This talk explores the concept of Defense in Depth (DID), its relevance in OT environments, and a new approach proposing using open-source threat intelligence sources to prioritize the implementation plan of DID in OT. The talk explores the detection and protection mechanisms that suit the unique characteristics of OT environments, ensuring robust cybersecurity in the face of the latest threats discovered (with case studies included).

We will address the practical aspect of prioritizing Defense in Depth strategies within OT networks. With limited resources, the audience is encouraged to critically analyze their cybersecurity investments to the most effective utilization of their budget. If you had only one dollar to allocate, what would be the most impactful step to take?

We will showcase a new, promising Threat-intelligence knowledgebase by MITRE called MITRE D3FEND, and showcase how it can be leveraged it in order to help with that mission.

Key Takeaways:

• Understanding Defense in Depth (DID) and its relevance in OT environments.
• Leveraging DCS and other ICS security features to enhance DID effectiveness.
• Tailoring detection and protection mechanisms to suit the uniqueness of OT environments.
• Prioritizing defense strategies with limited resources for optimal cybersecurity outcomes, based on threat-intelligence knowledgebase like MITRE D3FEND.

The talk will present some case studies of recent incidents we have responded to and highlight what works and what doesn't in providing enough certainty, situational awareness, and a recommended course of action to go back online and back to normal after an incident has either touched an ICS/OT environment directly or forced operators to severe connections to the business network.

Threat hunting to find EVIL can be a difficult endeavor, if you let it. Many people think that they are using threat hunting to find the bad guys in the network. Threat hunting can identify malicious insiders and hackers but it most often identifies misconfigured applications, servers, and network devices. It can also provide context around normal and abnormal user and administrative behaviors. Weather you are a medium sized shop, small shop, or a one-person IT / network / cybersecurity staff your team can use threat hunting to improve operations while also reducing risk.

In this talk, Don will simplify threat hunting activities. The goal will be to provide a repeatable process that can be used by yoru administrators to understand what is really happening on the network. The process will also provide the basis for justifying equipment and work hours to make this important process successful. All of this will, in turn, dramatically reduce the time it takes your team to respond to a compromise.

In the rapidly evolving and interconnected digital landscape of today, safeguarding critical data holds paramount significance. As organisations increasingly rely on robust backup strategies to safeguard sensitive information, a vital aspect of comprehensive data protection involves conducting in-depth security analyses on backup files.

As part of our innovation initiative, we are set to showcase a groundbreaking project that underscores the utility of leveraging open-source GitHub projects to directly scrutinise backup files of Operational Technology (OT) systems or extensive collections of Virtual Machines (VMs) from a hypervisor. The outcomes of this endeavor can be seamlessly integrated into cybersecurity operations, incident response procedures, and compliance audits. The tooling employed in this project drastically reduces the time required for what is conventionally perceived as hours or even days of work to just a few minutes or seconds. This innovation proves especially advantageous for isolated or legacy systems where conventional methods like direct networking, SIEM/EDR tool installation, and network-based log extraction are not feasible.

The versatility of this tool allows it to be executed either locally for ad-hoc operations or centrally in locations with access to backup archives.

We will provide insights into leveraging open-source tools to efficiently orchestrate extensive data collection and analysis, encompassing various backup formats, generate customised security reports and enhancing the capabilities in daily security operations, including configuration and vulnerability management, as well as incident response activities such as response preparation and root cause analysis.

Today industries are highly relying on Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems. It has become paramount that robust cybersecurity measures in these environments are important. This presentation explores comprehensive studies conducted to evaluate and enhance security practices in OT/SCADA systems. Drawing on real-world case studies and experiences, the session will delve into the challenges faced and lessons learned while implementing and managing security measures.

The presentation will cover key aspects such as threat landscapes specific to OT/SCADA, vulnerabilities in legacy systems, and the evolving nature of cyber threats targeting critical infrastructure. Practical insights gained from successful security implementations, incident response strategies, and the role of risk management will be shared. The importance of collaboration between IT and OT teams to establish a holistic security framework will also be emphasized.

Participants can expect to gain a deeper understanding of the unique security considerations in OT/SCADA environments, along with actionable takeaways to fortify their own systems against emerging cyber threats. The presentation aims to contribute valuable insights to professionals involved in industrial control systems, fostering a proactive approach to cybersecurity in critical infrastructure.

Join us for a panel discussion with top ICS practitioners on what you need to know to get your organisation up to speed on the upcoming disclosure requirements for all critical sector organisations doing business in the European Union. 

Some of the items we will cover include: 

• The goals of the NIS II Risk Management, Strategy, Governance and Incident Disclosure.
• What do you need to do to stay compliant from an ICS perspective? 
• What should be included in your yearly report to ENISA?
• What are considered best practices in ICS to avoid cyber incidents? 

Moderated by Brian Correia, Director of Business Development at GIAC, join Tim Conway, SANS curriculum lead in ICS and Kai Thomsen, a certified SANS instructor, on what you need to know and solutions from faculty members in meeting the new requirements by October 2024. 

Packets and payloads and data and stuff. When you're in the middle of an incident, or dealing with an unexpected event, being able to answer questions about your network quickly is a valuable skill. This talk will provide tactical approaches, examples and code for making sense of your ICS environment, with a dash of stats.

Around April 2024 a Ukrainian affiliated hacking group named BlackJack claimed they attacked Russia's Industrial Sensor and Monitoring Infrastructure company called Moscollector.

Not only did the hackers allegedly destroy Moscollector's servers and databases, they also deployed a notorious malware called FuxNet (rhymes with Stuxnet) which bricked many sensor gateways, essentially blinding physical operations monitoring capabilities over tens of thousands of sensors deployed across Moscow.

In this talk we will unfold all the events preceding the final attack and discuss the true meaning of a new ICS malware targeting critical infrastructure sensors in a modern city like Mosocow.

Most industrial companies already implemented many security measures in their environment. But how do you know if these measures a sufficient? If an attack will bypass these measures, will you be able to detect and respond in the shortest possible time?

Honeypots have been around for a while, but deception technology goes well beyond a high interaction honeypot. This presentation will show up why deception technology is a powerful tool for protecting OT infrastructures and that deception technology does not require AI or machine learning and can generate threat intelligence for threat analytics and hunting purposes. The speaker will demonstrate that deception is a technology that includes benefits like non-intrusiveness, ease of installation, lack of false alarms, and cost-effectiveness.

Russian war in Ukraine is the first example of a full-scale cyber war. The dramatic increase in the number of cyberattacks and critical cyber incidents was observed in Ukraine since the beginning of the full-scale invasion.

This talk will discuss the unprecedented massive attacks aimed at wiping out infrastructure through various types of attacks performed, including DDOS, website defacing, data theft and the use of wipers. The cyberattacks were combined with psychological information operations and were often accompanied by kinetic attacks.  Lessons learned will be shared for consideration by defenders working in the critical infrastructure community. 

The convergence of Operational Technology (OT) and Information Technology (IT) landscapes has introduced new challenges for organizations striving to secure critical infrastructure. This presentation aims to share valuable insights and lessons learned from the deployment of OT security monitoring solutions on a global scale, with a focus on challenges on the road for roll-out and integration with Security Operations Center (SOC).

1- Understanding the OT Landscape:

The unique characteristics and challenges of OT environments, emphasizing the need for specialized security measures.

Discussing the importance of gaining a deep understanding of industrial processes, protocols, and equipment to effectively monitor and secure OT assets and obtain management and Operating companies buy-in.

2-Selecting and Deploying OT Security Monitoring Solutions:

Discussing the criteria for selecting appropriate OT security monitoring solutions, considering factors such as compatibility with legacy systems, scalability, and real-time threat detection capabilities.

Sharing practical experiences and challenges encountered during the deployment phase, including strategies for design, site preparation, hardware distribution/logistics, dealing with third parties, minimizing downtime during installations and minimizing disruption to critical operations while fine tuning.

3-Cultural and Organizational Challenges:

Addressing the cultural and organizational challenges encountered when bridging the gap between IT and OT teams and between different countries/regions.

Sharing strategies for fostering collaboration and communication to ensure a cohesive and effective security posture across the organization.

4-Building a Comprehensive Security Strategy:

Highlighting the significance of a holistic security strategy that addresses both IT and OT aspects.

Sharing experiences in developing customized security detection capabilities tailored to the specific needs of diverse OT environments.

5-Integrating OT Security with SOC and handover to operations:

Exploring the integration points between OT security monitoring solutions and global Security Operations Center and educating the SOC team where IT Security teams must cover OT security.

Discussing the importance of aligning incident response processes, collaboration between OT and IT teams, and the role of threat intelligence in a unified security approach.

6-Continuous Improvement and Adaptation:

Emphasizing the iterative nature of OT security, with a focus on continuous improvement and adaptation to evolving threats such as fine tuning, creating additional detections, use cases and workbooks.

Discussing the role of asset identification, vulnerability management, threat hunting, penetration testing, and regular assessments in maintaining a robust security posture.

By sharing these lessons learned, this presentation aims to empower organizations to navigate the complexities of deploying OT security monitoring solutions on a global scale and fostering a cyber-resilient ecosystem that safeguards critical infrastructure.