ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.
ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so not to raise alarms and draw as little attention as possible, while the malware compromises as much as possible.
With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.
KEY TOPICS & TAKE AWAYS
OT Security, Control System operation and system administration management often focuses on the technology, overlooking the people, process and politics side of the equations. Through this presentation explore the soft underbelly of the cyber challenges in the ICS Domain. As the former CIO of a System Integrator and Workforce Development Co-Chair for the ICSJWG Mike offers a wide angled view of why securing critical infrastructure is so difficult, and doesn’t need to be. Creating a comparison of the contrasting view of the need from the inside of several different organizations within Critical Infrastructure Mike breaks down the difficult to talk topics about and takes an honest approach to understanding the issues.
This discussion will shed light on how internal politics drive top down policies and ultimately fail in accomplishing anything but contradiction and conjecture. This sets up the event horizon for loss of intellectual property through well intentioned trusted insiders, applying “best practices” that actually hurt your organization and loss production due to fear and a lack of establishing ownership to the problem.
Security does not solve problems, it does not make money and the security paradox is that it rarely provides a more secure environment. Lack of true situational awareness is the most dangerous part of our Nation’s infrastructure. The problem is most people do not understand that we are missing a key data point to provide a well-rounded awareness…
Let’s explore though questioning the assumptions and talk about the tough topics.
WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short WirelessHART is widely used in the SCADA/ICS field.
For this reason ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are not tools to properly audit and/or challenge it from a security perspective. No detailed information is available which makes it challenging to conduct vulnerability development research against it.
Our presentation will cover the research it was required to build a WirelessHART fuzzing platform. From acquiring information, choosing targets, development platform (hardware and software), reverse engineering third party implementation and trial and error we went though while developing hour WirelssHART fuzzing platform.
Agenda
Researching WirelessHART
Understanding the protocol
Reverse Engineering Third Party implementations
Designing and Building a WirelessHART Fuzzing platform
Hardware Platform
Transmitter
WH debugging (Sniffing and Dissecting)
Triggering and Catching crashes
Case study
Demo
The presentation will be an open and general discussion on why there is still such a reluctance at the corporate level to take responsibility for cyber-security. This talk will address topics including:
With increasing attacks on critical infrastructure networks that have become more frequent and consequential, more effective operational cyber solutions are required that aggregate, analyze and correlate various sources of data and across multiple platforms into a near-real time visualization that depicts the potential threats emerging. Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. With complex systems of interacting devices, networks, organizations and people to facilitate the productive sharing of information; this is quickly becoming as much of a benefit as it is a threat.
The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, Interoperability and Authentication
Maintaining the integrity of the ICS requires thorough understanding of the communications standards used between all the various ICS components, so that we maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cyber security threats, and poor network health problems. The symptoms are obvious; sluggish HMI updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy OT network is key to preventing these failures. This discussion mentions the tools and techniques used by professional cyber security firms including Network Security Monitoring (NSM), Intrusion Detection Systems (IDS), and manual analysis techniques are used to find and isolate problems on OT networks before they cause harmful impacts, or worse found by your adversaries.
The take away for the attendees will be to demonstrate why all facets of the cybersecurity industry must work together to improve end customers cyber-security processes and understanding from the basic framework to how their resources and organizational structure grow over time to result in a stronger security posture. An acknowledgement from our sector that a lot still needs to be done with standards, collaboration and awareness.
This presentation will also provide end users with a roadmap to start or improve their cyber- security processes through a basic framework and how to develop their resources and organizational structure over time to result in a stronger security posture.
The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data driven decision and allow remote monitoring of field assets by 1st and 3rd party experts.
The enterprise strategy was based on three pillars:
In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.
Key Takeaways:
Over the last decade, Industrial Control System Security has risen to a prominent role in our lives. Much has been said and written to offer our community guidance and structure over this time. Join us for a sometimes humorous, sometimes encouraging, and sometimes pitiful look back at some of the highlights and lowlights from SCADA Security research, advice, and regulation over the past 10 years.
Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools- with live hacking demonstration
In this session we'll cover:
Take Aways:
A significant part of implementing security is identifying that there really is a security problem. This discussion will include a discussion of Polling Strategies, and communications integrity checks that can be done online. It can trigger alarms in the SCADA system if they detect real security problems. Furthermore, it can help telecommunications staff detect performance problems earlier.
This session will use DNP3 in this example, but other protocols have similar features.
Securing OT traffic is a fundamental component of improving OT security. There is no question that OT systems need to be hardened against cyber adversaries. The threat is real and incident rates are increasing in number and severity. This presentation explains how a proposed authentication and authorization architecture secures industrial control systems by blending TLS to secure existing OT protocols, extending X.509 digital certificates with Industrial Certification Authority.
This presentation will cover the key challenges that need to be overcome in order to introduce a digital certificate-based industrial authentication authorization concept, as well as a proposal for a secure Modbus protocol.
What will be covered?
Intended audience: General public in charge of cybersecurity for OT/ICS
Industrial Control Systems are surrounding every aspect of our life. Our water or electric supply are fully dependent on reliable operation of those systems. The same goes for our medicine production or a chemical facilities.
Are those systems fully secured? Is your OT network immune against cyber-attacks?
Stay one step ahead of the threat actors by learning from the experience of your sector counterparts. In this interactive discussion explore: how to segment, secure and prevent various attack vectors on your OT networks. The conversation will examine using most advanced discovery and detection techniques.
Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology. Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors. However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility. This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.
A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system. An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission. This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations. The mission impact is quantified to enable informed decision making of the entire solution space.
This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization, may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.
In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.
Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.
The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.
Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices which some highlights (tailored toward SCADA side) will be covered in the presentation.
The Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 breaches reported in the previous year, 98 percent could have been prevented if certain basic security protocols had been in place.
As evidenced by the Ukraine Power Grid Attack and other recent breaches, privileged accounts are on the attackers critical path to success 100% of the time in every attack. Let’s elevate the conversation and talk about how this attack vector is taking the industrial world by surprise. In this session, Alex Leemon will present the case studies of two companies that have put in place proactive controls to safeguard industrial control systems from malicious insiders or external threats by implementing privileged account security controls as recommended by the DHS/FBI/NSA publication.
Attendees will also learn how to mitigate the risks associated with the increased connectivity between IT and OT through the implementation of controls that can be used to isolate, control and monitor interactive remote access sessions which connect to ICS.
With cyber-attacks posing an increasing threat to critical infrastructure, a change of mindset is needed – one that presumes an attacker will inevitably infiltrate the network. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that industrial organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.
Learning Objectives:
In this session, attendees will learn how organizations have applied the steps recommended by the DHS/FBI/NSA publication to safeguard industrial control systems. Attendees will learn how to lock up the “keys to the kingdom” through the implementation of a privileged account security solution while safeguarding critical assets from potentially malicious activity.
Attendees will also learn how to: