
ICS Security Summit & Training 2019

Orlando, FL | Mon, Mar 18 - Mon, Mar 25, 2019

ICS Security Summit Agenda

Summit speakers

We strive to present the most relevant, timely and valuable content. As a result, this agenda is subject to change. Please check back frequently for changes and updates. The following talks and speakers have been confirmed for SANS ICS Security Summit:

CES-21 Technology Achievements: Grid Security and Cyber Automation

California Energy Systems for the 21st Century, known as CES-21, is a project led by California power generation companies and research partners to perform cutting-edge research to promote secure technologies across transmission and distribution infrastructure. Now in its fifth and final year, the project has produced some impressive technologies that will enable utility providers to improve their grid security posture, secure communications within industrial control systems (ICS), and ultimately provide a path towards automated security response. This talk will focus on the various technologies and protocols that are the core of CES-21’s Machine to Machine Automated Threat Response. These technologies include utility-specific extensions to the STIX protocol that enable integration and communication of threats between utilities; a proposed ICS protocol that fully integrates encryption and authentication; and a working example of Quantum Key Distribution to facilitate broad key management. During this discussion, utility owners and operators can expect to hear about a sample of near-term technologies that will improve their security posture. Original equipment manufacturers and service providers will get a description of the future of integration of grid communications, and agencies will gain insight into private research that is benefiting the ICS community and national infrastructure as a whole.

Jon Taylor, Principal Cyber Security Consultant - SoCal Edison Technical Lead for CES-21, Revolutionary Security for Southern California Edison

Gaining Buy-in & Resources to Manage Cybersecurity Risk in OT Environments

This session will introduce and expand the concept of Risk Debt, which is the compounding relationship of technical and operational vulnerabilities on the cybersecurity posture of an environment, and the impact on ICS environments. We’ll discuss use cases to highlight the importance of knowing existing mitigation measures and how they impact Risk Debt. You’ll take away tips for better telling your own risk story, with a structured approach to answering “so what?” and examples of using this approach to communicate cyber risk to key stakeholders.

Samara Moore, Director – Cyber Strategy & Engagement, Exelon
Jason Tugman, VP – Cyber Risk Engineering, Axio

Coordination, Cooperation, and Cyber-resilience: The Role of Energy Computer Emergency Response Teams in Offensive and Defensive Activities

Cooperation is one of the key elements of an effective and efficient reaction to a cyber attack. The exchange of information about threats, vulnerabilities, and attacks gives organizations the ability to respond quickly. A mature organization should have positions or teams responsible for cooperation, and indeed many institutions have a professional computer emergency response team that counts Cyber Threat Intelligence among its competencies. In this presentation, we’ll talk about practical ways that cooperation and the exchange of information can be put in place to help protect organizations from real danger and disasters in the energy sector. We have established cooperation at the national and international levels by creating a trusted network of organizations and people who exchange information about threats on a daily basis and share details on how to protect IT or OT environments. That is the real added value of these contacts.

Jarek Sordyl, CISO/Head of CERT, PSE S.A.

Creating a Security Metrics Program: How to Measure Programmatic Success

We’ve heard it all before: “Our team handles 500,000 cyber-attacks a day.” “Cyber threats are increasing.” “We track cybersecurity as a critical risk for our organization.” But what does any of that really mean? Creating measurements and metrics around cybersecurity is difficult, but so is building a sustainable metrics program, regardless of the subject matter. Early tasks, including measuring what is important and managing resources, can be undermined by external pressure to tell a certain narrative or prove certain results. How can our industry create unbiased, yet compelling, metrics? What is the right-sized team or amount of resources for a metrics program? Is such a program sustainable? This presentation will cover not only the basics of cybersecurity metrics, but also lay the foundation for how a security team can create a new metrics program that goes beyond red/yellow/green or compliance. By moving to objective and repeatable metrics, utility security leaders will be able not only to justify programmatic improvements, but also to track trends across environments and future projects. With research from the U.S. Department of Energy, the Electric Power Research Institute, and the National Institute of Standards and Technology, practitioners can build a defensible security metrics program across the strategic, tactical, and operational levels of the utility.

Jason Christopher, CTO, Axio Global, Inc.

Evolution of ICS Attacks: From BlackEnergy2 to TRISIS

Cyber attacks on industrial control systems (ICS) were once sufficiently rare that years would pass with continued analysis of the same events. But since 2016 the pace of ICS-focused events has increased so dramatically that one event now seems to blur into another, with little time left to place each new incident (and its underlying methodology) into the context of the evolution of ICS attacks. This presentation seeks to address this gap by providing an overview of events ranging from the 2015 BlackEnergy2 grid attack in the Ukraine to CRASHOVERRIDE, the U.S./UK/German grid intrusions, and the TRISIS event. Two primary trends will be analyzed in detail: (1) The shift from custom malware in initial intrusion and entrenchment scenarios to increased dependence on system commands, scripts, and commodity malware; and (2) Increasing software and capability development moving technical proficiency away from on-keyboard operators and embedding ICS expertise in malware. These two seemingly conflicting trends underlie our experience as a community. The result has been an increase in efficiency in ICS-targeting operations, as initial attack phases begin to resemble traditional offensive operations (helped in no small part by the continued convergence of IT technology in OT environments) and final attack scenarios abstract away from the malicious individual to place all ICS-impacting functionality in purpose-built software. This has meant that a large number of malicious operations and actors can be supported by a relatively small number of specialized developers, lowering the overall cost of ICS intrusions and increasing the pace at which such operations can be executed.

Joe Slowik, Adversary Hunter, Dragos

Gaining Endpoint Log Visibility in ICS Environments

This presentation will discuss the reasons why it is important to gain visibility of logs on industrial control system endpoint devices, and examine different methods to achieve that visibility. We’ll review different architectures and technology constraints involved in moving those logs to centralized IT/OT Security Information and Event Management from an oil and gas perspective.

Michael Hoffman, Principal ICS Security Engineer, Shell

ICS Risk Management Approaches: Vulnerability versus Threat versus Engineering, and What Works Best for You

There are a variety of different approaches, methods, and opinions as to how to best defend against industrial control system (ICS) cybersecurity threats. Some of the more popular approaches in the industry focus on vulnerabilities, threats, and engineering. This talk will walk through each of these approaches – that is, where they make sense, where things break down, and how asset owners can apply the approaches in their daily duties. Attendees will walk away with a better understanding of how these approaches can be best combined to strengthen their ICS program given the resource constraints (time, money, resources) faced by most asset owners.

Brian Proctor, Director, SecurityMatters
Dr. Nathan Wallace, Director, Cybirical Engineering

Practical Solutions to Supply Chain Attacks

This presentation will discuss the supply chain in terms of software and networks. We will examine various attacks on supply chains in industrial control systems and other industries that have occurred over the last few years. We’ll then spend time looking at the various unsuccessful attempts by regulators and organizations to address these problems, followed by suggestions on how Emerson or other vendors can work with the end customer.

David Foose, Ovation Security Solutions Program Manager, Emerson