2016 ICS Cyber Security Conference

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so not to raise alarms and draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.

KEY TOPICS & TAKE AWAYS

• Understand ICS commands and identify abnormal behavior
• Learn what is normal vs. abnormal activity relative to standard industrial protocols
• Define types of DPI and weigh their relevance to types of environment
• Pros and cons of blacklisting vs whitelisting

 

OT Security, Control System operation and system administration management often focuses on the technology, overlooking the people, process and politics side of the equations.  Through this presentation explore the soft underbelly of the cyber challenges in the ICS Domain.  As the former CIO of a System Integrator and Workforce Development Co-Chair for the ICSJWG Mike offers a wide angled view of why securing critical infrastructure is so difficult, and doesn’t need to be.  Creating a comparison of the contrasting view of the need from the inside of several different organizations within Critical Infrastructure Mike breaks down the difficult to talk topics about and takes an honest approach to understanding the issues. 

This discussion will shed light on how internal politics drive top down policies and ultimately fail in accomplishing anything but contradiction and conjecture.  This sets up the event horizon for loss of intellectual property through well intentioned trusted insiders, applying “best practices” that actually hurt your organization and loss production due to fear and a lack of establishing ownership to the problem. 

Security does not solve problems, it does not make money and the security paradox is that it rarely provides a more secure environment.  Lack of true situational awareness is the most dangerous part of our Nation’s infrastructure.  The problem is most people do not understand that we are missing a key data point to provide a well-rounded awareness…

Let’s explore though questioning the assumptions and talk about the tough topics.

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short WirelessHART is widely used in the SCADA/ICS field.

For this reason ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are not tools to properly audit and/or challenge it from a security perspective. No detailed information is available which makes it challenging to conduct vulnerability development research against it.

Our presentation will cover the research it was required to build a WirelessHART fuzzing platform. From acquiring information, choosing targets, development platform (hardware and software), reverse engineering third party implementation and trial and error we went though while developing hour WirelssHART fuzzing platform.

Agenda

• Researching WirelessHART

• Understanding the protocol

• Reverse Engineering Third Party implementations

• Designing and Building a WirelessHART Fuzzing platform

• Hardware Platform

• Transmitter

• WH debugging (Sniffing and Dissecting)

• Triggering and Catching crashes

• Case study

• Demo 

What is Wireless WirelessHART? WikiPedia desribes WirelessHART as "a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The protocol utilizes a time synchronized, self-organizing, and self-healing mesh architecture. The protocol supports operation in the 2.4 GHz ISM band using IEEE 802.15.4 standard radios. Backward compatibility with the HART “user layer” allows transparent adaptation of HART compatible control systems and configuration tools to integrate new wireless networks and their devices, as well as continued use of proven configuration and system-integration work practices. It on the estimated 25 million HART field devices installed, and approximately 3 million new wired HART devices shipping each year. In September 2008, Emerson became the first process automation supplier to begin production shipments for its WirelessHART enabled products."

The presentation will be an open and general discussion on why there is still such a reluctance at the corporate level to take responsibility for cyber-security. This talk will address topics including: 

• Classifying attacks as “Incidents” when they are actually “Cybersecurity attacks” and the underreporting internal threats and violations of policies.
• How vendors and cybersecurity professionals need to do a better job at educating end customers with greater details to the risks, benefits, costs associated with cybersecurity management
• Where do we typically focus on cyber security measures and why they are not adequate? Examples of ICS cybersecurity breaches that were avoidable if ICS architecture was designed with OT policies and procedures, instead of IT.
• Value in regional deployments for “simulated honeypots” on their own infrastructure networks to share findings

With increasing attacks on critical infrastructure networks that have become more frequent and consequential, more effective operational cyber solutions are required that aggregate, analyze and correlate various sources of data and across multiple platforms into a near-real time visualization that depicts the potential threats emerging. Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. With complex systems of interacting devices, networks, organizations and people to facilitate the productive sharing of information; this is quickly becoming as much of a benefit as it is a threat.

The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, Interoperability and Authentication

Maintaining the integrity of the ICS requires thorough understanding of the communications standards used between all the various ICS components, so that we maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cyber security threats, and poor network health problems. The symptoms are obvious; sluggish HMI updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy OT network is key to preventing these failures. This discussion mentions the tools and techniques used by professional cyber security firms including Network Security Monitoring (NSM), Intrusion Detection Systems (IDS), and manual analysis techniques are used to find and isolate problems on OT networks before they cause harmful impacts, or worse found by your adversaries.

