2016 ICS Cyber Security Conference

Learn how attackers reverse engineer, compromise, and backdoor, control systems.

Brought to you by the Senrio research team (formerly Xipiter) whose custom developed trainings have sold out at Blackhat five years running, this intense hands-on Automation Exploitation workshop is meant to provide an introductory basis to the unique security challenges in the world of Automation.

Participants will learn how attackers reverse engineer, tamper with,and exploit all parts of an industrial control network. Since Automotive technologies have their roots in Industrial Control and Building Automation (CAN bus) this course will also include "Car Hacking" content. Participants will learn about threats to those systems, perform hand-on attacks themselves, and learn how these insecure design patterns are found throughout the world of Automation (and automotives!).

Who Should Attend:

• Field Service Engineers, Safety Engineers, Automation Engineers,"Makers", Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student Requirements:

• Understanding basic computing.
• Some programming experience a plus.

• A laptop (running their favorite OS) capable of connecting to wired and wireless networks. Laptop must also have several available and operational USB Ports
• Installed and valid VMWare workstation (with working access to USB Ports and network card bridged or NATed)
• Three button external mouse.

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so not to raise alarms and draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.

KEY TOPICS & TAKE AWAYS

• Understand ICS commands and identify abnormal behavior
• Learn what is normal vs. abnormal activity relative to standard industrial protocols
• Define types of DPI and weigh their relevance to types of environment
• Pros and cons of blacklisting vs whitelisting

OT Security, Control System operation and system administration management often focuses on the technology, overlooking the people, process and politics side of the equations.  Through this presentation explore the soft underbelly of the cyber challenges in the ICS Domain.  As the former CIO of a System Integrator and Workforce Development Co-Chair for the ICSJWG Mike offers a wide angled view of why securing critical infrastructure is so difficult, and doesn’t need to be.  Creating a comparison of the contrasting view of the need from the inside of several different organizations within Critical Infrastructure Mike breaks down the difficult to talk topics about and takes an honest approach to understanding the issues. 

This discussion will shed light on how internal politics drive top down policies and ultimately fail in accomplishing anything but contradiction and conjecture.  This sets up the event horizon for loss of intellectual property through well intentioned trusted insiders, applying “best practices” that actually hurt your organization and loss production due to fear and a lack of establishing ownership to the problem. 

Security does not solve problems, it does not make money and the security paradox is that it rarely provides a more secure environment.  Lack of true situational awareness is the most dangerous part of our Nation’s infrastructure.  The problem is most people do not understand that we are missing a key data point to provide a well-rounded awareness…

Let’s explore though questioning the assumptions and talk about the tough topics.

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short WirelessHART is widely used in the SCADA/ICS field.

For this reason ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are not tools to properly audit and/or challenge it from a security perspective. No detailed information is available which makes it challenging to conduct vulnerability development research against it.

Our presentation will cover the research it was required to build a WirelessHART fuzzing platform. From acquiring information, choosing targets, development platform (hardware and software), reverse engineering third party implementation and trial and error we went though while developing hour WirelssHART fuzzing platform.

Agenda

• Researching WirelessHART

• Understanding the protocol

• Reverse Engineering Third Party implementations

• Designing and Building a WirelessHART Fuzzing platform

• Hardware Platform

• Transmitter

• WH debugging (Sniffing and Dissecting)

• Triggering and Catching crashes

• Case study

• Demo 

The presentation will be an open and general discussion on why there is still such a reluctance at the corporate level to take responsibility for cyber-security. This talk will address topics including: 

• Classifying attacks as “Incidents” when they are actually “Cybersecurity attacks” and the underreporting internal threats and violations of policies.
• How vendors and cybersecurity professionals need to do a better job at educating end customers with greater details to the risks, benefits, costs associated with cybersecurity management
• Where do we typically focus on cyber security measures and why they are not adequate? Examples of ICS cybersecurity breaches that were avoidable if ICS architecture was designed with OT policies and procedures, instead of IT.
• Value in regional deployments for “simulated honeypots” on their own infrastructure networks to share findings

With increasing attacks on critical infrastructure networks that have become more frequent and consequential, more effective operational cyber solutions are required that aggregate, analyze and correlate various sources of data and across multiple platforms into a near-real time visualization that depicts the potential threats emerging. Organizations have to look beyond their own perimeter to collaborate and assess the impact of a cyber-attack on their corporate partners, suppliers, and vendors. With complex systems of interacting devices, networks, organizations and people to facilitate the productive sharing of information; this is quickly becoming as much of a benefit as it is a threat.

The U.S. Department of Homeland Security (DHS) has identified three core principles for developing cyber ecosystems: Automation, Interoperability and Authentication

Maintaining the integrity of the ICS requires thorough understanding of the communications standards used between all the various ICS components, so that we maintain safe and efficient operations. In this cyber-physical layer, it can be difficult to spot communications errors, cyber security threats, and poor network health problems. The symptoms are obvious; sluggish HMI updates, unexplained shutdowns, and precarious failures of ICS components. A robust and healthy OT network is key to preventing these failures. This discussion mentions the tools and techniques used by professional cyber security firms including Network Security Monitoring (NSM), Intrusion Detection Systems (IDS), and manual analysis techniques are used to find and isolate problems on OT networks before they cause harmful impacts, or worse found by your adversaries.

