DISC SANS ICS Virtual Conference

  • Friday, 01 May 2020 10:00AM EDT (01 May 2020 14:00 UTC)
  • Speakers: Tim Conway, Robert M. Lee, Jason Dely, John Lavender, Sergio Caltagirone, Amy Bejtlich, Kate Vajda, Tom Van Norman, Jason D. Christopher, Jeff Shearer, Don C. Weber, Austin Scott

This virtual conference will be held over Zoom due to the size of the audience (multiple thousand). SANS has evaluated the claims around Zoom's security and has found, collectively with our national partners, Zoom's response to the concerns to be appropriate.

It is our assessment that even though there were valid concerns about Zoom, the company has responded accordingly to resolve the situation. SANS also found a significant level of misinformation about Zoom security. More information about our Zoom security assessment can be viewed in this webcast. However, SANS will configure Zoom so that participants can use the web client if they do not want to install the Zoom application on their systems.

We feel confident in our platform choice and look forward to your participation in the virtual conference.

IMPORTANT: We strongly suggest that attendees read the event detail information document here.

SANS and Dragos join forces to provide a fully virtual conference on Friday, May 1st, open to the community, to share technical insights, lessons learned, and best practices for ICS/OT cybersecurity presented by SANS Institute instructors and Dragos staff.

The content is designed to be widely acceptable to both IT Security and OT/ICS audiences, and the theme is education, especially during times when many folks are at home and working remotely. The talks give special focus to what work and efforts can be accomplished with minimal effort during slowdown periods.

The DISC SANS ICS Virtual Conference will also host a NetWars CTF jointly developed by SANS and Dragos with 4-8 hours of cyber defense and ICS network security related challenges on Thursday, April 30. The winner will be announced at the conference and the answers provided to all attendees. Registration is now open through your SANS Portal account.


10:00am - 10:30am - Welcome & Opening Remarks, Tim Conway & Robert M. Lee @robertmlee, Conference Co-Chairs

10:30am - 11:05am - The ICS Security Crucible: Forging Programmatic Armor and Weapons, Jason Christopher, Principal Cyber Risk Advisor, Dragos Inc. and SANS Certified Instructor

When we think of cybersecurity, we often think of new technologies that can help us manage all the threats we hear about. That said, our industry also knows that technology cannot solve this problem alone. We further understand that cybersecurity capabilities are defined as a combination of technology, people (like you), and processes (including documentation!). These three ingredients, when merged together, make a powerful compound and define successful ICS security programs. This presentation will introduce an "ICS Security Crucible" where you will combine people, processes, and technology to create custom-fitted armor and defenses for your industrial operations based on unique risks, associated impacts, budgets, and known threats. Leveraging real use-cases, participants will learn practical next steps in either creating or refining their ICS-specific security program. When we combine technology with the right people and robust processes, organizations create a strong culture of security and forge lasting legacies for critical infrastructure protection. And we sure could use more of that these days...

11:05am - 11:40am - ICS Ranges and DIY For Home Learning, Tom VanNorman, Director of Engineering Services, Dragos Inc

Are you thinking about building your own ICS Range, but you have no idea where to start? Whether you are looking to build something for personal enrichment or something at work, this talk will cover what you need to know to start your project. I will cover pros and cons of different configurations as well as provide you with firsthand knowledge of things that I found that work and do not work.

11:40am - 12:10pm - Break

12:10pm - 12:40pm - Analyzing OT Radio Implementations for Attack Surfaces, Don C. Weber @cutaway, Instructor SANS ICS410 & HOSTED: Assessing and Exploiting Control Systems

Security assessments help an organization understand the strengths and weaknesses of a technology. Technologies that provide public access to an environment, particularly those with operational technologies, deserve a very close look. This presentation will focus on reviewing the capabilities of a wireless gateway, identifying the potential attacks on the technology, and outlining the methods to mitigate the threats.

12:40pm - 1:10pm - Operationalizing Threat Intelligence in ICS, Sergio Caltagirone, VP of Threat Intelligence, Dragos Inc., Amy Bejtlich, Director of Threat Intelligence, Dragos Inc.

Threat intelligence allows asset owners and operations to make better cybersecurity decisions for ICS/OT environments. However, it's not easy. In this presentation, we'll discuss how to consume and digest threat intelligence to make it usable, and your operations better than before. Do you need a "threat intelligence team?" How would you form one? Does your SOC need to know about threat intelligence? How do you measure the benefit of threat intelligence? We'll answer these questions and more.

1:10pm - 1:40pm - Evaluating ICS Vulnerabilities, Katherine Vajda, Senior Intelligence and Vulnerability Analyst, Dragos Inc.

Managing and understanding the risk of vulnerabilities within ICS is crucial in protecting the delivery of the function. In this presentation, we'll discuss highlights from the 2019 vulnerability year in review report, what we've learned about these vulnerabilities, and what you can do with this information. We'll go in-depth into our process and drivers for prioritizing and understanding the risks of vulnerabilities within ICS and how to get the best ROI on your efforts involving mitigation.

1:40pm - 2:40pm - Lunch

2:40pm - 3:25pm - Future Things: Simple Yet Effective ICS Cyber Attacks, Jason Dely and Jeff Shearer, SANS Institute, Instructors and ICS612 Co-Authors

ICS-focused attacks have a sliding scale of impacts, with the largest effect being hardware manipulation to cause product quality issues, product manufacturing disruption or the highest effect of all: loss of life. This presentation and demonstration will walk through some common attack objectives and interesting ways to achieve those goals by attacking the control system through the control system itself.

3:30pm - 4:10pm - Simple Wins During Slow Downs, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc.

Recent events have added some additional constraints to our ability as an industry to move ICS cyber security programs forward. How do we continue to identify and reduce cyber risk in our ICS environments when we cannot hire consultants or meet with vendors? As ICS operations teams are actively working to minimize contact with the outside world, how do we add or implement new technology or improve the security posture of our environments? In my presentation, I will detail several ways that ICS cybersecurity teams can work with existing technologies and infrastructure to identify and reduce cyber risk. Many of these recommendations can be done remotely and have a very low chance of inadvertently causing any operational issues.

4:10pm - 4:45pm - Networking Break

4:45pm - 5:25pm - Electric Sector Incident Response, Tim Conway, SANS Institute

This talk will discuss current Incident Response requirements for North American Electric sector asset owners and operators, as well as some IR guidance beyond the current requirements. Looking forward, we will also discuss the benefits and challenges that organizations need to consider in relation to the new CIP-008-6 Standard going into effect starting Jan 1 next year.

5:30pm - 6:10pm - ICS CTF Results and Answers, Austin Scott, Principal Industrial Penetration Tester, Dragos Inc., Jon Lavender, Chief Technology Officer and Co-Founder, Dragos Inc.

Cyberville is an isolated desert town fed only by a single sub-transmission line. The 4444 residents of Cyberville are largely retirees who have come to the desert to escape from cold weather altogether. During the summer, the average high is over 102F, and without air-conditioning, the elderly residents of Cyberville are at risk. A microgrid has been created to protect the residents of Cyberville from high winds or a lightning strike cutting power to the town for an extended period. Cyberville's microgrid includes local power generation (solar, wind, and gas turbine), local energy storage, and automated switching. Cyberville's microgrid can disconnect and function independently during emergencies, supplying vital electricity to the local community.

We believe that an adversary has compromised the Cyberville microgrid network. You have been tasked with performing the incident response work on Cyberville's microgrid and removing the threat before it can put the lives of our residents at risk.