ICS Security Summit
Live Online | March 4-5, 2021
Thursday, March 4 – all times in Eastern Standard Time (UTC – 5) | Session | Speaker(s) | Abstract
---|---|---|---
9:00-10:00am | SANS ICS Lifetime Achievement Award | Tim Conway, Certified Instructor, SANS Institute |
10:00-10:15am | Opening Remarks | Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute; Tim Conway, Certified Instructor, SANS Institute |
10:15-11:00am | Keynote: 2020 Year in Review | Robert M. Lee, @RobertMLee, CEO and co-founder, Dragos |
11:00-11:15am | Break | |
11:15-11:45am | Correlating Alarm and System Events for Security Monitoring in ICS Environments | Uduak Daniels, Cybersecurity Specialist, Saudi Aramco | The objective of this presentation is to highlight the benefits of leveraging process alarm events for security event correlation, significantly improving both the detection and analysis of relationships between events generated by various industrial control systems (ICS). Some asset owners have already implemented Security Information and Event Management (SIEM) technologies in their ICS environments, with varying returns on investment (ROI). A significant challenge with these implementations in ICS environments has been the exclusion of process automation application logs from the security event correlation effort. This lack of ICS system event visibility slows down the security event correlation process and produces inefficient alerting, increasing the time required for analysis and response. The collection, normalization and correlation of application, system, and network logs have been the foundation of most if not all IT SIEM implementations. Unfortunately, in most ICS SIEM implementations these benefits have been missed due to the lack of clearly defined logging requirements for process automation systems and applications. Fortunately, Open Platform Communication (OPC), as part of its specification, defines alarms and events that contain a wealth of ICS event information, which, when carefully correlated with operating system and/or network device events, can be leveraged to address these inefficiencies.
11:50-12:20pm | Exorcising the Ghost in the Machine: A Critical Evaluation of ICS-Focused Supply Chain Attacks | Joe Slowik, @jfslowik, Senior Threat Researcher, DomainTools | Supply chain attacks appear to be among the most concerning threat vectors for many organizations, yet most descriptions of such threats either ignore or are ignorant of the steps required to actualize an implant for offensive purposes. First, this talk will disambiguate two distinct attack types that are often lumped together: software/hardware supply chain attacks via modification, and trusted third-party/vendor/contractor compromise to facilitate access to supported organizations. This distinction is very important, and treating these two event types as equivalents is deeply confusing.
12:25-12:55pm | 2021 is CCE's Coming Out Year | Andy Bochman, @andybochman, Grid Strategist, Idaho National Lab | More than a decade ago, legendary SANS ICS Security program leader Mike Assante began thinking that no matter what cyber tools an organization deployed, and no matter how well it ran its security operations, adaptive, well-resourced attackers could and would get through the best defenses, almost always undetected. Mike didn't like this one bit and pledged to do something about it. In recent years, his former colleagues at INL have brought the methodology he pioneered, Consequence-driven Cyber-informed Engineering (CCE), to maturity with support from DOE, DoD and DHS, and have used it to engineer out much of the cyber risk at selected critical infrastructure and military sites. Now, with Countering Cyber Sabotage (the first CCE book) just published and the CCE @ Scale partner program ramping up throughout 2021, INL is ready to give the SANS ICS community a closer look at CCE than ever before.
1:00-2:00pm | Lunch | |
2:00-3:00pm | A CISO View on the Journey of OT/ICS Cybersecurity | Moderator: Tim Conway, Certified Instructor, SANS Institute; Panelists: Annessa O. McKenzie, VP of Supply Chain & Chief Security Officer, Calpine; Dr. Reem F. Al-Shammari, CISO, Kuwait Oil Company | In this moderated panel discussion, three CISOs representing asset owners and operators from different sectors will talk about their companies' journey into building an OT/ICS cybersecurity program covering people, process, and technology. They will take questions on the challenges they see, the role and responsibilities of different parts of the value chain, the wins they've had, and the lessons learned not only in communicating to practitioners but also in educating their boards of directors and other executives.
3:05-3:35pm | Are you under ATT&CK? How to gain the OT visibility necessary for MITRE ATT&CK for ICS coverage | Mike Hoffman, @ICSSecurityGeek, Principal Industrial Consultant, Dragos | Asset owners and operators are faced with the difficult challenge of achieving adequate network visibility, host log visibility, and ICS device log visibility. This talk will pull together Crown Jewel Analysis and Collection Management Framework concepts to help asset owners and operators focus their monitoring strategy to align with known adversary tactics and techniques.
