Welcome to the Interactive Agenda for the 2016 ICS Cyber Security Conference! (View the full ICS Cyber Security Conference website here) This agenda is currently a work in progress; please check back often, as our team is making updates DAILY. (You can register for the conference here)
Breakout
Tuesday, October 25

1:30pm EDT

An Industrial Immune System: Using Machine Learning for Next Generation ICS Security

As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access.

There is an urgent need for a new approach to combat the next generation of cyber-threats, across both OT and IT environments. While total prevention of compromise is untenable, utilizing automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or ICS.

Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense.

In this session, attendees will learn:

  • How new machine learning and mathematics are automating advanced threat detection
  • Why 100% network visibility allows you to preempt emerging situations, in real time, across both IT and OT environments
  • How smart prioritization and visualization of threats allows for better resource allocation and lower risk
  • Real-world examples of detected OT threats, from non-malicious insiders to sophisticated cyber-attackers
Sponsored by Darktrace

Jeff Cornelius, Ph.D.

EVP, Industrial Control and Critical Infrastructure Solutions, Darktrace
Jeff Cornelius joined Darktrace in February of 2014 as EVP. His background with large Enterprise Software organizations over the past 15 years lends itself to the needs of a young, innovative, market-defining organization from a commercial standpoint. Jeff oversees the global...

Tuesday October 25, 2016 1:30pm - 2:15pm EDT
Breakout 1 (Salon 1,2,3)

1:30pm EDT

CyberFence - More than an Industrial Firewall

Persistent attackers will always find a way in, often exploiting the very processes that facilitate productivity and profitable collaboration. Operators must lock down these access points to close frequently exploited attack vectors – firewalls are not enough. This session will give an overview of CyberFence, the award-winning and military-approved solution for robust and comprehensive industrial (ICS/SCADA) cyber security. CyberFence surpasses basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity. Listen for yourself why the US Navy, Department of State and many critical businesses worldwide trust CyberFence to secure network endpoints.

Sponsored by: Ultra Electronics, 3eTI

Ben Garber

Cyber Guru, Ultra Electronics, 3eTI
Mr. Garber joined 3eTI soon after completing his Master of Science in Cyber Security at University of Maryland University College (UMUC). He is instrumental in designing and implementing hacker tools and techniques to conduct penetration tests for critical infrastructure. These cyber-attack...

Tuesday October 25, 2016 1:30pm - 2:15pm EDT
Breakout 2 (Salon 4,5,6)

2:15pm EDT

Hacking the Bakken: Attacks on Kelly and Top Drive Oil Rigs

This talk will go into detail about how drilling systems communicate and some of the attacks that could be performed on a drilling rig. These include throwing off toolface information and burning out motors in BITs; disabling H2S and sour gas detection systems; changing survey data to cause the drilling crew to drill out of zone, causing sidetrack and time drilling operations that can cost millions of dollars to a drilling rig; and finally modifying chromatograph information and mud weight, causing a blow out and potentially burning a rig to the ground. Infection methods include Excel files used by directional drillers and MWD staff and third parties.

Research Background

Using a honeypot run as a disposable mail service on TOR, Weston Hecker came across custom-tailored malware including several versions of SAMSAM and Cryptolocker. In early May he came across a sample targeting “Wellsite Information Transfer Specification” (WITS) information and Measure While Drilling (MWD) systems associated with land-based drilling platforms. This led him to research the attack surface of a drilling rig.

Weston Hecker

Sr. Pentester & Senior Security Engineer, NCR Corporation
Weston Hecker has been pen-testing for 11 years and has 12 years of experience doing security research and programming. He is currently working for NCR Corporation. Weston has recently spoken at Blackhat 2016, Defcon 22, 23 and 24, Enterprise Connect 2016, ISC2-Security Congress, SC-Congress...

Tuesday October 25, 2016 2:15pm - 3:00pm EDT
Breakout 1 (Salon 1,2,3)

3:30pm EDT

Enhanced ICS/SCADA Security Using Field Device Fingerprints Composed of WS-DNA Features

Protecting Critical Infrastructure and Key Resources (CIKR) of the United States emerged as a national priority [Oba13] and simple adaptation of Information Technology (IT) security solutions for Industrial Control System (ICS) applications presents certain technical challenges for the cybersecurity community.

