
ICS Security Summit & Training 2020

Orlando, FL | Mon, Mar 2 - Mon, Mar 9, 2020

ICS Security Summit Agenda

Summit speakers

Monday, March 2 #nearsighted
9:00-9:15 am
Welcome & Opening Remarks

Tim Conway & Robert M. Lee @robertmlee, Summit Co-Chairs, SANS Institute

9:15-10:00 am

Keeping the Lights On in a Dangerous World

Adam S. Lee, VP & CSO, Dominion Energy Services

Adam will share his experiences and wisdom from over two decades of work, ranging from leading operations countering terror threats, hostile foreign intelligence operations, cyber attacks, and criminal enterprises to managing security for a $100 billion energy company that serves as the power company to the Pentagon.

10:05-10:45 am

Security Worst Practices

David Foose @davefoose, Ovation Security Program Manager, Emerson

We hear all the time about “best practices,” but this presentation will present war stories that are examples of organizations approaching various security problems the wrong way – that is, “worst practices” in security. We’ll walk through the reasons why these events occurred and look at improvements that can be made going forward to make sure they don’t happen again.

10:45-11:15 am

Networking Break

11:15-11:55 am

5 Blind Men and an Elephant called ICS Supply Chain Security

Eric Byres @ICS_Secure, CEO, aDolus Inc.

Industrial companies depend on their vendors to supply valid software and firmware for control system implementation and upgrades. If this chain of trust is compromised, then malicious software can be introduced that alters core system functionality, potentially impacting critical operations and human safety. Unfortunately, there are currently few safeguards in place to protect IIoT and ICS devices against the introduction of counterfeit firmware and software. In this session, we discuss the five key supply chain risks to ICS software and firmware, showing specific examples of each of these threats. We'll introduce a framework funded by the DHS to safeguard against ICS supply chain attacks. Finally, we’ll show you how to satisfy security requirements like NERC CIP-013, without introducing onerous or error-prone processes:

  • Verification of software integrity and authenticity: Learn how to ensure that your staff are not loading counterfeit or tampered software and firmware into critical systems.
  • Vulnerability detection and disclosure: Learn how to generate a Software Bill of Materials (SBoM) to reveal unexpected sub-components that may contain vulnerabilities or malware.
  • Validation of firmware versions: Learn how to ensure that firmware is an up-to-date version, tested and approved by the vendor rather than an unauthorized or obsolete version.
  • Validation of certificate chains: Learn how to detect fraudulently signed packages masquerading as authentic, avoiding Stuxnet-style attacks where private keys have been stolen.
  • Detection of blacklisted products: Learn how to uncover sub-components in software from prohibited suppliers.

11:55 am -12:25 pm

The Current Status of Industrial Control Systems in Developing Countries: A Case Study of Argentina and Latin America

Almada Pablo Martin, Director of ICS/IIoT Services, KPMG

While developed countries such as the United States have led the way in the cybersecurity of critical infrastructure, developing countries have fallen behind due to socioeconomic conditions, lack of investment, and difficulties in developing the skills needed in this area. This presentation examines Latin America’s critical infrastructure situation, with Argentina as a case study. The presentation will start with a brief overview of current cyber regulation and national initiatives, then turn to examining the status of principal industries in the region, with a focus on the energy industry. Finally, we will look at lessons learned from underdeveloped countries, taking into account that industrial control system (ICS) best practices and regulations are often based on ideal scenarios that are not always feasible in developing nations. To address this challenge, the presentation will examine case studies in critical infrastructure cybersecurity and the steps that Argentina and other countries in the region need to take to improve ICS security in the context of the developing world.

12:25-1:30 pm Lunch
1:30-2:00 pm

At Least We Can Agree on This: Working with Legal to Improve Cybersecurity in Standard Agreements

Brent Foster, Founder, Extensible Security

In this interactive session, attorney Brent Foster will share tips to help your attorneys and agreements better secure your environment. Which agreements matter, and what linguistic “red flags” may leave you vulnerable if – or when – a crisis strikes? How can you convince legal to be more cooperative (after all, isn’t everyone on the same side)? Brent will demystify the legalese to help you understand your risks and recourse, and present you with actual industry agreements so you can try your hand at redlining before you have to do the real thing.

