ICS Consequence-Driven Incident Response Solutions Forum

  • Friday, 09 Dec 2022 10:30AM EST (09 Dec 2022 15:30 UTC)
  • Speaker: Dean Parsons

Consequences of modern cyber-attacks impacting control systems can range from large power grid blackouts affecting large cities or major regions, failure of critical manufacturing equipment with massive financial loss, paralysis of smart city infrastructure such as transportation in large municipalities, and serious environmental damage to, worse, injury or death of facility workers.

The obvious choice for ICS security managers and technical defenders is to focus on pre-incident defense - prevention - which has a lot of value! However, facility owners and security managers must not become fatigued by a prevention-only approach and forget to regularly refine the steps that deliver an effective and optimal engineering MTTR (mean time to recover) for a rapid return to operations.

Establishing ICS-specific network visibility, threat detection based on evolving sector-specific threat intelligence, and incident response tailored to control networks are all critical! They are all requirements of the first stages of maturity towards any effective ICS Security Defense Program.

However, for resilience, given the consequences these imminent intrusions bring, plant owners and operators will do well to ensure that ICS incident response includes effective and rapid engineering system recovery plans. That is, technology solutions and processes combined with ICS-trained defenders, security managers and engineering teams who are able to restore control systems to trusted restore points after cyber incidents, natural disasters, human error, or malicious insiders that threaten engineering operations.

This ICS Forum will bring to light lessons learned through a 2022 ICS year in review and reveal suggested actions for ICS incident response with a focus on ICS-specific threat detection and rapid engineering system recovery.

Agenda | December 9, 2022 | 10:30 AM - 1:30 PM EST

Timeline (EST) | Session Details

10:30 AM

Welcome & Opening Remarks

Dean Parsons, Certified Instructor, SANS Institute

10:45 AM

You Are Not Alone – 5 Critical Controls for Consequence-Driven Incident Response in ICS/OT Environments

Keeping the operational technology (OT) environments of industrial control systems (ICS) secure from cyberattacks is critical to our daily lives, and increasingly top of mind from the board room to the manufacturing floor. And while aligning organizational leadership and implementing a successful OT cybersecurity posture can be overwhelming for even seasoned security operations teams, there are some proven strategies to be proactive about protecting industrial infrastructure.

Context and collaboration are key to establishing effective, consequence-driven incident response. First, it’s important to understand that leveraging an IT incident response plan (IRP) simply won’t work, because the risk profile is very different and the potential consequences and costs for personal, operational, and environmental safety are much more significant. Having a dedicated IRP suited for ICS/OT environments is a must-have for effective incident response that is consequence oriented.

Join Tim Ennis, Senior Industrial Incident Responder at Dragos, and Jan Hoff, Principal Industrial Incident Responder at Dragos, for an informative panel discussion exploring 5 critical controls for OT cybersecurity and their significance for consequence-driven incident response. Additionally, this session will cover the importance of:

  • Driving alignment and cross-functional collaboration for an ICS-specific incident response plan
  • Correlating OT systems data with a Collection Management Framework, which is essential to the speed, effectiveness, and efficiency of incident response
  • Knowing your Crown Jewels, and the impact of a cyberattack on key assets

Tim Ennis, Senior Industrial Incident Responder, Dragos, Inc.

Jan Hoff, Principal Industrial Incident Responder, Dragos, Inc.

11:20 AM
Pre and Post Incident Network Collection at the Edge - A Practical Guide for Asset Owners

Implementing a comprehensive and continuous network visibility solution may not be possible for all organizations. Ron Fabela, CTO & Co-Founder at SynSaber, will discuss the many practical steps to industrial edge visibility that can be taken before and after an incident has occurred. Collection of industrial edge data is critical to understanding any process or control environment, as are some non-technology-based processes that can assist.

Key takeaways for this segment include:

  • The importance of automated collection, analysis and transport of industrial edge network data
  • Methods to collect industrial edge data without a continuous monitoring solution

Ron Fabela, CTO & Co-founder, SynSaber

11:55 AM
Implementing a Zero Trust Framework for Secure Remote Access in ICS

Remote access is becoming a necessity for OT, and there are countless reasons: professionals running offshore oil rigs, manufacturing plants meeting high demand, water treatment facilities serving large populations, and other critical facilities needing 24/7 access from anywhere. But providing that access has traditionally been too complex and fraught with security issues, as exposing critical infrastructure to the “outside” greatly expands the attack surface for hackers. Hear how to create and maintain secure and frictionless access to industrial control systems, enabling secure remote operations with a zero-trust architecture including protocol isolation, integrated MFA, role-based and time-based access controls, user session analytics, and more.

Bill Moore, CEO, Xona

12:30 PM
12:40 PM
Panel Discussion - ICS Consequence-Driven Incident Response

Dean Parsons, Certified Instructor, SANS Institute

Bill Moore, CEO, Xona

Jan Hoff, Principal Industrial Incident Responder, Dragos

Ron Fabela, CTO & Co-founder, SynSaber

1:25 PM

Dean Parsons, Certified Instructor, SANS Institute