Results here expand upon AFIT’s PHY-based Level 0 protection strategy that was first introduced by researchers in [LoT14, LTM15]. These early works demonstrated a promising proof-of-concept capability for a Level 0 (physical end-device) anomaly detection scheme that aims to improve cyber-physical system resilience using device fingerprints composed of Wired Signal Distinct Native Attribute (WS-DNA) features. The WS-DNA features were extracted from WS responses of differential pressure transmitters employing smart sensor technology to control and monitor an experimental automated control process.

AFIT’s WS-DNA exploitation capability has been expanded, with results here based on field devices from four different manufacturers (Siemens, Yokogawa, Honeywell and Endress+Hauser) implementing the Highway Addressable Remote Transducer (HART) protocol. The aim is on discovering discriminable PHY features from the Frequency Shift Keyed (FSK) signals used for closed-loop control. Discriminability is assessed for a multi-state problem using each of the manufacturer devices operating under two different conditions. Manufacturer and operating state discrimination results include percent correct classification of %C ≥ 90% for both manufacturer (cross-model) and serial number (like-model) assessments. Thus, Level 0 WS-DNA processing is promising for discriminating field device manufacturer/operating state and remains a viable alternative for securing ICS operations. 

Juan Lopez Jr.

Cybersecurity Research Engineer, Air Force Institute of Technology
US Air Force Institute of Technology

Tuesday October 25, 2016 3:30pm - 4:15pm EDT
Breakout 1 (Salon 1,2,3)

3:30pm EDT

Securing Critical Infrastructure in Global Companies. A Return on Experience

Franky Thrasher, Senior Cyber Security Expert & Information Systems Security Officer at ENGIE, will share his end user experience in securing globally distributed critical infrastructure at one of the world’s leading energy companies.

With more than 150,000 employees worldwide and revenues in excess of €69 billion, ENGIE understands how global companies can sometimes have highly diversified, complex models.

If you run a micro grid in Antarctica, a hydro plant in the rainforest and/or gas-fired power plants in Europe and LNG fleets worldwide, are you facing the same challenges? Is any given standard applicable across your business? Is any technology applicable? Is your threat landscape modified according to your geographical location?

Thrasher will share his end user experience based on three different aspects:

Governance and regulations: Examples of corporate policies that are not applicable across the company, either due to regulatory constraints or even local sensibilities. The talk will also explain how policies and governance practices can be adapted to a complex business model in a global energy utility.

Technology: Examples will be provided of technology that has been implemented but was not as viable in different ICS environments, demonstrating that while magic “technology” boxes are useful, a completely different outlook is needed when deploying solutions on a global scale and across different business models. Thrasher will explain a remote connectivity system solution developed internally because a market product to fulfill the challenges ENGIE faced globally could not be found.

Geo politics in cyber security: How is your risk affected when you have assets in the Middle East? In Turkey? In South America? Sometimes data is not allowed outside the country; sometimes technology is deemed illegal. What are some of the cultural issues you can run into? How does a conflict between two countries you have assets in affect your business? What happens when you are not allowed to do security testing across borders? This talk will also give to-the-point examples of issues experienced when doing cybersecurity across the globe.

Franky Thrasher

Senior Cyber Security Expert & Information Systems Security Officer, ENGIE

Tuesday October 25, 2016 3:30pm - 4:15pm EDT
Breakout 2 (Salon 4,5,6)

4:15pm EDT

Achieving a Cyber Security Architecture for the OT Systems of Oil & Gas, Power, Chemicals, and Other Industrial Environments

This presentation provides a view of a target cyber security architecture made for industrial control systems – for the Operations Technology (OT) of the oil and gas, power, chemicals and other industries.

It would seem a straightforward idea. There is a cyber risk to vulnerable OT systems, so why not cyber-secure the process control networks (PCNs) by integrating layered security (a defense-in-depth security architecture) in the same manner as the IT enterprise is made secure? Sounds simple. Yet a deeper understanding of the OT – the technology, business and operational requirements – makes it clear that simply adding an IT defense-in-depth security is not so straightforward. In some cases, it can even run counter to the safe operation of the plant.