The take away for the attendees will be to demonstrate why all facets of the cybersecurity industry must work together to improve end customers cyber-security processes and understanding from the basic framework to how their resources and organizational structure grow over time to result in a stronger security posture. An acknowledgement from our sector that a lot still needs to be done with standards, collaboration and awareness.

This presentation will also provide end users with a roadmap to start or improve their cyber- security processes through a basic framework and how to develop their resources and organizational structure over time to result in a stronger security posture.

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data driven decision and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

• Top down approach for a standardizing plant-wide security practice
• Focus on security essential and automate their enforcement to save scarce engineering and IT personal time
• Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

• What is the aim to strengthen OT security posture and compliance maturity?
• What challenges are organizations with complex ICS networks facing when addressing OT security?
• Review of a global OT security project strategy, architecture and functionalities
• Outcome and recommendation for other industrial and critical infrastructure organizations

Over the last decade, Industrial Control System Security has risen to a prominent role in our lives. Much has been said and written to offer our community guidance and structure over this time. Join us for a sometimes humorous, sometimes encouraging, and sometimes pitiful look back at some of the highlights and lowlights from SCADA Security research, advice, and regulation over the past 10 years.

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools- with live hacking demonstration

 In this session we'll cover:           

• Vulnerability and capability assessment of firmware attacks
• Physical ramifications of tool attacks
• Finding and verifying firmware
• Some instances where "less security" is better
• Safety / Security tips for firmware  

Take Aways:

• Better understanding of the location and use of firmware in unexpected places.
• Gain insight into the attack methodologies for and security of devices with firmware.

A significant part of implementing security is identifying that there really is a security problem. This discussion will include a discussion of Polling Strategies, and communications integrity checks that can be done online. It can trigger alarms in the SCADA system if they detect real security problems. Furthermore, it can help telecommunications staff detect performance problems earlier.

This session will use DNP3 in this example, but other protocols have similar features.

• To understand the similarities and differences between OT and IoT security
• How mission critical IoT has different standards
• Discover implications for the industrial internet
• Recommendations on how to build ultra-secure industrial ecosystems

Securing OT traffic is a fundamental component of improving OT security. There is no question that OT systems need to be hardened against cyber adversaries. The threat is real and incident rates are increasing in number and severity. This presentation explains how a proposed authentication and authorization architecture secures industrial control systems by blending TLS to secure existing OT protocols, extending X.509 digital certificates with Industrial Certification Authority.

This presentation will cover the key challenges that need to be overcome in order to introduce a digital certificate-based industrial authentication authorization concept, as well as a proposal for a secure Modbus protocol.

What will be covered?

1. The challenges to implementing security for OT-specific protocols; an overall authentication authorization architecture for protocols and devices
2. How to implement a role-based access control system that does not require a centralized server to be online for communication

Intended audience: General public in charge of cybersecurity for OT/ICS 

Industrial Control Systems are surrounding every aspect of our life. Our water or electric supply are fully dependent on reliable operation of those systems. The same goes for our medicine production or a chemical facilities. 

Are those systems fully secured? Is your OT network immune against cyber-attacks?

Stay one step ahead of the threat actors by learning from the experience of your sector counterparts. In this interactive discussion explore: how to segment, secure and prevent various attack vectors on your OT networks. The conversation will examine  using most advanced discovery and detection techniques.

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization, may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices which some highlights (tailored toward SCADA side) will be covered in the presentation. 

The Industrial Control System – Cyber Emergency Response Team (ICS-CERT) has highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 breaches reported in the previous year, 98 percent could have been prevented if certain basic security protocols had been in place.

As evidenced by the Ukraine Power Grid Attack and other recent breaches, privileged accounts are on the attackers critical path to success 100% of the time in every attack. Let’s elevate the conversation and talk about how this attack vector is taking the industrial world by surprise. In this session, Alex Leemon will present the case studies of two companies that have put in place proactive controls to safeguard industrial control systems from malicious insiders or external threats by implementing privileged account security controls as recommended by the DHS/FBI/NSA publication.

Attendees will also learn how to mitigate the risks associated with the increased connectivity between IT and OT through the implementation of controls that can be used to isolate, control and monitor interactive remote access sessions which connect to ICS.

With cyber-attacks posing an increasing threat to critical infrastructure, a change of mindset is needed – one that presumes an attacker will inevitably infiltrate the network. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that industrial organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.

Learning Objectives:

In this session, attendees will learn how organizations have applied the steps recommended by the DHS/FBI/NSA publication to safeguard industrial control systems. Attendees will learn how to lock up the “keys to the kingdom” through the implementation of a privileged account security solution while safeguarding critical assets from potentially malicious activity.

Attendees will also learn how to:

• Reduce the attack surface area
• Help prevent the spread of malware to critical systems
• Implement Secure Remote Access
• Monitor and  Respond

The world’s industrial and critical infrastructure is now connected to the Internet -- and it’s completely unprotected against network-based attacks. There are many challenges ahead for securing the Industrial IoT. Organizations responsible for critical infrastructure are hesitant to enable Internet communications to industrial assets because of cybersecurity concerns. 

