SANS and Dragos have teamed up once again to develop a custom ICS-focused CtF that provides practitioners an opportunity to test their skills in a real-world OT environment. You can register for the walkthrough here.  

For those that are not familiar with CtFs or need a refresher prior to participating in the CtF competition, join Tim Conway as he walks through several challenges, covers some foundational skills, and shares a few tips and tricks to use during the CtF competition.

This free ICS CtF will feature multiple challenges focused on analyzing logic files, logs, network traffic, ICS protocols, digital forensic artifacts, and more to analyze attacks against an in-depth ICS range. More details and prizes will be announced closer to the event! For those attending in-person, we’ll have food, drinks, and gear for you. Stay tuned!

Level 1

General ICS themed multiple-choice questions and hints to help you progress and learn.

Level 2

Some multiple choice, some exact answer, across varied technical data sets such as packet captures, host files, ladder logic, and device configuration information, but still with hints enabled and very approachable.

Level 3

Questions of increased difficulty and fewer hints that contain data sets from an ICS range with a broad mix of technical components.

Register for the CtF here. 

For In-Person Summit Attendees

After participating in the SANS and Dragos CTF or traveling into Orlando, pick up your badge and join fellow Summit attendees for refreshments in the Palm Foyer and Patio.

In industrial processes, there are often a set of critical process parameters that are most fundamental to understand the functional status of the process. When considering the potential impacts of a malicious manipulation of the control system that includes the attacker masking their actions by altering process information being transmitted between the controller and the HMI, a possible mitigation is an “out-of-band” monitoring system to identify when the control system is misrepresenting critical process parameters to the operator. In this technique, a 4-20mA signal isolator is used to send a copy of the critical parameter directly from the instrument signal to a separate data logger, which then communicates that signal over independent telemetry to a Data Logger Server. The both the SCADA system and the Data Logger server send the value for the same instrument to the Historian. In the historian, a comparison of the two values for what should be the same signal can be performed so alerts on deviations can be initiated. This talk will cover that technique and then walk through a realistic attack scenario, in the context of the ICS Cyber Kill Chain, to present mechanisms to detect the attack with both traditional network and continuous security monitoring, as well as out-of-band process integrity checking. Then, response scenarios will be presented with and without this advanced detection technique to highlight the benefit of these monitoring techniques.

Our industry has been through numerous high-profile supply chain incidents, prompting an Executive Order mandating the supply of Software Bill of Materials (SBOMs) for all “critical software.” Thanks to a fruitful collaboration between government and industry, SBOM standards are now a reality; however, outstanding questions remain on how SBOMs will actually contribute to better security. This session will discuss how SBOMs can be more than just bureaucratic paperweights: we’ll share how to convert the mountains of data inside SBOMs into actionable threat and risk intelligence. Attend this presentation to: Understand the anatomy of an SBOM Learn what additional data is necessary for SBOMs to be truly useful Discover how industry leaders are using SBOM data today and where they are heading Hear how the industrycan handle the legacy device problem Understand repercussions and alternatives if a vendor can’t (or won’t) generate SBOMs for their clients You will leave this session knowing how to use SBOMs to reduce risk in your industrial control systems.

This presentation will cover a proposed Threat-Informed Failure Scenario methodology to help organizations model the techniques a cyber adversary would need to access, manipulate, and impact their environment. The approach focuses on ways to leverage operational failures and utilize them to provide attack scenarios with realistic operational consequences. It provides a set of organizational-specific ATT&CK and ATT&CK for ICS tactics, techniques, and procedures that can be used to strategically improve a system’s defenses, including prioritizing data sources for detection, response actions, and mitigations against these techniques. The presentation introduces the overall methodology and explains how it can be used to improve an organization’s operational technology security as well as walks through a few use cases of how it has been applied.

Join the bonus session and receive 1 additional CPE!

12:25 - 1:00 PM - How to Ensure Reliable Protection from Intrusion with Zero Trust in Complex OT Environments

While the rapid adoption of cloud has forced many organizations to shoe-horn their current incident response processes for use in cloud investigations, a better and faster way to investigate and respond to cloud threats exists. This session will explore the role of automation in amplifying your cloud incident response strategy. Join us to discuss best practices for automating triage collection and full disk acquisition to increase efficiency and drastically reduce time to cloud investigation and response.

Register & Join Here

12:25 - 1:00 PM- Industrial Controls Systems Security (ICSS) Presentation by Kim Kafka at SANS Technology Institute (SANS.edu)

Please join this summit presentation where Kim Kafka, Manager of Admissions Outreach for SANS.edu will provide an overview of the college. SANS Technology Institute (SANS.edu) is an accredited college offering career-focused graduate and undergraduate programs at the cutting edge of cybersecurity. At this event, she will discuss specifics regarding the Industrial Controls Systems Security (ICSS) curriculum, faculty, and the flexible structure of the SANS.edu programs. In addition, she will outline the admissions process, application deadlines, funding options and how to request qualifying waivers.

*SANS.edu session will be shown on Summit Track One

When ethical hackers think about high value assets in ICS/OT environments, assets like Engineering Workstations, Data Historians, Safety Instrumented Systems (SIS), and others come to mind. In this talk, I’ll present the network-connected Printer as an asset that could prove valuable during an internal penetration test and potential adversaries. I will cover the following discussion topics during this presentation: Why do I target printers during internal penetration tests? What juicy information can be gleaned from compromising printers in ICS/OT environments?

I will round out this talk with hardening and remediation recommendations for printer vulnerabilities in your ICS/OT environments.

For In-Person Summit Attendees

Cyber42: Industrial Edition will put you through the paces as an industrial control system (ICS) security manager as players adapt to challenges in operational technology (OT) environments. Unlike traditional IT networks, industrial equipment is designed to impact the physical world and require special considerations when deploying security technologies. As threats continue to rise targeting these networks, many of which are vital for critical infrastructure (like power, water, and energy), it is more important than ever to understand the impacts on ICS due to a cyber security event and to invest in resilience and security that promotes both reliability and safety.

Players will step into the world of Cyber42: Industrial Edition, which is being developed for the upcoming ICS418: ICS Security Essentials for Managers, and address real-world industrial cyber threats from the comfort of their own home! This Game Day will focus on balancing security program improvements that impact engineers, operations, and customers all while considering the various technical and cultural implications of an OT security program.

In this simulation, you will compete for the high score across other ICS managers facing the same dilemma: How to protect industrial equipment from shutdowns, failure, damage, or worse!

Do you have what it takes? Find out by playing the game with us!

Operational technology networks communicate through protocol stacks that are distinct from IT networking protocols. Therefore, we at Team82 (Claroty Research) decided it was important to intimately understand OT protocols in order to uncover vulnerabilities and get them fixed. We want to share one such journey that led to us finding critical vulnerabilities in a few EtherNet/IP protocol stack implementations. This story starts with research into a well-known PLC firmware, writing a PoC that triggered the bug, and how we helped get it fixed. In this talk we dive deeper into how we hunt for vulnerabilities in different third-party OT protocol libraries, focusing specifically on EtherNet/IP and CIP implementations. We will explain how these protocols work, what are the common implementation pitfalls, and how we were able to classify different implementations of these protocols and the devices that are using them in order to understand the scope of the vulnerabilities we found. We will also share to the community the tools we developed during our research.

For years, many practitioners in the ICS security community realized that guidelines and best practices around secure PLC programming practices were lacking. To address this problem, ICS security professionals in the community pulled together to develop the Top 20 PLC controls. Beyond these controls, however, it is essential to define abnormality detections to display the information on the HMI clients. This allows operations staff to respond to an incident in an early stage and provide the capability to forward the same information to SIEM systems for further analysis. These functions can be developed by using the PLC’s own capabilities and adding operational conditions that infer cyber events.

This presentation will explain functions to detect specific abnormalities created from the built-in diagnostic functions and explore a few of their implementations. Additionally, it will present some examples of process diagnostics that can be linked more to cyber events than process/safety alarms. These security libraries can significantly enhance the detection of abnormalities to provide needed operational visibility into the status of critical systems and crown jewels. Specific examples covered in the technical talk will include: Controller Performance, Process Operation, and Risk of Misuse or Abuse.

The Defense Industrial Base (DIB) is made up of 300,000+ companies and most of these companies employ some form of Industrial Control Systems (ICS) to manufacture products for the DoD. However, many use the same equipment to provide products and services commercially as well as for their DoD contracts. Historically, the cybersecurity practices of manufacturing companies have not faced a great deal of scrutiny, particularly when it comes to securing their ICS. The DoD recently changed this with the adoption of the Cyber Security Maturity Model Certification (CMMC). The new CMMC 2.0 standard specifically addresses actions required for ICS and other assets that process CUI. This talk covers an overview of CMMC for manufacturing environments, a quick review of steps required to prepare for the CMMC standard, and a deeper dive on ICS/OT requirements.

According to the Australian Cyber Security Centre, one quarter of reported cyber incidents in the 2020/21 period were associated with Australia’s critical infrastructure or essential services. Globally, one third of industrial control systems (ICS) were targeted by malicious activity in the first half of 2021. This is the new normal for ICS security. IT and OT convergence continues to expose decades-old operational technologies to the internet while ICS attacks are no longer the sole domain of sophisticated nation states. Attack kits available on the dark web require no technical knowledge of ICS and SCADA systems. Researchers are paying attention, driving the discovery of more ICS vulnerabilities that are remotely exploitable, and do not require user interaction or specific privileges. While the pandemic has made it easier for attackers to access OT systems through the compromised devices of remote workers, it has also fundamentally altered how critical infrastructure is defined. Until recently, critical infrastructure in Australia fell into one of four categories: electricity, gas, water, or ports. As attackers have increasingly targeted critical sectors beyond these traditional categories, the Australian government has been forced to reassess its conception of what is critical. With the introduction of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SOCI Act), Australia has broadened its legislated critical infrastructure asset classes from 4 to 11 sectors. It has also imposed increased reporting obligations for critical assets in a wide range of industries, and established government assistance and intervention powers to take control of an asset in exceptional circumstances. This presentation will examine the significant challenges for government in crafting such urgent and wide-ranging legislative action to counter the new threat landscape, as well as the impacts these changes are having on industry. We will discuss how the recent legislative changes in Australia compare with the Biden Administration’s National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems, both in scope and degree of government intervention. Australia’s approach has been characterised as governmental over-reach and punitive in its penalties for non-compliance, creating anxiety for both small and large businesses fresh under the banner of critical infrastructure. Attendees can expect to gain an understanding of the strengths and shortcomings of the Australian strategy for protecting critical infrastructure in an evolving threat landscape, as well as valuable insights into how security professionals can work best with regulation and governance to ensure ICS security for critical infrastructure.

We rely on locomotives to move our freight and ourselves throughout the United States both in the country, and in the cities. Modern locomotives contain much of the same technology you might expect to see in any power generating facility, but packed into a mobile platform. In this talk, Emily will discuss some of the lessons learned while penetration testing these powerful machines.

For In-Person Summit Attendees

Unwind and relax poolside while enjoying hand-made cocktails, cheeseburgers (in paradise), and live music.

• Assante Scholars Recognition
• CTF Winners Announcement
• ICS Security Lifetime Achievement Award Presentation

Session details to come.

Within industrial control systems, the process of allocating memory or what is more commonly known as “assigning tags” is done without much fanfare and in most cases without much thought. However, understanding PLC or HMI tags usage will serve you well as you create your system recovery plans. Tags can be assigned as temporary program variables, recipe data, calibration and sensor spanning data as well as be used to store historical artifacts for product quality and genealogy. A tag’s usage has a great impact on not only the running system but also plays a large role during system restore. In this discussion and demonstration, Jeff will walk through the importance of understanding the types of memory allocations within the PLC and HMI in support of creating a thorough recovery plan. We’ll also find out “what the PLC can’t get out of its memory”.

5G is a technology that is expected to be used in industrial applications, and the option of 4G/5G campus network will allow an organization to retain its telecom infrastructure. However, the security risks associated with 4G/5G campus network deployment are not clear, and most ICS security professionals have only passing familiarity with the structure of mobile communication systems. This presentation will share the findings of Trend Micro’s experiments with 4G/5G campus network in a model ICS environment simulating a steel mill. We will explain the "four intrusion routes to the core network" and "three interception points in the core network" revealed in this research, and introduce attack scenarios that affect the industrial process. Specifically, We have identified in this research 6 types of attacks that can be conducted on the TCP/UDP/SCTP layers and 5 types that can only be delivered via a cellular network. Audience will learn what kind of physical damage can be induced by 2 attack scenarios as follows: 1) Tampering with monitored readings by MQTT hijacking, and 2) Disabling alerts by Modbus/TCP hijacking. We’ll also propose a unified security concept to deal with these risks.

Over the past couple of years, cyber risk management has embraced the notion that industrial organizations need to know the impacts of a cyber security incident. How bad is your worst bad day? This can be measured in production outage minutes, health and safety impacts, environmental damages—even in dollars and cents. While this is absolutely one of the best ways to start your organization’s discussions for risk management, it will, over time, not be enough. Every day you do not suffer from your “worst day,” begs the question “how often will this worst day occur?” Which is quickly followed by, “are we investing in our security program smartly?” Following up from previous SANS ICS Summit talks on industrial risk management, this presentation will explore how to improve your qualified risk assessments with actionable information from threat intelligence to answer executive and board room questions around feasibility for risk-based attack scenarios. Jason D. Christopher (Certified SANS Instructor and co-author for ICS418: ICS Security Essentials for Managers, and Director of Cyber Risk for Dragos Inc.) will outline practical solutions for measuring threat capabilities mapped to potential industrial attacks that can be built into a sustainable risk management process. Using real-world use cases from actual asset owners, learn how to mature your industrial organization’s risk metrics to both increase security budgets and influence the overall culture to prevent, detect, and respond to cyber threats.

Asset owners are burdened with the weight of ever-expanding vulnerability management programs to address exposure to potential Cyber-attacks targeting Industrial Automation and Controls System (IACS). Efforts to reduce exposure introduced during the design and construction phases of life cycle engineering continues to be a major challenge. The establishment of global consortiums providing the basis for the certification of manufacturer components and systems to cybersecurity standards are well established and continuing. One of the challenges being tackled is the adoption of cybersecurity controls during the operation and maintenance phases. These phases have the longest duration and potential for hazardous outcomes during a facilities life cycle. Obsolescence, facility upgrades and expansions have the potential to introduce significant cybersecurity implications during these life cycle phases. This presentation attempts to highlight an approach to address these short comings and provide assurance of a resilient cybersecurity program for IACS supply chains.

David Foose spent the last 10 years leading a suppliers Cyber Emergency Response Team (CERT). This talk will reveal what went on behind the scenes during a few of the most notable newsworthy events of the last decade. We will explore mis-opportunities, lessons learned, and how your organization can be better prepared to triage the next ‘big hack’.

For many years, Programmable Logic Controllers (PLCs) have been insecure by design. Several years into customizing and applying best practices from IT gave rise to secure protocols, encrypted communications, network segmentation etc. However, to date, there has not been a focus on using the characteristic features in PLCs (or SCADA/DCS) for security, or how to program PLCs with security in mind.

The top 20 secure PLC coding project – inspired by the existing Secure Coding Practices for IT – fills that gap. The idea sparkled during the S4 conference thanks to Jake Brodsky’s presentation. The project was then led by Sarah Fluchs & Vivek Ponada with the support of Dale Peterson & ISA. An online collaborative platform was set up and gathered more than 900 participants in total to identify the top 20 security measures for PLC security.

In this presentation, I will introduce the results of this community-led effort, the TOP20 project (plc-security.com), then explain a sample of its rules:

• Rule #13: Disable unneeded / unused communication ports and protocols
• Rules #6 (Validate timers and counters) & rule #8 (Validate HMI input variables at the PLC level, not only at HMI)
• Rule #5: Use cryptographic and / or checksum integrity checks for PLC code

Demonstrations will be performed to show how these rules can prevent or make attacks more difficult.

As much as can be shared, we will use real asset owner examples. Takeaways: How far down the Purdue Model can you go when emulating threats? Plus, we present an alternative architecture from the threat perspective. How much detail do you share? Based on can versus want? Balancing expectations with internal/external partners (compliance included), Building towards a successful assessment including lessons learned from previous ICS security implementations, Realistic results. Abstract Outline: The role/growth of adversary emulation in enterprises. Need for OT adversary emulation: Evaluate tools (there’s a lot of tools), Train your workforce in your environment, Technical and Business, Test IR, DR, BC processes across business units. One does not go 0-100 in an OT environment (we’ll talk IT vs OT culture): Leveraging the ICS Kill Chain as a guide, Series of adversary emulation (thread modeling, considerations/trade-offs for creating threat behaviors) to get to the door of the OT environment, Teaches business leaders and OT stakeholders defense in depth and criticality of enterprise environment, Managing the risk of adversary emulation in sensitive networks, Pwning a dev/test environment for fun and budget commitment, Tie to organization resiliency goals / how much does downtime cost you? Can you detect attacks on your security tools themselves? What does an ICS attack actually look like? Do organizations need to get to Level 0? Alternate Model for ICS attack architecture. Continuous Improvement Regular adversary emulation gives the following: Ensure tools are properly tuned, Validate Collection Management Framework. How does adversary emulation complement and/or hinder compliance activities?

Cyber-informed engineering (CIE) is an emerging method to “engineer out” cyber risk across the ICS device or system lifecycle. CIE promotes the use of design decisions and engineering controls to mitigate or ideally eliminate avenues for cyber-enabled attack—reducing reliance on after-the-fact cybersecurity controls. Integrating cybersecurity into early-stage engineering decisions often delivers lower cost and more effective cybersecurity approaches. The early stages of ICS design, engineering, and installation are also where seemingly innocuous engineering decisions can permit hidden vulnerabilities or overlook opportunities to close cyber attack pathways that operators must monitor and defend down the road. CIE is defined by a set of design and operational principles (including engineered controls, secure information architecture, design simplification, and layered and active defense) and organizational principles (including interdependency evaluation, digital asset awareness, supply chain controls, planned resilience, engineering information control, and cybersecurity culture) that build resilience into system engineering. This presentation introduces CIE concepts, delves into engineering principles, and backs up those principles with real-world examples of common engineering decisions that are cyber-informed—or not—and the security outcomes that result.

Cybersecurity researchers at Idaho National Laboratory (INL) spend thousands of hours each year focused on identifying defensive measures for industrial control systems and operational technology. This focus has allowed INL to develop extensive capabilities to assist government and commercial cyber defenders of critical infrastructure. This presentation will give an overview of some of these capabilities along with two demonstrations of how INL uses these capabilities to build process control systems and train industry professionals on cybersecurity practices. One demonstration includes the “Little Arc Flash” platform, which represents a layout for an electric generation and transmission network, coupled with a model representing the final distribution substation to power a residential neighborhood and shows the potential effects of a specific cyberattack against this network. The other demonstration shows potential effects of a cyberattack against a gas/oil separator platform that includes two product tanks, a PLC, an HMI, and multiple accompanying pumps and valves that operate the representative gas/oil separation process.

For In-Person Summit Attendees

As we wrap up and welcome those arriving for courses, we're inviting attendees and their families to come play games and enjoy sweets from the dessert bar.