There is no question that OT systems need to be hardened against cyber adversaries. The threat is real. The vulnerabilities and lack of protections against cyber attacks are alarming. Incidents are cropping up in growing numbers, ever more consequential. But the PCNs in OT systems have significant differences from IT systems. The security architecture must fit the purpose and conditions of OT systems currently deployed in plants and remote locations – systems that are not easily replaced, enhanced or patched.

This is the challenge – to achieve a suitable security architecture for OT systems that provides needed defense-in-depth protections against cyber attacks while still meeting business requirements and safety functions.

This presentation delivers an architectural overview – first to reconcile the differences between OT operational requirements of reliable, real-time operations and safety with the cyber security requirements for identity and access control, asset management, segmentation, configuration and network management – just to name a few. Second, the presentation will discuss ways to achieve a target security architecture – one that can work within the reality of legacy (installed) PCNs with limited resource capacity constraints for computing and network flows.

How it is currently relevant to the industry: There is increasing concern within ICS industries (including Oil and Gas) about cyber threats at the same time that the industry becomes more aware of the existing exposures / vulnerabilities in its process control networks. The industry needs the right security answers – the kind that would work within a security architecture that is fit-for-purpose in an OT environment with its constraints and business demands.

What objectives will be covered?

  1. Defines the challenges to implementing cyber security in an oil and gas OT environment
  2. Defines what would be the target OT-suitable (fit-for-purpose) cyber security architecture
  3. Defines a three-step progression to achieve this target security architecture within the realities of PCN system and operational constraints

Intended audience: Engineers and Architects charged with security for OT/ICS 

Carlos Solari

CIO, Mission Secure, Inc.
Carlos Solari is an internationally recognized information technology and cyber security expert. He has been involved in some of the most sensitive roles in the U.S. federal government as well as in large multinational corporations. As the former CIO of The White House, Carlos was...

Tuesday October 25, 2016 4:15pm - 5:00pm EDT
Breakout 1 (Salon 1,2,3)

4:15pm EDT

Addressing the ICS Cybersecurity Leadership Gap

Operational Technology (OT) and specifically Industrial Control Systems (ICS) and associated equipment and devices, have mostly been ignored by industry leadership.

Safeguarding this critical area requires a unique mix of technical and operating insight into how threat actors (hostile nation-states, terrorist organizations and hacktivist organizations) can compromise industrial controls that operate and manage industrial processes – at the process level, the control component level, the human-machine interface level and the SCADA system level.

This talk will raise the level of awareness in the C-suite and Boardroom to this perilous operating risk that we think needs to be elevated well above the current limited focus on compliance with regulatory regimes that have not kept pace with the executional characteristics of industrial cyber risk. Power and utility companies need to address these risks head on, and likewise CFOs and CISOs need to understand their true insurance coverage, and possible gaps, to assess whether their stature meets their company’s acceptable risk profile. Creating awareness at high levels and driving appropriate action is required.

Attendees will learn how companies should map their at-risk industrial component configurations, provide analysis and synthesis of the critical interfaces between operating OT and IT, perform risk and asset downtime impact assessments as part of their failure mode and effects analysis, and develop practical policy recommendations - so that cybersecurity experts and operating engineers can begin to correlate conventional information security anomalies with process controls events that may impact how effectively – and how safely – industrial processes operate. We believe effective security includes developing a documented understanding of the downtime impact of addressable system equipment across the entire process, or system, with specific focus on ICS interconnection and interdependency considerations.

Ellen Smith

FTI Consulting
Ellen Smith has held senior leadership roles at several leading energy, power and utility companies including General Electric Co., Pratt & Whitney, Hess Corp. and as Chief Operating Officer of National Grid, U.S. Find out what Ellen, now Senior Managing Director and Power & Utilities...