2:05-2:35 pm

Clean Up Your MES: The Bridge between IT and OT

Khalid Ansari @_Khalid_Ansari, Automation & MES Engineer, Qatar Aluminum Ltd.

This talk is directed primarily at owner-operators from the manufacturing sector, although other industries may benefit as well. Khalid Ansari will summarize his experience as an owner-operator and the challenge of securing a manufacturing execution system (MES). The presentation will begin by briefly describing what an MES is, using an aluminum smelter as an example. An MES bridges IT and OT networks, typically interfacing with ERP on the IT side and the automation layer on the OT side. The MES is the air-gap myth-buster, so it is critical to secure it. The presentation will discuss network segmentation and the security options available for legacy OPC-DA and current OPC-UA interfaces, and look at other security controls that may be deployed to increase the security posture of a typical MES. The presentation will conclude by emphasizing the need for strong and verifiable disaster-recovery and business-continuity plans for situations when the MES goes down.

2:35-3:05 pm Networking Break
3:10-3:50 pm

Go-To Analysis for ICS Network Packet Captures

Gabriel Agboruche @ICS_Gabe, Senior ICS/OT Security Consultant, Mandiant

Your plant's production line went down, your corporate IT Historian stopped receiving data from your ICS Historian, or you just want to gain a greater understanding of what is happening in your ICS environment. You then go ahead and passively collect a day's worth of network packet data (PCAP). Now what? The answer to that "now what?" is the analysis process for peering into the actual activity that's taking place on your ICS network. This presentation will equip individuals with some go-to analysis techniques for ICS network packet capture data.

3:55-4:25 pm

Save the Day: Build an Incident Response Program Now

Steve Winterfeld, Advisory CISO, Akamai

This talk is about building an operational and effective Incident Response (IR) program based on the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and National Institute of Standards and Technology (NIST) compliance frameworks. It will cover the pillars you need for a program, including a framework for governance, the plans needed for execution, and how to conduct exercises for validation. We'll talk about the need for plans vs. playbooks, the IR process, the best way to be compliant, and industry frameworks. Finally, we will explore how to manage across the key leadership stakeholders, as well as how to prepare for both internal and third-party incidents for multiple scenarios.

4:30-5:10 pm

ICS Threats and Mapping to ICS ATT&CK

Robert M. Lee @robertmlee, Summit Co-Chair, SANS Institute

This presentation will introduce the ICS ATT&CK framework as a tool for guiding security approaches for ICS security such as threat detection strategies. The presenter will take a few examples of active ICS threats and utilize models such as the ICS Cyber Kill Chain, the Sliding Scale of Cybersecurity, and Collection Management Frameworks in combination with ICS ATT&CK to give the attendees a repeatable way to guide their security approaches for the next year.

5:10-6:10 pm

ICS Summit Networking

Join our event sponsors and your fellow attendees for a little more post-Summit networking.

6:15-8:30 pm

Summit Night Out

Let’s Split!

Hop on the complimentary bus and join us for bowling, billiards, and a buffet at Splitsville Luxury Lanes in Disney Springs! Dinner, drinks, bowling, and round-trip transportation are provided. If you prefer to strike out on your own after bowling to explore more of Disney Springs, you’re welcome to do so.

Tuesday, March 3 #farsighted
9:00-9:20 am
Michael J. Assante ICS Security Lifetime Achievement Award
9:20-10:00 am
Keynote & Demo

The PLC Made Me Do It!

Tim Conway, Summit Co-Chair, SANS Institute
Jason Dely @JasonJDely, ICS Team, SANS Institute
Jeffrey Shearer, ICS Team, SANS Institute

ICS security programs are typically implemented to provide technical and non-technical controls to the process environment so the ICS can behave in a reliable and predictable manner. ICS-focused attacks have a sliding scale of effect, with the largest effects being hardware manipulation to cause product quality issues, product manufacturing disruption, or the highest effect of all: loss of life. Recent real-world attacks have shown the effects of ICS hardware manipulation and the impacts it can have on a country's or corporation's physical and psychological well-being. This presentation and demonstration will walk through some common attack techniques observed in ICS environments, detecting those attacks, and some approaches to consider as adversaries will continue to adapt to a defender's capabilities in the future.

