Oil & Gas Cybersecurity Summit 2019

Houston, TX | Mon, Sep 16 - Sun, Sep 22, 2019

Oil & Gas Cybersecurity Summit Agenda

September 16 | Houston, TX

Monday, September 16
9:00-9:15 am
Welcome & Opening Remarks
  • Jason Dely (@jasonjdely), Practice Director – Industrial Control Systems, Cylance; Instructor & Summit Co-Chair, SANS Institute
  • Mike Pilkington (@mikepilkington), Researcher, Certified Instructor, Summit Co-Chair, SANS Institute

9:15-10:00 am

Risk-Based Approach to Protecting Industrial Control Systems

Steve Slawson, Director – IT Security & Compliance, Occidental Petroleum

We are faced with a sprawling, heterogeneous industrial control system landscape into which we have little visibility. So what do we do? In this presentation, we’ll lay out the steps we took to get our arms around what we have, and to prioritize both the lines of business and the preventative and mitigation controls needed to lower the risk of a catastrophic breach of our control systems. We’ll describe how we framed risk, how we prioritized the deployment of controls, how we communicated with executive management, and how we leveraged internal audit and executive support to change the organization. You’ll come away with ideas on how to apply these steps within your own organization.

10:00-10:30 am

Networking Break

10:30-11:10 am

Securing the Technology Supply Chain

Keith Turpin, CISO, Universal Weather and Aviation

This presentation covers best practices and considerations when operating a supply chain security program. It is based on more than a decade working in all aspects of supply chain security, from building the supply chain security program for a Fortune 50 company to helping draft the first ISO standard on supply chain security and being involved in every aspect of the process from risk assessments to contract negotiations. We’ll discuss some of the impacts of supply chain failures, including walking through a few pertinent examples. The presentation will also cover the various reasons supply chains may be targeted. The issue of supply chain visibility and the challenges of controlling risks when you only have limited knowledge of your exposure will be covered, as will the steps to improve awareness, assess supplier risk, identify critical factors, and evaluate impacts. We’ll then turn to contractual considerations for supply chain security in both your upstream and downstream business relationships. Contracts have limitations, especially when they cross international boundaries, and this will be covered in detail. Finally, we’ll discuss what it takes to build an effective program and look at what you should be doing to avoid supply-chain-related fraud.

11:10-11:45 am

Five Steps to Secure Your Industrial Control System/SCADA Network

Pedro Serrano @InfoSecPedro, Security Architect, Cimarex Energy

This presentation will provide a quick look at the most important steps that need to be taken to secure industrial control systems. We’ll examine measures that are realistically obtainable and that can make a difference in your environment. The emphasis will be on what you CAN do.

11:45 am - 12:20 pm

ICS, SCADA, and Mitre ATT&CK: How It Helps and Where It Hurts

Neal Humphrey, Director, Threat Intelligence Engineers, ThreatQuotient

The Mitre ATT&CK framework has many potential uses within SCADA and industrial control system environments. This presentation will dive deep into the process of using the framework to describe specific attack patterns and courses of action around the Triton/Trisis/HatMan attacks. The aim is to support the identification and ultimate resolution of vulnerabilities. In addition, we’ll cover the use of the Mitre ATT&CK framework as well as mitigating and compensating controls that can be used in both business and production networks. Expected takeaways include data and analysis on the Triton/Trisis/HatMan attacks and guidance on how to use Mitre ATT&CK as a communication and validation tool across teams within an organization.

