Oil & Gas Cybersecurity Summit 2020 - Live Online

Opening Remarks

Rob M Lee, @RobertMLee, SANS Senior Instructor
Tim Conway, SANS Certified Instructor

Keynote

Q&A with CESER's Sean Plankey

Andrew A. Bochman, @andybochman, Senior Grid Strategist, National & Homeland Security
Sean Plankey, Principal Deputy Assistant Secretary, Office of Cybersecurity, Energy Security, and Emergency Response. U.S. Department of Energy

The #2 man at the Federal government's #1 grid protection organization has agreed to take questions from INL's senior grid strategist, and the exchange promises to be lively. Here is some of what they'll hash out:

• How Sean's time at BP helped shape his ICS cyber perspective
• Executive order 13920 on supply chain security for the bulk power system
• The Cyberspace Solarium Commission's recommendations
• The expanding role of natural gas and distributed energy resources in electricity production and ramifications for grid security and resilience
• DOE stepping in assist, participate in and guide DHS' long-running ONG Cyber LOGIIC program
• A rundown on CESER's highest impact programs
• A gaze into the crystal ball at likely future challenges and priorities

And of course, all of this is going on in the context of a crippling global pandemic. How's COVID-19 affecting cybersecurity priorities at DOE and in the utilities it's charged with helping?

Raiders of the lost RTUs, Meters, and Valves

Ron Brash, @ron_brash, Director of Cybersecurity Insights, Verve Industrial Protection

While IoT/IIoT is everywhere in product catalogues today, Oil & Gas is the original Joe for connected embedded things to fulfill specific purposes such as providing telemetry remotely, or to monitor the health of a well or pipeline. And like many aspects of industrial systems, it was and still is the Wild West of security, updates (or lack of), and deployments where it makes little economic sense to upgrade enforces the fact that producers need to reduce any disruption or security risk for these devices - new or legacy.

With thousands of existing deployments, these devices are often forgotten, and whether for cyber-security or for merely inventory management due to divestment, an effective resource-friendly method is absolutely required to manage these types of systems.

This session walks through several areas (agnostically) with more than 35 years combined experience on:

• How are these devices are often deployed, and in what kinds of environments?
• Discovering technical vulnerabilities/weaknesses and horror-shows buried in these devices
• One approach to successfully enumerate, research, and support candidate devices
• A live demonstration of a hidden surprise with a device obtained from the grey-market
• And how to bring these devices into the fold for inventory/asset management with considerations for cyber-PHAZOPs & vulnerabilities

Developing Effective Detection and Defense Strategies Against Activity Groups in Oil & Gas OT using the Diamond Model, Kill Chain, and ATT&CK®

Sergio Caltagirone, VP Threat Intelligence, Dragos

Following best practice is always a good approach when establishing cyber defense policies. But best practices are general guidance and don't fit every situation. Instead, we can get specific by using the Diamond Model, Kill Chain and Mitre ATT&CK® frameworks to develop threat-specific detection and defense strategies based on your own threat profile. In this presentation you'll learn how to build a better threat model, develop a measurably effective detection and defense strategy, and, usually skipped by many, evolve and measure your defenses as the threat environment changes.

Preparing for M&A and Onboarding Newly Acquired "Immature" Organizations

Brent Foster, Founder, Extensible Security

A drop in oil prices means M&A. Now is the time to get ahead by updating your due diligence process and checklists to support your ICS security objectives. We will look at ways to efficiently get the right information and executive visibility of security issues up front to prevent future pain. Spoiler, the best answer isn't "Go get 3PAO to audit target against (insert framework here)" - few M&A efforts look the same from a ground level operational perspective. Plus, executives will be happy because of the potential impact to price. However, despite your target's best efforts, cost cutting measures negatively impacted ICS security. We will discuss how to utilize the executive buy-in, information gathered, and relationships built during the M&A process to quickly fix critical issues while prioritizing future efforts. The goal is for you to leave able to update your M&A processes, so when the deal is inked there's already explicit (or at a least implicit) approval to fix critical issues asap, with other issues roughly tied to your current roadmap.

Process Vulnerabilities for Refineries: When milliseconds matter

Can Demirel, @secandit, ICS Cyber Resilience Services Manager, Cyberwise
Yusuf Yılmaz Akdemir, Independent Researcher

The most of the time security assessments, penetration tests or red teaming activities at Oil &Gas plants focus on core processes and their vulnerabilities. What if attacker leverage supportive processes such as power or steam load shedding, decontamination, pipeline operations etc. During this talk we will walkthrough how to exploit and defend process vulnerabilities with real world scenarios. And also, we will discuss how to create use cases and basic simple defense mechanisms to enable OT-SOC.

the "BLACK GOLD": battle to defend the most treasured assets in world

Anas Faruqui, @anasf1885, OT Cybersecurity Engineer, Aramco

You're a CIO, CISO or IT Security Manager - and you wake up in the middle of the night to a call from your Security Operations Center (SOC) analyst. And suddenly you find that your organization is in the headlines of national newspapers because their core business - operational technology (OT) (an energy/oil producing plant) - was breached.

