Welcome to the Interactive Agenda for the 2016 ICS Cyber Security Conference! (View the full ICS Cyber Security Conference website here)  This agenda is currently a work in progress; please check back often, as our team is making updates daily. (You can register for the conference here)
Open Workshop
Monday, October 24

9:00am EDT

Managing the Industrial Control Message: Firewalls vs NGFW vs Parsing

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so as not to raise alarms and to draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.


  • Understand ICS commands and identify abnormal behavior
  • Learn what is normal vs. abnormal activity relative to standard industrial protocols
  • Define types of DPI and weigh their relevance to types of environment
  • Pros and cons of blacklisting vs whitelisting


Matt Cowell

Director, Industrial Markets, Ultra Electronics, 3eTI.
Matt Cowell is Director, Industrial Markets at Ultra Electronics, 3eTI. He has more than 15 years of experience in ICS and OT applications with a focus on networks and cyber security. He has specific expertise in automation and SCADA systems as the company's lead for market development...

Monday October 24, 2016 9:00am - 9:45am EDT
Workshop 1 (Salon 3)

9:00am EDT

OT Security – The Big Picture.

OT Security, Control System operation and system administration management often focus on the technology, overlooking the people, process and politics side of the equation. Through this presentation, explore the soft underbelly of the cyber challenges in the ICS domain. As the former CIO of a System Integrator and Workforce Development Co-Chair for the ICSJWG, Mike offers a wide-angled view of why securing critical infrastructure is so difficult, and doesn’t need to be. Creating a comparison of the contrasting views of the need from the inside of several different organizations within Critical Infrastructure, Mike breaks down the difficult-to-talk-about topics and takes an honest approach to understanding the issues.

This discussion will shed light on how internal politics drive top-down policies and ultimately fail in accomplishing anything but contradiction and conjecture. This sets up the event horizon for loss of intellectual property through well-intentioned trusted insiders, applying “best practices” that actually hurt your organization, and lost production due to fear and a failure to establish ownership of the problem.

Security does not solve problems, it does not make money and the security paradox is that it rarely provides a more secure environment.  Lack of true situational awareness is the most dangerous part of our Nation’s infrastructure.  The problem is most people do not understand that we are missing a key data point to provide a well-rounded awareness…

Let’s explore through questioning the assumptions and talk about the tough topics.

Michael Glover

Vice President of Industrial Control Systems Strategy, TDi Technologies
Michael Glover is Vice President of Industrial Control Systems Strategy at TDi Technologies and has over twenty years of information technology management and eight years of industrial control systems security leadership experience. Prior to TDi, Mr. Glover was the Managing Partner...

Monday October 24, 2016 9:00am - 9:45am EDT
Workshop 2 (Salon 4)

9:45am EDT

Hacking IEEE 802.15.4/WirelessHART From the Ground Up

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short WirelessHART is widely used in the SCADA/ICS field.

For this reason, ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are no tools to properly audit and/or challenge it from a security perspective. No detailed information is available, which makes it challenging to conduct vulnerability development research against it.

Our presentation will cover the research that was required to build a WirelessHART fuzzing platform: from acquiring information, choosing targets and a development platform (hardware and software), and reverse engineering third-party implementations, to the trial and error we went through while developing our WirelessHART fuzzing platform.


  • Researching WirelessHART

  • Understanding the protocol

  • Reverse Engineering Third Party implementations

  • Designing and Building a WirelessHART Fuzzing platform

  • Hardware Platform

  • Transmitter

  • WH debugging (Sniffing and Dissecting)

  • Triggering and Catching crashes

  • Case study

  • Demo 

What is WirelessHART? Wikipedia describes WirelessHART as "a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The protocol utilizes a time synchronized, self-organizing, and self-healing mesh architecture. The protocol supports operation in the 2.4 GHz ISM band using IEEE 802.15.4 standard radios. Backward compatibility with the HART “user layer” allows transparent adaptation of HART compatible control systems and configuration tools to integrate new wireless networks and their devices, as well as continued use of proven configuration and system-integration work practices. It on the estimated 25 million HART field devices installed, and approximately 3 million new wired HART devices shipping each year. In September 2008, Emerson became the first process automation supplier to begin production shipments for its WirelessHART enabled products."

