ICS-Houston Security Briefing

  • Tuesday, 26 Jul 2016 5:20PM EDT (26 Jul 2016 21:20 UTC)

In conjunction with the ICS - Houston training event, SANS is pleased to offer the 4th Annual Industrial Control Systems Security Briefing. This event provides the opportunity to engage in dialog around Industrial Control Systems Security and learn about key solution capabilities.

Happen to be in the Houston Area? Drop by the Royal Sonesta Hotel for the LIVE event.



  • 4:00pm - 4:15pm:    Registration & Networking

  • 4:15pm - 4:30pm:    Opening Remarks - Key ICS Security Survey Findings
                                    Derek Harp, SANS Director - ICS & SCADA

    The Annual SANS ICS Security Survey is one of the premier sources of data on threats to control and automation systems and networks. Every year we develop and report insights into the state of security in these critical systems. This session will present a brief look at a few findings from this year's survey, as well as directions to find out more information.

  • 4:30pm - 4:50pm:    Addressing the threat of ransomware in ICS/SCADA
                                    Lionel Jacobs, Palo Alto Networks

    Ransomware has quickly become a concern for IT and poses a grave threat to operational technology as well. ICS owner/operators need to educate themselves and prepare their organizations to defend critical systems from this growing threat. In this 20-minute presentation, we will look at why cyber criminals want to attack ICS systems and ways that owner/operators can prevent these types of events from happening.

  • 4:50pm - 6:05pm:    ICS Rapid-Fire Session
                                    - Brian Wilson - Economic Espionage (The Spies in your ICS)

    Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation's prosperity and security. Cyberspace - where most business activity and development of new ideas now takes place - amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.

                                    - Matt Luallen - PERA Level 1 Device Protections

    The Purdue Enterprise Reference Architecture (PERA) provides a reference model for owners, operators and vendors to integrate applications and capabilities within the ICS-enabled enterprise. Level 1 represents the Intelligent Electronic Devices (IEDs) that sense and manipulate the physical processes through sensors, actuators and instrumentation. These devices serve as the decentralized I/O points communicating with a DCS, OPC server and operator HMI. Level 1 devices have been repeatedly labeled as "Vulnerable by Design" and require care in protecting them. This lunch & learn will delve into the specific attack surface and provide advice on how to protect PERA Level 1 devices physically, in cyberspace and operationally.

                                    - Marc Ayala - "What's in YOUR ICS Network?"

    Assessing cybersecurity risk is generally considered to be one of the first and most fundamental steps in any solid IACS cybersecurity management program. ISA 99.02.01 (now ISA 62443-2-1) published in 2009 includes requirements that organizations perform both high-level and detailed cybersecurity risk assessments on all identified IACSs. These requirements were reinforced in 2014 by the NIST Cybersecurity Framework that also specifies cybersecurity risk assessments and directly references the ISA 62443 requirements.

    While both of these documents require risk assessments, neither provides information regarding "how" to perform such an assessment. Guidance on how to perform IACS cybersecurity risk assessments is now available in the recently developed ISA 62443-3-2, "Security Risk Assessment and System Design". This presentation will provide an overview of the 62443-3-2 standard and demonstrate the IACS cybersecurity risk assessment process through a chemical industry example.

  • 6:05pm - 6:20pm:    Networking Break

  • 6:20pm - 6:40pm:    Stop Patching, It's Stupid.
                                    Lior Frenkel, Waterfall Security Solutions

    A better way to think about security is to consider a threat spectrum and decide how high in the spectrum to raise the bar. No security system is or ever can be perfect. Important control systems should raise the bar to just below Stuxnet-class attacks. That is: the only high-impact attacks that our defenses may not have a high degree of confidence in deflecting are the most sophisticated, autonomous, targeted attacks, which are designed to defeat one site's defenses specifically, with the active assistance of compromised insiders at the targeted site. Our goal for our important control systems should be to raise the bar to the point where the only credible, high-impact attacks are the most sophisticated, autonomous attacks, with active, deliberate cooperation from compromised insiders. With this goal in place, and a clear path to achieving it, we only need to determine which of our control systems are important.

  • 6:40pm - 7:20pm:    ICS Panel
                                    Moderator:   Derek Harp, SANS Director - ICS & SCADA
                                    Panelists:     Justin Searle
                                                         Rob Davis
                                                         Brett Young

    Panelists will discuss top current threats to ICS systems and what can be done to protect your devices, networks and operations.

  • 7:20pm - 7:30pm:    Cyber Resilient Energy Delivery Consortium

    Cyber networks provide the framework for many important functions within energy delivery systems, from sending data between a smart meter and utility to controlling the flow of oil or gas in a pipeline. However, they are also vulnerable to disturbances. According to the ICS-CERT "Monitor" newsletter, a publication of the Department of Homeland Security, a third of the 245 reported cyber incidents in industrial control systems that happened in 2014 occurred in the energy sector.

    The Cyber Resilient Energy Delivery Consortium (CREDC) aids and will continue to aid in making these systems more secure and resilient. In the cyber world, "security" refers to the ability to keep data confidential and uncorrupted, while "resiliency" is the ability to withstand attacks, provide an acceptable level of service in the midst of an incident, and recover quickly following an attack. CREDC focuses on resiliency. By involving industry early and often - from helping us identify critical sector needs to performing pilot deployments and technology adoption - CREDC continues to develop research that has significant and measurable sector impact. This initiative aims to create and fill a technology pipeline through which foundational research will lead to applied research and development, which in turn will result in technology that is effective and affordable and can be implemented quickly in the field.

  • 7:30pm - ??:            Networking Reception