EnergySec 11th Anniversary Security Summit Presentation Archive

This year’s Annual Security Summit held in Alexandria, VA from September 14-16 has concluded. Thank you to all who participated and helped make this a huge success! Be sure to mark your calendars for next year’s summit:

12th Annual Security & Compliance Summit
August 22-24, 2016
Disneyland Hotel, Anaheim, CA

Below you will find presentations from the Security & Compliance Summit. We were truly honored to have such talented people willing to come to our summit and share with our attendees. Enjoy!

Industrial Technology Trajectory – Running With Scissors

Presented by: Patrick Miller, EnergySec (President Emeritus)

Abstract:  Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future infrastructure organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IOT, and more IT – and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the industrial cybersecurity risk profile. In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.

Where Are All The ICS Attacks?

Presented by: Chris Sistrunk, Mandiant

Abstract:  Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available.

In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.

Please, Come and Hack my SCADA System!

Presented by: Mikael Vingaard, EnergiNet.dk

Abstract: The goal of having a Honeypot (a fake ‘vulnerable’ IT-system/ service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems – but how can the Energy Sector actually benefit from using a Honeypot?

The Danish information security researcher Mikael Vingaard has taken various free open source software to deploy ICS/SCADA Honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.

The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system and add some interesting points seen from the energy sector of using Honeypot systems.

The presentation will showcase that gaining access to actual ICS threat intelligence can be done – even in budget constrained organizations.

NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role

Presented by: Joseph Loomis, Southwest Research Institute (SwRI)

Abstract: Asset Owners face challenges as they strive towards implementing the NERC-CIP V5 requirements. Meeting the requirements often requires documentation and technical knowledge of how an asset operates that can only be provided by a Vendor. Vendors, likewise, may be unclear about how the NERC-CIP requirements affect them, and are unsure about how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project where SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs to have to help support an Asset Owner in an audit.

Wireless Sensor Networks: Nothing is Out of Reach

Presented by: Daniel Lance, Layered Integration

Abstract: After years of installing wireless sensor networks in homes and businesses we are now faced with a question “How is this all secure? Or is it?” A look into WSN (Wireless Sensor Networks) history and original design concepts that paved the road to us using these in our everyday life.

This presentation will be a deep dive into wireless and reveal new challenges we have in protecting our perimeter when all of our core monitoring devices are riding a wave into the public space as most industrial control providers look to capitalize on fast installation times and inexpensive adaptive solutions. This research shows us start to finish how anyone with a laptop and SDR (Software Defined Radio) can hack into and take control of WSNs from outside the front gate.

The presentation will demonstrate how a device inside your facility might reveal itself through spectrum analysis, then how a hacker might flank the security of the device and own the network with very simple replay attacks that can grant them physical access, and how social engineering pre-installation and post-installation will cause you to disregard warning signs that someone is tampering with the network. A high level understanding of radio is no longer needed for packet analysis with open source tools; proper implementation has never been more important, as even an encrypted device can be compromised by the last mile before installation. We will talk about the tools security professionals are lacking from the manufacturers of these devices to scan for a compromised device and what can be done in the future to protect WSNs.

Where Cyber Security Meets Operational Value

Presented by: Damiano Bolzoni, Security Matters

Abstract: What if cyber attacks were not the most prominent threat to industrial networks and systems? Although malware is still a major point of interest, the sword of Damocles for industrial networks is represented by insider threats such as system misuse performed by disgruntled employees, contractors and vendors, unintentional operator mistakes, as well as network and system misconfiguration and uncontrolled configuration changes; all this could lead to the divergence or failure of critical processes.

In this talk we reshape the concept of ICS security and demonstrate through case studies in different critical infrastructure sectors that the real value of industrial network monitoring goes beyond the detection of cyber attacks, but includes above all the need to maintain awareness about network and process operations, and obtain actionable intelligence that allows to preserve their overall health. We will show how the use of innovative network monitoring approaches can support security, operations, and network managers to:

  • Gain IT visibility of OT networks and full situational awareness of the network and process
  • Detect complex and advanced cyber attacks against industrial networks
  • Mitigate operational mistakes and misconfiguration

The Path to Confident Compliance and the Transition to NERC CIP Version 5 – A Case Study

Presenter: Robert Landavazo, PNM Resources and Katherine Brocklehurst, Tripwire

Abstract: With countless hours of work to go, PNM was far from ready for its coming audit in just 18 months. Confidence levels in its existing manual, and incomplete security controls, were at an all-time low; and the visibility into control center environments for quantifying its status and progress towards compliance was immeasurable.

