Register here!

This free ICS CtF will feature multiple challenges focused on analyzing logic files, logs, network traffic, ICS protocols, digital forensic artifacts, and more to analyze attacks against an in-depth ICS range. More details and prizes will be announced closer to the event! For those attending in-person, we’ll have food, drinks, and gear for you. Stay tuned!

Level 1

Fun puzzles and challenges with general ICS themed multiple-choice questions and hints to help you progress and learn.

Level 2

Some multiple choice, some exact answer, across varied technical data sets such as packet captures, host files, ladder logic, and device configuration information, but still with hints enabled and very approachable.

Level 3 and Level 4

Scenario based questions of increased difficulty and fewer hints that contain data sets from an ICS range with a broad mix of technical components.

To be announced.

Satellites provide critical time sensitive information everyday 24 hours a day, 7 days a week and they don’t take vacations. Everything from time critical weather information to global communications and navigation for both the private and military sector. But what if, the systems that provided access to those critical assets was vulnerable to compromise, cyber and physical attack, and exploitation and denial of service? The current industry is valued at over $71Billion USD and projected to grow considerably as reliance on space, GPS and communications systems grows. With the entry of private companies into the space race the explosion of companies big and small that are competing for the opportunity to provide access to space and to benefit mankind has grown exponentially. Along with that, rapid growth, and the desire to cut costs while pushing the boundaries of technology and commercial off the shelf systems have caused security risks to also grow. I will discuss the general state of the industry, taking a critical look the ground station architecture and explore old and new risks as technology continues to push into the space frontier extending humankinds access to new and exciting places. We will explore what the recent supply chain attack against small sat systems in Germany can teach us, as well as a long list of risks identified across both commercial, and government systems. What does the future look like? What new jobs can we see coming from this expansion from ground communications into space and beyond? What kind of training would new space defenders need to be successful at protecting corporate and national assets? These are all questions we as leaders and engineers need to be asking ourselves so we can prepare for the expansion into space, to the moon and beyond.

The Five SANS ICS Cybersecurity, Critical Controls whitepaper outlines that developing an ICS-specific Incident Response (IR) plan is a primary control. Therefore, asset owners and operators should be focused on creating an IR plan to support event root cause determination and know how to respond if an ICS-focused cybersecurity incident is raised. Developing and running Tabletop Exercises (TTXs) is a critical element of the overall IR planning process and one that should be carried out regularly. This talk will provide insights into leveraging scenarios to build an effective TTX that will test the response capabilities documented in an IR plan. In addition, the talk will share experiences gained from developing and running TTXs targeting different organizational areas ranging from c-suite to IT/OT cybersecurity staff and engineers/operators.

In 2033, OT security programs will include detailed architecture reviews, dedicated resources for incident response, annual testing of security controls, and a line of accountability that includes the C-Suite and board of directors. The future of OT security will include professionals more skilled and better trained than the teams of today—and our numbers will continue to grow. How do I know this? There’s no crystal ball and there’s no complicated trending algorithm to study. The foundation for the programs of the future were all written… last year. 2022 saw the largest growth in ICS security standards, laws, and regulations—EVER. And unlike previous efforts, a majority of them shared the same themes, security controls, and goals: keep bad guys out of critical infrastructure. Join Jason D. Christopher, SANS Certified Instructor and Author, as he provides a meta-analysis of this exponential growth in ICS security regulations and guidelines. Learn what your program needs to plan for today to be better prepared tomorrow. The future is already here. Attendees of this presentation will learn the following: -- Brief primer on ICS standards to-date -- Why 2022 was so active for ICS standards, regulations, and laws -- Similar themes and meta-analysis of these standards and their impact on future OT programs -- Actionable next steps for owners/operators to prepare.

