S4x19

A then-record 532 attendees came to Miami South Beach for S4x19 the week of January 14th, 2019. It began on Monday with a jam-packed OnRamp: 101-Level ICS Security Training day. 10 of the world’s best in ICS security got newcomers to the topic up to speed fast, both so they could enjoy and understand S4x19 and so they could participate in ICS cyber risk discussions when they returned home. The OnRamp is now available as a free online workshop, and over 1,000 people have received this training.

On Tuesday through Thursday S4x19 took place on three stages: the Main Stage for keynotes and less technical talks, Stage 2: Technical Deep Dives, and the Sponsor Stage. You can see the videos of these sessions below or on the S4 Events YouTube Channel.

Main Stage

Dale Peterson Mini Keynote – Create The Future

Dale opens up S4x19 with three friends, Patrick Miller, Eireann Leverett, and Rob Lee, asking What If questions. We are making progress in securing ICS while at the same time falling behind due to a variety of factors accelerating faster than the community’s progress.

Charity: Water Campaign

12 minutes on why we selected Charity: Water for the S4x19 Giveback. It’s a simple ICS, and we can fund a water project for a village and see the results. Includes Dale talking about it and powerful Charity: Water videos. Please give if you can. Our goal is $20K and the campaign ends on Jan 31st.

ICS Detection Challenge Results

A real-world test of products’ ability to create an ICS asset inventory and detect and analyze attacks on ICS via passive monitoring. 130GB of packet captures from a real ICS were anonymized, and then a very complex attack scenario was inserted. In the end only Dragos and Kaspersky stepped up to the Challenge.

Risk, Utility & The Public Good (Cyber Insurance for ICS)

This presentation plays off a book Eireann recently co-authored, Solving Cyber Risk. Eireann shows how the insurance industry looks at the issue of writing policies for risks with limited data. And he shows how cyber insurance policies can be and are being written for potential ICS losses.

A New CVSS For ICS Vulnerabilities

In this session, Billy Rios, Clint Bodungen and Art Manion present their suggested modifications to the CVSS for ICS vulnerabilities. They score the same vulnerabilities and then discuss the pros and cons of each other’s methods.

Small Pox, Armor and ICS Security

Michael Thompson gave an interesting, 20-minute think piece that tied well into the S4x19 Create The Future theme. It revolved around stories of the smallpox vaccine and armoring WWII allied planes, where the success involved looking at the problem very differently.

Layered Blueprints for OT Security

Sarah Fluchs begins with a bold statement, reminiscent of an earlier Witch Doctor vs. Engineer S4x12 session, “OT Security Engineering does not deserve to be called Engineering.” She then lays out a series of three questions that must be asked and a methodology to answer the questions.

Cyber-Physical Response – Lessons Learned from Liberty Eclipse II

A number of US Government agencies funded and worked on a project to learn more about the ability to respond to a blackout caused by a cyber attack or incident. They went to Plum Island, where people would not be affected, and created a very realistic scenario. All roles that would typically be involved were there.

Triton – A Report From The Trenches

Julian Gutmanis was in the plant that was compromised by Triton, and he was involved in the response and recovery. This is his first-hand report. Here are some of the highlights: the initial outage was related to one down controller on a Saturday in early June, 2017; six controllers went down in the August, 2017 attack; DCS reflected normal operation during both outages.

Hyper-Connectivity Will Improve Cybersecurity

Dave Weinstein makes the counterintuitive point that hyper-connectivity will improve cybersecurity / reduce risk. Up until now hyper-connectivity has tracked with improved offense while defense lags. Dave’s point is that hyper-connectivity, paired with the visibility it can provide, will help the defender much more than the attacker.

Andrew Ginter’s SEC-OT

Unidirectional Gateway devotee Andrew Ginter of Waterfall introduces the Secure Operational Technology: SEC-OT philosophy that underlies his book of the same title. The key and controversial tenet is “forbid firewalls as connection from ICS to IT networks – permit only unidirectional gateways”.

Averting Supply Chain Attacks

Ed Turkaley begins with an opinion that advanced semiconductor design and manufacturing is the key to the trade wars, and why. He then pivots and discusses the key elements of a supply chain security program geared towards ICS.

Digital Ghost: Real Time, Active Defense for ICS

This is a presentation we chased hard for S4x19. Colin Parris and Justin John of GE explain how they have expanded their Digital Twin efforts to add security. Two big takeaways for me: process variable anomaly detection is an important part of the future detection solution. It is what the asset owner actually cares most about and will detect all cause cyber incidents

In Firmware We Trust: Securing The Software Supply Chain

The first 40 minutes discuss the importance and difficulties of securing the ICS software/firmware supply chain, and the community effort that aDolus is working on so asset owners can get assurance in what is provided by the vendor or integrator prior to using it in their ICS.

