S4x20 took place Jan 20-23 in Miami South Beach. It began on the 20th with the one-day, 201-Level ICS Security Workshop that we called the Highway. Eight of the world’s best trained 120 students, and their content lives on in the online Highway Workshop that is offered for free about every two months.
The three-day S4x20 kicked off on Tuesday the 21st with a record 719 people in attendance for the three-stage event.
S4x20 also hosted the inaugural Pwn2Own aimed at ICS software. ZDI ended up awarding $280,000 for researchers who were able to exploit the targets, and they covered the Pwn2Own Miami contest in detail on their site.
The official social events were the Welcome Party on Tuesday night (unusually cold), Cabana Sessions on Wednesday afternoon, and the Craft Beer Bash to close things out on Thursday. There were many more informal or vendor-sponsored social events. The opportunity to make and renew relationships in a creative environment with the best in the world is for many the highlight of S4 week.
The sessions were great, with advanced and innovative content, both technical and non-technical. We are releasing the S4x20 videos, one per stage each week. Below are links and descriptions by Stage. You should subscribe to the S4 Events YouTube Channel so you also can see clips, interviews, and other S4 content.
Dale kicks off S4x20 with 15 minutes discussing ICS security community growth, failure to stop predicted incidents, and the focus on executive communication and risk management. He closes with a recommendation and plea that ICS security professionals use this fantastic demand for their talent to find something they believe in, enroll in it, and help create the future of OT / ICS security.
Dale Peterson interviewed an electric sector and ICS legend on the S4x20 Main Stage. He was the perfect person to interview related to the event theme: Create The Future in OT and ICS security. It’s a wide-ranging and fun interview (Ed has a great sense of humor).
ZDI ran the first Pwn2Own competition on ICS software at S4x20 in Miami South Beach. They gave away $280K in prize money for 0day exploits. In this session Dustin Childs of ZDI goes over the competition and results. And he awards the Master of Pwn award to the team that got the most points in the competition.
Director Krebs came down to S4x20 in January ’20 to tell the ICS security influencers what CISA is doing to help protect ICS and how the community can get involved.
Lisa Sotto of Hunton Andrews Kurth LLP presents the current law related to executive and board governance and cyber risk, what is in place today and what is coming. This can help ICS security professionals understand how to communicate with executives.
Ralph Langner, Art Manion and Dale Peterson tackle this difficult and oft-discussed topic. There were two main goals: 1) Use a risk-based approach to significantly reduce the number of patches that need to be applied immediately or frequently. 2) Automate the evaluation of the patches so creating this prioritized patching list is simple and not time consuming.
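The two goals above, a risk-based cut of the patch list and an automated evaluation, are shown together in this added illustration. It is not the panelists' tool or method: the patch attributes, the weights, the tier thresholds and the advisory identifiers are all assumptions constructed for the example, and a real program would take them from its own risk model and asset inventory.

```python
# Added illustration of risk-based patch triage (not the panelists' tool).
# Fields, weights and tiers are assumptions for the example; the advisory
# identifiers and asset names are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    advisory: str         # constructed identifier, not a real advisory
    asset: str
    exposed: bool         # asset reachable from a less-trusted zone
    exploit_public: bool  # a working exploit is publicly known
    impact: str           # "safety", "process", "availability" or "low"
    compensating: bool    # an existing control already blocks the vector


IMPACT_WEIGHT = {"safety": 4, "process": 3, "availability": 2, "low": 1}


def score(p: Patch) -> int:
    """Higher means patch sooner. Exposure and a public exploit each double
    the impact weight; a compensating control halves the result."""
    s = IMPACT_WEIGHT[p.impact]
    if p.exposed:
        s *= 2
    if p.exploit_public:
        s *= 2
    if p.compensating:
        s //= 2
    return s


def tier(p: Patch) -> str:
    """Map a score to one of three scheduling tiers (thresholds assumed)."""
    s = score(p)
    if s >= 8:
        return "immediate"
    if s >= 4:
        return "next maintenance window"
    return "deferred"


def prioritized(patches):
    """Return (advisory, tier, score) rows, most urgent first."""
    rows = [(p.advisory, tier(p), score(p)) for p in patches]
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample inventory of pending patches.
SAMPLE = [
    Patch("ADV-0001", "safety-gateway", exposed=True, exploit_public=True,
          impact="safety", compensating=False),
    Patch("ADV-0002", "plc-line-3", exposed=False, exploit_public=False,
          impact="process", compensating=False),
    Patch("ADV-0003", "eng-ws", exposed=True, exploit_public=True,
          impact="availability", compensating=True),
    Patch("ADV-0004", "hmi-2", exposed=True, exploit_public=False,
          impact="low", compensating=False),
]

if __name__ == "__main__":
    for advisory, t, s in prioritized(SAMPLE):
        print(f"{advisory}: {t} (score {s})")
```

Only one of the four sample patches lands in the "immediate" tier; the rest wait for a maintenance window or are deferred, which is the reduction the first goal is after. Because the inputs are plain fields, the same function can be re-run whenever an advisory or the asset inventory changes, which is the second goal.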
Megan Samford of Rockwell Automation proposes that the Incident Command System approach that the federal, state and local governments use to address natural disasters, such as hurricanes, fires and floods, be adopted to provide a similar response capability for ICS cyber incidents.
Rebekah Mohr of Accenture begins by talking about her experience in the early days of anomaly detection in OT, when she didn’t select it, or even want it, and one day it generated so much traffic that it caused an outage resulting in a $1M+ loss. And then it was unplugged.
The need for a software bill of materials (SBOM) is widely agreed upon, and there are efforts underway on how to create and provide an SBOM. This then raises the question: what do asset owners and vendors do with an SBOM?
Derek explains three of the challenges they are facing. The one I find most interesting is the fidelity vs. effort tradeoff and decision. Interestingly Moody’s thinks it is important that they do not provide remediation services so there is true independence.
Thrilled to welcome Jason Larsen back to the S4 Stage. In this session Jason goes over hour by hour what he did in the first 14 hours of an assessment / pen test of an electric system. It shows how a highly experienced and talented pro would approach the problem and how they could succeed.
Tobias Scharnowski presented the work that he, Ali Abbassi and others at Ruhr-University Bochum, Germany did on the Siemens S7-1200 PLC. They extracted and reverse engineered the bootloader code and found a ‘special access feature’. They go into detail on the S7-1200 architecture, where the special access feature was found, and how they can use this to get unconstrained code execution on the device. This includes a video showing how it was done.
Mark Carrigan of PAS looks at a different type of vulnerability, really more weaknesses or flaws related to the process that can be exploited by an attacker with automation and engineering skills. He goes over examples of ubiquitous weaknesses (found in most systems) and unique weaknesses (specific to a vendor / model). He also covers the number of classic vulnerabilities by ICS vendor.
Matthew Backes of MIT Lincoln Laboratory highlights the need to reassert control over our control systems through positive control / configuration control. Current approaches tend to be ad hoc and vendor specific.
Bryan Singer is one of the real pioneers in cyber / physical attacks on ICS, and still is on the leading edge in thinking about and figuring out how to stop these attacks. In this session he introduces his Critical Attack Flow Modeling, including some interesting questions. For example, “what happens if we mess with this?” The model includes looking at the likelihood of attack, likelihood of successful compromise, and likelihood of creating damage.
Jake Brodsky of Jacobs provides important examples of Security Coding Practices for PLCs on the S4x20 Stage 2: Technical Deep Dives. He points out that it is too often assumed that bad things won’t happen because the HMI won’t send such a command, but what if it is an attacker who chooses not to use or respect the HMI limitations?
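The practice behind that point, the PLC logic enforcing its own limits instead of trusting the HMI to send only sane values, is shown in this added example. It is written in Python so it can be run here and is not Jake Brodsky's code; the tank-level loop, its engineering limits, the ramp rate and the status strings are constructed for the illustration.

```python
# Added example: a setpoint handler that treats every write as untrusted,
# whatever the HMI's own limits are. Python stand-in for PLC logic; the loop,
# limits and status strings are constructed, not from the session.
import math


class SetpointGuard:
    """Validates every setpoint write as if it came from an untrusted source."""

    def __init__(self, lo: float, hi: float, max_step: float, initial: float):
        self.lo, self.hi, self.max_step = lo, hi, max_step
        self.value = float(initial)   # last accepted engineering value
        self.rejected = 0             # counter an alarm block can watch

    def write(self, requested, interlock_ok: bool = True):
        """Apply one write. Returns (value now in effect, status string)."""
        # 1. The value must be a finite number; NaN/inf would poison the loop.
        if not isinstance(requested, (int, float)) or not math.isfinite(requested):
            self.rejected += 1
            return self.value, "rejected: not a finite number"
        # 2. Process interlocks are checked in the PLC, not only on the HMI.
        if not interlock_ok:
            self.rejected += 1
            return self.value, "rejected: interlock not satisfied"
        # 3. Engineering limits live in the PLC; a raw protocol write cannot
        #    bypass a limit the HMI screen would have enforced.
        if not (self.lo <= requested <= self.hi):
            self.rejected += 1
            return self.value, "rejected: outside engineering limits"
        # 4. Rate-of-change limiting: move at most max_step per scan so a sudden
        #    jump (operator slip or hostile write) cannot shock the process.
        step = requested - self.value
        if abs(step) > self.max_step:
            self.value += math.copysign(self.max_step, step)
            return self.value, "limited: rate of change"
        self.value = float(requested)
        return self.value, "accepted"

    def alarm(self, threshold: int = 3) -> bool:
        """True once repeated bad writes suggest the sender is not the HMI."""
        return self.rejected >= threshold


if __name__ == "__main__":
    g = SetpointGuard(lo=10.0, hi=90.0, max_step=5.0, initial=50.0)
    for req in (53, 200, 70, float("nan")):
        print(req, "->", g.write(req))
    print("alarm:", g.alarm())
```

The rejected-write counter is the detection hook: a single out-of-range write can be a typo, but a run of them from a source that ignores HMI limits is worth an operator alarm rather than silent clamping.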
Maggie Morganti of Oak Ridge National Lab (ORNL) looks at “demand side” attacks – getting into devices on the consumer side and causing the problems with grid reliability. Particularly looking at demand side attacks on low inertia systems. A utility doesn’t have jurisdiction to protect a customer’s system.
Five minutes from Jason’s Highway training session. In this clip we show excerpts of “physics payloads” in a cyber / physical attack on an ICS. Jason covers a number of different categories of physics payloads, quickly and yet still in technical detail. The whole 40-minute session is amazing.
It was actually the first time I’ve met or spoken with Chris. I found him to be frank, thoughtful and most importantly less constrained into bureaucratic speak than usual for someone at his level in government. We talk about the effective use of DHS’s big megaphone, the status of information sharing, reaching out to small / medium critical infrastructure, the future of ICSJWG and more.
This Forescout session looks at the five functions in the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. For each function Brian Proctor and Sandeep Lota cover industry trends and then how Forescout products can help meet the requirements for the function.
Anton Shipulin and Vladimir Dashchenko of Kaspersky take 20 minutes to go over all the contributions Kaspersky is making to educate and help the ICS security community. It’s an impressive list.
Dan Shugrue of CyberX presents the key findings from their 2020 Global IOT and ICS Risk Report. And then introduces some broad based suggestions on how to address these risks leveraging some of the guidance from INL’s CCE.
Andrew Ginter of Waterfall Security Solutions shows how OT / ICS networks can be monitored without providing external access to these networks. It involves passing mirrored switch traffic through a unidirectional gateway to a sensor on the enterprise. This allows the analyst to access and tune the sensor without requiring access to the ICS zone.
Scott Coleman and Dennis Lanahan of Owl Cyber Defense show how data diode technology can meet many of the US DHS recommendations and stop 583 documented cyber incidents. Approaches include one-way out, one-way in, and a two-way solution that uses two one-way data diodes.
Ian Schmertzler of Dispel on how Dispel’s solution provides rapid, secure remote access to ICS. What is unique about this session is he focuses on the time savings and user preference / happiness with being able to simply get remote access (as opposed to jumping through multiple servers and hoops to get to the ICS). Of course he also covers the security of their solution.
Yiannis Stavrou of Nozomi Networks talks about encryption in ICS: the challenges in terms of latency and key management, where it is being used today and in the future, IEC 62351 with emphasis on Parts 3 and 7, and how to passively monitor an encrypted ICS network.
Nick Ritter and Marcelo Carvalho of GE discuss how they have integrated security into their development process. They focus on some of the challenges with agile / rapid development that is not going to wait for a traditional security development approach. For example, a two to four week pen test is way too long for a 4 to 6 week sprint. It can support about 48 hours of testing.
Andrey Ristaino of ISA covers the latest in ISASecure certifications, the ISA Global Cybersecurity Alliance (ISAGCA), and project LOGIIC. There is a compelling reason to participate in ISA at the end.