
ICS Security Summit & Training 2021 - Live Online

Virtual, US Eastern | Thu, Mar 4 - Sat, Mar 13, 2021

ICS Security Summit

Live Online | March 4-5, 2021

Thursday, March 4 – all times in Eastern Standard Time (UTC – 5)

SANS ICS Lifetime Achievement Award

Tim Conway, Certified Instructor, SANS Institute

Opening Remarks

Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute

Tim Conway, Certified Instructor, SANS Institute


Keynote: 2020 Year in Review

Robert M. Lee, @RobertMLee, CEO and co-founder, Dragos

11:00-11:15am Break

Correlating Alarm and System Events for Security Monitoring in ICS Environments

Uduak Daniels, Cybersecurity Specialist, Saudi Aramco

The objective of this presentation is to highlight the benefits of leveraging process alarm events for security event correlation, significantly improving both the detection and analysis of relationships between events generated by various industrial control systems (ICS). Some asset owners have implemented Security Information and Event Management (SIEM) technologies in their ICS environments, with varying returns on investment (ROI). A significant challenge with these implementations in ICS environments has been the exclusion of process automation application logs from the security event correlation effort. This lack of ICS event visibility slows down security event correlation and produces inefficient alerting, increasing the time required for analysis and response. The collection, normalization and correlation of application, system, and network logs have been the foundation of most, if not all, IT SIEM implementations. Unfortunately, in most ICS SIEM implementations these benefits have been missed due to the lack of clearly defined logging requirements for process automation systems and applications. Fortunately, Open Platform Communications (OPC), as part of its specification, defines alarms and events that contain a wealth of ICS event information which, when carefully correlated with operating system and/or network device events, can be leveraged to address these inefficiencies.


Exorcising the Ghost in the Machine: A Critical Evaluation of ICS-Focused Supply Chain Attacks

Joe Slowik, @jfslowik, Senior Threat Researcher, DomainTools

Supply chain attacks appear to be among the most concerning threat vectors for many organizations - yet most descriptions of such threats either ignore or are ignorant of the steps required to actualize an implant for offensive purposes. First, this talk will disambiguate two distinct attack types often lumped together: software/hardware supply chain attacks via modification, and trusted third-party/vendor/contractor compromise to facilitate access to supported organizations. This distinction is very important, and treating these two event types as equivalent is deeply confusing.

After setting the groundwork for discussion, physical or software supply chain attack functionality and execution (e.g., modification of device hardware or firmware, "adding a rice-sized chip" to a motherboard, or altering source code) will be analyzed in detail: how these attacks work in practice, and what actions and accesses are required to make them useful. Based on this exploration, defenders will gain insight into the true scope and meaning of such attacks, specifically: how such attacks are overhyped; why such attacks are extremely difficult to execute; and how multiple defensive measures exist to detect or mitigate them. From this analysis, defenders and information security stakeholders will learn how to precisely orient the risk of supply chain compromise events and exorcise the persistent threat of a "ghost in the machine".


2021 is CCE's Coming Out Year

Andy Bochman, @andybochman, Grid Strategist, Idaho National Lab

More than a decade ago, legendary SANS ICS Security program leader Mike Assante began thinking that no matter what cyber tools an organization deployed, and no matter how well it ran its security operations, adaptive, well-resourced attackers could and would get through the best defenses, almost always undetected. Mike didn't like this one bit and pledged to do something about it. In recent years, his former colleagues at INL have brought the methodology he pioneered, Consequence-driven Cyber-informed Engineering, to maturity with support from DOE, DoD and DHS. And they've used it to engineer out much of the cyber risk at selected critical infrastructure and military sites. Now with Countering Cyber Sabotage (the first CCE book) just published, and with the CCE @ Scale partner program ramping up throughout 2021, INL is ready to give the SANS ICS community a closer look at CCE than ever before.




A CISO View on the Journey of OT/ICS Cybersecurity

Moderator: Tim Conway, Certified Instructor, SANS Institute


Annessa O. McKenzie, VP of Supply Chain & Chief Security Officer, Calpine

Dr. Reem F. Al-Shammari, CISO of Kuwait Oil Company, Kuwait Oil Company

In this moderated panel discussion, three CISOs representing asset owners and operators from different sectors will talk about their companies' journey into building an OT/ICS cybersecurity program covering people, process, and technology. They will take questions on the challenges they see, the roles and responsibilities of different parts of the value chain, the wins they've had, and the lessons learned not only in communicating with practitioners but also in educating their boards of directors and other executives.