But integrating the “Industrial Internet” can lead to increased visibility into Operational Technology (OT) processes, applications and data. OT data such as Industrial Control Systems (ICS) can be leveraged to prevent disruptions and enhance operational efficiency and continuity.

In this presentation, Francis Cianfrocca will describe Industrial Internet security best practices that can move your organization from vulnerable to secure. The presentation will examine the challenges of IT/OT convergence with real-life stories from the field, describing actual Industrial Internet security projects and lessons learned. These use cases enable benefits such as reduced costs and improved efficiency; protection of field industrial devices from local and Internet-based attack; safe and secure third-party access to local OT/ICS devices and data; and aggregation and analysis of big data to create visibility and insight to operations such as:

• Data Centers
• Building Automation Systems
• Critical Infrastructure

Data Centers are particularly vulnerable to cyber-attacks on industry and infrastructure. Today's hackers can shut down businesses and threaten personal safety by remotely accessing building automation systems, HVAC, power generation, fire suppression, access card readers, and so on -- anything with a sensor can be compromised.

Learning objectives for attendees 

• Examination of the IT/OT convergence cyber security apertures
• Overview of Best Practices for Industrial IoT cyber security
• Operational policies that define how you manage your OT assets and processes
• Security policies that define how you protect your physical OT assets and business processes from being compromised
• Safety policies that define how you manage OT assets and processes to ensure the safety of your employees, your customers, the public, and the environment. 

Welcome address and conference introduction for the 2016 ICS Cyber Security Conference. – Michael Lennon, Founder and Managing Director, SecurityWeek, Chairman of ICS Cyber Security Conference

With new Drone technologies appearing in the consumer space daily, Industrial Site operators are being forced to rethink their most fundamental assumptions about Industrial Sites and Cyber-Physical security. This presentation will cover Electronic Threats, Electronic Defensive measures, Recent Electronic jamming incidents, Latest Drone Threats and capabilities, defensive planning, and Electronic Attack Threats with Drones as delivery platform. 

This talk will present 2 drone attack scenarios with video [potentially live] demonstrations of drone attack capabilities on an industrial wireless flowmeter.  The first attack will illustrate simple disruption of the flowmeters signal potently causing the non-report of a product spill (Hacktivist purposes). The second demonstration would take this a step further demonstrating the ability for a $1000 drone to autonomously turn a directional disrupter via image targeting of plat personnel (Hacktivist/Malicious Attack purposes). 

Attendee Takeaways:

• A new appreciation for the terrifying capabilities now available in hobby drones.

• A better understanding how drones can now be the bridge that Hacktivists use to make attacks that were only possible in close proximity before.

• Realization that large scale EW attacks to Industrial system that used to be possible with military grade equipment are now possible with hobby components.

• An understand of what a defensive security person must consider when risk evaluating the threats to industrial wireless systems.

• Using WiFi surveillance to track possible Drone use, scan of MACs associated with drones

• Physical Defense and what to tell your guards if they see a Drone jump the fence.

• Overview of Law and FAA regulations concerning drone use in and around plant infrastructure.

• Much More

In this session we will demonstrate live cyberattacks against a Schweitzer SEL-751A feeder protection relay and the related impact to end devices and operator interfaces.

While the demonstration is not meant to single out any particular vendor or piece of equipment, it will highlight the lack of cyber security built into widely deployed intelligent electronic devices (IED), how these IEDs can be attacked and the physical impact they can have when compromised.

The cyberattack demonstration will highlight a loss of control of the relay, how such loss impacts an end device like a motor and how this can all be hidden from the operator.  The attacks include an adversary gaining access to the relay, taking control, locking out administrators, and changing the relay’s configuration. In addition, the attacks will be masked to leave no trace, making it difficult for an operator to trouble shoot the disruption was caused by a cyberattack, let alone prevent it from happening again.

The SEL-751A is an important piece of equipment performing many critical functions, and such attacks could be repeated across the same or different relays from different manufacturers.

Imagine an attack on critical infrastructures that could evade virtually all existing security measures (network firewalls, AV, application whitelisting, etc.) and that would operate generically across a wide range of different SCADA implementations. Indegy researcher Avihay Kain has discovered a vulnerability that would enable just such an attack. We will unveil the vulnerability for the first time at  the 2016 Industrial Control Systems (ICS) Cyber Security Conference.

The vulnerability allows for remote code execution in Schneider Electric’s flagship product - the UnityPro software platform. (The vulnerability applies to all versions of UnityPro, including the latest release of version 10.0.) Schneider Electric’s UnityPro software platform, which runs on Windows-based engineering workstations, is used for programing and managing Schneider Electric equipment in industrial control networks including those operating critical infrastructure.  Regardless of the specific SCADA application in use, if Schneider Electric PLCs are in use, UnityPro software will be deployed for the engineering stations, making this attack relevant across virtually any process controlled by Schneider PLCs.

While we will show an exploit specific to Schneider, all PLC vendors have similar proprietary engineering protocols and  we should expect many vulnerabilities like it that apply to other vendors.  The result is that those concerned with ICS security should realize two key points: 

1.) Attacks on ICS networks do not require exploitation of vulnerabilities in SCADA/HMI applications or the controllers themselves:

There is a misconception in the industrial cyber security space that securing these networks only requires monitoring of the SCADA/HMI application protocols, for instance - MODBUS and DNP3. However, there is an important distinction between the communication protocols used by HMI/SCADA applications, and the control-plane protocols which are used by the engineering station software. The less known engineering station protocols are not fully documented, and worse -- each vendor uses a different proprietary communication protocol, making it extremely difficult to monitor them. As a result, these protocols, which allow an attacker to access the controllers using the vulnerability described above, aren’t monitored and the engineering stations are mostly ignored. 

2.) Combining security controls borrowed from IT Security with HMI/SCADA application monitoring is not enough to secure ICS.

It is commonly believed that with a combination of IT security technologies (secure network design, AV/anti-malware and application whitelisting) and monitoring the HMI/SCADA protocols mentioned in point 1, it is possible to prevent industrial network infiltration and device access. This exploit will look exactly like known good engineering work and will evade all of those controls, demonstrating that IT security plus HMI monitoring is not sufficient for ICS. Additional security controls for engineering network activity monitoring are needed.  

As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access.

There is an urgent need for a new approach to combat the next generation of cyber-threats, across both OT and IT environments. While total prevention of compromise is untenable, utilizing automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or ICS.

Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense.

In this session, attendees will learn:

• How new machine learning and mathematics are automating advanced threat detection
• Why 100% network visibility allows you to preempt emerging situations, in real time, across both IT and OT environments
• How smart prioritization and visualization of threats allows for better resource allocation and lower risk
• Real-world examples of detected OT threats, from non-malicious insiders to sophisticated cyber-attackers

Persistent attackers will always find a way in, often exploiting the very processes that facilitate productivity and profitable collaboration. Operators must lock down these access points to close frequently exploited attack vectors –firewalls are not enough. This session will overview CyberFence, the award-winning and military-approved solution for robust and comprehensive industrial (ICS/SCADA) cyber security. CyberFence surpasses basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity. Listen for yourself why the US Navy, Department of State and many critical businesses worldwide trust CyberFence to secure network endpoints.

Sponsored by: Ultra Electronics, 3eTI

This talk will go into detail about how drilling systems communicate and some of the attacks that could be performed on a drilling rig. This includes throwing off toolface information and burning out motors in BITs, Disabling H2S and sour gas detection systems, changing survey data to cause the drilling crew to drill out of zone causing sidetrack and time drilling operations that can cost millions of dollars to a drilling rig. And finally modifying chromatograph information and mud weight causing a blow out and potentially burning a rig to the ground. Infection methods include excel files used by directional drillers and MWD staff and 3rd party’s. 

Research Background

Using a honeypot run as a disposable mail service on TOR, Weston Hecker came across custom tailored malware including several versions of SAMSAM and Cryptolocker.  In early May he came across a sample that is targeting (WITS) information “Wellsite Information Transfer Specification” and (MWD) Measure while drilling systems associated with land based drilling platforms. This lead him to do research the attack surface of a drilling rig.

ICS incidents threaten not just process safety and mission assurance, but also – based on the layer of assets compromised – may impact physical assets, result in operational downtime, and trigger liability. This session examines how the risk management community thinks about ICS cybersecurity impacts, from insurance actuarial models and underwriting decisions, to broker guidance for insureds, and to how risk managers approach the unique risks generated by ICS cyber events that cross multiple types of insurance policies. The session explores how risk management and vulnerability remediation relate to insurance coverage and costs, in a complex cross-section of insurance that is new to virtually every player in the food chain.

Protecting Critical Infrastructure and Key Resources (CIKR) of the United States emerged as a national priority [Oba13] and simple adaptation of Information Technology (IT) security solutions for Industrial Control System (ICS) applications presents certain technical challenges for the cybersecurity community.

Results here expand upon AFIT’s PHY-based Level 0 protection strategy that was first introduced by researchers in [LoT14, LTM15]. These early works demonstrated a promising proof-of- concept capability for a Level 0 (physical end-device) anomaly detection scheme that aims to improve cyber-physical system resilience using device fingerprints composed of Wired Signal Distinct Native Attribute (WS-DNA) features. The WS-DNA features were extracted from WS responses of differential pressure transmitters employing smart sensor technology to control and monitor an experimental automated control process.

AFIT’s WS-DNA exploitation capability has been expanded, with results here based on field devices from four different manufacturers (Siemens, Yokogawa, Honeywell and Endress+Hauser) implementing the Highway Addressable Remote Transducer (HART) protocol. The aim is on discovering discriminable PHY features from the Frequency Shift Keyed (FSK) signals used for closed-loop control. Discriminability is assessed for a multi-state problem using each of the manufacturer devices operating under two different conditions. Manufacturer and operating state discrimination results include percent correct classification of %C ≥ 90% for both manufacturer (cross-model) and serial number (like-model) assessments. Thus, Level 0 WS-DNA processing is promising for discriminating field device manufacturer/operating state and remains a viable alternative for securing ICS operations. 

Franky Thrasher, Senior Cyber Security Expert & Information Systems Security Officer at ENGIE, will share his end user experience in securing globally distributed critical infrastructure at one of the world’s leading energy companies.

With more than 150,000 employees worldwide and revenues in excess of €69 billion, ENGIE understands how global companies can sometimes have much diversified complex models.

If you run a micro grid in Antarctica, A Hydro plant in the Rainforest and or gas fired power plants in Europe and LNG fleets worldwide are you facing the same challenges? Is any given standard applicable across your business? Is any technology applicable? Is your threat landscape modified according to your geographical location?

Thrasher will share his end user experience based on three different aspects;

Governance and regulations: - Examples of corporate policies that are either not applicable across the company due to regulatory constraints, or even local sensibilities. The talk will also explain how policies and governance practices can be adapted to a complex business model in global energy utility.

Technology: Examples of technology will be provided that have been implemented that were not as viable in different ICS environments, demonstrating that while magic “technology” boxes are useful, a completely different outlook is needed when deploying solutions on a global scale and across different business models. Thrasher will explain a remote connectivity system solution developed internally because a market product to fullfil the challenges ENGIE faced globally could not be found.

Geo politics in cyber security: How is your risk affected when you have assets in the Middle East? In Turkey? In South America? Sometimes data is not allowed outside the country sometimes technology is deemed illegal. What are some of the cultural issues you can run into? How does a conflict between two countries you have assets in affect your business?  What happens when you are not allowed to do security testing across borders. This talk will also give to the point examples of issues experienced when doing cybersecurity across the globe.  

This presentation provides a view of a target cyber security architecture made for industrial control systems – for the Operations Technology (OT) of the oil and gas, power, chemicals and other industries.

It would seem a straightforward idea. There is a cyber risk to vulnerable OT systems so why not cyber-secure the process control networks (PCNs) by integrating layered security (a defense-in- depth security architecture) in the same manner as the IT enterprise is made secure? Sounds simple. Yet a deeper understanding of the OT - the technology, business and operational requirements – makes it clear that simply adding an IT defense-in-depth security is not so straightforward. In some cases, it can even run counter to the safe operation of the plant.

There is no question that OT systems need to be hardened against cyber adversaries. The threat is real. The vulnerabilities and lack of protections against cyber attacks is alarming. Incidents are cropping up in growing numbers, ever more consequential. But the PCNs in OT systems have significant differences from IT systems. The security architecture must fit to the purpose and conditions of OT systems currently deployed in plants and remote locations - systems that are not easily replaced, enhanced or patched.

This is the challenge – to achieve a suitable security architecture for OT systems that provides needed defense-in-depth protections against cyber attacks while still meeting business requirements and safety functions.

This presentation delivers an architectural overview – first to reconcile the differences between OT operational requirements of reliable, real-time operations and safety with the cyber security requirements for identity and access control, asset management, segmentation, configuration and network management – just to name a few. Second, the presentation will discuss ways to achieve a target security architecture – one that can work within the reality of legacy (installed) PCNs with limited resource capacity constraints for computing and network flows.

How it is currently relevant to the industry: There is increasing concern within ICS industries (including Oil and Gas) about cyber threats at the same time that the industry becomes more aware of the existing exposures / vulnerabilities in its process control networks. The industry needs the right security answers – the kind that would work within a security architecture that is fit-for purpose in an OT environment with its constraints and business demands.

What objectives will be covered?

1. Defines the challenges to implementing cyber security in an oil and gas OT environment
2. Defines what would be the target OT-suitable (fit-for-purpose) cyber security architecture
3. Defines a three-step progression to achieve this target security architecture within the realities of PCN system and operational constraints

Intended audience: Engineers and Architects charged with security for OT/ICS 

Operational Technology (OT) and specifically Industrial Control Systems (ICS) and associated equipment and devices, have mostly been ignored by industry leadership.

Safeguarding this critical area requires a unique mix of technical and operating insight into how threat actors (hostile nation-states, terrorist organizations and hacktivist organizations) can compromise industrial controls that operate and manage industrial processes – at the process level, the control component level, the human-machine interface level and the SCADA system level.

This talk will raise the level of awareness in the C-suite and Boardroom to this perilous operating risk that we think needs to be elevated well above the current limited focus on compliance with regulatory regimes that have not kept pace with the executional characteristics of industrial cyber risk. Power and utility companies need to address these risks head on, and likewise CFO and CISOs need to understand their true insurance coverage, and possible gaps, to assess whether their stature meets their company’s acceptable risk profile. Creating awareness at high levels and driving appropriate action is required.

Attendees will learn how companies should map their at-risk industrial component configurations, provide analysis and synthesis of the critical interfaces between operating OT and IT, perform risk and asset downtime impact assessments as part of their failure mode and effects analysis, and develop practical policy recommendations - so that cybersecurity experts and operating engineers can begin to correlate conventional information security anomalies with process controls events that may impact how effectively – and how safely – industrial processes operate. We believe effective security includes developing a documented understanding of the downtime impact of addressable system equipment across the entire process, or system, with specific focus on ICS interconnection and interdependency considerations.