3:40-3:55pm | Break | |
3:55-4:25pm | A tale of two wireless RTUs – sinking titanic and ransoming it | Ron Brash, @ron_brash, Director of Cyber Security Insights, Verve Industrial Protection | As a technical follow-up to my SANS oil & gas session, "tale of the lost RTUs", I am going to discuss how a Software Bill of Materials (SBOM) for two commonly used cellular Remote Terminal Units (RTUs) resulted in disclosures, using merely their firmware to guide a research process to "sink the titanic". But! Why stop there?
4:30-5:00pm | Future Outlook is a bit Cloudy | David Foose, @Davefoose, Ovation Security Program Manager, Emerson | Love it or hate it, organizations are moving more of their infrastructure outside their physical control. These same organizations are looking towards their operational environments to see similar benefits in both cost and efficiency. From diagnostics and control centers to full SCADA in the cloud, we will explore the actual steps that entities have been implementing in their installations. We will go over what has worked, what has not been realized, and what trends we are seeing as we digitally transform our plants.
5:00-5:15pm | Break | |
5:15-5:45pm | Lurking Beneath the Surface... Uncovering Hidden Components in ICS Software | Eric Byres, @ICS_Secure, P.Eng, ISA Fellow, CEO, aDolus Technology Inc. | Today's ICS software is never written from scratch. Vendors focus development resources on core competencies and prefer to buy (rather than build) components available off the shelf, such as license managers, installers, and cryptographic libraries. This strategy, while efficient in terms of development effort, entwines the vendor's security posture with multiple suppliers and open source projects. Ultimately, it makes it difficult to know what exactly is included in a package.
5:50-6:20pm | Lessons from Two Years of ICS Security Assessments | Don C. Weber, @cutaway, Principal Consultant and Founder, Cutaway Security, LLC | ICS environments are under the gun and under the spotlight. Organizations are working hard to determine the best methods for improving security and are asking vendors to help them. This presentation will cover two years of ICS security assessments, conducted by Cutaway Security, in a variety of industrial sectors. We will break down our assessment process and the common issues it identified during these engagements. Our goal is to provide attendees with an understanding of the common problems that happen before, during, and after an assessment.
6:20-6:30pm | Day 1 Wrap-Up | |
Thursday, March 4 – all times in Eastern Standard Time (UTC – 5) | Session | Speaker(s) | Abstract
---|---|---|---
9:00-9:15pm | Introductions | Peter Jackson, Engineering Manager – Cyber, SGS ECL |
9:15-9:45pm | The Collision of ICS Safety and Security in 2021 | Peter Jackson, Engineering Manager – Cyber, SGS ECL | The history of safety in industrial control systems (ICS) is rich. We have learnt over decades to build in safety by design as part of good engineering practice. Security in ICS is less mature, but there are good things happening with owner/operators, consultants, vendors, and standards to move this forward and grow in maturity. With more than three years since the first known safety instrumented system (SIS) malware (TRISIS/TRITON), this talk is a look back to where we've come from, a check-in on where we're at, and a look forward to the future of safety and security in ICS. It should be easy to prioritize safety and security when they align – why don't we? And what about when they don't align?
9:50-10:20pm | Re-evaluating ICS/OT Procurement Language | Sarah Freeman, ICS Cybersecurity Analyst, Idaho National Laboratory | As demonstrated during the events of 2020, supply chains for almost every product and service have become globalized. Additionally, in spite of several efforts to improve the robustness of supply chain lines, COVID-19 has demonstrated the "failure of imagination" of supply chain engineers to identify potential areas of weakness. In December 2020, the cybersecurity community experienced the SolarWinds hack and, although not the first, the implications of this supply chain attack will likely ripple for years to come. In spite of these events, however, a substantial foundation for supply chain security exists. Previous research by DHS, Idaho National Laboratory and SANS, for example, laid the groundwork by defining base language for procuring secure software and hardware for ICS. DHS's Cyber Security Procurement Language for Control Systems (2009) and SANS Application Security Procurement Language (2009) serve as a starting point for vendor and asset owner discussions on product security. Still, as supply chain attacks have continued to evolve since 2009, it is necessary to re-evaluate these efforts and their language to identify and address gaps in supply chain security.