Their firsthand lessons learned will offer actionable guidance to attendees and openly discuss the victories and hardships they've faced.


Are you under ATT&CK? How to gain OT visibility necessary for MITRE ATT&CK for ICS coverage.

Mike Hoffman, @ICSSecurityGeek, Principal Industrial Consultant, Dragos

Asset owners and operators are faced with the difficult challenge of adequate network visibility, host log visibility, and ICS device log visibility. This talk will pull together Crown Jewel Analysis and Collection Management Framework concepts to help asset owners and operators focus their monitoring strategy to align with known adversarial tactics and techniques.

3:40-3:55pm Break

A tale of two wireless RTUs – sinking titanic and ransoming it.

Ron Brash, @ron_brash, Director of Cyber Security Insights, Verve Industrial Protection

As a technical follow-up to my SANS oil & gas session – tale of the lost RTUs, I am going to discuss how a Software Bill of Materials (SBOM) for two commonly used cellular Remote Terminal Units (RTUs) resulted in disclosures, using merely their firmware to guide a research process to "sink the titanic". But! Why stop there?

Well, recently, there have been some small-scale ransomware attacks targeting relatively commodity Network Area Storage (NAS) devices such as those by QNAP or NetGear, and so I thought it would be fitting to see how a ransomware strategy plays into a threat scenario with often directly connected remote devices often seen on Shodan. Using the same target devices, I will use their "sinking" to my advantage, and leverage that information to build malicious firmware, access functionality on hardware using a low-cost probe/logic analyzer and look towards the future – ransoming an embedded ICS device. It may not be a completely greenfield strategy, but it might be among the first to be explored in a public scenario.

Attendees should walk away with an understanding of:
* How the research target was selected, and how an SBOM led to this further research
* How to scope hardware and begin the process using a scope or serial adapter to find an entrance
* How firmware was created and uploaded to the research targets
* How ransoming is a definitive possibility when dealing with embedded systems
* And some observations about reducing risks in this scenario for OEMs and asset owners


Future Outlook is a bit Cloudy

David Foose, @Davefoose, Ovation Security Program Manager, Emerson

Love it or hate it, organizations are moving more of their infrastructure outside their physical control. These same organizations are looking towards their operational environments to see similar benefits in both cost and efficiency. From diagnostics and control centers to full SCADA in the cloud, we will explore the actual steps entities have been implementing in their installations. We will go over what has worked, what has not been realized, and what trends we are seeing as we digitally transform our plants.

5:00-5:15pm Break

Lurking Beneath the Surface... Uncovering Hidden Components in ICS Software

Eric Byres, @ICS_Secure, P.Eng, ISA Fellow, CEO, aDolus Technology Inc.

Today’s ICS software is never written from scratch. Vendors focus development resources on core competencies and prefer to buy (rather than build) components available off the shelf, such as license managers, installers, and cryptographic libraries. This strategy, while efficient in terms of development effort, entwines the vendor’s security posture with multiple suppliers and open source projects. Ultimately, it makes it difficult to know what exactly is included in a package.

This lack of component visibility directly impacts asset owners' vulnerability management processes. For example, in 2019, ICS were exposed to critical vulnerabilities found in the VxWorks TCP stack. Vendors had used this component in their ICS products, but most operators were unaware of this. Searching vulnerability databases didn't reveal the problem, as the vulnerabilities were listed under Wind River products rather than ICS vendor products. Automated vulnerability tools using NVD lists failed to detect this issue in deployed products.


Lessons from Two Years of ICS Security Assessments

Don C. Weber, @cutaway, Principal Consultant and Founder, Cutaway Security, LLC

ICS environments are under the gun and under the spotlight. Organizations are working hard to determine the best methods for improving security and asking vendors to help them. This presentation will cover two years of ICS security assessments, conducted by Cutaway Security, in a variety of industrial sectors. We will break down our assessment process and the common issues it identified during these engagements. Our goal is to provide attendees with an understanding of the common problems that happen before, during, and after an assessment.