Bill Cotter, Master System Engineering Specialist at 3M, will provide a Top 12 Checklist for Process Security, along withan overview of the ISA-TR62443-2-3 ICS Patch Standard.

The state of Indiana executed CRIT-EX 16.2 on the 18th and 19th of May, 2016, at the Muscatatuck Urban Training Center.  This cyberattack readiness exercise aimed to improve the overall security and responsiveness of Indiana’s critical infrastructure in the face of an advanced cyber incident that disrupts essential water utility services and presents a public safety threat. 

The Indiana Department of Homeland Security in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners developed this controlled functional cyberattack exercise to allow participants to deploy resources and communicate with response partners to mitigate adverse effects and expedite recovery.  Additionally, CRIT-EX is the first joint public-private partnership simulating responses to cyberattacks on the Muscatatuck water treatment plant, with expert programming and cybersecurity teams acting as cyberterrorists who attack the facility’s Supervisory Control and Data Acquisition (SCADA) systems.  

The exercise had three very important themes that differentiated Crit-Ex from other cyber exercises: First, participants had to agree on a common language. Second, privacy was at the center of the exercise. The third unique theme and what is considered to be the hallmark of Crit-Ex 16.2 was the complexity of the event.  

This presentation will cover the importance of training cybersecurity for industrial control systems in a complex environment. While using lessons learned as examples, the presenter will provide a roadmap to plan and execute a complex cyber exercise.

View a detailed description of the talk here 

Don Bartusiak, Chief Engineer, Process Control at ExxonMobil Research & Engineering, will present an exclusive talk about ExxonMobil's initiative regarding a standards-based, open, secure, interoperable process control architecture.  Bartusiak will address the business problem that the world's largest publicly traded international oil and gas company is trying to solve and why ExxonMobil feels that existing ICS vendor approaches are not adequate to meet their needs.  

He will also discuss the status of formulation of an end user, supplier, system integrator, and standards organization consortium that is underway with The Open Group.  

Live Demo: Remote Attack That Can Permanently Disable a Fully Air-gapped System

Industrial control systems that claim to be fully air-gapped often aren't. In particular, elements of the ICS take electrical power from a local network, or UPS. Power supply engineers who work on power disturbances can demonstrate certain types of events -- as simple as turning the power off and on in a particular pattern -- that can permanently disable typical off-the-shelf power supplies.  A technical discussion of this attack vector, with a follow-on live demonstration, will be provided.

The ICS threat landscape is expanding fast. With the rise of the Industrial IoT, and increased device connectivity, no mission-critical entity is safe. On one hand, the expansion of the Internet also makes ICS easier prey to attackers, with ICS components being available online. On the other hand, attackers can easily attain industrial products and technologies and reveal relevant vulnerabilities to exploit. Both aspects emphasize that it is getting increasingly simpler for attackers to exercise their will in industrial environments, having to invest less resources to do so.

In this session, we will provide an example which emphasizes this trend, where the CyberX research group was able to expose vulnerabilities within a leading vendor’s PLC, getting from complete obscurity to the desired end-game, while having to cope with diverse challenges. These include physical extraction of components and de-coding of the encoded firmware.

The aforementioned trend in the ICS Security eco-system leads to a flux in ICS vulnerabilities, which is part of the inevitable cat and mouse race between attackers and defenders in the ICS security domain. This race has peaked a new level, where every Industrial IoT environment is in harm's way. We will also outline the need for comprehensive threat analysis tools for the ICS industry required to mitigate the ever growing risks.

Attendee takeaways

1. Understanding of the unique, yet attainable methods required for discovering and exploiting ICS vulnerabilities and how these facilitate the rising number of ICS cyber incidents.
2. Industrial hacking expertise, once thought to be rare, is becoming more common knowledge.
3. Forward thinking insights regarding the need for effective and readily available tools for the ICS industry.

When hearing the buzz-word “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. This is a HUGE blind spot. Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers: They are fairly easy to compromise, are connected to high-value networks and detection often only happens after the fact.

This talk will share experiences exploiting embedded system used in industrial control environments and discuss the reasons why these insecure design patterns exist; including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting. Attendees will get an inside view into how attackers operate and walk away knowing what to look for when future-proofing our industrial control systems. 

This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy. 

Driven by business sustainability requirements, access to (near) real-time data within the automation industry has created a growing trend towards interconnectivity between control system and enterprise environments.  A component of this trend is the movement away from proprietary control system platforms and technology, to a more open and interoperable Asset Control System.  This development creates opportunities for businesses, but can also simultaneously increase their exposure to potential vulnerabilities.  Due to the evolving, complex nature of control systems in the enterprise today, many asset owners simply do not know where to start when it comes to devising a security strategy.  A lack of awareness about their current vulnerability state makes the effective application of security controls and /or processes difficult.  Many customers lack experience in determining vulnerability levels, exposure, and possible impacts of threats to network and critical assets.  They also face difficulty in effectively distributing and enforcing appropriate policies and procedures.

This presentation will describe how an external Cybersecurity Services team can provide valuable assessment, implementation, maintenance, and education services for businesses focused on minimizing Operational Technology (OT) cybersecurity risks within their ICS environment.  It will also include an overview of how IT / OT environments are converging today, the challenges with managing that process and the sprawl of the Industrial IoT.  Finally, we’ll discuss some best practices that have been assembled from lessons learned in Building Automation Systems, Water / Wastewater, Refineries, and other critical infrastructure.

Sponsored by: Schneider Electric

With cyber risk insurance as the fastest growing segment in property/casualty insurance, the discussion around industrial cyber security has moved from one of best practices and compliance to one of risk management.  The emergence of debt rating agency resiliency requirements, regulations and industry standards, boards have increasingly prioritized cyber security as a top enterprise risk.

Too many organizations opt to start with standards based frameworks or maturity models to define their ICS security programs.  Adopting these models can actually add risk and often fail to prioritize the most critical enterprise threats.  Likewise, relying upon the opinions of Subject Matter Experts to take decisions where data is scarce can create more harm than good in the establishment of ICS security programs.

This talk will focus on using robust methods to define organizational risk tolerances and methods to measure and track programs to prioritized areas of risk.  This approach allows ICS security program stewards and stakeholders to more easily demonstrate real improvements in security posture, achieved with security related expenditures. 

With more organizations creating dedicated operational technology security structures and responsible executive leaders, the development and maintenance of a mature ICS security program is vital.  

The hallmark of this year’s attack on the Ukrainian power grid was the extensive reconnaissance, performed by attackers on their target’s control networks, used to maximize system disruption.  Situational awareness, incident response and recovery all depend on an accurate understanding of control system inventories, including normal process behavior.  The Ukrainian attack has led our community to a key question; do we know our industrial control networks as well as our adversaries?

Despite the emergence of technologies that monitor data flows of industrial control networks, ICS operators consistently cite inadequate real-time views to control system the topology, devices, and behavior as a fundamental obstacle to securing their operations.   Historically, gathering and maintaining this information has proven incredibly labor intensive and disruptive to economic operations of industrial operations. 

Health, safety, and environment (HSE) management systems are widely adopted by many organizations and industrial facilities we work with. The main benefits of HSE programs are risk reduction from injuries, lost time incidents, liability and insurance costs. Safety management systems have a long history of statistical evidences showing how different types of well-documented unsafe practices, near misses and incidents have been dramatically reduced and improved through ongoing awareness training, intervention and controls. The ongoing realization of safety management system is a continuous effort towards zero incidents.

On the other hand, cyber security for industrial control systems (ICS) does not have the same benefit of decades of statistics, legislation, training, and budgets to build on, but are as critical as their conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets are still strangely neglected in many organizations

In this presentation, we will cover the various aspects of Safety and Cyber Security and how this could be part of every organization’s culture not only as a priority, but also as core value:

• How Safety and Cyber Security programs can be integrated to achieve the highest level of operational excellence?

• How to use Cyber security awareness training to reduce risk and ensure safe/reliable operations?

• Example of the first Cyber security Golden Rules from the first Online ICS Cyber Security Awareness Training for engineering community.

Most ICS organizations haven’t done a good job preparing to respond to a cyber attack. Further complicating this is the fact that IT personnel don’t have a good understanding of the ICS need for 100% availability, or what it takes to get a process up and running after it has been shut down. 

This presentation will help organizations prepare to respond to ICS cyber incidents whether they’re caused by unintentional insiders or malicious outsiders such as industrial spies, hactivists, or nation state attackers.  Proper Cyber Incident Response planning will minimize financial losses due to system downtime, data loss, higher insurance premiums, and most importantly to the safety of the organization personnel and the public.

Wednesday's breakout sessions will conclude with a moderated discussion of the important cyber issues with safety and security.

Open to audience participation, topics will

• Understanding the differences between safety and security
• What is currently happening with standards affecting safety and security
• What are the pros and cons of integrated control and safety as it pertains to security should safety systems be connected (accessible) to the Internet
• How should cyber security of safety systems differ from cyber security of control systems

Could the U.S. nuclear or energy critical infrastructures be vulnerable to a cyber attack similar to the Ukrainian Power attack in 2015? 

Marlene Ladendorff is a subject matter expert on Nuclear Cyber Security for the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).  

Using data from a few key research projects and primary interviews with a variety of industry practitioners, this session will provide insights to what practitioners are actually thinking and doing every day. What really are the perceived highest risks? What initiatives are gaining traction and which ones aren’t? Is the “C” level bought in? How is the ICS cyber security work force developing? Is OT and IT a divide that can’t be crossed or are organizations building bridges right now? Get the view from the trenches, and share yours as well. 

Using computer gaming technology for industrial purposes is certainly not an obvious concept. However, as the technology has improved with advanced AI and seemingly realistic physics, one can see where using gaming engines for something beyond just an entertainment medium might actually make a lot of sense. The industrial community seems to finally be turning the corner in regards to industrial control systems (ICS) cyber security. The community now understands that   there is a real and growing threat to these systems and preventative security measures need to be put in place. An area of contention however, remains the ability to determine a realistic threat level for each and every U.S. ICS-CERT advisory, flash report, and security vendor claim. Asset owners/operators find themselves at the mercy of speculation. After all, they can’t exactly simulate attacks that cause actual catastrophic results to industrial environments and systems. Or can they?