2019 SCADA Diva Award Ceremony

Bryan Owen is the proud winner of the SCADA Diva award. This presentation was fun because it followed a pirate / shark skit. Bryan takes over the Diva hardhat from Mike Assante.

A 2nd Monitoring Network at Level 0/1

ICS security legend Joe Weiss sets foot on the S4 stage for the first time. Joe and Amir Samoiloff make the case that monitoring network traffic to detect ICS cyber incidents is insufficient. They contend that without data taken directly from the sensors, before it has been processed by the PLC / Level 1 device or converted from serial to Ethernet, monitoring will miss important information. They close the presentation with some case studies that support their case.

ICS Honeypots – How To Use Them

This S4x19 discussion is on the state of the art in ICS honeypots and honeynets. How and when should an asset owner consider using them? Where should they be placed? And what expectations are reasonable for detection and threat intelligence?

Overall Equipment Effectiveness (OEE) As An ICS Cybersecurity Metric

Inaki Eguia first explains the OEE calculation and then goes over some ICS examples. He makes the case that OEE is a metric that should drive the determination of the security posture and where security-related resources should be spent.

Is The Purdue Model Dead?

Joel Langill and Brad Hegrat join Dale Peterson to answer this question. The Purdue Model was used as THE MODEL when it came to ICS security, and it worked well in a traditional plant or factory environment. Is this true in the coming world of cloud services, IIoT and other changes? Joel, Brad and Dale discuss and actually reach a mostly common understanding.

Debate: Are OT Specific Tools & Talent Required To Detect Attacks On ICS?

We called this the Miller’s Crossing debate. Ben Miller took the pro position that OT Specific Tools & Talent are required. Steve Miller took the con position, and Dale Peterson moderated this 30 minute debate.

Network Traffic Collection Methodologies

A great primer on the different options for collecting and forwarding ICS traffic. Some good examples of the amount of traffic generated on an access switch in a Rockwell Automation environment.

Consequence Based ICS Risk Management

Dale talks with Andy Bochman about Consequence-Driven, Cyber-Informed Engineering (CCE) and John Cusimano about CyberPHAs. This focus on the consequence side of risk management is gaining attention. It’s not a replacement for security controls that will reduce likelihood, but it may be more efficient risk reduction than some security controls and lowers the maximum impact of a successful attack.

Stage 2: Technical Deep Dives

The Industrial Radio Project – Hacking Cranes Using SDR

Cranes and other mobile equipment lack basic security controls. When operation is local and wired, this risk is minor. When they move to wireless control, it becomes possible for an adversary even 1 or more kilometers away to take control of the crane, as Stephen Hilt and Jonathan Andersson of Trend Micro show at S4x19 in Miami South Beach.

Will Your Protection System Work In A Cyber Incident?

Protection and Safety systems are designed and deployed to prevent high consequence incidents from happening. The ICSsec community has seen examples, Stuxnet and Triton, where these systems have been hacked and modified to prevent proper operation. But what if it isn’t even necessary to attack the safety or protection system to prevent it from doing its one task?

PASTA – Portable Automotive Security Testbed with Adaptability

Take a look at a portable auto simulator that can be used for offensive and defensive security testing. It has ECUs, an OBD-II port and the CAN protocol, just like a car. At 5:20 there is a close-up of the PASTA suitcase and displays.

Persisting in Level 1: The Building is Alive

This is a great example of the steps an attacker would take to attack, exploit and persist on an industrial control system (ICS), specifically a building control system, in this presentation by Elisa Costante of Forescout.

How to Fix the People and Skills Problem in Securing Building Automation Systems

Why are Building Automation Systems in such an insecure state, and more importantly what will it take to change that? James Houston identifies the challenge in getting people with the right skills involved.

VPNFilter Deep Dive

The definitive video on the ICS module in VPNFilter from Carl Hurd and the team at Talos. The fact that this Modbus / HTTP module was so targeted (one device and selected IP) and yet did so little (logging only) is one of the mysteries. An overview of VPNFilter and detail on that ICS module.

CoDeSys Fail

The CoDeSys Runtime System is in at least 340 different models of PLCs across a wide range of vendors. And it is a hot mess (technical term) from a security perspective. In this S4x19 Stage 2 video, Aleksandr Nochvay of Kaspersky goes through the protocol field by field, and then at 22:20 goes over 5 of the many vulnerabilities in this system.

A Distributed Auto Charger Attack On The Grid

Ken Rhode of Idaho National Labs starts with a video showing how they can hack the auto charger HMI to affect the state of charge in the vehicle and emergency stop charging. The second part of the video shows how a compromised vehicle can fool the charger on status.

Threat Modeling Belgian Energy Producers

Jasper Hooft of Toreon explains their three-phase approach to securing ICS via threat modeling. He uses the example of a wind turbine (windmill).

PLC’s: Backdoors in Disguise

Roee Stark of Indegy shows how the Rockwell Automation controllers can be used to forward attacks through both IP and ControlNet networks. This is due to a very full-featured CIP networking stack that lacks authentication.

Cybersecurity PHA: Consequence Based Security

Jim McGlone outlines his approach to performing a Cyber Process Hazards Analysis for ICS, and interestingly he ties this into his navy experience on submarines with some great stories and photos.

Public Ledger Technology: Code Signing and Device Birth Certificates

Clay Carter of GE shows how they are using Certificate Transparency (CT) and Binary Transparency (BT) to prove software integrity. Code signing alone is not enough due to risk of CA compromise. This technical session on S4’s Stage 2 walks you through how the process works.

ARM Hardware Security

A Stage 2: Technical Deep Dive on how to (and how not to) use the hardware security capabilities available in ARM processors. Jon Taylor of Revolutionary Security covers the why and how and ends the session showing how it is used with other components on a board.

Making Power System Cybersecurity Part of the Engineering Process

The difference in how engineers and cybersecurity professionals approach a project is large. This presentation looks at how to add the engineering discipline to cybersecurity. Specifically it shows how this is being standardized in two IEEE standards efforts. Nathan Wallace of Cybirical, the chair of those two standards working groups, presents the approach and some detailed examples.

Closing Panel with Rob Lee, Dale Peterson and Zach Tudor

Always a hit at S4, Dale Peterson talks with Rob Lee and Zach Tudor about the state of ICS Cybersecurity. What aren’t we talking about? Where are we making good progress? Are we gaining ground or losing ground in defending ICS? Speed? Does .gov help? Most important of the 5 NIST CSF functions at this time? And much more.

Unsolicited Response S4x19

We close down Stage 2 at S4 with Unsolicited Response. Speakers are allowed 5 minutes to talk (rant) about whatever they want. Some are funny. Some are project ideas. Some are blowback on a session they thought was dead wrong. And there is craft beer and root beer served.

Sponsor Stage

Extreme Visibility – Claroty S4x19 Sponsor Session

Patrick McBride of Claroty took the Sponsor Stage to present: Extreme Visibility for Better Threat Detection and Reduced TCO. He began with an overview on the company

Active or Passive Detection? – Indegy Sponsor Session

Barak Perelman of Indegy defines and makes the case for an Active capability in the class of products that creates an ICS asset inventory and detects attacks on an ICS. At 25:00 there is a video from the City of Raleigh on how they use the Indegy solution.

Weakness at the Boundaries – Cisco Sponsor Session

Robert Albach, who is responsible for the Industrial Security Products at Cisco, took a broad network architecture with Cloud, HQ, DMZ and Factory Zones and then mapped recent attacks on ICS to this architecture, showing what the attackers did and how they could have been stopped at various boundaries.

Beyond Visibility – Towards Analytics … Radiflow Sponsor Session

From the S4x19 Sponsor Stage, Yehonatan Kfir of Radiflow talks about the end goal of visibility … actions and insights. Visibility of the ICS and ICS communication is not the end goal and “extreme visibility” can lead to “extreme confusion” without the right analysis capability.

Nozomi Networks: Lessons Learned After 1,000 Installations

The Nozomi Sponsor Stage session from S4x19. First 10 minutes are on the company and offerings. 10:25 starts a description of common findings / security issues in the initial days after install. Good questions in the Q&A that starts at 19:20.

Sentryo: Lessons Learned Through Our OT Security Journey

Bob Foley presents on the S4x19 Sponsor Stage. He introduces the company and product, and then spends most of the 25 minute session describing situations they have run into deploying ICS detection technology and lessons learned.

Dragos Sponsor Session: ICS Cybersecurity Technology Selection

Beginning at 11:20, Matt Cowell lays out his view of how to evaluate asset inventory and detection products. He provides an approach and high-level evaluation criteria. The first 11 minutes are an introduction to Dragos and an overview of the asset owner challenge in evaluating ICS cyber security solutions today.

Rockwell Automation’s Approach To An Effective Cybersecurity Strategy

Megan Samford & Umair Masud of Rockwell Automation present their company’s automation product line and how they are helping their customers secure their ICS and processes. It is a combination of products, services and partnerships with some practical customer examples.

Attack Surface in ICS: Do you have a Badness-ometer?

Harry Paul of OSIsoft and Adam Hahn of Washington State University each demonstrate a tool to measure and assess the security of an ICS cyber asset. As you might expect, the OSIsoft tool audits the security posture of deployed PI components. The WSU tool can be run on any cyber asset. Both tools are available free of charge.

Mocana Sponsor Session: Automated Security Lifecycle Management

Dean Weber of Mocana goes into detail on the challenges and crypto and process solutions to the supply chain problem. He covers the development, onboarding, enrollment and update phases, and he stresses how this can be automated to lessen the burden while still providing strong security.