Welcome to the Interactive Agenda for the 2016 ICS Cyber Security Conference! (View the full ICS Cyber Security Conference website here) This agenda is currently a work in progress; please check back often, as our team is making updates DAILY. (You can register for the conference here)
Workshop 1 (Salon 3)
Monday, October 24

9:00am EDT

Managing the Industrial Control Message: Firewalls vs NGFW vs Parsing

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so as not to raise alarms and to draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.


  • Understand ICS commands and identify abnormal behavior
  • Learn what is normal vs. abnormal activity relative to standard industrial protocols
  • Define types of DPI and weigh their relevance to types of environment
  • Pros and cons of blacklisting vs whitelisting



Matt Cowell

Director, Industrial Markets, Ultra Electronics, 3eTI.
Matt Cowell is Director, Industrial Markets at Ultra Electronics, 3eTI. He has more than 15 years of experience in ICS and OT applications with a focus on networks and cyber security. He has specific expertise in automation and SCADA systems as the company's lead for market development...

Monday October 24, 2016 9:00am - 9:45am EDT
Workshop 1 (Salon 3)

9:45am EDT

Hacking IEEE 802.15.4/WirelessHART From the Ground Up

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short, WirelessHART is widely used in the SCADA/ICS field.

For this reason, ensuring the security of its deployment and implementation becomes critical. The main issue is that at the moment there are no tools to properly audit and/or challenge it from a security perspective. No detailed information is available, which makes it challenging to conduct vulnerability research against it.

Our presentation will cover the research that was required to build a WirelessHART fuzzing platform: acquiring information, choosing targets, the development platform (hardware and software), reverse engineering third-party implementations, and the trial and error we went through while developing our WirelessHART fuzzing platform.


  • Researching WirelessHART

  • Understanding the protocol

  • Reverse Engineering Third Party implementations

  • Designing and Building a WirelessHART Fuzzing platform

  • Hardware Platform

  • Transmitter

  • WH debugging (Sniffing and Dissecting)

  • Triggering and Catching crashes

  • Case study

  • Demo 

What is WirelessHART? Wikipedia describes WirelessHART as "a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The protocol utilizes a time synchronized, self-organizing, and self-healing mesh architecture. The protocol supports operation in the 2.4 GHz ISM band using IEEE 802.15.4 standard radios. Backward compatibility with the HART “user layer” allows transparent adaptation of HART compatible control systems and configuration tools to integrate new wireless networks and their devices, as well as continued use of proven configuration and system-integration work practices. It on the estimated 25 million HART field devices installed, and approximately 3 million new wired HART devices shipping each year. In September 2008, Emerson became the first process automation supplier to begin production shipments for its WirelessHART enabled products."


Sergio Alvarez

Security Researcher and Reverse Engineer, Applied Risk
Sergio Alvarez is a security researcher and reverse engineer at Applied Risk, with over 15 years of experience in vulnerability research, exploit development and both blackbox and whitebox application pentesting. Sergio has found numerous critical security vulnerabilities in widely deployed...

Monday October 24, 2016 9:45am - 10:30am EDT
Workshop 1 (Salon 3)

11:00am EDT

Case Study: OT Security Management at a Major Oil and Gas Company

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data-driven decisions and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

  • Top-down approach for standardizing plant-wide security practice
  • Focus on security essentials and automate their enforcement to save scarce engineering and IT personnel time
  • Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

  • What is the aim to strengthen OT security posture and compliance maturity?
  • What challenges are organizations with complex ICS networks facing when addressing OT security?
  • Review of a global OT security project strategy, architecture and functionalities
  • Outcome and recommendation for other industrial and critical infrastructure organizations


Don Harroll

North America Director of Sales, NextNine
Don Harroll is North America Director of Sales for NextNine.

Monday October 24, 2016 11:00am - 11:45am EDT
Workshop 1 (Salon 3)

11:45am EDT

Disassembly and Hacking of Firmware: Live Hacking Demonstration

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools, with live hacking demonstration

In this session we'll cover:

  • Vulnerability and capability assessment of firmware attacks
  • Physical ramifications of tool attacks
  • Finding and verifying firmware
  • Some instances where "less security" is better
  • Safety / Security tips for firmware  

Takeaways:

  • Better understanding of the location and use of firmware in unexpected places.
  • Gain insight into the attack methodologies for and security of devices with firmware.


Monta Elkins

Security Architect, FoxGuard Solutions
Monta Elkins is currently Security Architect for FoxGuard Solutions, an ICS patch provider. A security researcher and consultant, he was formerly Security Architect for Rackspace, and the first ISO for Radford University. He has been a speaker at DEFCON, Homeland Security’s ICSJWG...

Monday October 24, 2016 11:45am - 12:30pm EDT
Workshop 1 (Salon 3)

1:30pm EDT

Embedded Security for the Industrial IoT
In this session, attendees will learn:
  • To understand the similarities and differences between OT and IoT security
  • How mission critical IoT has different standards
  • Discover implications for the industrial internet
  • Recommendations on how to build ultra-secure industrial ecosystems


Dean Weber

CTO, Mocana

Monday October 24, 2016 1:30pm - 2:15pm EDT
Workshop 1 (Salon 3)

2:15pm EDT

Cyber-Physical Critical Infrastructure Mission Resiliency Analysis

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.


Dr. David Flanigan

Vice Chair, Systems Engineering, Johns Hopkins University Applied Physics Laboratory
Dr. Flanigan works with government, industry, and academia to plan and execute analytical studies in support of advanced concepts and integrated acquisition strategies. Before arriving at JHU/APL, Dr. Flanigan was a Surface Warfare Officer and retired from the US Naval Reserve...

Monday October 24, 2016 2:15pm - 3:00pm EDT
Workshop 1 (Salon 3)

3:30pm EDT

Are Your Networked Devices Working for You or Someone Else?

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices; some highlights (tailored toward the SCADA side) will be covered in the presentation.


Matthew Caldwell, CISSP

Chief Security Researcher, BorderHawk
Matthew is Chief Security Researcher at BorderHawk. Notably, Matthew was instrumental at BorderHawk’s Anchorage Lab in identifying cyber risks and developing mitigation strategies associated with IoT used within certain energy company environments. Matthew’s cybersecurity...

Monday October 24, 2016 3:30pm - 4:15pm EDT
Workshop 1 (Salon 3)

4:15pm EDT

ICS Vulnerabilities in Modern Data Centers

The world’s industrial and critical infrastructure is now connected to the Internet -- and it’s completely unprotected against network-based attacks. There are many challenges ahead for securing the Industrial IoT. Organizations responsible for critical infrastructure are hesitant to enable Internet communications to industrial assets because of cybersecurity concerns. 

But integrating the “Industrial Internet” can lead to increased visibility into Operational Technology (OT) processes, applications and data. OT data such as Industrial Control Systems (ICS) can be leveraged to prevent disruptions and enhance operational efficiency and continuity.

In this presentation, Francis Cianfrocca will describe Industrial Internet security best practices that can move your organization from vulnerable to secure. The presentation will examine the challenges of IT/OT convergence with real-life stories from the field, describing actual Industrial Internet security projects and lessons learned. These use cases enable benefits such as reduced costs and improved efficiency; protection of field industrial devices from local and Internet-based attack; safe and secure third-party access to local OT/ICS devices and data; and aggregation and analysis of big data to create visibility and insight to operations such as:

  • Data Centers
  • Building Automation Systems
  • Critical Infrastructure

Data Centers are particularly vulnerable to cyber-attacks on industry and infrastructure. Today's hackers can shut down businesses and threaten personal safety by remotely accessing building automation systems, HVAC, power generation, fire suppression, access card readers, and so on -- anything with a sensor can be compromised.

Learning objectives for attendees 

  • Examination of the IT/OT convergence cyber security apertures
  • Overview of Best Practices for Industrial IoT cyber security
  • Operational policies that define how you manage your OT assets and processes
  • Security policies that define how you protect your physical OT assets and business processes from being compromised
  • Safety policies that define how you manage OT assets and processes to ensure the safety of your employees, your customers, the public, and the environment. 




Francis Cianfrocca

Bayshore Networks, Founder & Chief Executive Officer
Francis leads Bayshore’s technology vision and thought leadership. He is Bayshore’s technology inventor, and a recognized IoT industry visionary and evangelist. He has a significant following on subjects relating to technology, cybersecurity, and national economic and security...

Monday October 24, 2016 4:15pm - 5:00pm EDT
Workshop 1 (Salon 3)