In this session, Clint Bodungen will demonstrate how several technologies once intended for completely different industries, such as computer gaming engines and engineering software/hardware, can be combined to simulate realistic consequences of cyber-attack scenarios on industrial systems. Powerful gaming engine physics and 3D animation, scientific data and simulation capabilities (i.e. Matlab and engineering applications), and real-life physical devices (i.e. PLCs) are all connected in this presentation in order to provide a cutting-edge look at the impact analysis capabilities with stunning realistic 3D visuals.

Key Takeaways:

1. Attendees will gain an understanding of what cyber-attack simulation/impact analysis are, and why it they are important for ICS risk mitigation.
2. They will also learn methods of performing realistic cyber-attack simulation/impact analysis using different technologies together.
3. As well as walk away with a better understanding of how to deploy these methods and tools in their own ICS risk mitigation program.

Although developed countries such as the United States have shown the path in terms of Cyber Security in Critical Infrastructure, developing countries are falling behind due to socio-economic conditions. Lack of investment and difficulty in finding the necessary skills are the main reasons that make Cyber Security a challenge for these countries.

This presentation goes through LATAM’s critical infrastructure situation with Argentina as a case of study. On one hand, we provide the audience a brief overview of the actual cyber regulation and national initiatives. On the other, we describe the state of the main industries, common issues and what we are the next steps to be taken in the near future.

The industries most plagued by cyber-attacks are Oil and Gas businesses. Several attacks against the infrastructure of Oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major Oil companies. The Oil and Gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in Oil and Gas industries, and there are even specific SAP modules for Oil and Gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service and Oracle Enterprise Asset Management.

Cyber-attacks on SAP systems belonging to Oil and Gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices).

Moreover, SAP and Oracle serves business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks.

For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.

This talk is based on a several case studies conducted during research and professional services will shed a light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to Oil and Gas companies as well as guidelines and processes on how to avoid them.

Takeaways

• Understand specific risks related to Oil and Gas companies infrastructure from IT and OT perspective.
• Learn what kind of enterprise applications are used in Oil and Gas industry and whit kind of security issues they have.
• Learn how to secure these applications.
• For pentesters, it will be helpful to learn how to analyze security of these specific systems. For information security specialists, it will be useful to know how to protect their systems.

This presentation will describe the need to integrate approaches to the physical aspects of computer and network device security during design.

Even if steps are taken to make software attacks on a system impractical, it is possible to bypass these by attacking weaknesses in the physical implementation of systems.  These attacks are much harder or even impossible to “patch” once systems are fielded, and include attacks on the physical implementation of memory (Row Hammer) and attacks on cryptographic systems using timing (cache timing attacks).  Recently both of these have been demonstrated to be practical even without direct access to privileged instructions or native code; both have been accomplished from inside a browser’s Javascript “sandbox.”  Dealing with these sort of attacks requires thinking about security at the physical device design stage.

Not so long ago, seasoned control engineers would laugh at the thought of having their industrial control and SCADA systems connected to the Internet. However, times have changed, and today the Industrial Internet of Things (IIoT) is interconnecting industrial control system (ICS) devices and critical infrastructure to the Internet at an unprecedented pace. This in turn is forcing a fast, large-scale convergence of old and new technologies that is reshaping the reliability, availability and security of industrial environments.

Cloud computing is a paradigm that will eventually come into play with Internet-connected industrial environments. Currently, a vast amount of research is being pursued that investigates cloud-computing's role within the industrial and manufacturing space, as well as other critical infrastructures such as the smart grid. Nonetheless, one major consequence of using cloud-based technologies within industrial environments is that of mitigating pervasive cybersecurity risks for industrial systems. This presentation will highlight the current trends and advancements of cloud-based technologies for industrial environments, both from a practical and research perspective. More importantly, however, the session will provide insight into how cloud-based technologies might be used to alleviate complex cybersecurity challenges within industrial environments.

Learning Objectives:

Attendees will get a glimpse into the advancements of Cloud computing based technologies and their integration within industrial environments. The material will provide a balance of advanced research that will impact near-future industrial systems along with real-world implementations and results that are currently in progress around the world.

In this talk, Bob Radvanovsky will introduce the "SCada Incident Database", or "SCID".

The concept of the project is to include critical infrastructure incidents that have transpired over the years, with a majority of the database made publicly-accessible at no cost. 

The SCID repository will help:

• Governments Worldwide
• Private Sector Asset Owners
• Legal Firms
• Law Enforcement
• Regulatory Organizations
• Insurance Companies

The discussion will include screenshots of the repository, along with relevant field types being collected, and how the data is being ascertained.  Part of the discussion is to engage the audience as part of the project's development, as this is supposed to be a community-based effort. 

Additionally, this talk will address some of the controversial definitions, such as "incident", "cyber incident", "event", and "cyber event", and the reasoning behind the questions.  For this part of the discussion, examples through existing documentation, will be provided.