10:25-10:55pm | E-MIMICS: Extended Malware in Modern ICS | Seth Enoka, @seth_enoka, Senior Industrial Incident Responder, Dragos | In 2017, the Dragos team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files within those databases, to encourage a discussion around security in modern ICS. Three years later, there is a wealth of new information available in public datasets that you can again use to immediately inform your cyber security posture and strategy. This presentation relates to research conducted recently into ICS-targeted malware, using a much larger dataset from VirusTotal and covering a longer timeframe than the original Project MIMICS. Several new activity groups and adversaries have been identified since 2017, many of which are known to specifically target ICS and OT environments, aiming to cause loss of view, loss of control, or loss of life. So, it's time to revisit this research, determine if the findings still hold true, and develop a strategy for mitigating the risks of malware in modern ICS.
11:00-11:30pm | Secure System Engineering - Tales from the Rail Industry | Saravanakumar G, @Shaunsaravanas, TfNSW | Increasing attacks on industrial control system (ICS) environments have forced communities to invest significant effort to uplift their cyber defence capabilities. However, the nature of ICS operations brings inherent limitations on the extent of security controls that can be utilized or enforced. This implies that security should be woven in as part of the engineering design for ICS. This presentation walks through an approach to factoring in security as part of system engineering, based on lessons learnt during the implementation of a complex ICS infrastructure. It discusses the cybersecurity assurance regime that should be considered across each phase of system engineering to achieve an operationally reliable, safe and efficient system. It also exemplifies how the IEC 62443 standards can be leveraged for such complex engagements.
11:30-11:45pm | Wrap-Up | |
Friday, March 5 – all times in Eastern Standard Time (UTC – 5) | Session | Speaker(s) | Abstract
---|---|---|---
4:00-4:15am | Introductions | Kai Thomsen, @kaithomsen, Certified Instructor, SANS Institute |
4:15-4:45am | DX Security of Factory Automation | Hiroshi Sasaki, CISSP, Special Expert, Industrial Cyber Security Center of Excellence (ICSCoE) | Challenges and good practices of ICS security for Factory Automation (FA) are introduced. Recently, almost all Japanese manufacturers have been promoting the convergence of IT and FA systems, accelerated by the COVID-19 situation. However, they struggle to move forward due to many challenges, such as the flat network architecture of FA systems, lack of awareness among OT people, lack of incident handling processes, etc. I have supported several manufacturers in Japan by holding OT security workshops that help executives, IT and OT people understand each other's challenges and consider how to promote DX in Factory Automation.
4:50-5:20am | TTPs from ICS cyber range | Salimah Liyakkathali, CyberSecurity Technology Engineer, iTrust (Centre for Research in Cybersecurity), Singapore University of Technology & Design | iTrust hosts several world-class testbeds such as Secure Water Treatment, Water Distribution, and Electric Power and Intelligent Control grid. Annually, iTrust organizes an ICS cyber range, Critical Infrastructure Security Showdown (CISS), in which red teams and blue teams are invited to attack these testbeds and detect those attacks. Last year, CISS moved to an online platform, which allowed more participants from various countries and backgrounds. The red teams were given a unique opportunity to attack a realistic water treatment plant to cause process anomalies. This has given us insights into composite Tactics, Techniques and Procedures (TTPs) that can be used for enhanced Operational Security (OpSec). Hence, this presentation focuses on the TTPs observed during the event. Attack scenarios and examples that led to disruption of the operation are shared with the community.
5:25-5:40am | Break | |
5:45-6:15am | TBA | |
6:20-6:50am | You are hacked, what now? | Goran Katava, Network security engineer, Applied Risk | In 2019 I witnessed a ransomware attack in a large chemical company. Luckily, we had just finished a project to separate the production facilities from the office. I was the lead firewall guy on the project and later in the whole company. The firewalls alone, even being new generation, could not stop the adversaries. They managed to get access via Citrix and even a domain admin account. In the next month we were rebuilding the whole environment. Now I had a clean slate to also remediate the firewall rules, which we had never dared to touch, being afraid that some traffic might be broken, like outbound internet traffic. The adversaries were able to use the holes in it to establish C2 traffic.
6:55-7:25am | Engineering for Resilience | Johannes Braams, Senior advisor ICS Cyber Security, Royal HaskoningDHV | Complex systems, such as tunnel systems, are usually designed and built using Systems Engineering techniques. As the Tunnel Technical Installations tend to encompass several computer and PLC based systems, all interconnected via networks, securing them is vital for the safe and secure operation of the tunnel during its lifecycle. This talk discusses how we can take cybersecurity into account during the various stages of these systems: requirements formulation, design, build, test and exploitation.
