Forum Format: Virtual
How can organizations prepare their IT and OT teams to be ready for security incidents? What are the techniques and tools the teams can use to improve the identification, containment, and eradication of suspicious or malicious activities to improve response times and reduce recovery efforts? This briefing will explore these questions through invited speakers while showcasing current capabilities available today. Vendor presentations will focus on case-studies and specific capabilities that may improve communication and response activities during an actual security incidents.
9:00 - 9:20 AM CDT - Welcome & Keynote
Most organizations focus their information technology (IT) and operational technology (OT) teams on securing the control network and gathering as much information as possible. The tasks associated with improving brown field environments or engineering green field environments with the appropriate design requirements typically necessitates a large investment in project work hours. Solutions are often a conglomeration of technologies that are stitched together by sweat, creativity, and ingenuity. The end result is an influx of information that needs to be stored, correlated, analyzed, and monitored. The result is actionable intelligence that allows leadership to make informed decisions and improve the organization's security program in line with the direction and goals of the control network.
Many organizations would consider this a success, and it is. But this influx of information will, eventually, lead to the identification of anomalous events. These events will lead to the identification of malicious activity. What does your team do now? The incident responses plans for most organizations are geared to their corporate environment and assets. They are not consistent with the technologies and operational requirements of the control network. Organizations that fail to prepare their team to handle actual security incidents will experience increased downtime and difficulties returning to 100 percent production. Response and recovery is just as important to an organization as the deployment of technologies designed for prevention and identification.
9:20 - 9:55 AM CDT - Faster, Cheaper, Better: Why Companies Should Embrace IT/OT Security Operations Centers
Trevor Houck, Lead, OT Network Defense Services, Revolutionary Security - Part of Accenture Security, @RevSec
When it comes to Operational Technology (OT), traditional security monitoring and response operations are no match against evolving cybersecurity threats. Even the latest tools and technology are not enough. What many organizations have found successful is using a well-structured joint SOC model that combines IT and OT environments. This aggregate approach allows both environments to benefit from the tools and technology, threat intelligence sources, and talented staff employed by an organization. The result is a streamlined security incident response process, reduction in duplicated efforts, and improved collaboration.
9:55 - 10:30 AM CDT - Remote Access to SCADA Systems: Designs That Make it Worthwhile & How to Get Them Approved
Remote access is an operational efficiency and crew safety tool with a cybersecurity problem. This is SANS, so we are going to show you how to identify and fix this cyber problem so your firm can start benefitting from remote access again. From a security perspective, we will be covering the new (MTD networks and disposable infrastructure), the old (static VPNs, MPLS, UDP hole punching, and multi-tenanted systems), and the just plain ugly (on-prem systems with static portals and mailed laptops). From an operational perspective, we will be covering how to get remote access deployments through the committees where such initiatives tend to die.
10:30 - 10:40 AM CDT - Break & Trivia Game
10:40 - 11:15 AM CDT - Analyzing & Preventing ICS Attacks with the MITRE ATT&CK for ICS Knowledgebase
The typical ICS environment is no longer the impregnable air-gapped network that it once was. It has been connected to the enterprise network, to the Internet, and to business partners who provide remote support. So while the traditional Purdue reference architecture is still 'the ' model, in most real-world environments it has lost its integrity. Attackers can find their way into your OT environment through new connected devices and converging networks.
The new MITRE ATT&CK for ICS knowledgebase can help security managers understand the tactics and techniques that attackers use to gain access to industrial control systems.
11:15 - 11:50 AM CDT - Detecting and Understanding Unusual Network Activity in a Plant Environment
Plants were originally designed with the primary objective of reliable output, with safety and resilience coming in a very close second. As organizations continue to evolve their plants through transformational projects, or build new facilities, one thing is clear: interconnectivity and automation are inevitable. With this comes the need to understand the environment and establish baselines and norms in order to continue to ensure safe and reliable output. This presentation will walk through a case study leveraging tools to identify assets on a plant's network, understand potential threats, and guide response in the event of an incident.
11:50 AM - 12:25 PM CDT - OT/IoT Security Threat Report 2020
Learn about the most active threats seen in 2020, including IoT malware, ransomware, and COVID-19-themed malware. Gain insight into their tactics, and recommendations for securing OT/IoT networks.
12:25 - 12:30 PM CDT - Closing Statement & Trivia Winner Announced
Summit: October 2 | Training: October 5-10
The SANS Oil & Gas Cybersecurity Summit will bring leading experts together to discuss industry trends, challenges, and opportunities. They'll address recent attacks and current threats, integrated IT/OT security operations, best practices, and lessons learned to benefit the community.