The take away for the attendees will be to demonstrate why all facets of the cybersecurity industry must work together to improve end customers cyber-security processes and understanding from the basic framework to how their resources and organizational structure grow over time to result in a stronger security posture. An acknowledgement from our sector that a lot still needs to be done with standards, collaboration and awareness.

This presentation will also provide end users with a roadmap to start or improve their cyber- security processes through a basic framework and how to develop their resources and organizational structure over time to result in a stronger security posture.

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data driven decision and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

• Top down approach for a standardizing plant-wide security practice
• Focus on security essential and automate their enforcement to save scarce engineering and IT personal time
• Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

• What is the aim to strengthen OT security posture and compliance maturity?
• What challenges are organizations with complex ICS networks facing when addressing OT security?
• Review of a global OT security project strategy, architecture and functionalities
• Outcome and recommendation for other industrial and critical infrastructure organizations

Over the last decade, Industrial Control System Security has risen to a prominent role in our lives. Much has been said and written to offer our community guidance and structure over this time. Join us for a sometimes humorous, sometimes encouraging, and sometimes pitiful look back at some of the highlights and lowlights from SCADA Security research, advice, and regulation over the past 10 years.

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools- with live hacking demonstration

 In this session we'll cover:           

• Vulnerability and capability assessment of firmware attacks
• Physical ramifications of tool attacks
• Finding and verifying firmware
• Some instances where "less security" is better
• Safety / Security tips for firmware  

Take Aways:

• Better understanding of the location and use of firmware in unexpected places.
• Gain insight into the attack methodologies for and security of devices with firmware.

A significant part of implementing security is identifying that there really is a security problem. This discussion will include a discussion of Polling Strategies, and communications integrity checks that can be done online. It can trigger alarms in the SCADA system if they detect real security problems. Furthermore, it can help telecommunications staff detect performance problems earlier.

This session will use DNP3 in this example, but other protocols have similar features.

In this session, attendees with learn:

• To understand the similarities and differences between OT and IoT security
• How mission critical IoT has different standards
• Discover implications for the industrial internet
• Recommendations on how to build ultra-secure industrial ecosystems

 

Securing OT traffic is a fundamental component of improving OT security. There is no question that OT systems need to be hardened against cyber adversaries. The threat is real and incident rates are increasing in number and severity. This presentation explains how a proposed authentication and authorization architecture secures industrial control systems by blending TLS to secure existing OT protocols, extending X.509 digital certificates with Industrial Certification Authority.

This presentation will cover the key challenges that need to be overcome in order to introduce a digital certificate-based industrial authentication authorization concept, as well as a proposal for a secure Modbus protocol.

What will be covered?

1. The challenges to implementing security for OT-specific protocols; an overall authentication authorization architecture for protocols and devices
2. How to implement a role-based access control system that does not require a centralized server to be online for communication

Intended audience: General public in charge of cybersecurity for OT/ICS 

Industrial Control Systems are surrounding every aspect of our life. Our water or electric supply are fully dependent on reliable operation of those systems. The same goes for our medicine production or a chemical facilities. 

Are those systems fully secured? Is your OT network immune against cyber-attacks?

Stay one step ahead of the threat actors by learning from the experience of your sector counterparts. In this interactive discussion explore: how to segment, secure and prevent various attack vectors on your OT networks. The conversation will examine  using most advanced discovery and detection techniques.

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization, may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices which some highlights (tailored toward SCADA side) will be covered in the presentation. 

The Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 breaches reported in the previous year, 98 percent could have been prevented if certain basic security protocols had been in place.

As evidenced by the Ukraine Power Grid Attack and other recent breaches, privileged accounts are on the attackers critical path to success 100% of the time in every attack. Let’s elevate the conversation and talk about how this attack vector is taking the industrial world by surprise. In this session, Alex Leemon will present the case studies of two companies that have put in place proactive controls to safeguard industrial control systems from malicious insiders or external threats by implementing privileged account security controls as recommended by the DHS/FBI/NSA publication.

Attendees will also learn how to mitigate the risks associated with the increased connectivity between IT and OT through the implementation of controls that can be used to isolate, control and monitor interactive remote access sessions which connect to ICS.

With cyber-attacks posing an increasing threat to critical infrastructure, a change of mindset is needed – one that presumes an attacker will inevitably infiltrate the network. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that industrial organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.

Learning Objectives:

In this session, attendees will learn how organizations have applied the steps recommended by the DHS/FBI/NSA publication to safeguard industrial control systems. Attendees will learn how to lock up the “keys to the kingdom” through the implementation of a privileged account security solution while safeguarding critical assets from potentially malicious activity.

Attendees will also learn how to:

• Reduce the attack surface area
• Help prevent the spread of malware to critical systems
• Implement Secure Remote Access
• Monitor and  Respond