7:30-7:45am | Wrap-Up | |
7:45-8:45am | Break | |
8:45-9:00am | Opening Remarks | Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute; Tim Conway, Certified Instructor, SANS Institute |
9:00-9:45am | Keynote | TBA |
9:45-10:00am | Break / Transition to Solutions Track | |
10:00-10:30am | The SolarWinds Hack Can Affect Control Systems - what can be done | Joe Weiss, Managing Partner, Applied Control Solutions | A highly sophisticated Russian intelligence group has compromised the SolarWinds Orion platform. The SolarWinds advisories and webinars have focused on the IT networks, network visibility, and data exfiltration/compromise. However, SolarWinds is also used to directly monitor and CONTROL SNMP devices, including building power and cooling systems used in control centers, data centers, laboratories, Ethernet OT network switches, etc. The control system issues are not being adequately addressed. The presentation will address the control system issues and possible long-term control system fixes.
10:35-11:05am | ARMOR for OT Security Leaders | Jason Christopher, Certified Instructor, SANS Institute | As OT security leaders, we need to be experts on ICS technology trends, cyber security threats, and process engineering impacts—all while managing daily alerts, cultural silos, and disparate resources from our IT-centric peers. The real-world implications can be painful. To minimize that pain, leaders should put on some ARMOR, or Augmented Risk Management for Operational Resilience. Building on the concepts from the 2020 DISC-SANS presentation "The ICS Security Crucible," this talk deep-dives into the programmatic elements needed to link OT security to other business objectives. ARMOR can be adapted to any industrial organization, regardless of size or sector, as presented in several use cases from real industry examples. Similar programs are already used in mature aspects of industrial organizations, including safety and finance, to secure budgets, track progress, and highlight concerns to executives and boards. As OT security continues to mature, leaders will need to tackle difficult business-level topics, beyond their daily tasks, to make meaningful changes. While not easy, ARMOR will help. So suit up and get ready for battle!
11:10-11:40am | Unit Operations for ICS security professionals (one big and expensive "Lego") | Oscar J. Delgado-Melo, @lijantropique, Process Engineer, ICS Student | ICS security teams usually include security professionals and operations personnel (i.e., engineers, operators, and technicians) with diverse and particular backgrounds. Effective team communication requires some "common ground" where operations personnel understand basic network concepts (e.g., data flow, network areas, subnets), and security professionals understand basic process concepts (units, equipment, and controls). While it is not mandatory to become Process Engineers (PE), security professionals will benefit from a refresher on what a PE does and which tools they use.
11:45am-12:00pm | Break | |
12:00-12:30pm | Cyber-Physical Safety Systems for Water Utilities | Andrew Hildick-Smith, Principal, OT Sec, LLC | Anyone responsible for the reliable, safe, and cyber-secure operation of a water utility should assume they will be breached at some point. If the adversary is targeting the control system, it is likely that they can find a way in. If they spend the time to fully understand the system and its physics, they may also find a way to physically damage the water infrastructure. A core goal of every water utility is to maintain basic service. Armed with a manual operations plan and an incident response plan, a utility that is dealt a severe cyber blow can maintain service and minimize recovery time, as long as it can prevent physical damage to its system.
12:35-1:05pm | Building Cyber Security in the Water and Wastewater Industry | Kenneth G. Crowther, Product Security Leader, Xylem Inc | The water and wastewater sector is moving towards digitization due to the millions of dollars of savings derived from remote monitoring, predictive maintenance, and improved control. Digitization of water and wastewater infrastructure can potentially help resolve problems of access to clean water, sanitation, and sustainability if we can find the right partnership model to build security in while controlling costs. However, due to the highly distributed nature of water and wastewater operations (municipal treatment, industrial wastewater treatment, agricultural, commercial buildings, etc.), the smaller average size of operating companies, and the cost constraints, the emerging technology and architecture increasingly looks more like an internet of things than like traditional industrial control systems (ICS) following Purdue model-type segmentation.
1:05-2:00pm | Lunch | |
2:00-2:30pm | TBA | Bruce Large, OT Security Lead, CyberCX |
2:35-3:05pm | TBA | Maggie Morganti, Product Security Researcher, Schneider Electric |
3:10-3:40pm | TBA | Tim Conway & Jeff McJunkin |
3:45-4:00pm | Day 2 Wrap-Up | |