7:30 am - 9:00 am ET | 11:30 am - 1:00 pm UTC | Summit Registration (Palm Foyer), for in-person Summit attendees
9:00 am - 9:15 am ET | 1:00 pm - 1:15 pm UTC | Opening Remarks
9:15 am - 10:00 am ET | 1:15 pm - 2:00 pm UTC | Keynote Discussion with John "Chris" Inglis
Chris Inglis, National Cyber Director, Executive Office of the President
10:00 am - 10:15 am ET | 2:00 pm - 2:15 pm UTC | Break
10:15 am - 10:50 am ET | 2:15 pm - 2:50 pm UTC | Detection-In-Depth: Out-of-Band Monitoring for Critical Process Parameters
In industrial processes there is often a set of critical process parameters that are the most fundamental to understanding the functional status of the process. When considering the potential impact of a malicious manipulation of the control system in which the attacker masks their actions by altering the process information transmitted between the controller and the HMI, one possible mitigation is an "out-of-band" monitoring system that identifies when the control system is misrepresenting critical process parameters to the operator. In this technique, a 4-20 mA signal isolator sends a copy of the critical parameter directly from the instrument signal to a separate data logger, which then communicates that signal over independent telemetry to a Data Logger Server. Both the SCADA system and the Data Logger Server send their value for the same instrument to the Historian. In the Historian, the two values for what should be the same signal can be compared so that alerts on deviations can be raised. This talk will cover that technique and then walk through a realistic attack scenario, in the context of the ICS Cyber Kill Chain, to present mechanisms for detecting the attack with both traditional network and continuous security monitoring as well as out-of-band process integrity checking. Response scenarios will then be presented with and without this advanced detection technique to highlight the benefit of these monitoring methods.
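The comparison step described in that abstract, written out as an added example (this is not code from the talk, the summit page, or any Historian product). It assumes the Historian exposes two timestamped series for the same instrument, one from the SCADA/HMI path and one from the independent data-logger path; the tag name "PT-101", the readings, the tolerance and the staleness window are all constructed here for illustration. Besides flagging a deviation beyond tolerance, it also flags the case where the out-of-band path has gone quiet, since a silent reference channel is itself a loss of the integrity check.

```python
"""Out-of-band process-parameter integrity check (added example, constructed data).

Compares the value the SCADA/HMI path reports for a critical tag with the value
an independent 4-20 mA data-logger path reports for the same instrument, and
returns alerts when the two diverge or when the reference path goes stale.
"""
from bisect import bisect_right
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: float     # seconds since epoch (constructed values below)
    value: float  # engineering units, e.g. psi


# Constructed readings for a hypothetical pressure transmitter "PT-101".
# The SCADA path reports a flat 50 psi while the out-of-band copy of the same
# instrument shows pressure climbing: the kind of masking the talk describes.
SCADA_PATH = [Sample(0, 50.1), Sample(10, 50.0), Sample(20, 50.2),
              Sample(30, 50.1), Sample(40, 50.0)]
OOB_PATH = [Sample(0, 50.0), Sample(10, 50.1), Sample(20, 55.3),
            Sample(30, 61.0), Sample(40, 68.4)]


def latest_at_or_before(samples, ts, max_age):
    """Newest sample with timestamp <= ts that is no older than max_age seconds.

    Samples are assumed sorted by timestamp (Historian queries return them that way).
    Returns None when there is no usable reference reading.
    """
    times = [s.ts for s in samples]
    i = bisect_right(times, ts) - 1
    if i < 0:
        return None
    candidate = samples[i]
    return candidate if ts - candidate.ts <= max_age else None


def check_integrity(scada, oob, tolerance, max_age=15.0):
    """Return a list of alert dicts for every SCADA reading that cannot be confirmed.

    kind == "deviation": both paths have a reading and they differ by more than tolerance.
    kind == "stale_oob": the out-of-band path has no reading within max_age of the SCADA reading.
    """
    alerts = []
    for s in scada:
        ref = latest_at_or_before(oob, s.ts, max_age)
        if ref is None:
            alerts.append({"ts": s.ts, "kind": "stale_oob",
                           "scada": s.value, "oob": None, "delta": None})
            continue
        delta = abs(s.value - ref.value)
        if delta > tolerance:
            alerts.append({"ts": s.ts, "kind": "deviation",
                           "scada": s.value, "oob": ref.value, "delta": round(delta, 2)})
    return alerts


if __name__ == "__main__":
    # Tolerance of 1 psi is a constructed value; in practice it comes from the
    # instrument's accuracy and the process engineer's judgement.
    for alert in check_integrity(SCADA_PATH, OOB_PATH, tolerance=1.0):
        print(f"PT-101 @ t={alert['ts']:>3}: {alert['kind']} "
              f"scada={alert['scada']} oob={alert['oob']} delta={alert['delta']}")
```

On the constructed data the first two readings agree within tolerance and the last three raise deviation alerts, which is exactly the signal the operator never sees on the HMI. The tolerance should be set from the instrument loop's accuracy rather than guessed, otherwise normal measurement noise between the two paths will drown the alert.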
10:50 am - 11:25 am ET | 2:50 pm - 3:25 pm UTC | Making Use of All Those SBOMs
Eric Byres, Chief Technology Officer, aDolus Technology Inc.
Our industry has been through numerous high-profile supply chain incidents, prompting an Executive Order mandating the supply of Software Bills of Materials (SBOMs) for all "critical software." Thanks to a fruitful collaboration between government and industry, SBOM standards are now a reality; however, outstanding questions remain on how SBOMs will actually contribute to better security. This session will discuss how SBOMs can be more than just bureaucratic paperweights: we'll share how to convert the mountains of data inside SBOMs into actionable threat and risk intelligence. Attend this presentation to:
- Understand the anatomy of an SBOM
- Learn what additional data is necessary for SBOMs to be truly useful
- Discover how industry leaders are using SBOM data today and where they are heading
- Hear how the industry can handle the legacy device problem
- Understand the repercussions and alternatives if a vendor can't (or won't) generate SBOMs for their clients
You will leave this session knowing how to use SBOMs to reduce risk in your industrial control systems.
11:25 am - 12:00 pm ET | 3:25 pm - 4:00 pm UTC | Success Starts With Failure: Mitigating OT Security Risks Using Threat-Informed Failure Scenarios
Nik Urlaub, Lead Cybersecurity Engineer, MITRE Corporation
Adam Hahn, Principal Critical Infrastructure Security Engineer, MITRE Corporation
This presentation will cover a proposed Threat-Informed Failure Scenario methodology to help organizations model the techniques a cyber adversary would need to access, manipulate, and impact their environment. The approach starts from operational failures and uses them to build attack scenarios with realistic operational consequences. It produces an organization-specific set of ATT&CK and ATT&CK for ICS tactics, techniques, and procedures that can be used to strategically improve a system's defenses, including prioritizing data sources for detection, response actions, and mitigations against those techniques. The presentation introduces the overall methodology, explains how it can be used to improve an organization's operational technology security, and walks through a few use cases of how it has been applied.
12:00 pm - 1:00 pm ET | 4:00 pm - 5:00 pm UTC | Lunch & Bonus Session
Join the bonus session and receive 1 additional CPE!
12:25 - 1:00 PM - How to Ensure Reliable Protection from Intrusion with Zero Trust in Complex OT Environments
Cut through the jargon and learn what zero trust really means in an OT environment. Understand what is involved in implementing a true zero-trust solution and how it actually protects your connected assets, plus practical advice on how to get such a solution in place.
12:25 - 1:00 PM - Industrial Controls Systems Security (ICSS) Presentation by Kim Kafka, Manager of Admissions Outreach, SANS Technology Institute (SANS.edu)
Please join this summit presentation, in which Kim Kafka, Manager of Admissions Outreach for SANS.edu, will provide an overview of the college. SANS Technology Institute (SANS.edu) is an accredited college offering career-focused graduate and undergraduate programs at the cutting edge of cybersecurity. At this event she will discuss specifics of the Industrial Controls Systems Security (ICSS) curriculum, the faculty, and the flexible structure of the SANS.edu programs. In addition, she will outline the admissions process, application deadlines, funding options, and how to request qualifying waivers.
*SANS.edu session will be shown on Summit Track One
1:00 pm - 1:35 pm ET | 5:00 pm - 5:35 pm UTC | The Underestimated ICS/OT Asset: Printers
When ethical hackers think about high-value assets in ICS/OT environments, assets like Engineering Workstations, Data Historians, Safety Instrumented Systems (SIS), and others come to mind. In this talk, I'll present the network-connected printer as an asset that could prove valuable during an internal penetration test, and to potential adversaries. I will cover the following discussion topics during this presentation: Why do I target printers during internal penetration tests? What juicy information can be gleaned from compromising printers in ICS/OT environments?
I will round out this talk with hardening and remediation recommendations for printer vulnerabilities in your ICS/OT environments.
1:00 pm - 2:30 pm ET | 5:00 pm - 6:30 pm UTC | Cyber42 Industrial Edition Game Day, for in-person Summit attendees
Cyber42: Industrial Edition will put you through the paces as an industrial control system (ICS) security manager as players adapt to challenges in operational technology (OT) environments. Unlike traditional IT networks, industrial equipment is designed to affect the physical world and requires special considerations when deploying security technologies. As threats targeting these networks continue to rise, many of which are vital for critical infrastructure (like power, water, and energy), it is more important than ever to understand the impact of a cyber security event on ICS and to invest in resilience and security that promotes both reliability and safety.
Players will step into the world of Cyber42: Industrial Edition, which is being developed for the upcoming ICS418: ICS Security Essentials for Managers, and address real-world industrial cyber threats from the comfort of their own home! This Game Day will focus on balancing security program improvements that affect engineers, operations, and customers, all while considering the various technical and cultural implications of an OT security program.
In this simulation, you will compete for the high score against other ICS managers facing the same dilemma: how to protect industrial equipment from shutdowns, failure, damage, or worse!
Do you have what it takes? Find out by playing the game with us!
1:35 pm - 2:10 pm ET | 5:35 pm - 6:10 pm UTC | Hunting EtherNet/IP Protocol Stacks
Operational technology networks communicate through protocol stacks that are distinct from IT networking protocols. Therefore, we at Team82 (Claroty Research) decided it was important to intimately understand OT protocols in order to uncover vulnerabilities and get them fixed. We want to share one such journey, which led to us finding critical vulnerabilities in a few EtherNet/IP protocol stack implementations. The story starts with research into a well-known PLC firmware, writing a PoC that triggered the bug, and how we helped get it fixed. In this talk we dive deeper into how we hunt for vulnerabilities in different third-party OT protocol libraries, focusing specifically on EtherNet/IP and CIP implementations. We will explain how these protocols work, what the common implementation pitfalls are, and how we were able to classify the different implementations of these protocols and the devices using them in order to understand the scope of the vulnerabilities we found. We will also share with the community the tools we developed during our research.
2:10 pm - 2:25 pm ET | 6:10 pm - 6:25 pm UTC | Break
2:25 pm - 3:00 pm ET | 6:25 pm - 7:00 pm UTC | Defining Security Functions to Gain Visibility from PLCs
For years, many practitioners in the ICS security community have recognized that guidelines and best practices for secure PLC programming were lacking. To address this problem, ICS security professionals in the community pulled together to develop the Top 20 Secure PLC Coding Practices. Beyond these controls, however, it is essential to define abnormality detections and display that information on the HMI clients. This allows operations staff to respond to an incident at an early stage and provides the capability to forward the same information to SIEM systems for further analysis. These functions can be developed using the PLC's own capabilities, adding operational conditions that infer cyber events.
This presentation will explain functions that detect specific abnormalities using the built-in diagnostic functions and explore a few of their implementations. Additionally, it will present some examples of process diagnostics that can be linked more closely to cyber events than to process/safety alarms. These security libraries can significantly enhance the detection of abnormalities and provide needed operational visibility into the status of critical systems and crown jewels. Specific examples covered in the technical talk will include Controller Performance, Process Operation, and Risk of Misuse or Abuse.
3:00 pm - 3:35 pm ET | 7:00 pm - 7:35 pm UTC | Are You Prepared for CMMC?
Ian Frist, Director, Proactive Services, BlueVoyant
The Defense Industrial Base (DIB) is made up of 300,000+ companies, and most of these companies employ some form of Industrial Control Systems (ICS) to manufacture products for the DoD. However, many use the same equipment to provide products and services commercially as well as for their DoD contracts. Historically, the cybersecurity practices of manufacturing companies have not faced a great deal of scrutiny, particularly when it comes to securing their ICS. The DoD recently changed this with the adoption of the Cybersecurity Maturity Model Certification (CMMC). The new CMMC 2.0 standard specifically addresses the actions required for ICS and other assets that process Controlled Unclassified Information (CUI). This talk covers an overview of CMMC for manufacturing environments, a quick review of the steps required to prepare for the CMMC standard, and a deeper dive into the ICS/OT requirements.
3:35 pm - 3:50 pm ET | 7:35 pm - 7:50 pm UTC | Break
3:50 pm - 4:25 pm ET | 7:50 pm - 8:25 pm UTC | Navigating Australia's New Critical Infrastructure Threat Landscape: Challenges for Government and Industry
Paresh Kerai, Head of Product Strategy and Security, Sapien Cyber
According to the Australian Cyber Security Centre, one quarter of reported cyber incidents in the 2020/21 period were associated with Australia's critical infrastructure or essential services. Globally, one third of industrial control systems (ICS) were targeted by malicious activity in the first half of 2021. This is the new normal for ICS security. IT and OT convergence continues to expose decades-old operational technologies to the internet, while ICS attacks are no longer the sole domain of sophisticated nation states. Attack kits available on the dark web require no technical knowledge of ICS and SCADA systems. Researchers are paying attention, driving the discovery of more ICS vulnerabilities that are remotely exploitable and do not require user interaction or specific privileges. While the pandemic has made it easier for attackers to access OT systems through the compromised devices of remote workers, it has also fundamentally altered how critical infrastructure is defined. Until recently, critical infrastructure in Australia fell into one of four categories: electricity, gas, water, or ports. As attackers have increasingly targeted critical sectors beyond these traditional categories, the Australian government has been forced to reassess its conception of what is critical. With the introduction of the Security Legislation Amendment (Critical Infrastructure) Act 2021 (Cth) (SOCI Act), Australia has broadened its legislated critical infrastructure asset classes from 4 to 11 sectors. It has also imposed increased reporting obligations for critical assets in a wide range of industries, and established government assistance and intervention powers to take control of an asset in exceptional circumstances.
This presentation will examine the significant challenges for government in crafting such urgent and wide-ranging legislative action to counter the new threat landscape, as well as the impact these changes are having on industry. We will discuss how the recent legislative changes in Australia compare with the Biden Administration's National Security Memorandum (NSM) on Improving Cybersecurity for Critical Infrastructure Control Systems, both in scope and in degree of government intervention. Australia's approach has been characterised as governmental over-reach and punitive in its penalties for non-compliance, creating anxiety for both small and large businesses newly placed under the banner of critical infrastructure. Attendees can expect to gain an understanding of the strengths and shortcomings of the Australian strategy for protecting critical infrastructure in an evolving threat landscape, as well as valuable insights into how security professionals can best work with regulation and governance to ensure ICS security for critical infrastructure.
4:25 pm - 5:00 pm ET | 8:25 pm - 9:00 pm UTC | Livin' La Vida Loco(motive): Lessons Learned From Pentesting Locomotives
We rely on locomotives to move our freight and ourselves throughout the United States, in both the countryside and the cities. Modern locomotives contain much of the same technology you might expect to see in any power generating facility, but packed into a mobile platform. In this talk, Emily will discuss some of the lessons learned while penetration testing these powerful machines.
5:00 pm - 5:15 pm ET | 9:00 pm - 9:15 pm UTC | Day 1 Wrap-Up
5:45 pm - 8:00 pm ET | 9:45 pm - 12:00 am UTC | It's 5 O'clock Somewhere! - ICS Summit Night Out, for in-person Summit attendees
Unwind and relax poolside while enjoying hand-made cocktails, cheeseburgers (in paradise), and live music.