Day 1 Wrap-Up

Thursday, March 4 – all times in Eastern Standard Time (UTC – 5)

Peter Jackson, Engineering Manager – Cyber, SGS ECL


The Collision of ICS Safety and Security in 2021

Peter Jackson, Engineering Manager – Cyber, SGS ECL

The history of safety in industrial control systems (ICS) is rich. We have learnt over decades to build in safety by design as part of good engineering practice. Security in ICS is less mature but there are good things happening with owner/operators, consultants, vendors, and standards to move this forward and grow in maturity. With more than three years since the first known safety instrumented system (SIS) malware (TRISIS/TRITON), this talk is a look back to where we’ve come from, a check-in on where we’re at and a look forward to the future of safety and security in ICS. It should be easy to prioritize safety and security when they align – why don’t we? And what about when they don’t align?


Re-evaluating ICS/OT Procurement Language

Sarah Freeman, ICS Cybersecurity Analyst, Idaho National Laboratory

As demonstrated during the events of 2020, supply chains for almost every product and service have become globalized. Additionally, in spite of several efforts to improve the robustness of supply chain lines, COVID-19 has demonstrated the “failure of imagination” of supply chain engineers to identify potential areas of weakness. In December 2020, the cybersecurity community experienced the SolarWinds hack and, although not the first, the implications of this supply chain attack will likely ripple for years to come. In spite of these events, however, a substantial foundation for supply chain security exists. Previous research by DHS, Idaho National Laboratory and SANS, for example, laid the groundwork by defining base language for procuring secure software and hardware for ICS. DHS’s Cyber Security Procurement Language for Control Systems (2009) and SANS Application Security Procurement Language (2009) serve as a starting point for vendor and asset owner discussions on product security. Still, as supply chain attacks have continued to evolve since 2009, it is necessary to reevaluate these efforts and their language to identify and address gaps in supply chain security.

This presentation is intended to provide the audience with an overview of relevant federal and private sector efforts to define a secure supply chain (e.g., Section 889 of NDAA 2019, Securing the United States Bulk-Power System (EO 13920), etc.), highlight key supply chain attacks (e.g., Havex, NotPetya, RubyGems, etc.), and identify gaps in existing approaches. Some recommendations for product end-users will be identified. This talk is not intended to be prescriptive, but to highlight areas for additional discussion and research.


E-MIMICS: Extended Malware in Modern ICS

Seth Enoka, @seth_enoka, Senior Industrial Incident Responder, Dragos

In 2017, the Dragos team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files within those databases to encourage a discussion around security in modern ICS. Three years later, there is a wealth of new information available in public datasets that you can again use to immediately inform your cyber security postures and strategies. This presentation relates to research conducted recently into ICS-targeted malware, using a much larger dataset from VirusTotal and covering a longer timeframe than the original Project MIMICS. Several new activity groups and adversaries have been identified since 2017, many of which are known to specifically target ICS and OT environments aiming to cause loss of view, loss of control, or loss of life. So, it's time to revisit this research, determine if the findings still hold true, and develop a strategy for mitigating the risks of malware in modern ICS.


Secure System Engineering - Tales from Rail Industry

Saravanakumar G, @Shaunsaravanas, TfNSW

Increasing attacks on industrial control system (ICS) environments have forced communities to invest significant effort to uplift their cyber defence capabilities. However, the nature of ICS operations brings inherent limitations on the extent of security controls that can be utilized or enforced. This implies that security should be woven in as part of the engineering design for ICS. This presentation walks through an approach to factoring in security as part of systems engineering, based on lessons learnt during the implementation of a complex ICS infrastructure. It discusses the cybersecurity assurance regime that should be considered across each phase of systems engineering to achieve an operationally reliable, safe and efficient system. It also exemplifies how the IEC 62443 standards can be leveraged for such complex engagements.


Friday, March 5 – all times in Eastern Standard Time (UTC – 5)

Kai Thomsen, @kaithomsen, Certified Instructor, SANS Institute


DX Security of Factory Automation

Hiroshi Sasaki, CISSP Special Expert, Industrial Cyber Security Center of Excellence (ICSCoE)

Challenges and good practices of ICS security in Factory Automation (FA) are introduced. Recently, almost all Japanese manufacturers are promoting the convergence of IT and FA systems, accelerated by the COVID-19 situation. However, they struggle to move forward due to many challenges such as the flat network architecture of FA systems, lack of awareness among OT people, lack of an incident handling process, etc. I have supported several manufacturers in Japan by holding OT security workshops which help executives, IT and OT people understand each other's challenges and consider how to promote DX in Factory Automation.