Tuesday October 25, 2016 4:15pm - 5:00pm EDT
Breakout 2 (Salon 4,5,6)
Wednesday, October 26

2:30pm EDT

Cybersecurity Services for the Next Level of Automation

Driven by business sustainability requirements, access to (near) real-time data within the automation industry has created a growing trend towards interconnectivity between control system and enterprise environments. A component of this trend is the movement away from proprietary control system platforms and technology, to a more open and interoperable Asset Control System. This development creates opportunities for businesses, but can also simultaneously increase their exposure to potential vulnerabilities. Due to the evolving, complex nature of control systems in the enterprise today, many asset owners simply do not know where to start when it comes to devising a security strategy. A lack of awareness about their current vulnerability state makes the effective application of security controls and/or processes difficult. Many customers lack experience in determining vulnerability levels, exposure, and possible impacts of threats to network and critical assets. They also face difficulty in effectively distributing and enforcing appropriate policies and procedures.

This presentation will describe how an external Cybersecurity Services team can provide valuable assessment, implementation, maintenance, and education services for businesses focused on minimizing Operational Technology (OT) cybersecurity risks within their ICS environment.  It will also include an overview of how IT / OT environments are converging today, the challenges with managing that process and the sprawl of the Industrial IoT.  Finally, we’ll discuss some best practices that have been assembled from lessons learned in Building Automation Systems, Water / Wastewater, Refineries, and other critical infrastructure.

Sponsored by: Schneider Electric

Joshua Carlson

Cybersecurity Services Manager, Schneider Electric
Mr. Carlson possesses over 16 years of Cybersecurity experience working with the United States and Middle Eastern governments, global financial institutions, as well as market verticals for bulk energy providers, oil & gas, nuclear, petrochemical, and paper / pulp organizations; regional...

Wednesday October 26, 2016 2:30pm - 3:15pm EDT
Breakout 1 (Salon 1,2,3)

2:30pm EDT

Risk Management in ICS Security to Demonstrate Results

With cyber risk insurance as the fastest growing segment in property/casualty insurance, the discussion around industrial cyber security has moved from one of best practices and compliance to one of risk management. With the emergence of debt rating agency resiliency requirements, regulations and industry standards, boards have increasingly prioritized cyber security as a top enterprise risk.

Too many organizations opt to start with standards-based frameworks or maturity models to define their ICS security programs. Adopting these models can actually add risk and often fails to prioritize the most critical enterprise threats. Likewise, relying upon the opinions of Subject Matter Experts to take decisions where data is scarce can create more harm than good in the establishment of ICS security programs.

This talk will focus on using robust methods to define organizational risk tolerances and methods to measure and track programs to prioritized areas of risk. This approach allows ICS security program stewards and stakeholders to more easily demonstrate real improvements in security posture, achieved with security-related expenditures.

With more organizations creating dedicated operational technology security structures and responsible executive leaders, the development and maintenance of a mature ICS security program is vital.  

Sponsored By: Honeywell

Susan Peterson-Sturm

Director, Cyber Product Marketing & Strategy, Honeywell Process Solutions

Wednesday October 26, 2016 2:30pm - 3:15pm EDT
Breakout 2 (Salon 4,5,6)

3:30pm EDT

Know Your Industrial Networks Better Than Your Adversaries
Results and observations from joint IT/ICS projects

The hallmark of this year’s attack on the Ukrainian power grid was the extensive reconnaissance, performed by attackers on their target’s control networks, used to maximize system disruption. Situational awareness, incident response and recovery all depend on an accurate understanding of control system inventories, including normal process behavior. The Ukrainian attack has led our community to a key question: do we know our industrial control networks as well as our adversaries?

Despite the emergence of technologies that monitor data flows of industrial control networks, ICS operators consistently cite inadequate real-time views of control system topology, devices, and behavior as a fundamental obstacle to securing their operations. Historically, gathering and maintaining this information has proven incredibly labor intensive and disruptive to economic operations of industrial operations.

Dr. Carcano’s talk will explore case studies in which emerging technology and process-centric analytics have facilitated more automated, passive methods of inventory collection, network monitoring and characterization of normal process behavior of industrial control systems.  These emergent technologies have enabled operators to baseline normal operational processes and measure network loading.  Dr. Carcano will discuss the operational and safety benefits of automated inventory technologies such as improved visibility to misconfigurations and early detection of zero-day attacks, device failures, and other anomalies. While improving operability, these technologies also hold the promise of expedited detection of adversaries’ reconnaissance activities and improved recovery times.

