compromise. The aim is to equip OT and cybersecurity professionals with the necessary tools and confidence for effective response during OT incidents. Our discourse moves from problem exposition to empowerment, enabling practitioners to navigate OT IR engagements with assurance and strategic foresight.
10:20 am - 10:35 am ET | 2:20 pm - 2:35 pm UTC | Available to In Person & Live Online Registrants
Break
10:35 am - 11:10 am ET | 2:35 pm - 3:10 pm UTC | Available to In Person & Live Online Registrants
Is Your Operator Ready for a Cyber Attack?
ICS operators are on the front lines of critical operations…but are usually the last ones to receive any form of cyber security training. This presentation will explore the use of simple and effective operational practices such as “Toolbox Talks”, developing SOPs (Standard Operating Procedures) and other operational controls to improve your organization's readiness to identify and respond to an OT cyber security incident.
11:10 am - 11:45 am ET | 3:10 pm - 3:45 pm UTC | Available to In Person & Live Online Registrants
Does Practice Make Perfect? Lessons Learned from a Full-Scale Power System Incident Response Exercise
Megan Culler, Power Engineer & Researcher, Idaho National Laboratory
While threats to the energy sector occur daily, few utilities get the opportunity to fully test out their detection and response mechanisms to advanced threats in the real world. With the high demand for reliability, few grid operators would allow execution of simulated cyber-attacks on their live systems. The DOE-funded Liberty Eclipse project offers a unique opportunity for small and large utilities and coops to practice their combined IT/OT responses to a live red team executing attacks against an isolated power system on an island in New York. Both cyber teams and power operations teams must work together to detect and respond to attacks, even restoring the power system against extreme impacts. Lessons learned from these exercises reveal key takeaways for understanding what a real attack against the electric sector will look like, gaps in execution of the best-laid plans when the pressure of a real event is bearing down, and how organizations can better prepare for advanced attacks by optimizing participation in exercises. This presentation will discuss successes and opportunities for improvement both in how utilities can prepare for and respond to events, as well as how full-scale IT/OT exercises can be coordinated.
11:45 am - 12:20 pm ET | 3:45 pm - 4:20 pm UTC | Available to In Person & Live Online Registrants
Journey to an OT SOC: Case Studies from Expanding Visibility
I am thrilled to submit ExxonMobil’s session, "Journey to an OT SOC: Case Studies from Expanding Visibility", where I plan to dive into the hard lessons learned during the establishment of an OT Security Operations Center capability at ExxonMobil. Here's a summation of the key takeaways: We tried to address the critical need for aligning OT and IT in the cybersecurity realm while getting quick wins. Discussed the journey of creating a SOC capability tailored for OT environments. Explored the challenges faced and what tailoring was needed, including technology integration, skillset requirements, and the development of specialized site/asset knowledge. Presented practical case studies highlighting summarized incidents the team worked on that shaped our approach to OT cybersecurity. I will share our insights into incident response strategies and the importance of continuous improvement in the face of evolving threats. I will outline strategies for fostering collaboration between OT and IT teams to enhance overall organizational preparedness. Discussed the role of threat intelligence, monitoring, and incident response in mitigating potential risks. Shared our commitment to continuous improvement, adapting to emerging threats, and refining our OT cybersecurity strategies. The journey to fortify OT cybersecurity requires a proactive approach, collaboration, and a commitment to learning from both successes and challenges. I will have key takeaways for OEMs and for asset owners. We hope the insights shared during my session contribute to all members' ongoing efforts in securing critical infrastructure.
12:20 pm - 1:15 pm ET | 4:20 pm - 5:15 pm UTC | Available to In Person & Live Online Registrants
Lunch
1:15 pm - 1:50 pm ET | 5:15 pm - 5:50 pm UTC | Available to In Person & Live Online Registrants
FuxNet: the New ICS Malware that Targets Critical Infrastructure Sensors
Around April 2024, a Ukrainian-affiliated hacking group named BlackJack claimed they attacked Russia's industrial sensor and monitoring infrastructure company called Moscollector. Not only did the hackers allegedly destroy Moscollector's servers and databases, they also deployed notorious malware called FuxNet (rhymes with Stuxnet) which bricked many sensor gateways, essentially blinding physical operations monitoring capabilities over tens of thousands of sensors deployed across Moscow.
In this talk we will unfold all the events preceding the final attack and discuss the true meaning of a new ICS malware targeting critical infrastructure sensors in a modern city like Moscow.
