Four Days Left to Get an iPad (32G), Galaxy Tab A, or $250 Off Online Training!

ICS Security Summit & Training 2020

Orlando, FL | Mon, Mar 2 - Mon, Mar 9, 2020
Live Event starts in 43 Days

ICS Security Summit Agenda

Summit speakers

Monday, March 2 #nearsighted
9:00-9:15 am
Welcome & Opening Remarks

Tim Conway & Robert M. Lee @robertmlee, Summit Co-Chairs, SANS Institute

9:15-10:00 am

Keeping the Lights On in a Dangerous World

Adam S. Lee, VP & CSO, Dominion Energy Services

10:05-10:45 am

Security Worst Practices

David Foose @davefoose, Ovation Security Program Manager, Emerson

We hear all the time about “best practices,” but this presentation will present war stories that are examples of organizations approaching various security problems the wrong way – that is, “worst practices” in security. We’ll walk through the reasons why these events occurred and look at improvements that can be made going forward to make sure they don’t happen again.

10:45-11:15 am

Networking Break

11:15-11:55 am

5 Blind Men and an Elephant called ICS Supply Chain Security

Eric Byres @ICS_Secure, CEO, aDolus Inc.

Industrial companies depend on their vendors to supply valid software and firmware for control system implementation and upgrades. If this chain of trust is compromised, then malicious software can be introduced that alters core system functionality, potentially impacting critical operations and human safety. Unfortunately, there are currently few safeguards in place to protect IIoT and ICS devices against the introduction of counterfeit firmware and software. In this session, we discuss the five key supply chain risks to ICS software and firmware, showing specific examples of each of these threats. We'll introduce a framework funded by the DHS to safeguard against ICS supply chain attacks. Finally, we’ll show you how to satisfy security requirements like NERC CIP-013, without introducing onerous or error-prone processes: * Verification of software integrity and authenticity: Learn how to ensure that your staff are not loading counterfeit or tampered software and firmware into critical systems. * Vulnerability detection and disclosure: Learn how to generate a Software Bill of Materials (SBoM) to reveal unexpected sub-components that may contain vulnerabilities or malware. * Validation of firmware versions: Learn how to ensure that firmware is an up-to-date version, tested and approved by the vendor rather than an unauthorized or obsolete version. * Validation of certificate-chains: Learn how to detect fraudulently signed packages masquerading as authentic, avoiding Stuxnet-style attacks where private keys have been stolen. * Detection of blacklisted products: Learn how to uncover sub-components in software from prohibited suppliers.

11:55 am -12:25 pm

The Current Status of Industrial Control Systems in Developing Countries: A Case Study of Argentina and Latin America

Almada Pablo Martin, Director of ICS/IIoT Services, KPMG

While developed countries such as the United States have led the way in the cybersecurity of critical infrastructure, developing countries have fallen behind due to socioeconomic conditions, lack of investment, and difficulties in developing the skills needed in this area. This presentation examines Latin America’s critical infrastructure situation, with Argentina as a case of study. The presentation will start with a brief overview of current cyber regulation and national initiatives, then turn to examining the status of principal industries in the region, with a focus on the energy industry. Finally, we will look at lessons learned from underdeveloped countries, taking into account that industrial control system (ICS) best practices and regulations are often based on ideal scenarios that are not always feasible in developing nations. To address this challenge, the presentation will examine case studies in critical infrastructure cybersecurity and the steps that Argentina and other countries in the region need to take to improve ICS security in the context of the developing world.

12:25-1:30 pm Lunch
1:30-2:00 pm

At Least We Can Agree on This: Working with Legal to Improve Cybersecurity in Standard Agreements

Brent Foster, Counsel, Third Coast Terminals

In this interactive session, attorney Brent Foster will share tips to help your attorneys and agreements better secure your environment. Which agreements matter, and what linguistic “red flags” may leave you vulnerable if – or when – a crisis strikes? How can you convince legal to be more cooperative (after all, isn’t everyone on the same side)? Brent will demystify the legalese to help you understand your risks and recourse, and present you with actual industry agreements so you can try your hand at redlining before you have to do the real thing.

2:05-2:35 pm

Clean Up Your MES: The Bridge between IT and OT

Khalid Ansari @_Khalid_Ansari, Automation & MES Engineer, Qatar Aluminum Ltd.

This talk is directed primarily at owner-operators from the manufacturing sector, although other industries may benefit as well. Khalid Ansaire will summarize his firm’s experience as an owner-operator and how it approaches the challenge of securing a manufacturing execution system (MES). The presentation will begin by briefly defining what an MES is, using aluminum smelter as an example. An MES bridges IT and OT networks, typically interfacing with ERP on the IT side and automation layer (PLCs, etc.) on the OT side. The MES is the air-gap myth-buster, so it is critical to secure it! This presentation will discuss how careful network segmentation will help secure an MES, with OPC being the most common protocol to do so; examine security options available for legacy OPC-DA and current OPC-UA interfaces; and look at other security controls that can be deployed to increase the security posture of a typical MES. The presentation will conclude by emphasizing the need to develop strong and verifiable disaster recovery and business continuity plans for situations when an MES goes down.

2:35-3:05 pm Networking Break
3:10-3:50 pm

Go-To Analysis for ICS Network Packet Captures

Gabriel Agboruche @ICS_Gabe, Senior ICS/OT Security Consultant, Mandiant

Your plant's production line went down, your corporate IT Historian stopped receiving data from your ICS Historian or you just want to gain a greater understanding of what is happening in your ICS environment. You then go ahead and passively collect a day's worth of network packet data (PCAP), now what? The answer to that "now what?" is the analysis process for peering into the actual activity that's taking place on your ICS network. This presentation will equip individuals with some go-to analysis techniques for ICS network packet capture data.

3:55-4:25 pm

Save the Day: Build an Incident Response Program Now

Steve Winterfeld, Sr Dir Security Strategy, Akamai

This talk will on how to build an Incident response program based on North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) and National Institute of Standards and Technology (NIST) compliance frameworks. It will cover the framework for governance, playbook and process flows for execution, and how to conduct exercises to validate them. It will also touch on the detection lifecycle: Event (log) > SIEM, Alert (correlation) > SOC, Incident (impact analysis and mitigation) > Response (management and investigation). Finally, this talk will explore how to manage across the key stakeholders of leadership, including legal/privacy, public relations, and technology, as well as how to prepare for both internal and third-party incidents for multiple scenarios.

4:30-5:10 pm


Robert M. Lee @robertmlee, Summit Co-Chair, SANS Institute

5:30 pm

ICS Summit Networking Event

details to come

Tuesday, March 3 #farsighted
9:00-9:20 am
Lifetime Achievement Award
9:20-10:00 am
Keynote & DEmo

Tim Conway, Summit Co-Chair, SANS Institute

10:00-10:30 am Networking Break
10:30-11:10 am

2020 ICS Cyber Attack Trends

Sarah G. Freeman, ICS Cybersecurity Analyst, Idaho National Lab

Cyber attacks over the past few years have highlighted the increasing sophistication of adversaries. However, other trends – including the shift toward safety system attacks and the continued blurring of nation-state and non-state actors – can be turned to our advantage by informing cybersecurity strategies, especially within resourced-constrained environments. This talk will focus on recent trends in this area and identify potential security strategies.

11:15-11:55 am

Mission Kill: Process Targeting in Industrial Control System Attacks

Joe Slowik @jfslowik, Principal Adversary Hunter, Dragos

Typical conceptions of industrial control system (ICS) targeting focus on direct disruption of organizations through specific action resulting in complete operational loss, such as opening breakers to interrupt the flow of electricity, or tripping a safety system to shut down a plant. Yet further analysis of ICS events over time indicates adversaries are pursuing far more ambitious attack patterns. Following the 2015 Ukraine power event, ICS-focused attacks began to shift from direct disruption to changing, modifying, or otherwise undermining fundamental ICS processes by either staging more serious attacks or identifying specific process “pain points” with outsized value to the victim environment. There is clear evidence that adversaries are learning about process and operational dependencies in industrial environments and how they can be leveraged to achieve maximum impact. This presentation will examine three case studies: the 2016 Ukraine event, the 2017 TRISIS event, and the 2019 attack on the Abqaiq oil processing facility in Saudi Arabia (relevant for targeting purposes even though it was not a cyber attack). In each case, attackers identified specific operational pain points (protective relays, safety instrumented systems, hydrodesulfurization facilities) to create cascading or outsized impacts from specific device compromise (or destruction). Given these developments, ICS security operations need to move beyond the realm of being IT-centric to fusing IT visibility with industrial process awareness. From a defensive point of view, understanding the process environment and identifying critical path nodes for the defended facility is vital to ensure appropriate defense where it matters most. By understanding how attackers have evolved, ICS and critical infrastructure defenders can better position themselves to counter future attacks.