Sergio Alvarez

Security Researcher and Reverse Engineer, Applied Risk
Sergio Alvarez is a security researcher and reverse engineer at Applied Risk, with over 15 years of experience in vulnerability research, exploit development and both blackbox and whitebox application pentesting. Sergio has found numerous critical security vulnerabilities in widely deployed...

Monday October 24, 2016 9:45am - 10:30am EDT
Workshop 1 (Salon 3)

9:45am EDT

Improving the Industrial Cyber Security Ecosystem

The presentation will be an open and general discussion on why there is still such a reluctance at the corporate level to take responsibility for cyber-security. This talk will address topics including: 

  • Classifying attacks as “Incidents” when they are actually “Cybersecurity attacks” and the underreporting of internal threats and violations of policies.
  • How vendors and cybersecurity professionals need to do a better job at educating end customers in greater detail about the risks, benefits and costs associated with cybersecurity management
  • Where do we typically focus on cyber security measures and why they are not adequate? Examples of ICS cybersecurity breaches that were avoidable if ICS architecture was designed with OT policies and procedures, instead of IT.
  • Value in regional deployments for “simulated honeypots” on their own infrastructure networks to share findings

With increasing attacks on critical infrastructure networks that have become more frequent and consequential, more effective operational cyber solutions are required that aggregate, analyze and correlate various sources of data and across multiple platforms into a near-real time visualization that depicts the potential threats emerging. Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. With complex systems of interacting devices, networks, organizations and people to facilitate the productive sharing of information; this is quickly becoming as much of a benefit as it is a threat.

The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, Interoperability and Authentication

Maintaining the integrity of the ICS requires a thorough understanding of the communications standards used between all the various ICS components, so that we maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cyber security threats, and poor network health problems. The symptoms are obvious: sluggish HMI updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy OT network is key to preventing these failures. This discussion mentions the tools and techniques used by professional cyber security firms, including Network Security Monitoring (NSM), Intrusion Detection Systems (IDS), and manual analysis techniques, to find and isolate problems on OT networks before they cause harmful impacts or, worse, are found by your adversaries.

The takeaway for the attendees will be to demonstrate why all facets of the cybersecurity industry must work together to improve end customers' cyber-security processes and understanding, from the basic framework to how their resources and organizational structure grow over time to result in a stronger security posture. An acknowledgement from our sector that a lot still needs to be done with standards, collaboration and awareness.

This presentation will also provide end users with a roadmap to start or improve their cyber-security processes through a basic framework and how to develop their resources and organizational structure over time to result in a stronger security posture.

Anil Gosine

Anil Gosine has over 17 years of construction management, operations and engineering experience within the Industrial Sector with primary focus on Electrical, Instrumentation and Automation process issues in US, Canada and Caribbean. He has been involved in the Water/Wastewater industry...

Monday October 24, 2016 9:45am - 10:30am EDT
Workshop 2 (Salon 4)

11:00am EDT

Case Study: OT Security Management at a Major Oil and Gas Company

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data-driven decisions and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

  • Top-down approach for standardizing plant-wide security practice
  • Focus on security essentials and automate their enforcement to save scarce engineering and IT personnel time
  • Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

  • What is the aim of strengthening OT security posture and compliance maturity?
  • What challenges are organizations with complex ICS networks facing when addressing OT security?
  • Review of a global OT security project strategy, architecture and functionalities
  • Outcome and recommendation for other industrial and critical infrastructure organizations

Don Harroll

North America Director of Sales, NextNine
Don Harroll is North America Director of Sales for NextNine.