With Tripwire, PNM’s preparation of the looming CIPv3 audit noticeably improved. With efficient reporting and automation, PNM’s now positioned to hold itself accountable for CIP auditable compliance of more than 3,500 explicit and supporting control points, satisfying CIP-002-3, CIP-004-3, CIP-005-3, CIP-007-3 and CIP-009-3. In addition, enhanced visibility and better control gave PNM the ability to effectively communicate meaningful and measurable initiatives to executive teams – resulting in increased support for their funding needs.

In this session, PNM – New Mexico’s largest electricity provider – will share a case study on its journey towards achieving continuous NERC CIP compliance despite a highly limited headcount, how it saved countless hours of labor-intensive manual effort, and the essential role that automation played in its success.

Audit Benefits of a ‘Closed-Loop Control Integration’ Between NERC CIP Vendors

Presenter: Terry Schurter, Sigmaflow

Abstract: Mr. Schurter will discuss automated process driven compliance and maintaining evidence to meet NERC CIP Version 5 standards. As utilities start to implement an automated compliance initiative, multiple vendors may be involved. Terry will discuss the benefits of Closed Loop Controls Integration, which provides an ‘Audit Ready State’ for utilities who leverage the mutual benefits of two comprehensive NERC compliance vendors, SigmaFlow and Tripwire. The discussion will be supplemented with a brief live demonstration of the SigmaFlow NERC Compliance Solution and integration to Tripwire.

The SigmaFlow’s Closed-Loop Controls Framework collects data from the Tripwire Enterprise solution and then verifies actual practices against policy. Evidence is automatically produced and associated to the appropriate NERC compliance standards to ensure audit readiness. The SigmaFlow Compliance Manager is a preconfigured, end-to-end solution that utilizes process driven controls to facilitate compliance for the new CIP Version 5 assessment criteria, cyber asset change management, identity access management, and cyber asset baseline management.

Unidirectional Network Architectures

Presenter: Mike Firstenberg, Waterfall Security

Abstract: NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.

Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSO’s/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.

ICS Cybersecurity: How to Protect the Proprietary Cyber Assets That Hackers Covet and WMI Cannot See

Presenter: David Zahn, PAS


The following presentations are unable to be shared publicly due to media restrictions, but EnergySec appreciates the speakers sharing their time and expertise with our attendees.

Better Operational Technology Situational Awareness with a Side of Cybersecurity

Presenter: Brian Proctor, San Diego Gas & Electric

Abstract: In 2014, San Diego Gas & Electric began a journey to enhance Information Security’s capabilities and visibility in newly built SCADA TCP/IP field area networks and substation LANs. What it resulted in was a successful implementation of a passive monitoring solution which not only met specific cybersecurity goals but provided SDGE’s operational technology personnel a level of situational awareness that they never had before.

This included identification of field devices with firmware flaws, misconfigurations, devices installed on wrong networks, and much more. This presentation will allow the attendees to learn the following key points:

  • Understand SDG&E’s goals and drivers for the project
  • Understand the power network flow monitoring and full SCADA protocol packet parsing can provide for both asset owners/operators and Information Security teams and what value it brings
  • Outline lessons learned for the project and describe next future phases and goals and where we would like the market to go

As more and more TCP/IP networks are deployed for utilities across the nation, asset owners will have to navigate their way through a crowded sea of corporate IT or industrial control system solutions to help secure and monitor their networks.  This presentation will help asset owners make their way through and determine the right path to meet their goals and objectives.

Research Horizon – Agile Defense and Protection

Presenter: Rita Foster, Idaho National Labs

Abstract: This presentation will discuss cyber security past, current and future directions focused on the ability to defend and protect. Attendees will leave knowing they are on the front lines – pushing research direction. They will understand the realm of the possible now, emerging agile defense concepts enabling attendees to identify false promises and ask the hard questions from suppliers. Finally, attendees will be able to implement their current protections with emerging agile defense concepts in mind allowing for early adoption.

ICS-CERT: Risks to Industrial Control Systems

Presenter: Mark Bristow, Department of Homeland Security

Abstract: This session will provide an overview of industrial control systems (ICS), the risks posed to them and how to best protect your system. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), located within the Department of Homeland Security, is tasked with working with asset owners to protect their systems and this session will cover its mission, responsibilities, products, and services. The session will also provide examples of several recent cyber incidents and ICS-CERT’s responses, how owners can stop threats and improve their overall security, and how to distinguish between different types of threats.

A NERC CIP Journey: To Electronic Security Perimeters (ESP) & External Routable Connectivity (ERC)

Presenter: Jacob Kitchel, Exelon