11:55 am - 12:25 pm

Cyber Guardian Exercise: A Case Study in Brazil to Address Challenges in Cybersecurity and Protect Critical Infrastructure

Maxli Barroso Campos, Cybersecurity Analyst, Cyber Defense Command, Brazilian Army

This presentation will outline how the Cyber Guardian Exercise is establishing the principles of cyber protection for important national and critical infrastructure sectors in Brazil by building a strong cybersecurity community based on the exchange of experiences and a strong partnership between all parties involved. In 2019, 38 government and military agencies, defense-related firms, academic entities, and representatives from the financial, energy, telecommunications, and other critical sectors participated in Cyber Guardian 2.0. This presentation will examine the lessons learned from exercises using virtual and constructive simulation techniques to protect the financial and nuclear sectors from cyber attacks; virtual simulation using the Cyber Operations Simulator Program; and constructive simulation using a crisis management office for information technology, media, legal, and senior management issues. The presentation will also look at initiatives undertaken to improve cyber protection of critical infrastructure for national defense.

12:25-1:30 pm Lunch
1:30-2:05 pm

Nation-State Supply Chain Attacks for Dummies and You Too -or- Chipping Cisco Firewalls

Monta Elkins @MontaElkins, Security Researcher

Back in October 2018, Bloomberg recounted a Chinese supply-chain attack on Supermicro motherboards used in servers for Amazon, Apple, and more than 20 other companies. is how I replicated it, on a Cisco firewall, with a shoestring budget, and how you can too. Sponsored by TDi technologies.

Also featured on wired

2:10-2:40 pm

Ways to Mitigate Insecure ICS Device Communications

Michael Hoffman, Principal ICS Security Engineer, Shell

Industrial control system (ICS) devices are well known for their insecure-by-design communications protocols. What can be done to ensure that these protocols operate as intended if an attacker is trying to exploit the devices? To answer that question, this presentation will first look at how easily many ICS protocols can be manipulated and at some initiatives that can be undertaken at the network, controller, and logic levels to mitigate such manipulation. As a backdrop for the discussion, student kits from SANS ICS515 and ICS612 courses will be used in a combined ICS application to show how logic values can be overwritten due to insecure ICS communication. Mitigating controls for the PLC logic and network will be deployed to raise the level of difficulty for the protocol attack, and the attacks will be re-performed to understand how effective the controls are and highlight what folks can do today to protect their ICS devices.

2:40-3:10 pm Networking Break
3:15-3:45 pm

“Project Runaway:” How the World’s Largest Manufacturers Are Unknowingly Leaking Their Secrets Online

Matan Dobrushin, Head of Research, OTORIO
Yoav Flint Rosenfeld @YoavfFlint, Head of Services, OTORIO

Project files are the blueprints of the industrial process. They can contain network configurations, screen definitions, hardware and software configurations, and the actual automation logic of the controllers. Access to project file means access to knowledge about the most important elements of the production floor. Because of their sensitivity, these files should be kept in a well-secured location such as an internal vault. However, the growing need to share and collaborate with suppliers makes it difficult to keep track of the files, and the data can end up in the wrong hands. A large amount (>500!) of highly confidential industrial data is located on an Internet research site and available to every registered user. The data involve multiple manufacturers, suppliers, and orchestrators from different sectors and geographical locations. The amount of the data and the companies involved suggests that the widespread availability of such data is not a one-time event but rather a systematic issue caused by the security tools that are not protecting companies as they should. This presentation will explain the basic components and structures of certain project files; outline the threat landscape connected to the data and the inherent insecurity of the supply chain; show how an attacker might use these data to target a company’s operations and processes; look at what can be derived from automation logic by examining past research and proposing new approaches; share statistics about the amount of companies, sectors, and geolocations of the affected companies; and propose options to address the potential sources of the leaks and put in place different security methods to fix the problem.

3:50-4:20 pm

Where Did You Come up with That Idea? Sharing is the Key

Justin Opatrny, Manager, Cyber Security Engineering, General Mills, Inc.
Sanford Rice, Lead ICS Engineer, Atmos Energy

Threats to ICS environments continue to advance requiring us as defenders to keep up with all the things (threats, training, technology, etc.). No one person or organization can do it all, leaving many opportunities to try, learn, develop, and most importantly, SHARE. This talk will cover a variety of methods for how individuals can contribute back to the overall ICS security community and beyond. Whether the contribution is big or small, from our individual critical infrastructure vertical or not, we are all in the same fight.

4:25-5:00 pm Demo to be announced.