A then-record 532 attendees came to Miami South Beach for S4x19 the week of January 14th, 2019. It began on Monday with a jam-packed OnRamp: 101-Level ICS Security Training day. 10 of the world’s best in ICS security got newcomers to the topic up to speed fast, both so they could enjoy and understand S4x19 and so they could participate in ICS cyber risk discussions when they returned home. The OnRamp is now available as a free online workshop, and over 1,000 people have received this training.
On Tuesday through Thursday S4x19 took place on three stages: the Main Stage for keynotes and less technical talks, Stage 2: Technical Deep Dives, and the Sponsor Stage. You can see the videos of these sessions below or on the S4 Events YouTube Channel.
Dale opens up S4x19 with three friends, Patrick Miller, Eireann Leverett, and Rob Lee, asking What If questions. We are making progress in securing ICS while at the same time falling behind due to a variety of factors accelerating faster than the community’s progress.
12 minutes on why we selected Charity: Water for the S4x19 Giveback. It’s a simple ICS, and we can fund a water project for a village and see the results. Includes Dale talking about it and powerful Charity: Water videos. Please give if you can. Our goal is $20K and the campaign ends on Jan 31st.
A real-world test of products’ ability to create an ICS asset inventory and detect and analyze attacks on ICS via passive monitoring. 130GB of packet captures from a real ICS were anonymized, and then a very complex attack scenario was inserted. In the end only Dragos and Kaspersky stepped up to the Challenge.
This presentation plays off a book he recently co-authored, Solving Cyber Risk. Eireann shows how the insurance industry looks at the issue of writing policies for risks with limited data. And he shows how cyber insurance policies can be and are being written for potential ICS losses.
In this session, Billy Rios, Clint Bodungen and Art Manion present their suggested modifications to the CVSS for ICS vulnerabilities. They score the same vulnerabilities and then discuss the pros and cons of each other’s methods.
Michael Thompson gave an interesting, 20 minute think piece that tied well into the S4x19 Create The Future theme. It revolved around stories of the smallpox vaccine and armoring WWII Allied planes, where the success involved looking at the problem very differently.
Sarah Fluchs begins with a bold statement, reminiscent of an earlier Witch Doctor vs. Engineer S4x12 session, “OT Security Engineering does not deserve to be called Engineering.” She then lays out a series of three questions that must be asked and a methodology to answer the questions.
A number of US Government agencies funded and worked on a project to learn more about the ability to respond to a blackout caused by a cyber attack or incident. They went to Plum Island, where people would not be affected, and created a very realistic scenario. All roles that would typically be involved were there.
Julian Gutmanis was in the plant that was compromised by Triton, and he was involved in the response and recovery. This is his first-hand report. Here are some of the highlights:
– the initial outage was related to one down controller on a Saturday in early June, 2017
– six controllers went down in the August, 2017 attack
– the DCS reflected normal operation during both outages.
Dave Weinstein makes the counterintuitive point that hyper-connectivity will improve cybersecurity / reduce risk. Up until now hyper-connectivity has tracked with improved offense while defense lags. Dave’s point is that hyper-connectivity, paired with the visibility this hyper-connectivity makes possible, will help defense much more than the attacker.
Unidirectional Gateway devotee Andrew Ginter of Waterfall introduces the Secure Operational Technology: SEC-OT philosophy that underlies his book of the same title. The key and controversial tenet is “forbid firewalls as connection from ICS to IT networks – permit only unidirectional gateways”.
Ed Turkaley begins with an opinion that advanced semiconductor design and manufacturing is the key to the trade wars, and why. He then pivots and discusses the key elements of a supply chain security program geared towards ICS.
This is a presentation we chased hard for S4x19. Colin Parris and Justin John of GE explain how they have expanded their Digital Twin efforts to add security. Two big takeaways for me: process variable anomaly detection is an important part of the future detection solution. It is what the asset owner actually cares most about, and it will detect all-cause cyber incidents.
