This year’s Annual Security Summit has concluded. Thank you to all who participated and helped make this a huge success! Be sure to mark your calendars for next year’s summit:
August 18-22, 2014
Barton Creek Resort
8212 Barton Club Drive
Austin, Texas 78735
Below you will find the presentations from all presenters and moderators. We were truly honored to have such talented people willing to come to our summit and share with out attendees. Enjoy!
Abstract: Learn what the hackers know. See the tools used by hackers to scan your networks, guess your passwords, and break into your un-patched Windows® XP systems to take full control in this live demonstration. Use the knowledge you gain to better prepare yourself and your systems against attacks.
Abstract: Do you find compliance challenging? Do you feel blindsided by auditor interpretations of regulations? Do you spend countless hours debating the meaning of the language of a standard internally? You are not alone. Help is out there.
There are multiple communities out there that are composed of people just like you. But which one is the best fit? This presentation will explore the benefits that these communities can offer. The benefits can be seen at the individual, company, and industry level. The presentation will explore the communities that exist today and will also discuss the communities that may not even exist yet, but should. Information sharing can be key in driving community-driven solutions. Additionally, communities can be a big influence to the future of security-based compliance.
Abstract: In the physical world, the human brain has evolved to avoid danger. The threat of physical pain triggers fear – and we have learned to avoid behavior that causes pain. In the electronic world of email, however, this concept doesn’t translate. Clicking on a malicious link or opening an attachment laced with malware doesn’t cause pain, and often a user won’t even notice anything is wrong after doing it. How then, can we teach fear perception in the electronic world? Is it even possible? In this presentation I’ll discuss how immersive training can key on psychological triggers to teach people to become skeptical email users who not only avoid undesired security behavior but can aid intrusion detection by reporting suspicious emails, helping to mitigate one of the most serious problems in security: slow incident detection times. According to reports from Mandiant and Verizon, average detection time for an incident is in the hundreds of days. A properly trained workforce is not only resilient to phishing attacks, but can improve detection times as well.
Abstract: The evolution of wireless technologies has allowed industrial automation and control systems (IACS) to become strategic assets for companies that rely on processing plants and facilities. When sensors and transmitters are attacked, remote sensor measurements on which critical decisions are made might be modified, this could lead to unexpected, harmful, and dangerous consequences.
This presentation demonstrates attacks that exploit key distribution vulnerabilities we recently discovered in every wireless device made by three leading industrial wireless automation solution providers. We will review the most commonly implemented key distribution schemes, their weaknesses, and how vendors can more effectively align their designs with key distribution solutions.
Abstract: This session will present Mr. Griffin’s observations made while working directly with utilities as they developed and built incident response processes and the teams to support them. Topic covered will be the architectural development of visibility into different types of networks using different technologies. Having the technology to gain visibility into your networks is less than half the battle, the next step is to properly tune down the “noise” to determine whether an incident is happening.
Extra Material: Incident Response Kit
Abstract: Firewalls are a given – everyone assumes that every security posture includes a firewall. But are they really secure? Join us to see 13 kinds of ways to break through a firewall. Each kind of way through a firewall has between dozens and thousands of examples circulating in the wild. Up to 5 of the kinds of breaches will be demonstrated live, time permitting. For each kind of attack, seven compensating measures are briefly discussed and compared.
Achieving Compliance Through Security
Abstract: This presentation emphasis the importance of building an environment where compliance is a natural byproduct of effective security controls. The presenters discuss how to establish info security controls that reinforce a culture of controls, by being plugged into the daily operational processes of IT operations, software and service development, project management and Internal audit.
Additionally, the presenters explore the various benefits of continuous monitoring and how to achieve it through a step-by-step practice.
Abstract: Understanding, managing and responding to risk is one of the core functions of any information security program. However, for many organizations risk assessment is cumbersome and time consuming process. IT leaders, as well as security regulations, are demanding risk management practices that can deliver quick and actionable results.
Rapid Risk Assessment is a new approach to risk management that dramatically reduces the time, effort, and complexity for IT security risk assessment. Using the existing principles of risk management defined in NIST 800-30 documents, Rapid Risk Assessment can deliver more actionable and reliable results empowering business leaders to make sound decisions about risk. The key to this approach is a unique combination of skills, organization, and documentation that accelerates every aspect of the risk management process.