Monday October 24, 2016 11:00am - 11:45am EDT
Workshop 1 (Salon 3)

11:00am EDT

Surprises in a Decade of Evolving SCADA Security Advice

Over the last decade, Industrial Control System Security has risen to a prominent role in our lives. Much has been said and written to offer our community guidance and structure over this time. Join us for a sometimes humorous, sometimes encouraging, and sometimes pitiful look back at some of the highlights and lowlights from SCADA Security research, advice, and regulation over the past 10 years.

Michael Firstenberg

Director of Industrial Security, Waterfall Security Solutions
Mike Firstenberg is the Director of Industrial Security for Waterfall Security Solutions. Mike brings almost two decades of experience in Control System Security, specializing in Control System Cyber Security. With a proven track record as a hands-on engineer - researching, designing...

Monday October 24, 2016 11:00am - 11:45am EDT
Workshop 2 (Salon 4)

11:45am EDT

Disassembly and Hacking of Firmware: Live Hacking Demonstration

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools, with live hacking demonstration

In this session we'll cover:

  • Vulnerability and capability assessment of firmware attacks
  • Physical ramifications of tool attacks
  • Finding and verifying firmware
  • Some instances where "less security" is better
  • Safety / Security tips for firmware  

Take Aways:

  • Better understanding of the location and use of firmware in unexpected places.
  • Gain insight into the attack methodologies for and security of devices with firmware.

Monta Elkins

Security Architect, FoxGuard Solutions
Monta Elkins is currently Security Architect for FoxGuard Solutions, an ICS patch provider. A security researcher and consultant, he was formerly Security Architect for Rackspace, and the first ISO for Radford University. He has been a speaker at DEFCON, Homeland Security’s ICSJWG...

Monday October 24, 2016 11:45am - 12:30pm EDT
Workshop 1 (Salon 3)

11:45am EDT

Security or Communications Problems: How to tell the Difference

A significant part of implementing security is identifying that there really is a security problem. This session will include a discussion of polling strategies and communications integrity checks that can be done online. These checks can trigger alarms in the SCADA system if they detect real security problems. Furthermore, they can help telecommunications staff detect performance problems earlier.

This session will use DNP3 in this example, but other protocols have similar features.

Jake Brodsky

Control Systems Engineer, Washington Suburban Sanitary Commission (WSSC)
Having spent nearly 30 years of his Control Systems Engineering career at the Washington Suburban Sanitary Commission, Jake Brodsky has a lot of hard won experience (making mistakes), learning to live with his creations. He has eagerly shared this experience with various standards committees...

Monday October 24, 2016 11:45am - 12:30pm EDT
Workshop 2 (Salon 4)

1:30pm EDT

Embedded Security for the Industrial IoT
In this session, attendees will learn:
  • To understand the similarities and differences between OT and IoT security
  • How mission critical IoT has different standards
  • Discover implications for the industrial internet
  • Recommendations on how to build ultra-secure industrial ecosystems


Dean Weber

CTO, Mocana

Monday October 24, 2016 1:30pm - 2:15pm EDT
Workshop 1 (Salon 3)

1:30pm EDT

Securing Connections for Industrial Control Systems

Securing OT traffic is a fundamental component of improving OT security. There is no question that OT systems need to be hardened against cyber adversaries. The threat is real and incident rates are increasing in number and severity. This presentation explains how a proposed authentication and authorization architecture secures industrial control systems by blending TLS to secure existing OT protocols, extending X.509 digital certificates with Industrial Certification Authority.

This presentation will cover the key challenges that need to be overcome in order to introduce a digital certificate-based industrial authentication authorization concept, as well as a proposal for a secure Modbus protocol.

What will be covered?

  1. The challenges to implementing security for OT-specific protocols; an overall authentication authorization architecture for protocols and devices
  2. How to implement a role-based access control system that does not require a centralized server to be online for communication

Intended audience: General public in charge of cybersecurity for OT/ICS 

Evgeny Bugrov

Lead Cyber Security Architect, Schneider Electric

Monday October 24, 2016 1:30pm - 2:15pm EDT
Workshop 2 (Salon 4)

2:15pm EDT

Critical Infrastructure Attacks | Preventing the Kill Chain in Industrial Control Systems

Industrial Control Systems surround every aspect of our life. Our water and electric supplies are fully dependent on the reliable operation of those systems. The same goes for our medicine production or chemical facilities.