10:00-10:30 am Networking Break
10:30-11:10 am

2020 ICS Cyber Attack Trends

Sarah G. Freeman, ICS Cybersecurity Analyst, Idaho National Lab

Cyber attacks over the past few years have highlighted the increasing sophistication of adversaries. However, other trends – including the shift toward safety system attacks and the continued blurring of nation-state and non-state actors – can be turned to our advantage by informing cybersecurity strategies, especially within resource-constrained environments. This talk will focus on recent trends in this area and identify potential security strategies.

11:15-11:55 am

Mission Kill: Process Targeting in Industrial Control System Attacks

Joe Slowik @jfslowik, Principal Adversary Hunter, Dragos

Typical conceptions of industrial control system (ICS) targeting focus on direct disruption of organizations through specific action resulting in complete operational loss, such as opening breakers to interrupt the flow of electricity, or tripping a safety system to shut down a plant. Yet further analysis of ICS events over time indicates adversaries are pursuing far more ambitious attack patterns. Following the 2015 Ukraine power event, ICS-focused attacks began to shift from direct disruption to changing, modifying, or otherwise undermining fundamental ICS processes by either staging more serious attacks or identifying specific process “pain points” with outsized value to the victim environment. There is clear evidence that adversaries are learning about process and operational dependencies in industrial environments and how they can be leveraged to achieve maximum impact. This presentation will examine three case studies: the 2016 Ukraine event, the 2017 TRISIS event, and the 2019 attack on the Abqaiq oil processing facility in Saudi Arabia (relevant for targeting purposes even though it was not a cyber attack). In each case, attackers identified specific operational pain points (protective relays, safety instrumented systems, hydrodesulfurization facilities) to create cascading or outsized impacts from specific device compromise (or destruction). Given these developments, ICS security operations need to move beyond the realm of being IT-centric to fusing IT visibility with industrial process awareness. From a defensive point of view, understanding the process environment and identifying critical path nodes for the defended facility is vital to ensure appropriate defense where it matters most. By understanding how attackers have evolved, ICS and critical infrastructure defenders can better position themselves to counter future attacks.

11:55 am - 12:25 pm

Cyber Guardian Exercise: A Case Study in Brazil to Address Challenges in Cybersecurity and Protect Critical Infrastructure

Maxli Barroso Campos, Cybersecurity Analyst, Cyber Defense Command, Brazilian Army

This presentation will outline how the Cyber Guardian Exercise is establishing the principles of cyber protection for important national and critical infrastructure sectors in Brazil by building a strong cybersecurity community based on the exchange of experiences and a strong partnership between all parties involved. In 2019, 38 government and military agencies, defense-related firms, academic entities, and representatives from the financial, energy, telecommunications, and other critical sectors participated in Cyber Guardian 2.0. This presentation will examine the lessons learned from exercises using virtual and constructive simulation techniques to protect the financial and nuclear sectors from cyber attacks; virtual simulation using the Cyber Operations Simulator Program; and constructive simulation using a crisis management office for information technology, media, legal, and senior management issues. The presentation will also look at initiatives undertaken to improve cyber protection of critical infrastructure for national defense.

12:25-1:30 pm Lunch
1:30-2:15 pm

Nation-State Supply Chain Attacks for Dummies and You Too -or- Chipping Cisco Firewalls

Monta Elkins @MontaElkins, Security Researcher

Back in October 2018, Bloomberg recounted a Chinese supply-chain attack on Supermicro motherboards used in servers for Amazon, Apple, and more than 20 other companies. Here is how I replicated it, on a Cisco firewall, with a shoestring budget, and how you can too. Sponsored by TDi Technologies.

Also featured on Wired

2:15-2:50 pm

Vulnerabilities on the Wire: Mitigations for Insecure ICS Protocols

Michael Hoffman, Principal ICS Security Engineer, Shell

Insecure Modbus TCP and other legacy ICS protocols are still widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. The question now is what can asset owners and operators do to secure their environments today? This presentation attempts to answer that question by examining the viability of deploying PLC configuration modifications, programming best practices, and network security controls to show that it is possible to increase the difficulty for attackers to exploit these systems and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluation of ICS protocols, device configurations, and network security controls.

2:50-3:15 pm Networking Break
3:15-3:45 pm

“Project Runaway:” How the World’s Largest Manufacturers Are Unknowingly Leaking Their Secrets Online

Matan Dobrushin, Head of Research, OTORIO
Yoav Flint Rosenfeld @YoavfFlint, Head of Services, OTORIO

Project files are the blueprints of the industrial process. They can contain network configurations, screen definitions, hardware and software configurations, and the actual automation logic of the controllers. Access to a project file means access to knowledge about the most important elements of the production floor. Because of their sensitivity, these files should be kept in a well-secured location such as an internal vault. However, the growing need to share and collaborate with suppliers makes it difficult to keep track of the files, and the data can end up in the wrong hands. A large amount (>500!) of highly confidential industrial data is located on an Internet research site and available to every registered user. The data involve multiple manufacturers, suppliers, and orchestrators from different sectors and geographical locations. The amount of the data and the companies involved suggests that the widespread availability of such data is not a one-time event but rather a systematic issue caused by security tools that are not protecting companies as they should. This presentation will explain the basic components and structures of certain project files; outline the threat landscape connected to the data and the inherent insecurity of the supply chain; show how an attacker might use these data to target a company’s operations and processes; look at what can be derived from automation logic by examining past research and proposing new approaches; share statistics about the number of companies, sectors, and geolocations of the affected companies; and propose options to address the potential sources of the leaks and put in place different security methods to fix the problem.

3:50-4:20 pm

Where Did You Come up with That Idea? - Sharing is the Key

Justin Opatrny, Manager, Cyber Security Engineering, General Mills, Inc.
Sanford Rice, Manager - Technical Control Systems, Atmos Energy

Threats to ICS environments continue to advance, requiring us as defenders to keep up with all the things (threats, training, technology, etc.). No one person or organization can do it all, leaving many opportunities to try, learn, develop, and most importantly, SHARE. This talk will cover a variety of methods for how individuals can contribute back to the overall ICS security community and beyond. Whether the contribution is big or small, from our individual critical infrastructure vertical or not, we are all in the same fight.

4:25-5:00 pm


RADICS: The DARPA Project to Restart the Power Grid after a Significant Cyber Attack

  • Gary D. Seifert, EE PE, ICS Cyber, Microgrid, Power Systems, and Energy Systems
  • Tim Yardley, Principal Research Scientist, University of Illinois Urbana-Champaign Information Trust Institute

The Department of Defense (DOD) shares the national concern regarding a cyber-attack on the U.S. power grid. As such, the Defense Advanced Research Projects Agency (DARPA)'s Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program has challenged researchers over the past 4 years to develop technologies to enable the black start recovery of the U.S. power grid amidst a cyber-attack on the electrical sector's critical infrastructure.

Early into the RADICS program, researchers moved from simulated and synthetic data to practical exercises around cyber-physical systems to validate their research. Additionally, the RADICS team integrated utilities and cyber first responders as another vector for validation and research relevance. In November 2018, RADICS supported the Department of Energy's (DOE) Liberty Eclipse exercise and measured the challenges around black start restoration during a cyber-attack, and it has continued its partnership with DOE into the National Level Exercise in 2020.

This presentation will discuss the results of the program, our efforts to transition these vital technologies to private and public sector stewards, our lessons learned in cyber incident response for electric power systems, and the importance of exercising our cyber recovery capabilities as a nation.

5:00-6:00 pm

Networking Reception hosted by

SANS Security Awareness

6:00-8:00 pm

GIAC Reception

This exclusive event brings together a recognized community of ICS security professionals (holders of GICSP, GRID, and GCIP certifications) for an evening of drinks, hors d'oeuvres, and networking.