It does not only stop there, but this cyber incident has caused huge environmental disaster and resulted in an explosion due to incorrect mixture of blend or kicked-off emergency shutdown procedure of an production facility.

But what if you can know stop all hacker/terrorist before it happens ... The recent growth of IP based systems and push for Industrial Revolution 4.0 (IR 4.0) in OT/ICS/SCADA presents a massive opportunity for companies to use these datasets in many meaningful ways for security/network/OT centers.

As more and more IT and OT integration happen, and we have created this world of hybrid environments infrastructures requiring businesses to address both technological and organizational to comply with government and industry best approach requirements.

This session will SPELL out the plan and show case you how the largest OT implementation of cyber security monitoring in the world happened, enabling us to be ready for any breach in OT.

Detecting Encrypted Radio Communications Using Universal Hacker Radio

Don Weber, @cutaway, Information Security Consultant, Cutaway Security, LLC

Radio communications are used to establish communications without the need for wired connections. They also provide a degree of safety to personnel supporting dangerous processes. These benefits come with additional risk. Radio communications are externally accessible, meaning that they expose their networks to the public. This presentation will demonstrate how to capture radio communications of 900 MHz radios that are commonly deployed in operational technology (OT) environments. The tool Universal Radio Hacker (URH) will be used to quickly isolate the radio communications, transform those transmissions to data packets, and review the packets for encryption.

2:45- 3:20 pm CDT

What's cooking? Starting your own DIY Automation and ICS Security Projects

Mike Hoffman, @ICSSecurityGeek, Principle ICS Security Consultant, Dragos

Continuous learning and curiosity are both pre-requisites to a successful and rewarding profession in ICS Security. Getting hands-on time with ICS systems is a great way to hone skills and reinforce ideas and concepts gained from SANS courses and time in the field. This presentation will show how you can turn a CLICK PLC and C-more HMI from ICS612 into a safe and secure home coffee roaster -- a project that will help you learn Ladder Logic Programming, PID Control, and ICS protocols. Implemented correctly, you will reap not only the benefits of knowledge gained but also a favorable cup of joe.

Secure and Safe Operations in the Remote Work Era: COVID-19 and Beyond

Mark Carrigan, Chief Operating Officer, PAS Global, LLC

The executive desire for a shift to remote work within the oil and natural gas industry has been underway for some time. While such a shift is likely to benefit the broader organization with lower costs and greater safety, it is also not without risks to security and also safety. The COVID-19 pandemic has been a catalyst for increasing the shift to remote work, but it has also exposed weaknesses in processes and tools to support it.

In this session:

• Explore the benefits that remote work can bring to operators, automation engineers, and health & safety personnel
• Examine the tools and process changes required to enable effective, secure, and safe remote operations
• Hear specific recommendations to help guide decisions and investments that enable remote work, while addressing potential security and safety implications
• Review lessons learned on challenges to anticipate, pitfalls to avoid, and best practices for ensuring process safety as well as reducing potential cybersecurity risks

OT IR: Are You Prepared to Respond?

Gabriel Agboruche, @ICS_Gabe, Senior Consultant, FireEye

There are a plethora of well-defined IT security incident response methodologies, tools and methods, but at times, OT incident response gets left out. When an organization gets breached, the incident affects the IT and OT sides of the organizations. Whether it’s commodity ransomware or a targeted OT payload running wild in control systems, the entirety of the organization should be ready to identify and respond. This presentation will address integral areas that will assist organizations with responding to cybersecurity incidents, it will cover frontline incident responses engagements, and the aim is to provide actionable guidance on improving and fortifying your OT incident response plans.

A Game Theory Approach for Defending the ICS-SCADA Environment: Win the game using ICS MITRE®.

Rashed Rabie, Cyber Threat Hunter, Deloitte & Touche LLP

This presentation will describe how to map the ICS threat landscape to MITRE ICS ATT&CK®. This approach correlates game theory modeling and the ICS ATT&CK framework to identify the security solution to win the game against the adversary.

The game theory modeling can be summarized as follows: 1) Game - the game-players are in a Simultaneous Static Game; 2) Strategy - the defender's strategy is to determine an optimal security system solution to detect the attacker traffic, and the attacker's strategy is to find the optimal sophistication level to elude the defender's security measurements; 3) Payoff - the model projects the payoff for each player's strategy based on mapping the threats to ICS ATT&CK. The goal will then be to solve the game and find the equilibrium point, which is the best strategy for both players. This equilibrium will occur when the players do not have any profit deviation in using any other strategy.

