The Autobahn – 301 Level ICS Security Training
S4x19 had The OnRamp – 101 Level ICS Security Training. S4x20 had The Highway – 201 Level ICS Security Training. Now at S4x22 we are bringing 301 Level ICS Security Training to the day before S4x22 in what we are calling The Autobahn (and yes, we are working on a fun poster for it).
The Autobahn will have four 1.5 hour sessions, with time for your questions, on the following topics:
Digital Forensics and Incident Response for PLCs
Instructors: Glen Chason and Ken Proska of Mandiant
Collecting and analyzing forensic data is a core component of the incident response process. This process is central to determining the scope of a compromise, the tools used by adversaries, and their capabilities. However, obtaining digital forensics and incident response (DFIR) data from PLCs and other level 1 devices is a challenge: embedded systems are normally outside the scope of traditional forensic methodologies, so defenders need to identify or define tools and new methodologies to gather data from these systems.
This session will help students take a systematic approach to gathering forensic data, building collection frameworks, setting security baselines, and establishing structured incident response processes for PLCs. Where possible, native functionality built into OT devices will be used. Specialized tools that support this methodology will also be introduced.
Top 20 PLC Secure Coding Practices
Instructors: Vivek Ponnada and Dirk Rotermund
At S4x20, Jake Brodsky asked why engineers and technicians aren’t trained to code and configure PLCs in a secure manner, and then gave examples of what should be taught and done. The S4 community took this great idea and created the Top 20 PLC Secure Coding Practices. These practices are not classic security controls, and they can be implemented in most PLCs. You will get some vivid examples of how to implement some of the practices and why the practices are important. This is the kind of information you can use to get the team that programs your PLCs to dig into this issue and the top 20 list.
Software Defined Networking (SDN) Technology, Use and Management in ICS
Instructor: Tim Watkins of SEL
The zero trust principle and buzzword have been getting a lot of attention in 2021. SDN is one technical approach to achieving zero trust and is being deployed in leading/bleeding edge ICS. This session will begin by briefly describing SDN and its benefits. The majority of the session will provide examples and lessons learned from early SDN deployments. Learn which systems are good candidates (and which are not) for SDN; what some of the major challenges are in deployments and ongoing operations; and how an SDN deployment can provide network resilience.
As an added bonus, the session will describe how the SDN controllers can be deployed as containers.
Security, Orchestration, and Automation (SOAR) in ICS
Sure, data from OT is being exported to SIEM and then SOAR, but is anyone doing anything with it? Yes, and in this session you’ll learn where some of the early, low risk wins are, and who and how much effort are required to get those wins. Learn how automated isolation, workflow tickets, updates to asset management and more can be achieved. The session will use Swimlane, QRadar, Tripwire and other systems as examples, but the techniques can be used with any vendor’s systems.