Are those systems fully secured? Is your OT network immune against cyber-attacks?

Stay one step ahead of the threat actors by learning from the experience of your sector counterparts. In this interactive discussion, explore how to segment, secure and prevent various attack vectors on your OT networks. The conversation will examine using the most advanced discovery and detection techniques.

Mati Epstein

Global Sales Manager, Industrial Control Systems (ICS), Check Point Software Technologies
Mati Epstein is the Global Sales Manager of Security solutions for Industrial Control Systems and Critical Infrastructure in Check Point’s Government and Defense sectors division. With over 20 years’ experience in sales and business development positions in the areas of communication...

Monday October 24, 2016 2:15pm - 3:00pm EDT
Workshop 2 (Salon 4)

2:15pm EDT

Cyber-Physical Critical Infrastructure Mission Resiliency Analysis

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.

Dr. David Flanigan

Vice Chair, Systems Engineering, Johns Hopkins University Applied Physics Laboratory
Dr. Flanigan works with government, industry, and academia to plan and execute analytical studies in support of advanced concepts and integrated acquisition strategies. Before arriving at JHU/APL, Dr. Flanigan was a Surface Warfare Officer and retired from the US Naval Reserve...

Monday October 24, 2016 2:15pm - 3:00pm EDT
Workshop 1 (Salon 3)

3:30pm EDT

Are Your Networked Devices Working for You or Someone Else?

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices; some highlights (tailored toward the SCADA side) will be covered in the presentation.

Matthew Caldwell, CISSP

Chief Security Researcher, BorderHawk
Matthew is Chief Security Researcher at BorderHawk.  Notably, Matthew was instrumental at BorderHawk’s Anchorage Lab in identifying cyber risks and developing mitigation strategies associated with IoT used within certain energy company environments. Matthew’s cybersecurity...

Monday October 24, 2016 3:30pm - 4:15pm EDT
Workshop 1 (Salon 3)

3:30pm EDT

Understanding the Role of Privilege in ICS Cyberattacks

The Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 breaches reported in the previous year, 98 percent could have been prevented if certain basic security protocols had been in place.

As evidenced by the Ukraine Power Grid Attack and other recent breaches, privileged accounts are on the attacker's critical path to success 100% of the time in every attack. Let’s elevate the conversation and talk about how this attack vector is taking the industrial world by surprise. In this session, Alex Leemon will present the case studies of two companies that have put in place proactive controls to safeguard industrial control systems from malicious insiders or external threats by implementing privileged account security controls as recommended by the DHS/FBI/NSA publication.

Attendees will also learn how to mitigate the risks associated with the increased connectivity between IT and OT through the implementation of controls that can be used to isolate, control and monitor interactive remote access sessions which connect to ICS.

With cyber-attacks posing an increasing threat to critical infrastructure, a change of mindset is needed – one that presumes an attacker will inevitably infiltrate the network. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that industrial organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.

Learning Objectives:

In this session, attendees will learn how organizations have applied the steps recommended by the DHS/FBI/NSA publication to safeguard industrial control systems. Attendees will learn how to lock up the “keys to the kingdom” through the implementation of a privileged account security solution while safeguarding critical assets from potentially malicious activity.

Attendees will also learn how to:

  • Reduce the attack surface area
  • Help prevent the spread of malware to critical systems
  • Implement Secure Remote Access
  • Monitor and Respond

Yariv Lenchner

Senior Product Manager, Operational Technologies (OT), CyberArk
Yariv Lenchner is the Senior Product Manager, Operational Technologies (OT), for CyberArk Software. Over the past 15 years he has served in various product marketing, product management and system engineering capacities in the fields of Security, VoIP, IP networking and enterprise...

Monday October 24, 2016 3:30pm - 4:15pm EDT
Workshop 2 (Salon 4)