Utilizing the Caldera Core, Caldera OT is a cybersecurity framework and associated software that is designed to easily run autonomous breach-and-simulation exercises that are specifically targeted against Operational Technology (OT) / Industrial Control Systems (ICS). Caldera OT enables the creation of plug-ins that can be tailored for specific environments or a generalized system of OT devices and protocols. Like Caldera, Caldera OT is built upon the MITRE ATT&CK™ framework. Caldera OT will enable multiple types of engagements including compliance & certifications, detection engineering support (blue team), adversary emulation support (red team), and as a training tool for both blue and red teams (purple team). Using a standardized tool, users will achieve the benefits of reduced operator workload, consistency in OT, and the ability to develop and capture standard testing metrics. Attendees can expect an overview of the Caldera OT software including plug-in structure, operating requirements, and a deployment tutorial. This will be followed by a demonstration of Caldera OT in a simulated OT system. Actionable takeaways will include an understanding of the extensive capabilities of Caldera OT as well as potential use cases in the individual attendee’s environment.

Operational technology represents a significant challenge for both business and cybersecurity teams. Without proper visibility to the connected device environment and potential threats, security risks multiply quickly. Yet only a handful of security teams have a dedicated operational technology security program. To successfully launch a program and get funding, it is critical to link program objectives and benefits with the overall strategic goals of the organization. This talk will provide insight into what it takes to establish an Operational Technology security program, how to obtain stakeholder (and board) investment, and how to deconstruct the current state of OT security within your organization.

While it’s preferable to prohibit remote access into an OT network, that’s often not the practical choice. This talk will dive a little deeper into some of the considerations around designing and implementing a secure remote access solution.

In this talk I will cover the following points:

 I will present on the de facto remote access standard of a jump server in a DMZ network zone and 6 critical features that should be followed in that architecture.  I will then cover the use of commercial tools for remote access and provide guidance on their selection and configuration enhance the security of that solution.  I will discuss some guidance and best practices on jump server configuration. I will talk about where and how to implement security monitoring for remote access connections. In addition to that, I will cover various additional key aspects to secure remote access for ICS/OT environments. The content of this talk leverages insights from ICS/OT pentesters and what configurations make their jobs more challenging.

Session details to come.

This talk outlines the journey of an European integrated oil & gas corporation in implementing a holistic approach to deliver OT security from European Union-wide legislation (NIS) to harmonized daily business at industrial sites, where process safety is the first priority. The speaker, as the OT Security Officer at a refinery site in Germany, will present the steps taken to establish the OT Security Management System (OSMS) and the investment program (OT Security Roadmap) to cover all cyber security aspects at the site. The key approach was to customize a tool, "OTwin", to fit the needs of the OSMS, using an interdisciplinary team of technical authority, software developers, administrators, and peers from HSSE, operations and maintenance. The talk will present the sequence of realized use cases including Risk Management, Asset & Lifecycle Management, Patch & Vulnerability Management, Qualification-Management, and an interface to Network Security Monitoring tools. The talk is addressed to other operators and technical authorities, as well as managers, vendors, integrators, and consultants to show how sustainable OT security can be implemented. Key takeaways include: the implementation of an OT Security Roadmap as part of process safety, success of a structured investment program, a federal system of security standards, customization of a tool towards the OSMS, importance of integrated small teams in customization, resilience through installation and operation of the tool at major sites, and IT/OT convergence in the light of above-mentioned actions.

Industry 4.0 has made industrial equipment and production machinery more efficient, but this has also introduced security weak spots. This session will share the results of research into the risks that computer numerical control (CNC) machines now face as they’re integrated into today’s networked factories. We will delve into several attack scenarios, including denial-of-service attacks, hijacking and data theft. The session will also review security measures that manufacturers and others in the ecosystem can use to mitigate their risk. Attendees will learn how to: • Gain visibility into their vulnerability risk. • Prevent lateral movement through network segmentation. • Understand the importance of context-aware detection and response.

To be announced.

Let's discuss what it takes for OT owners and operators to shift their cybersecurity mindset from "checking items off a list" to one focused on "what actions will enhance business continuity, increase resilience, minimize downtime, and support safety." If you’re attending SANS Summit, you likely already have a good understanding of the leading frameworks and best practices, whether you're required by regulation or not. But how can we go beyond getting a passing grade on any given framework to focus on the safer, more secure outcomes? The key is deeper insights into our OT systems and assets. By gaining a deeper understanding of the state of our operations, we can better identify threats, risks and prioritize a plan to address them. There's a wealth of valuable data available within our OT infrastructure, at the endpoint level, that significantly enhances the maintaining, protecting, and troubleshooting of industrial operations. It eliminates guesswork and prolonged investigations when an issue arises, and shines light on risks so we can proactively avoid them. During this presentation, we'll explore real-world examples of how industrial organizations have advanced their security journey by maturing their OT data management. We'll go beyond “meeting requirements” and discuss the ways that deeper OT asset data play a crucial role in safety, security and resilience across industrial sectors. We'll delve into specific scenarios such as:

• Knowing you have an issue in the environment, but not knowing where to go to fix it
• How one operator identified an issue by comparing historical context
• How an operator discovered a highly risky attack surface exposure within an asset that had been overlooked
• How enriched endpoint information can assist SOCs in responding to incidents and aid in forensic investigations.

Incident Response in ICS differs from that in traditional IT environments: some investigative techniques are simply not applicable, whereas others might be more effective. This session will explain how to build a database of expected hashes with hashR, then leverage this dataset to speed up forensic analysis, reduce noise, and find relevant data. Attendees will return to their environments capable of utilizing these techniques with open-source software (hashR, Plaso, Timesketch).

While developing a detection for a new cyber-attack scenario in Bechtel’s OT Cybersecurity Technical Center (Lab), the team encountered a challenge often mentioned with Industrial Control Systems: proprietary protocols.  Due to time constraints, several common suggestions for approaching network traffic analysis of proprietary protocols were not feasible for the project.  The team had to look for an alternative, which led to the question, “do we have logs for that?”

This presentation will review the approach taken to detect the cyber-attack.  The key metric needed was tracking logic downloads to a controller from a major Distributed Control System (DCS) vendor.  Like the proprietary protocol used in the communication between equipment, the team also had to determine how to work with a proprietary log file format, how to parse the logs, how to send the data to a SIEM, and more. The presenter will also discuss details of the attack used for the Lab’s cyber demo, including mapping to the MITRE ATT&CK framework. 

This presentation will cover practical experience from both IT and OT Security Engineers in overcoming challenges of systems that use proprietary protocols.  Attendees will learn an approach that is not often discussed at ICS conferences, which can supplement network traffic analysis methods for a better security posture of their systems.  Finally, during the development of the detection, several other data points were found in available logs that enriched the detection dashboards.  The presenter will highlight how these additional data points add more context to a SIEM, allowing for a quicker decision making during an incident response investigation.

Orlando Utilities Commission's (OUC) namesake is "the Reliable One" due to their ongoing commitment to providing OUC customers with the most reliable electricity supply available. A reliable grid requires strong cybersecurity and OUC has embarked on a project to secure remote engineering access and remote work execution for their substation devices. NERC CIP compliance is required for a small portion of OUC's substation infrastructure but OUC's cybersecurity initiative is to secure all OUC substation infrastructure to these same stringent standards. To reduce NERC CIP audit requirements, OUC will utilize two independent systems so as to manage NERC CIP Bulk Electric System (BES) assets separately from non-BES assets. OUC implements many different vendor's products for their projects and continues to pursue a "best in class" mindset when selecting vendors. OUC needs to be able to do more: To more efficiently manage more devices, from more different vendors, for more grid projects, with more cybersecurity threat vectors to address. OUC's security solution will provide Role Based Access Control (RBAC) and layer on Function Based Access Control (FBAC) to provide the greatest level of security to remote users. RBAC and FBAC security are provided by the user only being granted device access to an authorized device and only provided the access needed within the vendor's software based on their Active Directory credentials. OUC needs their device management system to know that each device has the correct firmware and settings, which allows OUC to baseline all their devices to secure proper grid operation. Password management capability is also part of OUC’s device management and security project and provides for a zero-trust environment where passwords are automatically scrambled after every user’s interface to a grid edge device. OUC needs their projects to also save money and securing remote access to substation devices does just that. Reducing or eliminating the need to travel to the substation is a project goal. OUC was often travelling to a substation to acquire outage information and a reduction in these truck rolls is welcomed. Cost savings are also realized by rapidly acquiring outage information and automatically notifying users versus the very manual and costly efforts OUC had in place for acquiring event data. Now OUC automatically and securely acquires event data within just a few minutes allowing targeting of event location and phase therefore reducing the need to drive the whole line. Overall, the project to secure OUC’s remote engineering access has proven to enhance OUC’s cybersecurity posture, improve OUC’s workforce efficiency, reduce costs, speed outage management and secure grid operations. The presentation will provide details of OUC’s business drivers, technical considerations, project implementation and key benefits realized by this project.

Security is defined by the threat (our real world supervillains); resilience is the concrete result of your action (or inaction). And the threat is always changing across your multiverse. Which Spiderperson will you be? The young Peter Parker still building your test capabilities for insights or Mayday Parker (Spider-Girl) beating supervillains with proactive adversary emulation in real world asset owners to measure across IT and OT. Achieving resilience in industrial operations Understanding what an attack against your organization will look like (deconstructing real-world ICS attacks and technical threats) Live attack demonstrations & the defenses needed to stop them Case studies and lessons learned performing security in OT/ICS networks System and organizational investment opportunities that reduce attacker effects.

As Industrial Control System (ICS) cyber threats continue to grow in scale and sophistication the O&G industry must ensure the unique requirements of the Oil and Gas Unconventional development business are accounted for within cyber security programs which includes both detection and protective measures. Developing and executing cybersecurity and design segmentation strategies must progress together for operating environments in aging Brownfields and Greenfield facilities. Solutions must also consider the large number of external connections that provide key aspects of business operations which also introduces dynamic and mobile threat vectors into the environment. Solutions must ensure a combination of fit-for- risk and cost effective security improvements which will enable business capabilities and meet unique operations requirements. •This presentation will focus on unique challenges of the Unconventional business and ExxonMobil’s journey towards cyber security improvements. Next generation firewalls will be discussed as they were selected for their deep packet inspection technology and centralized management and monitoring capabilities. These expanded technologies increase security and enable centralized cybersecurity support capabilities that were not previously present. We will provide an overview of the architecture and technology capabilities while also highlighting the people and process elements which are all fundamental in protecting the Unconventional SCADA environment. •The intended audiences are industry members interested in secure ICS design and those working through challenges of adding security capabilities in existing operating facilities.

Manufacturing companies have been left behind as ICS cybersecurity has advanced. The large players in the ICS/OT industry have been working to better secure their environments for years. Those organizations have covered the basics and are working to implement advanced security solutions that help them to identify and respond to threats more quickly and efficiently. Meanwhile, most manufacturing companies have only just recently started to secure their ICS and OT systems. For some, this is driven by regulatory requirements like CMMC, and for others it is due to greater understanding the threats that ICS/OT environments face. Security vendors in the ICS space have developed advanced security solutions that help monitor and prevent threats. These solutions use the latest technologies to help secure ICS/OT environments, but they aren’t a starting point in a cybersecurity program. Instead, these solutions are designed for companies that have covered the fundamentals. Ian Frist will discuss how manufacturing companies need to pause and consider mastering the basics before purchasing a buzzword-heavy product and attempting to automate their way to better security. Sometimes there is no substitute to a boots-on-ground, back to fundamentals approach.

Critical infrastructure cyber protection correlates 16 different sectors with no way to actually compare a standardized metric from a municipal water facility in Wyoming to a large commercial energy provider in Florida to a rural hospital in Texas to a train operator in New York. Hypothetical scenarios are quickly convoluted with technical contingencies, competing priorities, overlapping authorities, analysis gaps, and a domino effect of potential cascading real world consequences. This complex tapestry of risk is shared by a myriad of stakeholders with a mission to avoid cyber scenarios which cause physical impacts, environmental impacts, and harm or loss of life. This paper, written for the Atlantic Council, discusses the limitations in current standards for prioritization and associated methodology, focusing on operational technology (OT), and outlines a methodology for prioritizing scenarios and entities across sectors and local, state, and federal jurisdictions. This methodology has two primary use cases:

1. A way to rank relevant cyber scenarios to prioritize for a single entity, organization, facility, or site in scope, allowing any entity, organization, facility, or site to choose scenarios to exercise based on analysis beyond cyber incident severity

2. A Standardized Priority Score which can be used to compare different entities, locations, facilities, or sites within a given jurisdiction.

Session details to come.