Andrea Carcano

Chief Product Officer, Nozomi Networks
Andrea Carcano received the Ph.D. degree in computer science from the University of Insubria, Italy, in February 2012. During his PhD he had the chance to collaborate with international research groups and with important industries in the field of energy. From 2011 to 2013 he was entitled...

Wednesday October 26, 2016 3:30pm - 4:15pm EDT
Breakout 1 (Salon 1,2,3)

3:30pm EDT

Safety and Cyber Security: Toward a Safe and Reliable Operations

Health, safety, and environment (HSE) management systems are widely adopted by many organizations and industrial facilities we work with. The main benefits of HSE programs are risk reduction from injuries, lost time incidents, liability and insurance costs. Safety management systems have a long history of statistical evidence showing how different types of well-documented unsafe practices, near misses and incidents have been dramatically reduced and improved through ongoing awareness training, intervention and controls. The ongoing realization of a safety management system is a continuous effort towards zero incidents.

On the other hand, cyber security for industrial control systems (ICS) does not have the same benefit of decades of statistics, legislation, training, and budgets to build on, but is as critical as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is still strangely neglected in many organizations.

In this presentation, we will cover the various aspects of Safety and Cyber Security and how this could be part of every organization’s culture not only as a priority, but also as a core value:

  • How Safety and Cyber Security programs can be integrated to achieve the highest level of operational excellence
  • How to use Cyber security awareness training to reduce risk and ensure safe/reliable operations
  • Example of the first Cyber security Golden Rules from the first Online ICS Cyber Security Awareness Training for the engineering community

Jalal Bouhdada

Founder, Principal ICS Security Consultant, Applied Risk
Founder and principal ICS security consultant with over 15 years of experience as a security professional covering diverse platforms and security issues. His expertise is mostly focused around security assurance and risk assessment in OT environments. Jalal has knowledge of all areas...

Wednesday October 26, 2016 3:30pm - 4:15pm EDT
Breakout 2 (Salon 4,5,6)

4:15pm EDT

ICS Incident Response Planning

Most ICS organizations haven’t done a good job preparing to respond to a cyber attack. Further complicating this is the fact that IT personnel don’t have a good understanding of the ICS need for 100% availability, or what it takes to get a process up and running after it has been shut down. 

This presentation will help organizations prepare to respond to ICS cyber incidents whether they’re caused by unintentional insiders or malicious outsiders such as industrial spies, hacktivists, or nation-state attackers. Proper Cyber Incident Response planning will minimize financial losses due to system downtime, data loss, higher insurance premiums, and most importantly to the safety of the organization's personnel and the public.

Jack Oden

Principal Program Manager, Cybersecurity Programs, Parsons
Jack D. Oden is a Principal Program Manager and Cybersecurity Compliance Subject Matter Expert (SME) within the Federal Defense & Security Division. Jack provides consulting services to US government and commercial customers on cybersecurity in the area of industrial control systems...

Wednesday October 26, 2016 4:15pm - 5:00pm EDT
Breakout 2 (Salon 4,5,6)

4:15pm EDT

Open Discussion: Cyber Issues With Safety and Security

Wednesday's breakout sessions will conclude with a moderated discussion of the important cyber issues with safety and security.

Open to audience participation, topics will include:

  • Understanding the differences between safety and security
  • What is currently happening with standards affecting safety and security
  • What are the pros and cons of integrated control and safety as it pertains to security; should safety systems be connected (accessible) to the Internet
  • How should cyber security of safety systems differ from cyber security of control systems

Joe Weiss

Joseph M. Weiss is an international authority on cybersecurity, control systems and system security. Weiss will provide his annual "State of the State" talk, which weighs in on recent industrial cyber incidents, emerging security threats and more.

Wednesday October 26, 2016 4:15pm - 5:00pm EDT
Breakout 1 (Salon 1,2,3)