The first 40 minutes discuss the importance and difficulties of securing the ICS software/firmware supply chain, and the community effort that aDolus is working on so asset owners can get assurance in what is provided by the vendor or integrator prior to using it in their ICS.
Bryan Owen is the proud winner of the SCADA Diva award. This presentation was fun because it followed a pirate / shark skit. Bryan takes over the Diva hardhat from Mike Assante.
ICS security legend Joe Weiss sets foot on the S4 stage for the first time. Joe and Amir Samoiloff make the case that monitoring network traffic to detect ICS cyber incidents is insufficient. They contend that without data taken directly from the sensors, before it has been processed by the PLC / Level 1 device or converted from serial to Ethernet, monitoring will miss important information. They close the presentation with some case studies that support their case.
This S4x19 discussion is on the state of the art in ICS honeypots and honeynets. How and when should an asset owner consider using them? Where should they be placed? And what expectations are reasonable for detection and threat intelligence?
Inaki Eguia first explains the OEE calculation and then goes over some ICS examples. He makes the case that OEE is a metric that should drive the determination of the security posture and where security related resources should be spent.
Joel Langill and Brad Hegrat join Dale Peterson to answer this question. The Purdue Model was used as THE MODEL when it came to ICS security, and it worked well in a traditional plant or factory environment. Is this true in the coming world of cloud services, IIoT and other changes? Joel, Brad and Dale discuss and actually reach a mostly common understanding.
We called this the Miller’s Crossing debate. Ben Miller took the pro position that OT Specific Tools & Talent are required. Steve Miller took the con position, and Dale Peterson moderated this 30 minute debate.
A great primer on the different options for collecting and forwarding ICS traffic. Some good examples of the amount of traffic generated on an access switch in a Rockwell Automation environment.
Dale talks with Andy Bochman about Consequence-Driven, Cyber-Informed Engineering (CCE) and John Cusimano about CyberPHAs. This focus on the consequence side of risk management is gaining attention. It’s not a replacement for security controls that will reduce likelihood, but it may be more efficient risk reduction than some security controls and lowers the maximum impact of a successful attack.
Cranes and other mobile equipment lack basic security controls. When operation is local and wired, this risk is minor. When they move to wireless control, it becomes possible for an adversary even 1 or more kilometers away to take control of the crane, as Stephen Hilt and Jonathan Andersson of Trend Micro show at S4x19 in Miami South Beach.
Protection and Safety systems are designed and deployed to prevent high consequence incidents from happening. The ICSsec community has seen examples where these systems have been hacked and modified, Stuxnet and Triton, to prevent proper operation. But what if it isn’t even necessary to attack the safety or protection system to prevent it from doing its one task?
Take a look at a portable auto simulator that can be used for offensive and defensive security testing. It has ECUs, an OBD-II port and the CAN protocol, just like a car. At 5:20: close-up of the PASTA suitcase and displays.
This is a great example of the steps an attacker would take to attack, exploit and persist on an industrial control system (ICS), specifically a building control system, in this presentation by Elisa Costante of Forescout.
Why are Building Automation Systems in such an insecure state, and more importantly what will it take to change that? James Houston identifies the challenge in getting people with the right skills involved.
The definitive video on the ICS module in VPNFilter from Carl Hurd and the team at Talos. The fact that this Modbus / HTTP module was so targeted (one device and selected IP) and yet did so little (logging only) is one of the mysteries. An overview of VPNFilter and detail on that ICS module.
The CoDeSys Runtime System is in at least 340 different models of PLCs across a wide range of vendors. And it is a hot mess (technical term) from a security perspective. In this S4x19 Stage 2 video, Aleksandr Nochvay of Kaspersky goes through the protocol field by field, and then at 22:20 goes over 5 of the many vulnerabilities in this system.
Ken Rhode of Idaho National Labs starts with a video showing how they can hack the auto charger HMI to affect the state of charge in the vehicle and emergency-stop charging. The second part of the video shows how a compromised vehicle can fool the charger on status.
Jasper Hooft of Toreon explains their three-phase approach to securing ICS via threat modeling. He uses the example of a wind turbine (windmill).
Roee Stark of Indegy shows how the Rockwell Automation controllers can be used to forward attacks through both IP and Controlnet networks. This is due to a very full featured CIP networking stack that lacks authentication.
Jim McGlone outlines his approach to performing a Cyber Process Hazards Analysis for ICS, and interestingly he ties this into his Navy experience on submarines with some great stories and photos.
Clay Carter of GE shows how they are using Certificate Transparency (CT) and Binary Transparency (BT) to prove software integrity. Code signing alone is not enough due to risk of CA compromise. This technical session on S4’s Stage 2 walks you through how the process works.
A Stage 2: Technical Deep Dive on how to (and how not to) use the hardware security capabilities available in ARM processors. Jon Taylor of Revolutionary Security covers the why and how and ends the session by showing how it is used with other components on a board.
The difference in how engineers and cybersecurity professionals approach a project is large. This presentation looks at how to add the engineering discipline to cybersecurity. Specifically it shows how this is being standardized in two IEEE standards efforts. Nathan Wallace of Cybirical, the chair of those two standards’ working groups, presents the approach and some detailed examples.
Always a hit at S4, Dale Peterson talks with Rob Lee and Zach Tudor about the state of ICS Cybersecurity. What aren’t we talking about? Where are we making good progress? Are we gaining ground or losing ground in defending ICS? Speed? Does .gov help? Most important of the 5 NIST CSF functions at this time? And much more.
We close down Stage 2 at S4 with Unsolicited Response. Speakers are allowed 5 minutes to talk (rant) about whatever they want. Some are funny. Some are project ideas. Some are blowback on a session they thought was dead wrong. And there is craft beer and root beer served.
Patrick McBride of Claroty took the Sponsor Stage to present: Extreme Visibility for Better Threat Detection and Reduced TCO. He began with an overview of the company.
Barak Perelman of Indegy defines and makes the case for an Active capability in the class of products that creates an ICS asset inventory and detects attacks on an ICS. At 25:00 there is a video from the City of Raleigh on how they use the Indegy solution.
Robert Albach, who is responsible for the Industrial Security Products at Cisco, took a broad network architecture with Cloud, HQ, DMZ and Factory Zones and then mapped recent attacks on ICS to this architecture, showing what the attackers did and how they could have been stopped at various boundaries.
From the S4x19 Sponsor Stage, Yehonatan Kfir of Radiflow talks about the end goal of visibility … actions and insights. Visibility of the ICS and ICS communication is not the end goal and “extreme visibility” can lead to “extreme confusion” without the right analysis capability.
The Nozomi Sponsor Stage session from S4x19. First 10 minutes are on the company and offerings. 10:25 starts a description of common findings / security issues in the initial days after install. Good questions in the Q&A that starts at 19:20.
Bob Foley presents on the S4x19 Sponsor Stage. He introduces the company and product, and then spends most of the 25 minute session describing situations they have run into deploying ICS detection technology and lessons learned.
Beginning at 11:20 Matt Cowell lays out his view of how to evaluate asset inventory and detection products. He provides an approach and high-level evaluation criteria. The first 11 minutes are an introduction to Dragos and an overview of the asset owner challenge in evaluating ICS cyber security solutions today.
Megan Samford & Umair Masud of Rockwell Automation present their company’s automation product line and how they are helping their customers secure their ICS and processes. It is a combination of products, services and partnerships with some practical customer examples.
Harry Paul of OSIsoft and Adam Hahn of Washington State University each demonstrate a tool to assess the security of an ICS cyber asset. As you might expect, the OSIsoft tool audits the security posture of deployed PI components. The WSU tool can be run on any cyber asset. Both tools are available free of charge.
Dean Weber of Mocana goes into detail on the challenges and crypto and process solutions to the supply chain problem. He covers the development, onboarding, enrollment and update phases, and he stresses how this can be automated to lessen the burden while still providing strong security.