ICS Security Summit & Training 2021 - Live Online

Virtual, US Eastern | Thu, Mar 4 - Sat, Mar 13, 2021

ICS Security Summit

Live Online | March 4-5, 2021

Wednesday, March 3

10:00am-10:00pm EST

(15:00-03:00 UTC)

SANS and Dragos CTF

This CTF will be an all-new ICS CTF focused on analyzing logic files, logs, network traffic, ICS protocols, digital forensic artifacts, and more to analyze attacks against an in-depth ICS range.

  • Level 1 will focus on participant ICS knowledge.
  • Level 2 will focus more on skills and familiarity with tools and analysis.
  • Levels 3 and 4 will move into a case study scenario and will truly tie together the knowledge, skill, and abilities of the participants as they examine the scenario and work to uncover the answers hidden in the data.

Thursday, March 4 – Americas

10:00-10:15am EST

(15:00-15:15 UTC)

Opening Remarks

Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute

Tim Conway, Certified Instructor, SANS Institute

10:15-11:00am EST

(15:15-16:00 UTC)

Keynote: 2020 Year in Review

Robert M. Lee, @RobertMLee, CEO and Co-Founder, Dragos

11:00-11:15am EST

(16:00-16:15 UTC)

Break

11:15-11:45am EST

(16:15-16:45 UTC)

Correlating Alarm and System Events for Security Monitoring in ICS Environments

Uduak Daniels, Cybersecurity Specialist, Saudi Aramco

The objective of this presentation is to highlight the benefits of leveraging process alarm events for security event correlation, significantly improving both the detection and analysis of relationships between events generated from various industrial control systems (ICS). Some asset owners have implemented Security Information and Event Management (SIEM) technologies in their ICS environments, with varying returns on investment (ROI). A significant challenge with this technology implementation in ICS environments has been the lack of inclusion of process automation application logs in the security event correlation effort. This lack of ICS system event visibility slows down the security event correlation process and results in inefficient alerting, increasing the time required for analysis and response. The collection, normalization and correlation of application, system, and network logs have been the foundation of most if not all IT SIEM implementations. Unfortunately, in most ICS SIEM implementations, these benefits have been missed due to the lack of clearly defined logging requirements for process automation systems and applications. Fortunately, Open Platform Communication (OPC), as part of its specification, defines alarms and events that contain a wealth of ICS event information, which, when carefully correlated with operating system and/or network device events, can be leveraged to address the defined inefficiencies.
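The correlation the abstract describes, as an added worked example that is not part of the talk or of this page: a small Python correlator takes OPC Alarms & Events records, Windows Security logon events from HMI/engineering hosts, and decoded Modbus/TCP records from a network monitor, and for each high-severity process alarm looks back a fixed window for control-path activity (a remote interactive logon to a host that can reach the alarming controller, or a Modbus write addressed to that controller). All records, field names, the host-to-controller map, the severity threshold and the window are constructed assumptions for the example, not an OPC or SIEM schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real site). OPC A&E severity runs
# 1..1000 with 1000 the most urgent; times are ISO-8601 as a log shipper would emit.
OPC_ALARMS = [
    {"time": "2021-03-04T14:02:10", "source": "TIC-101", "condition": "HIHI",
     "severity": 900, "asset": "PLC-R1", "message": "Reactor outlet temp high-high"},
    {"time": "2021-03-04T14:05:30", "source": "LI-205", "condition": "LO",
     "severity": 300, "asset": "PLC-T2", "message": "Day tank level low"},
    {"time": "2021-03-04T14:06:15", "source": "PI-310", "condition": "HIHI",
     "severity": 850, "asset": "PLC-T2", "message": "Transfer line pressure high-high"},
]

# Windows Security events from HMI/engineering hosts (assumed field names).
WINDOWS_EVENTS = [
    {"time": "2021-03-04T13:55:02", "host": "HMI-01", "event_id": 4624,
     "logon_type": 10, "user": "svc_vendor", "src_ip": "10.10.5.23"},
    {"time": "2021-03-04T09:12:40", "host": "HMI-01", "event_id": 4624,
     "logon_type": 2, "user": "operator", "src_ip": "-"},
]

# Records from a network monitor that decodes Modbus/TCP (assumed field names).
NETWORK_EVENTS = [
    {"time": "2021-03-04T13:58:47", "src_ip": "10.10.5.23", "dst_asset": "PLC-R1",
     "protocol": "modbus", "function": 16, "desc": "Write Multiple Registers"},
    {"time": "2021-03-04T14:04:00", "src_ip": "10.10.20.4", "dst_asset": "PLC-T2",
     "protocol": "modbus", "function": 3, "desc": "Read Holding Registers"},
]

# Assumed site topology: which hosts have a control path to which controllers.
HOST_REACHES = {"HMI-01": {"PLC-R1", "PLC-R2"}, "EWS-01": {"PLC-R1", "PLC-T2"}}

# Modbus function codes that change controller state (writes); reads are ignored.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def _ts(record):
    return datetime.fromisoformat(record["time"])


def in_window(record, alarm, window):
    """True if the record falls in the look-back window that ends at the alarm."""
    end = _ts(alarm)
    return end - window <= _ts(record) <= end


def host_precursors(alarm, events, window):
    """Remote interactive logons (4624, logon type 10) to a host that can reach
    the alarming controller, inside the look-back window."""
    hits = []
    for e in events:
        if not in_window(e, alarm, window):
            continue
        if alarm["asset"] not in HOST_REACHES.get(e["host"], set()):
            continue
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            hits.append({"kind": "remote_logon", **e})
    return hits


def network_precursors(alarm, events, window):
    """Modbus writes addressed to the alarming controller inside the window."""
    return [{"kind": "control_write", **e} for e in events
            if in_window(e, alarm, window)
            and e["dst_asset"] == alarm["asset"]
            and e["function"] in WRITE_FUNCTIONS]


def correlate(alarms, host_events, net_events,
              window=timedelta(minutes=10), min_severity=700):
    """For every high-severity process alarm, collect the control-path events
    that preceded it. An alarm with no precursors stays with the operators; one
    with precursors becomes a security finding that names the acting source IP."""
    findings = []
    for alarm in alarms:
        if alarm["severity"] < min_severity:
            continue
        precursors = (host_precursors(alarm, host_events, window)
                      + network_precursors(alarm, net_events, window))
        if not precursors:
            continue
        precursors.sort(key=_ts)
        findings.append({
            "alarm": alarm,
            "precursors": precursors,
            "actors": sorted({p["src_ip"] for p in precursors}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(OPC_ALARMS, WINDOWS_EVENTS, NETWORK_EVENTS):
        print(f["alarm"]["source"], f["alarm"]["condition"], "preceded by",
              [(p["kind"], p["time"], p["src_ip"]) for p in f["precursors"]])
```

On the sample data the low-severity LO alarm is skipped and the PLC-T2 HIHI alarm produces no finding, because the only traffic to that controller in the window was a read; both stay with the operators. The reactor HIHI alarm is surfaced together with the vendor remote logon and the register write that preceded it, which is context a rule over operating system logs alone cannot produce. In a production pipeline the window and the write-function list come from the asset's process dynamics and protocol, and the alarm records need the same clock discipline as the host logs or the look-back is meaningless.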

11:50-12:20pm EST

(16:50-17:20 UTC)

Exorcising the Ghost in the Machine: A Critical Evaluation of ICS-Focused Supply Chain Attacks

Joe Slowik, @jfslowik, Senior Threat Researcher, DomainTools

Supply chain attacks appear to be among the most concerning threat vectors for many organizations - yet most descriptions of such threats appear to either ignore or be ignorant of the steps required to actualize an implant for offensive purposes. First, this talk will work to disambiguate two distinct attack types often lumped together: software/hardware supply chain attacks via modification, and trusted third-party/vendor/contractor compromise to facilitate access to supported organizations. This distinction is very important and looking at these two event types as event equivalents is deeply confusing.

After setting the groundwork for discussion, physical or software supply chain attack (e.g., modification of device hardware, firmware, "adding a rice-sized chip" to a motherboard, or altering source code) functionality and execution will be analyzed in detail: how these attacks work in practice, and what actions and accesses are required to make these attacks useful. Based on this exploration, defenders will gain insight into the true scope and meaning of such attacks, specifically: how such attacks are overhyped; why such attacks are extremely difficult to execute; and how multiple defensive measures exist to detect or mitigate against such attacks. From this analysis, defenders and information security stakeholders will learn how to precisely orient the risk of supply chain compromise events and exorcise the persistent threat of a “ghost in the machine”.

12:25-12:55pm EST

(17:25-17:55 UTC)

No One Likes to Face the Consequences, but CCE is Here to Help

Andy Bochman, @andybochman, Grid Strategist, Idaho National Lab

More than a decade ago, legendary SANS ICS Security program leader Mike Assante began thinking that no matter what cyber tools an organization deployed, and no matter how well it ran its security operations, adaptive, well-resourced attackers could and would get through the best defenses, almost always undetected. Mike didn't like this one bit and pledged to do something about it. In recent years, his former colleagues at INL have brought the methodology he pioneered, Consequence-driven Cyber-informed Engineering, to maturity with support from DOE, DoD and DHS. And they've used it to engineer out much of the cyber risk at selected critical infrastructure and military sites. Now with Countering Cyber Sabotage (the first CCE book) just published, and with the CCE @ Scale partner program ramping up throughout 2021, INL is ready to give the SANS ICS community a closer look at CCE than ever before.

1:00-2:00pm EST

(18:00-19:00 UTC)

Lunch

2:00-3:00pm EST

(19:00-20:00 UTC)

A CISO View on the Journey of OT/ICS Cybersecurity

Moderator: Dr. Paul Stockton, Co-Chair for the Department of Energy's subcommittee on Grid Resilience for National Security, Former Assistant Secretary of Defense for Homeland Defense

Panelists:

Annessa O. McKenzie, VP of Supply Chain & Chief Security Officer, Calpine

Dr. Reem F. Al-Shammari, CISO of Kuwait Oil Company, Kuwait Oil Company

Thomas L. Kuczynski, VP of IT at DC Water & President at Blue Drop, LLC

Mikhail Y. Falkovich, Director of IT, Con Edison

In this moderated panel discussion three CISOs representing asset owner and operators from different sectors will talk about their companies' journey into building an OT/ICS cybersecurity program covering people, process, and technology. They will take questions on the challenges they see, the role and responsibilities of different parts of the value chain, the wins they've had, and the lessons learned not only in communicating to practitioners but also in educating their boards of directors and other executives.

Their firsthand lessons learned will offer actionable guidance to attendees and openly discuss the victories and hardships they've faced.

3:05-3:35pm EST

(20:05-20:35 UTC)

Are you under ATT&CK? How to gain OT visibility necessary for MITRE ATT&CK for ICS coverage.

Mike Hoffman, @ICSSecurityGeek, Principal Industrial Consultant, Dragos

Asset owners and operators are faced with the difficult challenge of adequate network visibility, host log visibility, and ICS device log visibility. This talk will pull together Crown Jewel Analysis and Collection Management Framework concepts to help asset owners and operators focus their monitoring strategy to align with known adversarial tactics and techniques.

3:40-3:55pm EST

(20:40-20:55 UTC)

Break

3:55-4:25pm EST

(20:55-21:25 UTC)

A Tale of Two Wireless RTUs – Sinking Titanic and Ransoming It

Ron Brash, @ron_brash, Director of Cyber Security Insights, Verve Industrial Protection

As a technical follow-up to my SANS Oil & Gas session, Tale of the Lost RTUs, I am going to discuss how a Software Bill of Materials (SBOM) for two commonly used cellular Remote Terminal Units (RTUs) resulted in disclosures, using merely their firmware to guide a research process to “sink the Titanic”. But! Why stop there?

Well, recently there have been some small-scale ransomware attacks targeting relatively commodity Network Area Storage (NAS) devices such as those by QNAP or NetGear, and so I thought it would be fitting to see how a ransomware strategy plays into a threat scenario with directly connected remote devices often seen on Shodan. Using the same target devices, I will use their “sinking” to my advantage, and leverage that information to build malicious firmware, access functionality on hardware using a low-cost probe/logic analyzer and look towards the future – ransoming an embedded ICS device. It may not be a completely greenfield strategy, but it might be among the first to be explored in a public scenario.

Attendees should walk away with an understanding of:
* How the research target was selected, and how an SBOM led to this further research
* How to scope hardware and begin the process using a scope or serial adapter to find an entrance
* How firmware was created and uploaded to the research targets
* How ransoming is a definitive possibility when dealing with embedded systems
* And some observations about reducing risks in this scenario for OEMs and asset owners

4:30-5:00pm EST

(21:30-22:00 UTC)

Future Outlook is a bit Cloudy

David Foose, @Davefoose, Ovation Security Program Manager, Emerson

Love it or Hate it, organizations are moving more of their infrastructure outside their physical control. These same organizations are looking towards their operational environments to see similar benefits in both cost and efficiencies. From diagnostics, control centers, to full SCADA in the cloud, we will explore actual steps in installations entities have been implementing. We will go over what has worked, what has not been realized, and what trends we are seeing as we digitally transform our plants.

5:00-5:15pm EST

(22:00-22:15 UTC)

Break

5:15-5:45pm EST

(22:15-22:45 UTC)

Lurking Beneath the Surface... Uncovering Hidden Components in ICS Software

Eric Byres, @ICS_Secure, P.Eng, ISA Fellow, CEO, aDolus Technology inc

Today’s ICS software is never written from scratch. Vendors focus development resources on core competencies and prefer to buy (rather than build) components available off the shelf, such as license managers, installers, and cryptographic libraries. This strategy, while efficient in terms of development effort, entwines the vendor’s security posture with multiple suppliers and open source projects. Ultimately, it makes it difficult to know what exactly is included in a package.

This lack of component visibility directly impacts asset owner vulnerability management processes. For example, in 2019, ICS were exposed to critical vulnerabilities found in the VxWorks TCP Stack. Vendors had used this component in their ICS products, but most operators were unaware of this. Searching vulnerability databases didn’t reveal the problem as the vulnerabilities were listed under WindRiver products rather than ICS vendor products. Automated vulnerability tools using NVD lists failed to detect this issue in deployed products.

5:50-6:20pm EST

(22:50-23:20 UTC)

Lessons from Two Years of ICS Security Assessments

Don C. Weber, @cutaway, Principal Consultant and Founder, Cutaway Security, LLC

ICS environments are under the gun and under the spotlight. Organizations are working hard to determine the best methods for improving security and asking vendors to help them. This presentation will cover two years of ICS security assessments, conducted by Cutaway Security, in a variety of industrial sectors. We will break down our assessment process and the common issues it identified during these engagements. Our goal is to provide attendees with an understanding of the common problems that happen before, during, and after an assessment.

6:20-6:30pm EST

(23:20-23:30 UTC)

Day 1 Wrap-Up

Thursday, March 4 – APAC

9:00-9:15pm EST

(2:00-2:15 UTC)

Introductions

Peter Jackson, Engineering Manager – Cyber, SGS ECL

9:15-9:45pm EST

(2:15-2:45 UTC)

The Collision of ICS Safety and Security in 2021

Peter Jackson, Engineering Manager – Cyber, SGS ECL

The history of safety in industrial control systems (ICS) is rich. We have learnt over decades to build in safety by design as part of good engineering practice. Security in ICS is less mature but there are good things happening with owner/operators, consultants, vendors, and standards to move this forward and grow in maturity. With more than three years since the first known safety instrumented system (SIS) malware (TRISIS/TRITON), this talk is a look back to where we’ve come from, a check-in on where we’re at and a look forward to the future of safety and security in ICS. It should be easy to prioritize safety and security when they align – why don’t we? And what about when they don’t align?

9:50-10:20pm EST

(2:50-3:20 UTC)

Re-evaluating ICS/OT Procurement Language

Sarah Freeman, ICS Cybersecurity Analyst, Idaho National Laboratory

As demonstrated during the events of 2020, supply chains for almost every product and service have become globalized. Additionally, in spite of several efforts to improve the robustness of supply chain lines, COVID-19 has demonstrated the “failure of imagination” of supply chain engineers to identify potential areas of weakness. In December 2020, the cybersecurity community experienced the SolarWinds hack and, although not the first, the implications of this supply chain attack will likely ripple for years to come. In spite of these events, however, a substantial foundation for supply chain security exists. Previous research by DHS, Idaho National Laboratory and SANS, for example, laid the groundwork by defining base language for procuring secure software and hardware for ICS. DHS’s Cyber Security Procurement Language for Control Systems (2009) and SANS Application Security Procurement Language (2009) serve as a starting point for vendor and asset owner discussions on product security. Still, as supply chain attacks have continued to evolve since 2009, it is necessary to reevaluate these efforts and their language to identify and address gaps in supply chain security.

This presentation is intended to provide the audience with an overview of relevant federal and private sector efforts to define a secure supply chain (e.g., Section 889 of NDAA 2019, Securing the United States Bulk-Power System (EO 13920), etc.), highlight key supply chain attacks (e.g., Havex, NotPetya, RubyGems, etc.), and identify gaps in existing approaches. Some recommendations for product end-users will be identified. This talk is not intended to be prescriptive, but to highlight areas for additional discussion and research.

10:25-10:55pm EST

(3:25-3:55 UTC)

E-MIMICS: Extended Malware in Modern ICS

Seth Enoka, @seth_enoka, Senior Industrial Incident Responder, Dragos

In 2017, the Dragos team looked at public data sources such as VirusTotal to identify malware and (in many cases) legitimate ICS files within those databases to encourage a discussion around security in modern ICS. Three years later, there is a wealth of new information available in public datasets that you can again use to immediately inform your cyber security postures and strategies. This presentation relates to research conducted recently into ICS-targeted malware, using a much larger dataset from VirusTotal and covering a longer timeframe than the original Project MIMICS. Several new activity groups and adversaries have been identified since 2017, many of which are known to specifically target ICS and OT environments aiming to cause loss of view, loss of control, or loss of life. So, it's time to revisit this research, determine if the findings still hold true, and develop a strategy for mitigating the risks of malware in modern ICS.

11:00-11:30pm EST

(4:00-4:30 UTC)

Secure System Engineering - Tales from Rail Industry

Saravanakumar G, @Shaunsaravanas, TfNSW

Increasing attacks on industrial control system (ICS) environments have forced communities to invest significant effort to uplift their cyber defence capabilities. However, the nature of ICS operations brings inherent limitations to the extent of security controls that can be utilized or enforced. It implies that security should be woven in as part of the engineering design for ICS. This presentation walks through an approach to factor in security as part of systems engineering, based on lessons learnt during implementation of a complex ICS infrastructure. It discusses the cybersecurity assurance regime that should be considered across each phase of systems engineering, to achieve an operationally reliable, safe and efficient system. It also exemplifies how the IEC 62443 standards can be leveraged for such complex engagements.

11:30-11:45pm EST

(4:30-4:45 UTC)

Wrap-Up

Friday, March 5 – EMEA

4:00-4:15am EST

(9:00-9:15 UTC)

Introductions

Kai Thomsen, @kaithomsen, Certified Instructor, SANS Institute

4:15-4:45am EST

(9:15-9:45 UTC)

DX Security of Factory Automation

Hiroshi Sasaki, CISSP Special Expert, Industrial Cyber Security Center of Excellence (ICSCoE)

Challenges and good practices of ICS security for Factory Automation (FA) are introduced. Recently, almost all Japanese manufacturers have been moving to promote the convergence of IT and FA systems, accelerated by the COVID-19 situation. However, they struggle to move forward due to many challenges, such as the flat network architecture of FA systems, lack of awareness among OT people, lack of an incident handling process, etc. I have supported several manufacturers in Japan by holding OT security workshops that help executives, IT and OT people understand each other's challenges and consider how to promote DX in Factory Automation.

4:50-5:20am EST

(9:50-10:20 UTC)

TTPs from ICS cyber range

Salimah Liyakkathali, CyberSecurity Technology Engineer, iTrust (Centre for Research in Cybersecurity), Singapore University of Technology & Design

iTrust hosts several world-class testbeds such as Secure Water Treatment, Water Distribution and Electric Power and Intelligent Control grid. Annually, iTrust organizes an ICS cyber range, Critical Infrastructure Security Showdown (CISS), where red teams and blue teams are invited to attack these testbeds and to detect those attacks. Last year, CISS moved to an online platform, which allowed more participants from various countries and different backgrounds. The red teams were given a unique opportunity to attack a realistic water treatment plant to cause process anomalies. This has given us insights to understand composite Tactics, Techniques and Procedures (TTPs) that can be used for enhanced Operation Security (OpSec). Hence, this presentation focuses on the TTPs observed during the event. Attack scenarios and examples, consisting of the attacks that led to disruption of the operation, are shared with the community.

5:25-5:40am EST

(10:25-10:40 UTC)

Break

5:45-6:15am EST

(10:45-11:15 UTC)

Cybersecurity FAT/SAT testing - Pitfalls and Wins

Dieter Sarrazyn, Freelance SCADA/ICS/OT Security Consultant, Secudea

Everybody knows and understands that factory acceptance testing (FAT) and site acceptance testing (SAT) must be done to make sure a project or system has been implemented as agreed within the design specifications.

However, as cybersecurity is more and more important, cybersecurity testing during FAT and SAT test cycles should be performed as well. This is, most of the time, not performed, for various reasons.

Or when it is done, it is not done extensively enough to cover everything.

In this presentation the various pitfalls and wins of cybersecurity FAT/SAT testing will be explained further.

After this presentation you will better understand the why, what, when and how, and receive information to be able to start a SCADA vendor cybersecurity validation process.

6:20-6:50am EST

(11:20-11:50 UTC)

ICS Pentesting During COVID: Lessons Learned from Pentesting Operational Environments Halfway Around the World

Chris Robinson, ICS Security Principal Consultant at BlackBerry (Formerly Cylance Inc.)

Performing a penetration test of any environment has inherent risks but those risks increase in an ICS environment with safety and reliability requirements. On top of that, performing a penetration test of an ICS environment from halfway around the world presents some challenges. This presentation will focus on some of the lessons learned from performing a remote penetration test on two operational environments.

6:55-7:25am EST

(11:55-12:25 UTC)

Engineering for Resilience

Johannes Braams, Senior advisor ICS Cyber Security, Royal HaskoningDHV

Complex systems, such as tunnel systems, are usually designed and built using Systems Engineering techniques. As the Tunnel Technical Installations tend to encompass several computer- and PLC-based systems, all interconnected via networks, securing them is vital for the safe and secure operation of the tunnel during its lifecycle. This talk discusses how we can take cybersecurity into account during the requirements formulation, design, build, test and exploitation stages of these systems.

7:30-7:45am EST

(12:30-12:45 UTC)

Wrap-Up

7:45-8:00am EST

(12:45-13:00 UTC)

Break

8:00-8:45am EST

(13:00-13:45 UTC)

SANS ICS Awards

Assante Scholars Recognition – Alan Paller, Founder, SANS Institute

CTF Winners Announcement – Robert M. Lee, Senior Instructor, SANS Institute

ICS Security Lifetime Achievement Award Presentation – Tim Conway, Certified Instructor, SANS Institute

8:45-9:00am EST

(13:45-14:00 UTC)

Opening Remarks

Robert M. Lee, @RobertMLee, Senior Instructor, SANS Institute

Tim Conway, Certified Instructor, SANS Institute

9:00-9:45am EST

(14:00-14:45 UTC)

Keynote

Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology on the National Security Council

9:45-10:00am EST

(14:45-15:00 UTC)

Break

10:00-10:30am EST

(15:00-15:30 UTC)

ARMOR for OT Security Leaders

Jason Christopher, Certified Instructor, SANS Institute

As OT security leaders, we need to be experts on ICS technology trends, cyber security threats, and process engineering impacts—all while managing daily alerts, cultural silos, and disparate resources from our IT-centric peers. The real-world implications can be painful. To minimize that pain, leaders should put on some ARMOR, or Augmented Risk Management for Operational Resilience. Building on the concepts from the 2020 DISC-SANS presentation “The ICS Security Crucible,” this talk deep-dives into the programmatic elements needed to link OT security to other business objectives. This ARMOR can be adapted to any industrial organization, regardless of size or sector, as presented in several use cases from real industry examples. Similar programs are already used in mature aspects of industrial organizations, including safety and finance, to secure budgets, track progress, and highlight concerns to executives and boards. As OT security continues to mature, leaders will need to tackle difficult business-level topics, beyond their daily tasks, to make meaningful changes. While not easy, ARMOR will help. So suit up and get ready for battle!

10:35-11:05am EST

(15:35-16:05 UTC)

The SolarWinds Hack Can Affect Control Systems - what can be done

Joe Weiss, Managing Partner, Applied Control Solutions

A highly sophisticated Russian Intelligence group has compromised the SolarWinds Orion platform. The SolarWinds advisories and webinars have focused on the IT networks, network visibility, and data exfiltration/compromise. However, SolarWinds is also used to directly monitor and CONTROL SNMP devices including building power and cooling systems used in control centers, data centers, laboratories, Ethernet OT network switches etc. The control system issues are not being adequately addressed. The presentation will address the control system issues and possible long-term control system fixes.

11:10-11:40am EST

(16:10-16:40 UTC)

Unit Operations for ICS security professionals (one big and expensive “Lego”)

Oscar J. Delgado-Melo, @lijantropique, Process Engineer, ICS Student

ICS security teams usually include security professionals and operations personnel (i.e., engineers, operators, and technicians) with diverse and particular backgrounds. Effective team communication requires some "common ground" where Operations personnel understand basic network concepts (e.g., data flow, network areas, subnets), and security professionals understand basic process concepts. While it is not mandatory to become Process Engineers (PE), security professionals will benefit from a refresher of how a PE studies a new process and which tools they use.

11:45am-12:00pm EST

(16:45-17:00 UTC)

Break

12:00-12:30pm EST

(17:00-17:30 UTC)

Cyber-Physical Safety Systems for Water Utilities

Andrew Hildick-Smith, Principal, OT Sec, LLC
Gus Serino, Principal ICS Security Consultant, Dragos

Anyone responsible for the reliable, safe, and cyber-secure operation of a water utility should assume they will be breached at some point. If the adversary is targeting the control system, it is likely that they can find a way in. If they spend the time to fully understand the system and its physics, they may also find a way to physically damage the water infrastructure. A core goal of every water utility is to maintain basic service. Armed with a manual operations plan and an incident response plan, a utility that is dealt a severe cyber blow can maintain service and minimize recovery time, as long as they can prevent physical damage to their system.

This talk will discuss operational vulnerabilities in water systems that could lead to physical infrastructure damage. It will then present possible cyber-physical safety systems designed to mitigate the risk of cyber-attacks leading to physical damage. Where process response is slow enough, out-of-band monitoring can provide protection. The talk will close with advice on how to initiate and lead a similar program in your utility.

Network-independent cyber-physical safety systems are similar to equipment protection systems but are considered safety systems because of their ultimate role in protecting public health. Important advantages of this approach include: system retrofitting that provides an element of robust cyber security and operator error protection, low cost opportunities, and solutions that can be designed and implemented by in-house staff without cyber security skills.

12:35-1:05pm EST

(17:35-18:05 UTC)

Building Cyber Security in the Water and Wastewater Industry

Kenneth G. Crowther, Product Security Leader, Xylem Inc
Estelle Feider-Blazer, Strategy and Market Analyst , Xylem Inc

This presentation delves into the threat landscape, threat actors, and solution horizon for cyber security in the water and wastewater sector. We provide an overview of cyber attacks against utilities in the water and wastewater sector, discuss the threat actors that are targeting critical infrastructure and the rate at which they are broadening their focus to include water and wastewater systems, and discuss the new hacking techniques that are emerging for exploiting industrial automation and control systems. We use MITRE ATT&CK for Industrial Control Systems to standardize the descriptions of the most likely tactics and techniques that will be used against water and wastewater industrial automation and control systems. These techniques provide a foundation to prioritize mitigation activities. We show how the responsibility for these mitigations is distributed across the community of product makers, integrators, operators, and maintenance. We outline a partnership responsibility roadmap that covers the product maker during secure development, the integrator or system operator during secure deployment and installation commissioning, and the operator of the system, as well as addressing mitigations required for system upgrades and maintenance.

The desired outcome of this presentation is to discuss cybersecurity priorities based on evidence of actual targeting relevant to the water and wastewater industry and its emerging technologies, and to present a partnership model that describes how a community works together to enable secure digitization of water and wastewater infrastructure.

1:05-2:00pm EST

(18:05-19:00 UTC)

Lunch

2:00-2:30pm EST

(19:00-19:30 UTC)

How to use security architecture to build a defensible ICS network

Bruce Large, OT Security Lead, CyberCX

In this presentation Bruce will deep-dive into Architecture, which is the first category of Rob M. Lee’s Sliding Scale of Cyber Defense paper. The presentation will step through the planning, establishing and upkeep activities relating to cyber security architecture and provide reference materials and worked examples. Bruce will share his experiences and lessons learnt from his time as a Telecommunications Engineer working with SCADA systems and more recently as an OT Cyber Security Specialist. Bruce has racked and stacked, supported, designed, commissioned, and architected solutions and he is keen to bridge the gap from the theoretical to the practical. This presentation will work through Network Security architectures for SCADA and DCS environments.

2:35-3:05pm EST

(19:35-20:05 UTC)

BRIC-ing the Supply Chain: Managing ICS Product Security in a Fragmenting World

Maggie Morganti, Product Security Researcher, Schneider Electric

It is no secret that distrust between “cyber superpowers” has led to calls for a fragmented internet, which would allow them to (theoretically) isolate traffic within their borders. However, these goals don’t end at the firewall. Digital separation includes supply chain autonomy as well. Global ICS vendors know the challenges this will present from a personnel and production standpoint. But we must also examine what implications this will have on how large vendors manage their security, implement controls, adopt new technology and handle vulnerabilities. Additionally, what new challenges will independent researchers face, and what consequences will this have on coordinated disclosure?

3:10-3:40pm EST

(20:10-20:40 UTC)

Killing Time

Tim Conway, Certified Instructor, SANS Institute
Jeff Shearer, Instructor, SANS Institute

In this talk we will look at some of the different kinds of time sources found in ICS environments (Windows Time, NTP, PTP, IRIG-B, etc.) and briefly discuss how industrial control system devices and applications like PLCs, PACs, historians, and alarm systems use time. We will also discuss common network architectures that allow time sources to be accessible or time protocols like NTP to be passed through IDMZs and firewalls. In this final presentation of the day, we will walk through an attack demonstration targeting a local process through a built-in NTP feature for sending a Kiss-of-Death packet – ultimately attacking the control system from within the control system.
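As an added example written for this page (not material from the talk or from SANS), the packet the abstract refers to can be recognised on the wire. Per RFC 5905 section 7.4, a Kiss-o'-Death (KoD) packet is a server-mode reply with stratum 0 whose Reference ID field carries a four-character ASCII kiss code; DENY and RSTR tell the client to demobilise the association and stop sending to that server, RATE tells it to reduce its poll interval. The Python below builds minimal NTPv4 headers for constructed sample traffic and classifies them, so that a sensor on the IDMZ path can flag KoD replies heading towards control-system clients. The sample addresses, the severity labels and the subset of kiss-code meanings are assumptions for the example.

```python
import struct

# Wire layout of the 48-byte NTPv4 header (RFC 5905, section 7.3):
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit timestamps.
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")
MODE_CLIENT, MODE_SERVER = 3, 4

# Kiss codes from RFC 5905, section 7.4 (subset; meanings paraphrased).
# A KoD packet is a stratum-0 server reply whose reference ID is one of these.
KISS_CODES = {
    "DENY": "access denied: client must demobilise the association and stop sending",
    "RSTR": "access restricted: client must demobilise the association and stop sending",
    "RATE": "rate exceeded: client must reduce its poll interval",
    "AUTH": "server authentication failed",
    "STEP": "step change in system time; client should wait before using this server",
}


def build_packet(mode, stratum, refid, li=0, version=4, poll=6, precision=-20):
    """Build a minimal NTPv4 header with zero timestamps; only the fields the
    classifier inspects are meaningful. refid must be exactly 4 bytes."""
    if len(refid) != 4:
        raise ValueError("reference ID must be 4 bytes")
    li_vn_mode = (li << 6) | (version << 3) | mode
    return NTP_HEADER.pack(li_vn_mode, stratum, poll, precision, 0, 0, refid, 0, 0, 0, 0)


def parse_header(data):
    """Parse the fixed 48-byte header; extension fields and any MAC are ignored."""
    if len(data) < NTP_HEADER.size:
        raise ValueError("packet shorter than NTP header (%d bytes)" % len(data))
    li_vn_mode, stratum, poll, precision, _delay, _disp, refid, *_ts = NTP_HEADER.unpack_from(data)
    return {
        "li": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": refid,
    }


def classify(data):
    """Return ('kod', kiss_code, meaning) for a Kiss-o'-Death reply,
    ('reply', stratum, None) for an ordinary server reply, or ('other', mode, None).
    Stratum 0 is required: a stratum-1 server also carries ASCII in the
    reference ID (e.g. "GPS"), so a printable refid alone is not a KoD."""
    h = parse_header(data)
    if h["mode"] != MODE_SERVER:
        return ("other", h["mode"], None)
    if h["stratum"] == 0 and all(0x20 <= b < 0x7F for b in h["refid"]):
        code = h["refid"].decode("ascii")
        return ("kod", code, KISS_CODES.get(code, "unregistered kiss code"))
    return ("reply", h["stratum"], None)


def scan(packets):
    """Run classify() over (src, dst, payload) tuples and return one finding per
    KoD reply. DENY/RSTR are the ones that silence a client: it stops sending to
    that server, so a PLC or historian can lose its time source without any alarm.
    The severity labels are an assumption for this example."""
    findings = []
    for src, dst, payload in packets:
        kind, code, meaning = classify(payload)
        if kind == "kod":
            findings.append({
                "src": src, "dst": dst, "kiss_code": code, "meaning": meaning,
                "severity": "high" if code in ("DENY", "RSTR") else "medium",
            })
    return findings


# Constructed sample traffic (not a real capture): one normal stratum-2 reply
# whose refid is the upstream server's IPv4 address, one RATE KoD, one DENY KoD,
# and one ordinary client request.
SAMPLE_PACKETS = [
    ("10.10.1.5", "10.10.30.21", build_packet(MODE_SERVER, 2, bytes([10, 10, 0, 1]))),
    ("10.10.1.5", "10.10.30.21", build_packet(MODE_SERVER, 0, b"RATE", li=3)),
    ("10.10.1.9", "10.10.30.22", build_packet(MODE_SERVER, 0, b"DENY", li=3)),
    ("10.10.30.21", "10.10.1.5", build_packet(MODE_CLIENT, 0, b"\x00\x00\x00\x00")),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PACKETS):
        print(finding)
```

The classifier does not check the origin timestamp. A compliant client compares it with the transmit timestamp of its own last request before acting on any reply, KoD included, so a sensor that wants to tell a solicited RATE from an unsolicited one has to track the client's outstanding requests as well as the replies. Where time protocols are allowed through the IDMZ, a KoD from an unexpected source address towards a controller or historian is worth alerting on regardless.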

3:45-4:00pm EST

(20:45-21:00 UTC)

Day 2 Wrap-Up