S4x17

S4x17 has three stages running at the Jackie Gleason Theater:

  • The Main Stage is where the big-name speakers, related topics and information needed by the Plant Manager or CIO are presented. This is still advanced content assuming the audience is well versed in ICS and security, but it is less technical than Stage 2.
  • Stage 2: Technical Deep Dives is the place to see the most technical ICS security content in the world. There is no other event that goes this deep into the technical detail.
  • Sponsor Stage: Just like it sounds. Sponsors are given 30 minutes to present on the ICS security or OT topic of their choice. The Sponsor Stage speakers and agenda rival the other top ICS security conference programs, so make sure you consider these talks as well.

We have a great agenda lined up for S4x17 and only the first 25 sessions are listed here. There are 23 more sessions that we are finalizing for the Main Stage and Stage 2: Technical Deep Dives, and there will be 17 more sessions on the Sponsor Stage.

Agenda

  • Tuesday, January 10, 2017
    5:00 PM  -  8:00 PM
    Welcome Party - Come Together

    Join us in the Miami Botanical Gardens for fun, food and drink with your fellow attendees.

    The S4 Welcome Party is famous for its unusual entertainment and vibe. This year looks better than ever. Spouses and significant others are welcome to attend.

     

    Main Stage

    9:00 AM  -  9:30 AM
    Come Together!

    Dale Peterson kicks off S4x17 with a mini-keynote to introduce the theme of the event: Come Together!

    9:30 AM  -  10:00 AM
    Keynote: Protecting National Assets Against Nation State Threats

    Mary B. McCord is the Acting Assistant Attorney General and Principal Deputy Assistant Attorney General for National Security at the U.S. Department of Justice. Ms. McCord oversees nearly 400 employees responsible for protecting the country against international and domestic terrorism, espionage, cyber, and other national security threats. She also works closely with the nation’s 93 United States Attorney’s Offices in the investigation and prosecution of national security matters in their districts.

    Ms. McCord joined the National Security Division in 2014 from the U.S. Attorney’s Office for the District of Columbia, where she served for nearly 20 years, most recently as the Criminal Division Chief. In that capacity, she supervised the prosecution of all criminal matters in federal district court. Ms. McCord also served for more than five years as a Deputy Chief in the Appellate Division, where she supervised and argued hundreds of cases in the U.S. and District of Columbia Courts of Appeals. Ms. McCord graduated from Georgetown University Law School, and clerked for Judge Thomas Hogan of the U.S. District Court for the District of Columbia.

    10:00 AM  -  10:15 AM
    News From Ukraine

    A quick, 15-minute preview of a longer talk in the afternoon. This session will provide the news and important facts from the 2016 attack on the Ukrainian electric grid. The afternoon talk will delve into the technical details.

    11:00 AM  -  11:30 AM
    Sitting Under the Industrial Sword of Damocles: Four Predictions Everyone Must Consider

    The new age of automation will present immense wealth, luxury and power to its masters but they will also be living under a very real threat. Learn about four trends that will change the way we think about risk and dictate new approaches to address them. This talk relies on case studies to dive into the implications of Scale, Consequences, Convergence, Concentration, Control and Access in tomorrow’s world. Find out how Dale’s warnings are coming home to roost. Beware, the audience will be asked to resist the siren song of today’s vision for the Industrial Internet of Things.

    11:30 AM  -  12:00 PM
    Uncomfortable Truths Require Uncomfortable Response

    CyberPolicy is upon us. Ready or not, like it or not, the public policy world is acting with regards to CyberSecurity and CyberSafety issues. Many of you knew this day would come. Many of you were right, but you were early. They say timing is everything, and the time has come. 2016 was an inflection point and a flurry of action (both informed and less so). 2017 promises to be even more turbulent. Together we'll review many of the most substantive government and policy events/actions of 2016 - and talk about taboo topics which we can no longer avoid as we head into 2017.

    We will walk through regulation, coordinated disclosure, guidance for connected vehicles (NHTSA) and medical devices (FDA), DHS guidance for IoT, the Presidential Commission Report, and yes... even Nutrition Labels for SW/IoT and Software Liability. We don't all have to agree. We don't all have to like it. We do need to be ready to engage - and (more importantly) to help shape, sculpt, nudge, influence, drive what we end up with.

    1:00 PM  -  1:30 PM
    MUD - To Help Secure IoT

    This session will describe the basics and purpose of the Manufacturer Usage Description (MUD) protocol, a proposed modification to the DHCP standard that is currently under review by the IETF.

    Many IP-enabled devices, such as IoT devices, cannot or will not provide their own protection. So rather than expect that manufacturers will keep up with all of their devices and provide solid security, MUD spreads the security load. The result is that the manufacturers provide their expertise on what’s appropriate behavior for their devices and network security vendors can ingest that info to create network policy, primarily to prevent lateral movement within the network.

    1:30 PM  -  2:15 PM
    Panel: Will ICS Certification Make A Difference ... And When?

    We have a growing number of ICS cybersecurity certification efforts, but arguably none have become "THE" certification or had a significant impact.

    This panel will discuss what challenges need to be solved to result in a helpful ICS security certification; what the certification landscape is likely to look like in the next 1, 3 and 5 years; and what we can realistically expect from a certification. While two of the panel members represent certification entities, the third is a certification skeptic and the moderator is undecided on the issue.

    Additional Panelists To Be Announced

    2:15 PM  -  2:45 PM
    Cyber Nationalism: How Nations’ Offensive and Defensive Ops Affect All of Us

    ICS Vendors and Asset Owners that do business around the world are facing an increasingly difficult and complex challenge with the rise of cyber nationalism. On the defensive side, there is a need to comply with a different set of security regulations in each country. Even more challenging can be convincing a foreign government, even an allied foreign government, to allow access to critical infrastructure. The offensive side can be even more tricky. What happens when the government knocks on the door and demands access?

    This session will give examples of the key challenges and what multi-national organizations can expect in the future. Solutions will be difficult, but you will at least learn of the problems and some approaches to consider.

    3:15 PM  -  4:00 PM
    Breaking News: Ukrainian Power Grid Hack

    Ukraine is the site of the latest ICS cyber attack, again just prior to S4.

    We will bring you the latest news and technical information on the incident straight from Ukraine.

    4:00 PM  -  4:30 PM
    Security Economics for an Engineering, Procurement and Construction (EPC) Company and Their Customer

    Industrial companies and critical infrastructures want to have cybersecurity injected in their projects, processes and facilities, and they include “some” requirements in their scopes of work. Automation vendors provide the technology (and sometimes knowledge) for the process, and have different postures on cybersecurity (developing their own cybersecurity offering, partnering with cybersecurity vendors, etc.). EPC (Engineering, Procurement and Construction) companies carry out the detailed engineering design of industrial projects, procure all the equipment and materials necessary, and then construct a functioning facility for their clients ... or at least that's the way it is supposed to work.

    Cybersecurity has brought a new layer of complexity to the mega-projects, adding new costs and risks to the already cost-sensitive and high-risk projects. And cybersecurity "success" is hard to objectively measure.

    The lack of the right cybersecurity skill sets and capabilities in the EPC brings additional problems to the project, with unclear compliance to the scope of work, scope deviations, hard relationship issues, or hidden costs throughout the years. All of this makes the economics of injecting cybersecurity into an EPC project a big challenge for them. What financial incentives can the EPC identify to view cybersecurity as profitable, or at least not as a cost black hole? How can EPCs, automation vendors and industrial companies work together to improve the protection of our industrial processes? What’s the reality in the EPC world? A case will be shared on the reality of cybersecurity in a multi-year mega-project, its challenges, stakeholders, role of the EPC, the automation vendor, etc.

    4:30 PM  -  5:00 PM
    History of Industrial Cyber (in)Security – The Mashup

    This presentation will take a look at the history of the industrial cyber world from the early PLC days to the present. How and why we got here, the hurdles along the way, the incidents that made the news and the personalities that have emerged will all be explored – all in a light-hearted, irreverent “mashup” style montage using famous songs and movie clips.

     

    Sponsor Stage

    10:30 AM  -  11:15 AM
    From WTF to CTF

    Drawing from case studies, security engineering, 3rd party reports and our own experiences with vulnerability disclosure, the OSIsoft team sought to create an environment that highlights common mistakes, misconfigurations and misuse in a way that is both informative, and hopefully jarring. This talk will share the philosophy and methodology behind OSIsoft’s contribution to the Killer Robots, Inc. CTF environment. We also provide a primer on PI security for any CTF player interested in attacking the safe harbor for data between IT and OT networks, the PI System.

    11:15 AM  -  12:00 PM
    Down the Rabbit Hole: Insights from Real-World ICS Vulnerability Assessments & Threat Research

    According to Deloitte, 31% of manufacturers have never conducted a vulnerability assessment, and 50% only do them occasionally. Most have no idea what vulnerabilities and malware are in their OT networks or where to start to address them. This talk will cover what CyberX has learned about the current state of ICS security, by performing automated vulnerability assessments in real-world OT environments across a diverse range of industries.

    We’ll also discuss the zero-day vulnerabilities that our threat research team has discovered in commercial products such as industrial firewalls and PLCs. Finally, we’ll describe RADIATION, the IIoT DDoS malware our platform discovered in the network of one of our customers – several months before Mirai took down Brian Krebs’ website. Unlike Mirai, RADIATION can’t simply be mitigated by closing open ports and changing default credentials, because it exploits a zero-day vulnerability in IIoT devices. RADIATION has already infected more than 25,000 devices, which are currently mobilized as a massive botnet army by cybercriminals providing DDOS-for-hire services.

    12:00 PM  -  12:45 PM
    Steps and Tips to Make Your Next Cybersecurity Project Successful!

    Grab your lunch and come join us for a BEER on Parsons!