12:20-1:30 pm

Lunch & Learn

1:30-2:05 pm

SANS ICS Survey Results: Top 3 Initiatives for Increasing ICS/OT Security

Moderator: Jason Dely

Panelists to be named

Survey says: we’re getting better all the time, but we’ve still got lots of work to do as an industry. Our panel will discuss the top three areas of focus identified by the most recent SANS ICS Survey with recommendations for improvement. We’ll look at:

  • Increasing visibility into control system cyber assets and configurations
  • Auditing control system networks and security assets
  • Investing in general cybersecurity awareness programs for employees, including IT, OT, and hybrid IT/OT personnel

2:05-2:40 pm

Breaching the IT/OT Boundary – Wedge Points and How to Secure Them

  • Jackson Evans-Davies, Penetration Tester, Honeywell
  • Connor Leach, Penetration Tester, Honeywell

The IT/OT boundary is one of the most important security controls to protect OT networks. OT security personnel are becoming more proficient at patching and protecting OT services accessible from IT networks. This increase in maturity is forcing attackers to move from traditional technical exploits to soft vulnerabilities (“it’s a feature, not a bug”) to breach the IT/OT boundary. This talk will explore common techniques and tactics attackers (and pentesters) employ to footprint and breach OT networks. We’ll provide examples that show why network segmentation alone is no longer adequate and should be extended to domains, applications, and platforms, including a demonstration of improper application segmentation by leveraging Windows Server Update Services to target OT systems. We will also discuss common sources of OT information on the IT network and various ways OT users are identified and leveraged to gain access to OT networks. We’ll demonstrate various credential theft techniques and look at how attackers can hijack established IT/OT sessions. We’ll also cover why a properly configured multi-factor authentication solution can be extremely potent at the IT/OT boundary. In summary, this talk will explore the IT/OT boundary from an offensive standpoint and examine how that boundary, when properly secured, can be one of the most important security controls to protect OT networks.

2:40-3:10 pm

Networking Break

3:10-3:45 pm

Improving Pipeline Operational Visibility to Avoid Costly Downtime

Paul Smith @paul_timothy, Director of Product Research and Strategy, Nozomi Networks

The main priority for midstream oil and gas operators is to keep their product flowing through pipelines in a secure and safe manner. It is also critical that they have visibility to mitigate any cybersecurity issues and to detect any potential outages that could impact services. When visibility into what is really happening is reduced, significant problems and costs can arise. This is unfortunately what happened with a major pipeline organization when a PLC went down and cost the company $1.9 million in lost revenue and downtime. In this session, Paul Smith will take a deep dive into this case and other real-world use cases to share lessons learned and best practices from years of field experience helping oil and gas organizations pave the way for successful OT visibility and cybersecurity on a local or global scale.

3:45-4:20 pm

A Roadmap to Help Enterprise Security Operations Centers Expand Duties to OT Environments

Vernon L. McCandlish @malanalysis, Principal Security Analyst, Dragos Inc.

This presentation will use a case study of the Xenotime activity group to demonstrate why having the ability to monitor, detect, and respond in an Operational Technology (OT) environment is vital to human safety and continuous operations. Attendees will learn what adversaries are targeting in the OT space, with an emphasis on safety-instrumented systems. We’ll also look at what needs to be taken into consideration when adding or expanding monitoring, detection, and response capabilities for OT environments to an existing enterprise Security Operations Center. Finally, we’ll present a high-level workflow to get started with OT monitoring, detection, and response in your organization.

4:20-4:55 pm

SCADA Cyber Security for Pipelines: API 1164 and Updates from the Trenches

  • Tom Aubuchon, Sr. Director Cyber Security Strategy and Programs, Baker Hughes
  • Jason D. Christopher @jdchristopher, CTO, Axio; Instructor, SANS Institute

API 1164 is a security standard written specifically for oil and natural gas pipelines—and it’s now going through a massive update to be more relevant to today’s threat landscape and technology advancements. The new scope may be applied to up-, mid-, and downstream operations, and will further expand to include measurements for the NIST Cyber Security Framework. This presentation will cover all the major things you need to know about the update, directly from members of the drafting team, and provide insight into what these advancements will mean for individual energy companies.

4:45-5:00 pm
Closing Remarks & Action Items
  • Jason Dely (@jasonjdely), Practice Director – Industrial Control Systems, Cylance; Instructor & Summit Co-Chair, SANS Institute
  • Mike Pilkington (@mikepilkington), Researcher, Certified Instructor, Summit Co-Chair, SANS Institute