This presentation shows why current risk management tactics are failing and how Rapid Risk Assessment can correct those deficiencies.
Abstract: Over the past 40 years, the energy industry has evolved to a position of dependence upon information technology to accomplish its mission. Cyber attacks have become a “way of life”; as the Nation, industry, organizations, and individuals strive to operate safely and securely in cyberspace. Most rely on a compliance-based “whack-a-mole”; approach to cyber defense which presents multiple barriers to hackers, based on the last attack, with efforts to “hit” any that get inside the organization’s defenses. While still valid, this compliance-based approach has significant challenges: stopping intruders, mitigating the problems they create, and positioning an organization to achieve its mission under a cyber attack. Cyber experts across the Nation are increasingly turning to resiliency as a means for fighting through these attacks with the objective of meeting operational and mission requirements in spite of the attacks. This shift is driving organizations to rethink their organizational structures to achieve unity of effort and streamlined decision-making in the face of a fast paced set of operational demands. This presentation will highlight the strategies to promote a cyber resilient organization.
Abstract: Two aspects of cyber security that everyone struggles with are metrics and business impact. How do we measure it to improve and how do we make it meaningful to business decision makers? This gap appeared again recently in the NIST Cyber Security Framework (CSF) process RFI responses. But there is no need to wait for NIST CSF or anything else because there is a viable method available now that you can use to build your own CSF. Namely the “Balanced Scorecard” method.
The key idea is to focus on performance against measurable objectives in all critical dimensions that, taken together, will lead to better security, privacy, and resiliency outcomes, even in a dynamic and highly uncertain threat environment. In this presentation, we’ll explain the ten critical dimensions of cyber security performance, explain how they are interrelated and feed off each other, show how to create a performance index in each dimension, and describe how the balanced scorecard can be used to drive executive decisions. This presentation should be valuable to managers and executives in every type of organization in the energy sector, including the supply/service chain. Consultants, regulators, and academics should also find it interesting and useful.
Abstract: Control Systems are responsible for the safe and reliable governing of physical processes, and are designed to report conditions that could affect reliable operations to operators for action. These conditions may vary in their severity, from minor inconveniences to those that can bring the process to a full halt. While engineers have predicted certain events and consequences, others are “unknown unknowns”, and may only be detected due to variances from normal function.
Cyber security conditions are similar in nature. Cyber security conditions can vary in severity and cyber security professionals can classify and alert on some, but not all cyber security events. In this presentation, Michael Toecker will discuss cyber security conditions that are known, and that could be integrated into the operational display.
Treating cyber security events as analogous to control system events has many benefits and drawbacks, and Toecker will expand on criteria for determining what is appropriate for an operator display, and what is not. The purpose of this presentation is to demonstrate that cyber security can have a place in operational decisions, so long as conditions are carefully analyzed and response actions developed beforehand.
Extra Material: Failed Login Response Procedure
Abstract: IT folks have been doing it for years – building labs to test new products before rolling them out – but the concept is still rather revolutionary to most practitioners of SCADA security. Yet the benefits of a lab are many, including training staff and solving real-world problems by replicating and attacking them in the relatively low-risk lab environment.
But how do you pitch this (not inexpensive) idea in a way that gets organizational buy-in? And if your organization is just too small, what are the factors to considering when using a third-party lab? Hear ideas and ask questions of someone who evolved his organization’s capabilities from one small lab to five complete labs.
Abstract: This presentation will review useful concepts and tools that can be applied by DevOps team with “Controlled Remediation”. We’ll demonstrate the application of non-security, system administration, deployment, monitoring and change tracking using tools to achieve controlled remediation. This will build a foundation through which security, compliance, and change management goals can be achieved in an automated fashion within control system environments.
DevOps is a juxtaposition of the words “development” and “operations” and is meant to portray a tight relationship between the two traditionally separate roles which build and operate complex computer systems and software applications. DevOps groups work with a unified goal to rapidly and reliably deploy and manage the underlying systems which organizations rely upon to make a profit while balancing resource constraints.
“Controlled Remediation” is a concept used to describe the use of automation to maintain acceptable configuration and settings on industrial cyber assets. Additionally, this presentation will discuss the variations of “Automated Remediation” and “Manual Remediation”.