TTPs from ICS cyber range

Salimah Liyakkathali, CyberSecurity Technology Engineer, iTrust (Centre for Research in Cybersecurity), Singapore University of Technology & Design

iTrust hosts several world-class testbeds such as Secure Water Treatment, Water Distribution and Electric Power and Intelligent Control grid. Annually, iTrust organizes an ICS cyber range, Critical Infrastructure Security Showdown (CISS), where red teams and blue teams are invited to attack these testbeds and detect those attacks. Last year, CISS was moved to an online platform, which allowed more participants from various countries and backgrounds. The red teams were given a unique opportunity to attack a realistic water treatment plant to cause process anomalies. This has given us insights into composite Tactics, Techniques and Procedures (TTPs) that can be used for enhanced Operational Security (OpSec). Hence, this presentation focuses on the TTPs observed during the event. Attack scenarios and examples that led to disruption of operations are shared with the community.

5:25-5:40am Break
5:45-6:15am TBA

You are hacked, what now?

Goran Katava, Network security engineer, Applied Risk

In 2019 I witnessed a ransomware attack in a large chemical company. Luckily, we had just finished a project to separate the production facilities from the office. I was the lead firewall guy on the project and later in the whole company. The firewalls alone, even being new generation, could not stop the adversaries. They managed to get access via Citrix and even a domain admin account. In the next month we were rebuilding the whole environment. Now I had a clean slate to also remediate the firewall rules, which we never dared to touch, being afraid that some traffic might be broken, like outbound internet traffic. The adversaries were able to use the holes in it to establish C2 traffic.


Engineering for Resilience

Johannes Braams, Senior advisor ICS Cyber Security, Royal HaskoningDHV

Complex systems, such as tunnel systems, are usually designed and built using Systems Engineering techniques. As the Tunnel Technical Installations tend to encompass several computer- and PLC-based systems, all interconnected via networks, securing them is vital for the safe and secure operation of the tunnel during its lifecycle. This talk discusses how we can take cybersecurity into account during the requirements formulation, design, build, test and exploitation stages of these systems.

7:45-8:45am Break
Opening Remarks

Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute

Tim Conway, Certified Instructor, SANS Institute



9:45-10:00am Break/Transition to Solutions Track

The SolarWinds Hack Can Affect Control Systems - what can be done

Joe Weiss, Managing Partner, Applied Control Solutions

A highly sophisticated Russian Intelligence group has compromised the SolarWinds Orion platform. The SolarWinds advisories and webinars have focused on the IT networks, network visibility, and data exfiltration/compromise. However, SolarWinds is also used to directly monitor and CONTROL SNMP devices including building power and cooling systems used in control centers, data centers, laboratories, Ethernet OT network switches etc. The control system issues are not being adequately addressed. The presentation will address the control system issues and possible long-term control system fixes.


ARMOR for OT Security Leaders

Jason Christopher, Certified Instructor, SANS Institute

As OT security leaders, we need to be experts on ICS technology trends, cyber security threats, and process engineering impacts, all while managing daily alerts, cultural silos, and disparate resources from our IT-centric peers. The real-world implications can be painful. To minimize that pain, leaders should put on some ARMOR, or Augmented Risk Management for Operational Resilience. Building on the concepts from the 2020 DISC-SANS presentation "The ICS Security Crucible," this talk dives deep into the programmatic elements needed to link OT security to other business objectives. This ARMOR can be adapted to any industrial organization, regardless of size or sector, as presented in several use cases from real industry examples. Similar programs are already used in mature aspects of industrial organizations, including safety and finance, to secure budgets, track progress, and highlight concerns to executives and boards. As OT security continues to mature, leaders will need to tackle difficult business-level topics, beyond their daily tasks, to make meaningful changes. While not easy, ARMOR will help. So suit up and get ready for battle!


Unit Operations for ICS security professionals (one big and expensive “Lego”)

Oscar J. Delgado-Melo, @lijantropique, Process Engineer, ICS Student

ICS security teams usually include security professionals and operations personnel (i.e., engineers, operators, and technicians) with diverse and particular backgrounds. Effective team communication requires some "common ground" where Operations personnel understand basic network concepts (e.g., data flow, network areas, subnets), and security professionals understand basic process concepts (units, equipment, and controls). While it is not mandatory to become Process Engineers (PE), security professionals will benefit from a refresher of what a PE does and which tools they use.