1:50 pm - 2:25 pm ET | 5:50 pm - 6:25 pm UTC | Available to In Person & Live Online Registrants
Using ChatGPT to Write ICS/OT Defensive and Offensive Tools
During the work on my SANS Master's thesis, I realized two things: I am not a developer, and ChatGPT makes a pretty good one. Using ChatGPT to write the Python scripts for my research, I started to branch out and use it to write defensive tools, such as for identifying unknown assets on the network as a listening service, or offensively, such as when taking a PLC out of Run mode remotely. If you can think through the process, ChatGPT (or other GenAI) can help you make it a reality. Want to Live off the Land and don't want to download a Python script which might be spotted? Use ChatGPT to convert it to PowerShell on the spot! Receiving error messages from the code it wrote for you? Don't worry - it can fix those issues too! The presentation will walk attendees through prompt creation for two sample coding projects - both with offensive/defensive capabilities, tools that attendees would be able to use back on the job. And, with inspiration, go out and create their own tools!
2:25 pm - 3:00 pm ET | 6:25 pm - 7:00 pm UTC | Available to In Person & Live Online Registrants
One Team One Fight: How Vulnerability Collaboration Crushes Threat Actors' Hopes and Dreams
Kate Vajda, Director of Vulnerability Research and Malware Threat Research, Dragos
In 2023, Rockwell Automation’s Product Security Incident Response Team was alerted by the government about an exploit targeting the 1756-EN* Communication modules. The Product Security Incident Response Team, with over 100 years of combined expertise, quickly formed a task force to address the threat, which allowed remote code execution and denial-of-service on many module models. The newest model, 1756-EN4*, had protections that mitigated the attack, underscoring the value of security by design. Rockwell swiftly developed firmware updates for all affected devices, including retired products, and coordinated with vendors to provide detection signatures. Dragos, as a partner, deployed analytics to Neighborhood Keeper to monitor exploitation and impact. In addition, these were provided to pre-empt the release to give customers visibility. This type of collaboration across industries was the first of its kind. This case exemplifies effective OEM response and collaboration for critical infrastructure protection, leveraging ICS4ICS principles for incident response transformation.
3:00 pm - 3:15 pm ET | 7:00 pm - 7:15 pm UTC | Available to In Person & Live Online Registrants
Break
3:15 pm - 3:50 pm ET | 7:15 pm - 7:50 pm UTC | Available to In Person & Live Online Registrants
Machina Matrix: OT Security & Operations in Cyber Overdrive - Building Operational Resilience
In the era of smart factories, the convergence of IT and OT systems, and the rise of the distributed workforce, the traditional concept of air gaps has become obsolete. Surprisingly, Operational Technology (OT) security budgets still hover between 3% and 5% of total cybersecurity spend. This presentation delves into the dynamic relationship between OT security and operations teams, exploring the challenges they face in aligning objectives and seizing the opportunities presented by security by design and operation. The session emphasizes how decisions regarding data architecture, system maintenance, and design can yield substantial benefits for both OT security and operations teams. For instance, the shift from traditional VPN architectures to OT data lakes supporting read-only use cases with fine-grained data access controls can enhance collaboration. By creating shared views of system and equipment data, security and operations teams can streamline troubleshooting, reduce Mean Time to Repair (MTTR), and optimize spending on upgrades and maintenance. Additionally, the presentation highlights the critical role of next-gen factories and greenfield projects in integrating cyber resilience into lifecycle budgeting, addressing often overlooked cybersecurity aspects such as End of Life of software products. Attendees will gain insights into strategic investments that promise significant Return on Investment (ROI) for both OT Security and Operations. The session will feature real-world examples of ROI sources and provide guidance on quantifying impact to support investment decisions, ultimately fostering stakeholder engagement and securing leadership buy-in for collaborative cybersecurity initiatives.
Join us to explore how collaborative efforts between operations and security can enhance efficiency, reduce labor costs, and mitigate the probability of events impacting operation in the industrial context.
3:50 pm - 4:25 pm ET | 7:50 pm - 8:25 pm UTC | Available to In Person & Live Online Registrants
Lessons Learned Building OT SOCs
Bruce Large, Principal OT Cyber Security Architect & Chief Evangelist, Secolve
“Prevention is ideal, but detection is a must” and OT Security Operations Centers are the nerve center for detection and response. With too many OT security programs focusing primarily on prevention security controls, asset operators are now trying to build the right OT SOC for them. Please join Bruce in this presentation where he outlines his lessons learned from building OT SOCs. The session will be structured by the themes of people, process and technology:
• People – How to lead an OT SOC team and make them thrive
• Process – How to build the right level of process to support the team and how to use enabling capabilities like SOC maturity models and knowledge management
• Technology – There is a lot of tech! Where to start and what makes the most sense to build out your OT SOC capability
The session will wrap up with general tips and resources that Bruce has found helpful!
4:25 pm - 4:30 pm ET | 8:25 pm - 8:30 pm UTC | Available to In Person & Live Online Registrants
End of Day