Abstract: For the last few years, energy companies, particularly electric utilities, have been scrambling to meet the onslaught of cybersecurity regulations. However, hackers don’t follow regulations, so the need to rapidly address evolving threats is imperative to meet expectations of senior leadership, board members, and shareholders. This session will discuss how a mature governance structure and a cybersecurity strategy based on a comprehensive understanding of business risk can be used to address threats, comply with regulations, and obtain support from company stakeholders.
Abstract: A variety of recent breaches and vulnerabilities demonstrate that software and hardware supply chain is a serious concern in the ICS space. Asset owners/operators and suppliers are in a symbiotic relationship – acquirers cannot conduct business without the supplier products and services. Where do the subcomponents come from and what do we know about their contents? Which code libraries were used by the sub-supplier? Why do we need to know? Several solution sets have emerged over the last 6 years, developed in IT/communications, defense, and ICS space. These include soon-to-be-published ISO and IEC standards, NIST documents, certification framework, Common Criteria extensions, and efforts by software industry consortium. The presentation will survey ICT supply chain security problem space, provide an overview of available solutions developed to date, and recommend how to use these solutions in the ICS context.
Security Updates Matter: Exploitation for Beginners
Presented by: William Whitney, Garland Power & Light
Abstract: This is a presentation explaining the purposes behind why security updates should be installed on systems and why it matters to protect the bulk electric system. Many people don’t understand the full purpose of installing security updates and this presentation walks through the reasons at a very high level so that everyone can understand. At the end, there will be a live demonstration showing how easy it is to hack into systems that are missing security updates.
Abstract: MISO embarked on a structured, comprehensive process improvement program to make advancements in cyber security risk reduction as well as CIP compliance. The program utilizes the Six Sigma framework to reduce process defects and gain efficiencies. The 13 month effort comprises process level health checks; assignment of functional roles, responsibilities, and oversight; cross-functional process improvement events; and training/awareness curriculums to lock in the improvements. As a result, MISO not only is strengthening its cyber security and compliance posture, but also positioning the company for a smoother adoption of controls based audits when applicable. In this presentation, Mr. Unton will walk through the process and show how this has been instrumental in greatly enhancing MISO’s security and compliance environment.
Abstract: Smart Meter Security is a growing topic in the security industry that hasn’t been discussed to its full potential. This presentation will discuss the types of vulnerabilities that have been found in Smart Meters, and give examples from real world assessments we’ve conducted. Different methods of accessing the meter will be presented such as over the optical interface and the Zigbee wireless radio. In addition, we will discuss a testing methodology we’ve developed which covers Smart Meter testing with the open source Termineter framework developed by the presenter. Finally a live demonstration of the attacks that were discussed will be performed on a real Smart Meter during the presentation for the audience. Finally the newest features in the Termineter framework will be discussed including the support for connecting to Meters over TCP/IP networks using C12.22.
Audience members will leave the presentation with a detailed understanding of the types of vulnerabilities that affect smart meters and how they can be leveraged by an attacker.
Abstract: The cyber threat landscape is continually evolving. More and more, the critical infrastructure of our nation is at risk. Whether by nation-state actors, criminal organizations, hacktivists or any number of hackers looking to prove their skills, our safety and economic prosperity is threatened. There are four things that must be considered in order to address the evolving threats:
1- Becoming more proactive in our cyber defense efforts through intelligence
2- Better user behavior management
3- Assessing risk using meaningful metric
4- Resilience – operating through an intrusion
NESCO Town Hall Workforce Development Presentation
Presented and Moderated by: Andy Bochman,
Discussion Topic: Workforce Development in the ICS WorkPlace
Discussion Abstract: Ask anyone working in the field at an electric utility about cybersecurity and the conversation will inevitably turn to the shortage of a qualified security staff with knowledge of our industry. The need to comply with NERC CIP standards, secure the rapidly proliferating smart grid technologies, and defend against the threat of cyber attacks targeting control systems, makes the short supply of cybersecurity talent is a critical issue.
This town hall meeting focused on a variety of cybersecurity workforce development challenges facing the electric sector. This included:
- The new skills required to secure advanced technology for the smart grid.
- The training programs needed for future utility security professionals, engineers, and IT staff working in control environments.
- The programs needed to encourage people to pursue a cybersecurity career in the electric sector. What existing programs might we need to enhance in this area?
- The role that cybersecurity internships might play in addressing workforce issues. Would a formal national internship program be something the industry would use?
- The skills needed by non-security staff to ensure they are not the weakest link in utility defenses.