In this game, mapping threats to ICS ATT&CK leads to identify the adversaries' sophistication levels. The sophistication then guides the defender for the most effective strategy. When the adversary chooses a low sophistication threat, the defender can use the ICS security measurements and controls, in addition to isolating OT and IT by using Data Diode technology. If the adversary chooses a medium sophistication threat, the defender can use continuous monitoring solutions (e.g., Security Operating Center (SOC)) and hunting service for non-target dual-use prolific exploits. When the adversary chooses advanced threats, the defender can apply defense-in-depth solutions such as hardware-based fingerprints detecting using NoiSense techniques. This approach provides stakeholders with broad solutions to help secure the ICS environment.

Day 1 wrap-up

Register for This Webcast

Welcome & Keynote

Don Weber, @cutaway, Chairperson, SANS Institute

Most organizations focus their information technology (IT) and operational technology (OT) teams on securing the control network and gathering as much information as possible. The tasks associated with improving brown field environments or engineering green field environments with the appropriate design requirements typically necessitates a large investment in project work hours. Solutions are often a conglomeration of technologies that are stitched together by sweat, creativity, and ingenuity. The end result is an influx of information that needs to be stored, correlated, analyzed, and monitored. The result is actionable intelligence that allows leadership to make informed decisions and improve the organizations security program in line with the direction and goals of the control network.

Many organizations would consider this a success, and it is. But this influx of information will, eventually, lead to the identification of anomalous events. These events will lead to the identification of malicious activity. What does your team do now? The incident responses plans for most organizations are geared to their corporate environment and assets. They are not consistent with the technologies and operational requirements of the control network. Organizations that fail to prepare their team to handle actual security incidents will experience increased downtime and difficulties returning to 100 percent production. Response and recovery is just as important to an organization as the deployment of technologies designed for prevention and identification.

Faster, Cheaper, Better: Why Companies Should Embrace IT/OT Security Operations Centers

Trevor Houck, Lead, OT Network Defense Services, Revolutionary Security - Part of Accenture Security, @RevSec

When it comes to Operational Technology (OT), traditional security monitoring and response operations are no match against evolving cybersecurity threats. Even the latest tools and technology are not enough. What many organizations have found successful is using a well-structured joint SOC model that combines IT and OT environments. This aggregate approach allows both environments to benefit from the tools and technology, threat intelligence sources, and talented staff employed by an organization. The result is a streamlined security incident response process, reduction in duplicated efforts, and improved collaboration.

Remote Access to SCADA Systems: Designs That Make it Worthwhile & How to Get Them Approved

Ian Schmertzler, President, Dispel, @DispelHQ

Remote access is an operational efficiency and crew safety tool with a cybersecurity problem. This is SANS, so we are going to show you how to identify and fix this cyber problem so your firm can start benefitting from remote access again. From a security perspective, we will be covering the new (MTD networks and disposable infrastructure), the old (static VPNs, MPLS, UDP hole punching, and multi-tenanted systems), and the just plain ugly (on-prem systems with static portals and mailed laptops). From an operational perspective, we will be covering how to get remote access deployments through the committees where such initiatives tend to die.

Analyzing & Preventing ICS Attacks with the MITRE ATT&CK for ICS Knowledgebase

Jack Marsal, Director, Product Marketing, Armis, @ArmisSecurity

The typical ICS environment is no longer the impregnable air-gapped network that it once was. It has been connected to the enterprise network, to the Internet, and to business partners who provide remote support. So while the traditional Purdue reference architecture is still the model, in most real-world environments it has lost its integrity. Attackers can find their way into your OT environment through new connected devices and converging networks.

The new MITRE ATT&CK for ICS knowledgebase can help security managers understand the tactics and techniques that attackers use to gain access to industrial control systems.

Detecting and Understanding Unusual Network Activity in a Plant Environment

Sam Van Ryder, @SamVR, Director of Strategic Accounts, Dragos, Inc., @DragosInc

Plants were originally designed with the primary objective of reliable output, with safety and resilience coming in a very close second. As organizations continue to evolve their plants through transformational projects, or build new facilities, one thing is clear: interconnectivity and automation are inevitable. With this comes the need to understand the environment and establish baselines and norms in order to continue to ensure safe and reliable output. This presentation will walk through a case study leveraging tools to identify assets on a plants network, understand potential threats, and guide response in the event of an incident.

OT/IoT Security Threat Report 2020

Chris Grove, Technology Evangelist, Nozomi Networks, @NozomiNetworks
Alessandro Di Pinto, @adipinto, Security Research Manager, Nozomi Networks, @NozomiNetworks

Learn about the most active threats seen in 2020, including IoT malware, ransomware, and COVID-19-themed malware. Gain insight into their tactics, and recommendations for securing OT/IoT networks.