    An EPC (Engineering / Procurement / Construction) company can help execute a cybersecurity plan for your OT and IT cyber infrastructure. Most ICS asset owners understand that cybersecurity is necessary, but many are not sure how to start seeking help (from an EPC or others) or how to put that request for help into writing. This presentation will review what is needed to be successful in your next cybersecurity project including:

    • How to ask for a pen-test of your ICS without getting bricked
    • Getting buy-in from other departments and how to utilize their budgets
    • Funding sources
    • Risk Management and how cyber insurance may play into it
    • Roles and Responsibilities between you, the EPC, and other stakeholders
    1:00 PM  -  1:45 PM
    Effective ICS Resilience – A Critical Review of Cyber Security Best Practice Recommendations
    Threats to infrastructure are increasing at an alarming rate. Success of the adversary to this point has been based on the failure of those responsible for securing industrial systems to sufficiently define the threats to business essential operations. Most fall back on traditional risk management frameworks that attempt to solve an operational security problem from an information security point-of-view. This shortcoming results in organizations protecting their industrial systems using information security weaponry, rather than fighting the battle with dedicated industrial cyber armor. This specialized armament must be strategically placed based on a comprehensive assessment process that targets a converged architecture of logical (cyber), physical (mechanical), and electromagnetic (wireless) assets.

    The result is an approach that shifts the focus from a particular “physical” ICS asset to the “logical” function which the asset supervises. The foundation of this methodology depends on the ability to properly identify physical and logical assets, while at the same time characterizing how these assets interoperate. This allows for the creation of security zones and their associated inter-zone conduits providing the ability to implement new levels of security that leverage the functions performed within these zones and not any particular component. The benefit to the end-user is a more resilient architecture designed to maintain business integrity, rather than simply looking at the operation of isolated assets. This integrated, holistic solution to cyber security and operational resilience bolsters an organization’s ability to anticipate, avoid and absorb threats.

    1:45 PM  -  2:30 PM
    Practical ICS Security: Lessons Learned from 12,000 Deployments

    In this presentation we will share some practical insights about the challenges in deploying security products in ICS networks. We will describe the different steps of securing ICS networks, from network assessment and auditing to final successful deployment. We will talk about best-practice procedures that operators should implement, even before installing any security products. This will be followed by a discussion of the products that can help operators achieve the required level of security.

    In addition, we will cover overcoming challenges involved in deploying inline firewalls without causing network disruptions, and in deploying Intrusion Detection Systems (IDS) in large distributed networks.

    2:30 PM  -  3:15 PM
    Critical Infrastructure v. Botnet Attacks – Winner Takes All

    In 2016 there are 5.5 million connected devices being added per day with a minimum estimate of nearly 21 billion internet-connected “things” running our world by 2020. On October 21, 2016 the Mirai variant of a botnet DDoS attack was used against Dyn’s managed DNS service. It took 11 hours to restore most of their services and user access was degraded and denied during that period.

    Is such an attack feasible against industrial and critical infrastructures? What would be the obstacles and opportunities for bad actors to use this publicly available malicious code to disrupt and even cause public harm? In this talk Belden’s Erik Schweigert will:

    • Discuss the levels of challenge for and against this type of industrial and critical infrastructure threat
    • Outline how the Mirai botnet and similar code can infect and take control of normally harmless and helpful smart devices
    • Show how Belden’s Tofino Xenon technology with granular Deep Packet Inspection could protect against similar DDoS attacks aimed at control systems
    3:15 PM  -  4:00 PM
    Cybersecurity Services for the Next Level of Automation

    Driven by business sustainability requirements, access to (near) real-time data within the automation industry has created a growing trend towards interconnectivity between control system and enterprise environments. A component of this trend is the movement away from proprietary control system platforms and technology, to a more open and interoperable Asset Control System. This development creates opportunities for businesses, but can also simultaneously increase their exposure to potential vulnerabilities. Due to the evolving, complex nature of control systems in the enterprise today, many asset owners simply do not know where to start when it comes to devising a security strategy. A lack of awareness about their current vulnerability state makes the effective application of security controls and/or processes difficult. Many customers lack experience in determining vulnerability levels, exposure, and possible impacts of threats to network and critical assets. They also face difficulty in effectively distributing and enforcing appropriate policies and procedures.

    This presentation will describe how an external Cybersecurity Services team can provide valuable assessment, implementation, maintenance, and education services for businesses focused on minimizing Operational Technology (OT) cybersecurity risks within their ICS environment. It will also include an overview of how IT / OT environments are converging today, the challenges with managing that process and the sprawl of the Industrial IoT. Finally, we’ll discuss some best practices that have been assembled from lessons learned in Building Automation Systems, Water / Wastewater, Refineries, and other critical infrastructure.