11:45am - 12:00pm Break

Cyber-Physical Safety Systems for Water Utilities

Andrew Hildick-Smith, Principal, OT Sec, LLC
Gus Serino, Principal ICS Security Consultant, Dragos

Anyone responsible for the reliable, safe, and cyber-secure operation of a water utility should assume they will be breached at some point. If the adversary is targeting the control system, it is likely that they can find a way in. If they spend the time to fully understand the system and its physics, they may also find a way to physically damage the water infrastructure. A core goal of every water utility is to maintain basic service. Armed with a manual operations plan and an incident response plan, a utility that is dealt a severe cyber blow can maintain service and minimize recovery time, as long as they can prevent physical damage to their system.

This talk will discuss operational vulnerabilities in water systems that could lead to physical infrastructure damage. It will then present possible cyber-physical safety systems designed to mitigate the risk of cyber-attacks leading to physical damage. Where process response is slow enough, out-of-band monitoring can provide protection. The talk will close with advice on how to initiate and lead a similar program in your utility.

Network-independent cyber-physical safety systems are similar to equipment protection systems but are considered safety systems because of their ultimate role in protecting public health. Important advantages of this approach include: retrofitting that adds an element of robust cyber security and protection against operator error, low-cost opportunities, and solutions that can be designed and implemented by in-house staff without cyber security skills.


Building Cyber Security in the Water and Wastewater Industry

Kenneth G. Crowther, Product Security Leader, Xylem Inc
Estelle Feider-Blazer, Strategy and Market Analyst, Xylem Inc

The water and wastewater sector is moving towards digitization due to the millions of dollars of savings derived from remote monitoring, predictive maintenance, and improved control. Digitization of water and wastewater infrastructure can potentially help resolve problems of access to clean water, sanitation, and sustainability if we can find the right partnership model to build security in while controlling costs. However, due to the highly distributed nature of water and wastewater operations (municipal treatment, industrial wastewater treatment, agricultural, commercial buildings, etc.), the smaller average size of operating companies, and the cost constraints, the emerging technology and architecture increasingly look more like an internet of things than traditional industrial control systems (ICS) following Purdue model-type segmentation.

A survey by BRIDGE Energy Group of over 20,000 water and wastewater utility employees showed that cyber threats are among their top fears of what could adversely impact operations, which threatens to slow the acquisition of digital technologies that could improve maintenance cycles and make water more accessible. Historically in the water and wastewater sector, security of operational technology (OT) has relied on preventing network connections between control operations and enterprise networks – the "air-gap." However, the air-gap is now being bridged by new digital solutions that connect directly to mobile devices or cloud-based analytic platforms to improve plant performance. Traditional information technology (IT) cybersecurity measures cannot be used due to the mixture of new and legacy equipment and the lack of network visibility present in the water and wastewater industrial space. This is a unique opportunity for the ICS security community to expand security guidance for a high variety of architectures and to contribute to processes for delivering those technologies as they emerge.

This presentation delves into the threat landscape, threat actors, and solution horizon for cyber security in the water and wastewater sector. We provide an overview of cyber attacks against utilities in the water and wastewater sector, discuss the threat actors that are targeting critical infrastructure and the rate at which they are broadening their focus to include water and wastewater systems, and discuss the new hacking techniques that are emerging for exploiting industrial automation and control systems. We use MITRE ATT&CK for Industrial Control Systems to standardize the descriptions of the most likely tactics and techniques that will be used against water and wastewater industrial automation and control systems. These techniques provide a foundation to prioritize mitigation activities. We show how the responsibility for these mitigations is distributed across the community of product makers, integrators, operators, and maintenance. For example, the product maker must create secure methods for firmware updates, disable insecure features by default, enable logging, provide secure deployment guidance, etc. The operators, in turn, need to ensure they have a log collection framework and access to incident response capabilities. We outline a partnership responsibility roadmap that covers the product maker during secure development, the integrator or system operator during secure deployment and installation commissioning, and the operator of the system, as well as addressing mitigations required for system upgrades and maintenance.

The desired outcome of this presentation is to discuss cybersecurity priorities based on evidence of actual targeting relevant to the water and wastewater industry and its emerging technologies, and to present a partnership model that describes how a community works together to enable secure digitization of water and wastewater infrastructure.

1:05-2:00pm Lunch


Bruce Large, OT Security Lead, CyberCX



Maggie Morganti, Product Security Researcher, Schneider Electric



Tim Conway & Jeff McJunkin

Day 2 Wrap-Up