Persistent attackers will always find a way in, often exploiting the very processes that facilitate productivity and profitable collaboration. Operators must lock down these access points to close frequently exploited attack vectors; firewalls are not enough. This session will overview CyberFence, the award-winning and military-approved solution for robust and comprehensive industrial (ICS/SCADA) cyber security. CyberFence surpasses basic firewall, perimeter and signature-based defense, extending protection to SCADA and other networked system endpoints using protocol-specific parsing and whitelisting to assure data integrity. Listen for yourself to why the US Navy, Department of State and many critical businesses worldwide trust CyberFence to secure network endpoints.
Sponsored by: Ultra Electronics, 3eTI
ICS incidents threaten not just process safety and mission assurance, but also – based on the layer of assets compromised – may impact physical assets, result in operational downtime, and trigger liability. This session examines how the risk management community thinks about ICS cybersecurity impacts, from insurance actuarial models and underwriting decisions, to broker guidance for insureds, and to how risk managers approach the unique risks generated by ICS cyber events that cross multiple types of insurance policies. The session explores how risk management and vulnerability remediation relate to insurance coverage and costs, in a complex cross-section of insurance that is new to virtually every player in the food chain.
Franky Thrasher, Senior Cyber Security Expert & Information Systems Security Officer at ENGIE, will share his end user experience in securing globally distributed critical infrastructure at one of the world’s leading energy companies.
With more than 150,000 employees worldwide and revenues in excess of €69 billion, ENGIE understands how global companies can sometimes have highly diversified, complex business models.
If you run a micro grid in Antarctica, a hydro plant in the rainforest, gas-fired power plants in Europe and/or LNG fleets worldwide, are you facing the same challenges? Is any given standard applicable across your business? Is any technology applicable? Does your threat landscape change according to your geographical location?
Thrasher will share his end user experience based on three different aspects:
Governance and regulations: examples of corporate policies that are not applicable across the company due to regulatory constraints, or even local sensibilities. The talk will also explain how policies and governance practices can be adapted to the complex business model of a global energy utility.
Technology: examples will be given of technology that was implemented but proved less viable in different ICS environments, demonstrating that while magic "technology" boxes are useful, a completely different outlook is needed when deploying solutions on a global scale and across different business models. Thrasher will explain a remote connectivity system solution developed internally because no market product could be found that fulfilled the challenges ENGIE faced globally.
Geopolitics in cyber security: how is your risk affected when you have assets in the Middle East? In Turkey? In South America? Sometimes data is not allowed outside the country; sometimes a technology is deemed illegal. What are some of the cultural issues you can run into? How does a conflict between two countries you have assets in affect your business? What happens when you are not allowed to do security testing across borders? This talk will also give to-the-point examples of issues experienced when doing cybersecurity across the globe.
Operational Technology (OT), and specifically Industrial Control Systems (ICS) and their associated equipment and devices, have mostly been ignored by industry leadership.
Safeguarding this critical area requires a unique mix of technical and operating insight into how threat actors (hostile nation-states, terrorist organizations and hacktivist organizations) can compromise industrial controls that operate and manage industrial processes – at the process level, the control component level, the human-machine interface level and the SCADA system level.
This talk will raise the level of awareness in the C-suite and Boardroom of this perilous operating risk, which we think needs to be elevated well above the current limited focus on compliance with regulatory regimes that have not kept pace with the executional characteristics of industrial cyber risk. Power and utility companies need to address these risks head on, and likewise CFOs and CISOs need to understand their true insurance coverage, and possible gaps, to assess whether their posture meets their company's acceptable risk profile. Creating awareness at high levels and driving appropriate action is required.
Attendees will learn how companies should map their at-risk industrial component configurations, provide analysis and synthesis of the critical interfaces between operating OT and IT, perform risk and asset downtime impact assessments as part of their failure mode and effects analysis, and develop practical policy recommendations - so that cybersecurity experts and operating engineers can begin to correlate conventional information security anomalies with process controls events that may impact how effectively – and how safely – industrial processes operate. We believe effective security includes developing a documented understanding of the downtime impact of addressable system equipment across the entire process, or system, with specific focus on ICS interconnection and interdependency considerations.
With cyber risk insurance the fastest growing segment in property/casualty insurance, the discussion around industrial cyber security has moved from one of best practices and compliance to one of risk management. With the emergence of debt rating agency resiliency requirements, regulations and industry standards, boards have increasingly prioritized cyber security as a top enterprise risk.
Too many organizations opt to start with standards-based frameworks or maturity models to define their ICS security programs. Adopting these models can actually add risk and often fails to prioritize the most critical enterprise threats. Likewise, relying upon the opinions of Subject Matter Experts to take decisions where data is scarce can do more harm than good in the establishment of ICS security programs.
This talk will focus on using robust methods to define organizational risk tolerances, and methods to measure and track programs against prioritized areas of risk. This approach allows ICS security program stewards and stakeholders to more easily demonstrate real improvements in security posture achieved with security-related expenditures.
With more organizations creating dedicated operational technology security structures and responsible executive leaders, the development and maintenance of a mature ICS security program is vital.
Sponsored by: Honeywell
Health, safety, and environment (HSE) management systems are widely adopted by many of the organizations and industrial facilities we work with. The main benefits of HSE programs are risk reduction from injuries, lost time incidents, liability and insurance costs. Safety management systems have a long history of statistical evidence showing how different types of well-documented unsafe practices, near misses and incidents have been dramatically reduced through ongoing awareness training, intervention and controls. The ongoing realization of a safety management system is a continuous effort towards zero incidents.
On the other hand, cyber security for industrial control systems (ICS) does not have the same benefit of decades of statistics, legislation, training, and budgets to build on, but is as critical as its conventional mechanical and human counterparts. While many organizations dedicate countless hours to protecting their employees and their physical assets, the cyber security of ICS assets is still strangely neglected in many organizations.
In this presentation, we will cover the various aspects of Safety and Cyber Security and how this could be part of every organization’s culture not only as a priority, but also as core value:
How can Safety and Cyber Security programs be integrated to achieve the highest level of operational excellence?
How can Cyber Security awareness training be used to reduce risk and ensure safe and reliable operations?
An example of the first Cyber Security Golden Rules from the first online ICS Cyber Security Awareness Training for the engineering community.
Most ICS organizations haven’t done a good job preparing to respond to a cyber attack. Further complicating this is the fact that IT personnel don’t have a good understanding of the ICS need for 100% availability, or what it takes to get a process up and running after it has been shut down.
This presentation will help organizations prepare to respond to ICS cyber incidents, whether they are caused by unintentional insiders or by malicious outsiders such as industrial spies, hacktivists, or nation state attackers. Proper cyber incident response planning will minimize financial losses due to system downtime, data loss and higher insurance premiums, and, most importantly, risks to the safety of the organization's personnel and the public.