    4:00 PM  -  4:45 PM
    Rolling in the Deep: Why OT Specific DPI is Necessary for Complete Operational Awareness

    In order for anomaly detection to be effective, it needs to holistically discern deviations from ‘normal’ that include application level details. DPI technology supports this by providing visibility and controls to the critical commands and values shared between devices, networks and machines that define how the overall operation behaves. This requires the DPI technology to fully parse and understand the protocols used for this communication with no impact to the operation. This session will highlight how CyberFence’s DPI functionality can provide enhanced visibility and controls filling the voids left by existing ICS devices and technology. Hear how this technology can be used to enforce an application whitelisting policy (with relative ease) that protects embedded devices at the network layer. We will also discuss how CyberFence can increase network visibility for external software based anomaly detection tools. Also make sure to listen closely for flag clues as we reference implementation examples from the S4 Capture the Flag (CTF) where CyberFence technology is protecting a Variable Frequency Drive (VFD) and a Building Automation controller for two different challenges!


    Stage 2: Technical Deep Dives

    10:30 AM  -  11:00 AM
    The Antikernel - Hardware and Unprivileged Software

    Modular design has long been used in critical systems in order to ease verification and contain damage in the event of a failure (whether accidental or maliciously induced). Truly compartmentalized real-time operating systems, however, have remained elusive. We present Antikernel, a novel decentralized operating system architecture composed entirely of hardware and unprivileged software, and discuss the applicability of the architecture to SCADA systems.

    11:00 AM  -  11:45 AM
    STIX and Stones... and your Security Controls
    This session will focus on leveraging machine readable threat intelligence, specifically Structured Threat Information eXpression (STIX), in the context of ICS/SCADA. The goal of the presentation is to dissect the automated process of ingesting STIX files and utilizing this information to validate your security controls. Attendees will learn about: ingesting STIX, the different types of cyber observables and associated security controls, the automated conversion to attack scenarios and the validation of security controls. The session will conclude with a demonstration using real-world ICS specific threat intelligence.

    11:45 AM  -  12:15 PM
    Secure Modbus With Role Based Authorization
    Daniel Clarke of Schneider Electric provides all the technical details on a Secure Modbus protocol that Schneider Electric is proposing. Of particular interest is the way they are working role-based authorization into an ICS protocol.
    1:15 PM  -  2:00 PM
    Digital Forensics and Incident Response for PLC's and Other Embedded Devices

    On Friday there is a full day course on this topic, but for those that can't attend the course this will provide an overview of the techniques and technology. Of special interest is the toolkit to perform forensics on VxWorks and Windows CE, two operating systems commonly seen in ICS embedded devices.

    2:00 PM  -  2:30 PM
    How Deep Is Your ICS Deep Packet Inspection?

    NextGen Firewalls, Anomaly Detection, IPS, and Industrial Gateway devices are adding deep packet inspection (DPI) "support" for ICS protocols ... a positive trend. However support is in quotes because this can range from full protocol support to checking only a single byte in the protocol. How is an asset owner to know how deep is the DPI?

    This session will provide ideas on how to answer that important question, beginning by introducing the terms of the control plane and data plane as applied to ICS protocols. It will continue by identifying different types of protocol communication and qualitatively rate the security importance of each type. This will provide advice on what to consider for your RFP and product evaluations.

    2:30 PM  -  3:15 PM
    Tools for Practical Attacks on Analog-to-Digital Converter

    We live in the analog world but program and develop digital systems. The key element connecting these two worlds is the ADC (analog-to-digital converter), a small integrated circuit (IC) that transforms a physical variable (amperage or voltage) into a bunch of bytes. It is important for the ADC to interpret and transform its data correctly. Ignoring this fact, especially in the ICS and embedded world, could lead to decreased safety of the process and, in the worst case, to catastrophic consequences.

    Due to the nature of the ADC's conversion mechanisms, it is possible to generate special signals (with arbitrary waveform, frequency and amplitude) that could be interpreted differently by devices on the same fieldbus. These "features" could be used for attacking or hiding attacks against ICS infrastructures. This session will discuss how to use AA-filter features for attack and defense, and talk about other types of ADCs, like flash and pipeline. The main part of the talk will be about tools that could be used for such attacks: custom hardware boards for modeling and experimenting and special firmware for PLCs, sensors and transmitters.

    4:15 PM  -  4:45 PM
    Analysis of IoT Botnet Techniques

    The CCTV-IoT botnet that hit Krebs and others with DDoS attacks introduced new techniques in attacking ARM processors not commonly found in PC botnets as well as new propagation methods. This session will go deep into reverse engineering IoT botnet software that has been seen to date and make some predictions on what we can expect in the future.

  • Wednesday, January 11, 2017
    1:00 PM  -  5:00 PM
    The Cabana Sessions

    The S4 Cabana Sessions are a chance to maximize your time with fellow attendees and sponsors, around the pool in the great Miami South Beach weather.

    There will be special CTF challenges, Q&A with speakers, and other technical activities for those who cannot get enough advanced content.

     

    Main Stage

    9:00 AM  -  9:30 AM
    Keynote: D. Renee Tarun, Deputy Special Assistant to the Director, NSA for Cyber

    Ms. Tarun is the Deputy Special Assistant to the Director, NSA for Cyber and Deputy Director for the NSA Cyber Task Force.

    9:30 AM  -  10:00 AM
    An Interview with Justine Bone, CEO of Medsec

    Medsec made the news in August when they released information on vulnerabilities in St. Jude's pacemaker products that could endanger human lives. The release of a vulnerability is not new. What makes this novel and controversial is Medsec is working with the investment firm Muddy Waters who is shorting the St. Jude stock.

    Dale Peterson will interview Medsec CEO Justine Bone on the S4 Main Stage.

    10:00 AM  -  10:30 AM
    Identifying the Malicious Insider

    Dr. Shaw will review the problematic personal characteristics and experiences past insiders have brought to our organizations, the stressors or triggers which set them off, the concerning behaviors or signs that indicate their risk has increased and the things we do and don't do that make matters worse. He will also discuss the essential ingredients for an effective insider threat team and some innovative and proven methods for detecting and managing insider risk before it becomes critical, including a technique to statistically evaluate non-malicious email to detect the attacker.

    11:00 AM  -  11:45 AM
    Drone Threat Landscape & Forensic Approaches

    Given the continually emerging threat landscape centering around consumer off-the-shelf drone platforms, it is important to have a framework and toolset to highlight the potential impact of unwanted drones in your environment and on your property. This talk seeks to familiarize you with 'in-theater' COTS and DIY drone threats in warzones such as Syria and Iraq. Likewise, several 'domestic' annoyance examples will be discussed in the context of various Utility environments such as remote substations or neighborhood RF meshes. A simplistic threat modeling example based on a modified version of DREAD will be presented as a point of discussion on how to move forward with this asymmetric threat that we commonly know as "RC aircraft", "Drones", "UAV's", or "UAS" platforms.

    11:45 AM  -  12:30 PM
    PLC Attacks That Avoid Active Detection Efforts

    This session investigates attacks against PLCs from two different perspectives. We show how to circumvent current host-based detection mechanisms applicable to PLCs by avoiding typical function hooking and by leveraging dynamic memory. We then introduce a specific type of attack against a PLC that allows the adversary to stealthily manipulate the physical process it controls by tampering with the device I/O at a low level. The attack exploits the latency in the I/O interfaces of a PLC, which makes it hard to differentiate between a clean and infected PLC. Our study is meant to be used as a basis for the design of more robust detection techniques specifically tailored for PLCs.

    12:30 PM  -  1:00 PM
    Ransomware in ICS ... It Begins

    We have moved from theory to practice. This session will go over the details of two ransomware attacks on ICS. Not on corporate networks of companies that have ICS, but true ICS servers and workstations.

    The session will include the decision process the asset owners made on whether to pay, and the incident response aspects of this attack.


    Sponsor Stage

    10:45 AM  -  11:30 AM
    The Industrial Internet of Things (IIOT): Great benefits, increasing security vulnerabilities

    The increase in the potential attack surface brought on by the IIOT is of great concern. Security for the IIOT needs to be viewed precisely like ICS security, in contrast to IOT or IT security. If not approached correctly, we can expect to see frequent cyber attacks with physical consequences. Strong, unidirectional IT/OT integration protection is critical to the IIoT, and an innovative option is the Waterfall Unidirectional CloudConnect.

    11:30 AM  -  12:15 PM
    Industry Impacts of Ransomware

    Ransomware is not new, but it has quickly escalated to a respectable threat, grabbing the attention of the media and routinely making headlines. This session will examine a case study of RSA handling ransomware on an ICS network in coordination with the FBI and then discuss the real impact of ransomware: an expanded threat landscape not previously targeted and new threat actor methodologies. Security Analytics and ECAT will then be used to demonstrate potential detection and preventative methods.

    12:15 PM  -  1:00 PM
    IoT and ICS - Functional Safety Meets Cybersecurity

    The challenge of Industry 4.0 is to address requirements of Functional Safety and Security and to effectively manage risks related to digital technology. Organizations and their production facilities – especially those operating in support of critical infrastructure – have to be secured to enable continuous business and drive innovations. Key issues include how to monitor and assess components, systems and networks for technical vulnerabilities, as well as how to define and implement effective control measures.

    IEC 62443 is an internationally recognized standard for “IT security in Industrial Control Systems – Protection of Networks and Systems”, combining Functional Safety & Security to achieve necessary levels of protection. Joerg Krämer, Expert for Functional Safety and Nigel Stanley, Expert for Cyber Security will present and interpret the requirements of the IEC 62443 standard. They’ll demonstrate how system integrators, component vendors and system operators (working at different risk levels) can implement a proportionate response to safety and security issues. In addition, they provide best practice advice on how to secure Industrial Control Systems against cyberattacks using technical and organizational measures, including conducting a targeted risk and threat analysis, implementing security by design, and comprehensive risk assessments that go beyond the requirements of the IEC 62443.

     

    Stage 2: Technical Deep Dives

    10:45 AM  -  11:15 AM
    Automatic Generation of Process Models Using Motion Acceleration Algorithms

    Trivial disruption of a process is easy. Almost everything can cause a process to shut down. For most non-trivial damage, the attacker needs the process to stay up while he manipulates it. This requires a model of the process. This is one of the least understood parts of ICS hacking. After the attack, focus is placed on why the payload worked and little is discovered about the process the attacker used to generate the physics payload.

    In general, signals that are related by physics tend to move together. Bumping into the side of a table not only makes the table shake, but all the items on the table shake as well. They also tend to move at the same frequencies. Recent advances in motion acceleration algorithms have the potential to revolutionize this step. If those algorithms are applied to process data, a basic model of the process can be built with little or no human interaction. This presentation will take data from a water treatment plant and use it to show how a process model can be built directly from process data using motion acceleration algorithms.

    Speakers:
    11:15 AM  -  11:45 AM
    CTF Update and Q&A

    Reid Wightman will provide an update on the CTF scoring, hints for contestants, and take questions that may help you win.

    12:15 PM  -  1:00 PM
    Integrating ICS Into Your Enterprise SIEM And Monitoring Strategy

    The number of products focused on detecting security events and incidents on ICS is growing quickly (and there are two sessions on this on Stage 2). The next step is to integrate the information from the ICS with information from the Enterprise and Threat Sources to complete the picture and improve analysis. This session will look at how to do this. Sending and accepting the information is the easy part. How to provide the context of the information is the challenge. The session will provide a number of practical examples where this fusion of information and coordinated analysis could be helpful.

    Speakers:
  • Thursday, January 12, 2017

    Main Stage

    9:00 AM  -  9:30 AM
    Day 3 Keynote - Richard Clarke

    Richard Clarke is the former U.S. National Coordinator for Security, Infrastructure Protection and Counter-terrorism and later became the Special Advisor to President Bush on cybersecurity. Today he is an author of both fiction and non-fiction books and Chairman of Good Harbor.

    Richard is always interesting, and we will publish more information on his keynote topic soon.

    Speakers:
    9:30 AM  -  10:00 AM
    Intelligent Control Systems: How Machine Learning Can Transform ICS

    Now that it's possible and affordable to collect, store, and process data from industrial systems, organizations are looking to use sensor data to reduce operating costs, predict system failures, or improve controls and security. But it's not trivial to find value in data: solid applications require creative use of statistics and machine learning to find the signal in the noise. This talk will break through the hype around machine learning to explain how popular methods work and how they are applied across industries. We'll examine how oil and gas companies are using natural language generation technologies for maintenance and compliance and how data scientists can tweak algorithms to compute trends on large data sets faster, enabling real-time anomaly detection from mobile devices. We'll close with predictions about how machine learning will impact ICS in the near future.

    Speakers:
    10:00 AM  -  10:30 AM
    Interview with ExxonMobil on Next Generation / Open Automation System

    ExxonMobil is leading a bold industry initiative to create an open and secure automation system.

    Dale Peterson will interview Steve Bitar on the progress of the program, how they are dealing with some of the major challenges, where they have had to alter the strategy, and more. Dale will solicit questions from the audience as well for this candid interview.

    Moderators:
    11:15 AM  -  12:00 PM
    ICSsec 101 - Meet The High School Students

    How many skilled ICS security practitioners are there today? 1000? 5000? Whatever number you believe, there is near unanimity that this number is much less than what the community needs. So where is the ICS security talent going to come from?

    During the first two days of S4x17, Matthew Luallen of Cybati has held a hands-on ICS cybersecurity workshop with a high school class based around the CybatiWorks cybersecurity training kit. The high school students and Matthew will be on stage to describe the experience and see if it motivated any students to pursue ICS security.

    Speakers:
    12:00 PM  -  12:30 PM
    CTF Award Ceremony

    Reid Wightman will award the winner of the S4xCTF and interview them to find out how they won.

    1:15 PM  -  1:45 PM
    THE Simple Solution To Securing ICS In An IoT World
    Dale Peterson

    The world is abuzz with the Internet of Things, and for good reason. But how do we get the benefits available from all these sensors and actuators spread outside the traditional ICS while still maintaining the availability and integrity of the ICS?

    This short session unveils the simple solution to securing an ICS in an IoT world and shows its application in practical examples. Let's do it before it is too late.

    Speakers:
    1:45 PM  -  2:15 PM
    Cyber PHA (Process Hazard Analysis)

    Many plants and processes that have a safety concern perform and update a Process Hazards Analysis (PHA). An effective PHA considers probabilistic risk analysis related to component failures, spurious actuation and other factors, and typically requires redundancy and diversity to address cases where the probability of failure exceeds an acceptable measure.

    The traditional PHA does not address cyber attacks, where redundancy is not typically effective and the attacker is trying to cause the unsafe condition. In this session you will see a methodology for a Cyber PHA and how it was applied to a manufacturing company.

    2:15 PM  -  2:45 PM
    Fun & Effective Cybersecurity Training??? It's Applied Fiction

    Imagine our employees transformed into an army of cyber-security Defenders. Imagine them on a quest to defend our infrastructure, applying their knowledge and skills every day to keep systems safe as they use them. Sound like fiction? It is.

    In this session, learn about the Applied Fiction method of training and how a few simple principles can produce remarkable results. Using this method, Arizona Public Service saw their employee engagement skyrocket from the typical 5-10% to 83%. Their case study will be used to illustrate the concepts.

    3:15 PM  -  4:00 PM
    Closing Keynote: To Be Announced
     

    Sponsor Stage

    10:45 AM  -  11:30 AM
    Mentoring for Fun and Non-Profit

    When it comes to ICS security, we desperately need help in the field. But we know that already. If we are to fix this problem, we’ll have to do it ourselves, and it won’t take oodles of money, all of your waking hours or require world-class expertise. It may be easier than you think to positively affect your community, and maybe even the world. “Mentoring for Fun and Non-Profit” is a look at how a Californian engine mechanic and a Pakistani human rights advocate inspired the presenter to create 1NTERRUPT, a non-profit cyber security program for students 14-22.

    Speakers:
    11:30 AM  -  12:15 PM
    Become an ICS Jedi; Learning the FORCE of Deep Packet Inspection…. and beyond

    ICS Jedi must master their own version of the FORCE. This session will provide instruction from Nozomi’s founder, Andrea Carcano, known among ICS experts and academics as a pioneer in defeating the dark forces that aim to disrupt critical infrastructure operations on this planet.

    Mastering Deep Packet Inspection (DPI) and using it effectively to detect suspicious anomalies that might be dangerous to Industrial Control Systems is a skill involving many disciplines. Even those that invest the time and effort required to become DPI experts might not be ICS security Jedi though. To truly harness the FORCE, DPI assessment needs to happen very rapidly and be communicated with real-time insight to those whose systems are threatened. Warnings need to take into account deep knowledge of the ICS and its process. Come to this session to learn DPI and its FORCE to secure the control systems in our galaxy.

    Speakers:
    12:15 PM  -  1:00 PM
    Little Green Men, Industrial Cybersecurity, and Life As We Know It

    Do aliens exist? If so, why have we not had a confirmed visit? Why have there been so few examples of cyber attacks on ICS? We’ve seen examples of inadequate ICS cybersecurity’s harmful potential with the Ukrainian power hack in December 2015. It is likely similar attacks have achieved success, but remain unpublicized due to the lack of a disclosure mandate or other reasons.

    How do we keep our power plants and industrial facilities – as well as the people that rely on them – safe and secure? In this session, we’ll discuss what is missing from most ICS cybersecurity approaches today and best practices for mitigating cyber risk, whether from malicious attack or inadvertent engineering mistakes. We will focus specifically on gaining visibility into configuration information within proprietary control systems and smart field instrumentation. With configuration data that covers I/O cards, firmware, control logic, and more, we will describe how you can automatically detect unauthorized changes, identify vulnerabilities, and close the loop on patch management for this unique, proprietary class of endpoints. Finally, we’ll provide a case study of how one major energy company is taking measures today to ensure safe, secure, and compliant operations well into the future.

    Speakers:
    1:00 PM  -  1:45 PM
    Evaluating Active Vs Passive Approaches to Securing the Industrial Internet of Things

    As IT and OT networks, systems, and cultures converge, many claims and counterclaims pitting active vs. passive approaches against each other are clouding the truth. Architects and executives concerned with ensuring the safety and security of critical industrial assets must understand the critical differences in these technologies as they map out IIoT security strategies.

    This talk will provide a vendor and technology neutral review of available options. Listeners will learn: 1) The technical differences between passive and active, in-band, out-of-band, and hybrid approaches 2) Trade-offs, overlaps, and gaps in each approach 3) When to use what – in building a comprehensive best-of-breed IIoT security posture.

    Speakers:
    2:30 PM  -  3:15 PM
    Mandiant Tales from the Trenches: Hunting for Evil in ICS Networks

    Dan Scali from Mandiant will share a collection of anonymized anecdotes about compromised and vulnerable ICS discovered during Mandiant’s proactive ICS security engagements. The session will conclude with an overview of effective detection architectures observed “in the wild” while visiting savvy ICS asset owners.

    Speakers:
     

    Stage 2: Technical Deep Dives

    10:45 AM  -  11:30 AM
    Tying Bow Ties: From PHA To The Cloud

    Bow Tie risk assessment methodology has traditionally been used to analyze safety, but more recently, cyber threats have made their way into the analysis. OSIsoft has adapted the Bow Tie methodology to examine the cyber profile of their software installations. By chaining Bow Tie diagrams together, this methodology can visualize the cyber footprint throughout a network to effectively enumerate defenses at each layer, and consequences downstream of initial compromise.

    In this session, we will start with a PHA through Bow Tie analysis, incorporating cyber threats along with traditional physical threats. Through the chaining of the Bow Tie diagrams, we will visualize how compromises of cyber assets upstream of the control network lead to physical impacts downstream. More importantly, we will show how this approach allows defenders to organize defenses at each layer, and put them into the context of the whole system. Each member of the team is able to drill into the component under their jurisdiction for actionable information and observe the entire chain to understand their role within the larger system. This provides a common language for operators, ICS security leads, IT administrators and DBAs while allowing each to focus on what is actionable to their group.

    Speakers:
    11:30 AM  -  12:15 PM
    Secure SCADA Protocol for the 21st Century (SSP21)

    Most SCADA protocols have no security, but will continue to be used in ICS for many years to come. Bolt-on security extensions introduce additional complexity, expand attack surface, and only function for a particular protocol. SSP21 is an open source development effort to create a secure encapsulation layer for SCADA protocols that can be used as a bump in the stack (master or outstation) or a bump in the wire (outstation only).

    SSP21 is intended to fill a technology gap where existing technologies like TLS are not applicable, namely for serial communication channels and endpoints with limited bandwidth and/or processing capabilities. This presentation will focus on the following key points:

    • Main differences between SSP21 and past efforts to create secure SCADA protocols/wrappers
    • Details of the SSP21 secure encapsulation layer
    • PKI and key management in SSP21 systems
    • Guidelines for what asset owners should consider in vendor implementations
    • Guidelines for network architectures and deployments

    SSP21 is sponsored by California Energy Systems for the 21st Century (CES21).

    Speakers:
    1:30 PM  -  2:00 PM
    How Deep Is Your Deep Packet Inspection?

    NextGen Firewalls, Anomaly Detection, IPS, and Industrial Gateway devices are adding deep packet inspection (DPI) "support" for ICS protocols ... a positive trend. However, support is in quotes because this can range from full protocol support to checking only a single byte in the protocol. How is an asset owner to know how deep the DPI is?

    This session will provide ideas on how to answer that important question, beginning by introducing the terms control plane and data plane as applied to ICS protocols. It will continue by identifying different types of protocol communication and qualitatively rating the security importance of each type. This will provide advice on what to consider for your RFP and product evaluations.

    Speakers:
    2:00 PM  -  2:30 PM
    Detecting Counterfeit Smart Grid Devices

    The potential use of counterfeit smart grid devices throughout the smart grid represents a real problem. Consequences of propagating fake data, as well as stealing sensitive user or smart grid state information via counterfeit devices are costly.

    This session introduces a novel system level approach to identify counterfeit smart grid devices. It is a configurable framework that combines system call tracing, library interposition, and statistical techniques as part of its detection mechanism. The results were tested in a realistic testbed that includes both resource-limited and resource-rich counterfeit devices. In total, six different counterfeit devices were analyzed in the adversary model, and these results will be presented as well.

    Speakers:
    2:45 PM  -  3:15 PM
    Economic Analysis of ICS Attack Consequences

    Alvaro has performed a detailed analysis of the economic impact of an attack on a Colombian power grid. The analysis uniquely looks at the economic benefit to the attacker and the economic impact to the power utility. In this session, he will present that analysis and extend it to other publicly disclosed ICS cyber attacks.

    Speakers:
  • Friday, January 13, 2017

    Advanced ICS Security Training

    9:00 AM  -  4:00 PM
    DFIR for PLC's (and other devices with embedded OS)

    Attacks against industrial control systems (ICS) are on the rise. In order to effectively respond to this emerging threat, organizations should be aware of the challenges of performing digital forensics and incident response (DFIR) for ICS. Mandiant developed the “Digital Forensics for ICS” course to give ICS security personnel the fundamental skills needed to identify and understand threats targeting ICS devices that use embedded operating systems such as VxWorks and Windows CE.

    This is a technical course designed to provide hands-on experience with investigating targeted attacks and the analysis steps required to triage compromised ICS systems.

    Note: This course will not cover standard Windows and Linux, as tools such as RedLine and Volatility exist and many training classes exist for those. We will include references to using RedLine, etc. on HMIs and Engineering Workstations as part of the class for completeness (overall DFIR strategy). For example, Stuxnet affected Engineering Workstations and PLCs, so we would mention both, but mainly focus on the PLC/embedded systems forensics part.

    Slides, handouts, digital forensic files, and any DFIR tools are provided in a VM on a USB drive for each student.

    Course Prerequisites

    • Laptop with VMWare Player and 10GB of free space
    • Prior digital forensics experience is helpful but not required.
    • Familiarity with PLCs and their software tools is suggested.
    Speakers:
    9:00 AM  -  4:00 PM
    How To Achieve and Maintain A Robust OT Security Program

    Attend this crash course to learn about all the elements of an effective Operations Technology (OT) security program and how to implement it. For more than two decades, Ralph Langner has helped asset owners secure their ICS. In recent years, he has developed and deployed an OT security methodology and toolset called RIPE that is now used at 1000+ sites.

    In this one-day session Ralph will go over the structure and key elements of an OT security program. Practical and real-world examples of successes and failures will show the concepts and procedures in use.

    Some of the key areas covered include:

    • pitfalls in risk management
    • how to do system inventories right
    • OT incident response capability
    • being proactive with reference architectures and procurement guidelines
    • and much more

    Prerequisites: None ... except a keen interest to have a robust and secure ICS.

    Instructor: