ICSJWG 2016 Spring Meeting, Scottsdale, AZ - Final Agenda

Tuesday, May 3, 2016
8:30 - 8:45am
Main Room
Welcome & Meeting Opening Remarks - Presentation Not Available
Neil Hershfield
Deputy Director, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
U.S. Department of Homeland Security
8:45 - 9:00am
Main Room
IST Welcome To The Spring Meeting - Presentation Not Available
ICSJWG Steering Team (IST)
9:00 - 10:00am
Main Room
Keynote Address - Presentation Not Available
Frank Grimmelmann
President & CEO, Arizona Cyber Threat Response Alliance
Frank J. Grimmelmann is President & CEO/Intelligence Liaison Officer for the non-profit Arizona Cyber Threat Response Alliance ("ACTRA"), independent of but closely affiliated with the FBI's AZ Infragard Program. In this capacity, Mr. Grimmelmann represents the private sector in the Arizona Counterterrorism Information Center ("ACTIC"), and is the first private sector representative on its Executive Board. ACTRA’s Members include both public and private sector organizations. He also serves as the private sector cyber intelligence liaison to the FBI, the ACTIC, and the FBI's Arizona Infragard Program. ACTRA's focus is to enable private/public sector Member Organizations to empower themselves to respond to the escalating national cyber threat, and to leverage Infragard's vast private sector volunteer membership as a force multiplier in protecting our Nation's critical infrastructure and National Security interests. Mr. Grimmelmann was recently appointed as the National Co-Chair for the recently formed Information Sharing & Analysis Organization Standards Organization’s (‘ISAO SO’) ‘ISAO Creation Workgroup’, created under the President’s Executive Order 13691. He also serves on ASU’s Center for Emergency Management & Homeland Security Advisory Board, on the Estrella Mountain Community College Cybersecurity Advisory Committee, on the Arizona Technology Council Cybersecurity Committee, on the Greater Phoenix Chamber of Commerce’s Advanced Business and Finance Council, and as a Phoenix Rotary 100 Member.
10:20 - 11:05am
Main Room
How Do You Know If You Are Doing Enough?
Markus Braendle, ABB
Jano Bermudes, KPMG
Cyber Security discussions often gravitate quickly towards technical topics and trying to find solutions to problems aligned with the our engineering mind-set. However, how do we communicate the value of cyber security programs and cyber security spending to our leadership? When asked the questions ‘are we doing the right things?,’ ‘are we doing them fast enough?’ are we able to articulate that story and present the value of a mature security capability in business terms, to our most senior leadership? This presentation will show the journey that started in a board room and the steps taken by the cyber security organization to answer what seemed to be simple questions. The presentation will not only feature the insights and lessons learned from ABB but also the views and challenges as seen by KPMG, the external experts that were brought in to help assess ABB’s global cyber security initiative.
10:20 - 11:05am
Breakout 1
Hacking the Power Grid: Analyzing What Hackers Do When They Have Access to the “Power Grid Honeypot”
Dewan Chowdhury, MalCrawler
The nightmarish scenario of the power grid being hacked and causing disruption to the electric grid has been used by the entertainment industry to politician to show the public the seriousness of cyber threats. Energy companies are the number one target for cyber attacks against critical infrastructure based on DHS reporting, so it is well known in the industry that hackers are trying to access the ICS/SCADA side of energy companies.  We created a honeypot that replicates the Energy Management System (EMS/SCADA) of a modern electric company. The EMS/SCADA is used by electric companies to monitor, control, and optimize power grid. The EMS/SCADA honeypot allows attacker to control key component of the power grid such as Nuclear power generator, major transmission lines that affect the BES (Bulk Electric System). We added component to mimic the Smart Grid such as distributed generation (Solar, Wind) to distributed automation.  This honeypot allows the community to understand what hacker would do if they have access to the most important system in the GRID the “EMS/SCADA”. We examine a wide variety of skill set from novice hackers to APT actors on the Honeypot. We try to understand their actions and objective. When they are controlling the grid, is it sabotage or espionage?
10:20 - 11:05am
Breakout 2
Malware Trends 2016 - Presentation Not Available
Kyle McCready, Idaho National Laboratory
David Hudson, Idaho National Laboratory
Malware Trends 2016 will discuss general trends in malware evolution to date.  This topic will cover recent developments in malware capability, tactics and techniques.  During this talk we will discuss these developments, specific examples, and recommend ways to mitigate current and future threats.  This presentation will wrap up with a question and answer session with the audience.
11:10 - 11:55am
Main Room
Efforts to Develop Implementation Guidelines in Support of the NIST Cybersecurity Framework
Kerry O’Connor, Department of Homeland Security
Sharla Artz, Schweitzer Engineering
In February 2014, the National Institute of Standards and Technology (NIST) released the voluntary “Framework for Improving Critical Infrastructure Cybersecurity” in order to provide general guidance that critical infrastructure owners and operators can leverage to better assess and manage cybersecurity risk. The Framework enables an organization—regardless of sector, size, degree of risk, or cybersecurity sophistication—to apply the principles and effective practices of cyber risk management to improve the security and resilience of its critical infrastructure. It recommends an approach that enables organizations to prioritize their cybersecurity decisions based on individual business needs, without additional regulatory requirements. The Framework is designed to complement, and not replace, an organization’s risk management process and cybersecurity program. Each sector and individual organization can use the Framework in a tailored manner to address its distinct cybersecurity risks and objectives.
In order to position critical infrastructure owners and operators to most effectively implement the Framework, the U.S. Department of Homeland Security (DHS) National Protection and Programs Directorate led an effort to develop implementation guidelines in support of the Framework. The Office of Infrastructure Protection and Office of Cybersecurity and Communications, in collaboration with public and private sector partners from six (Chemical, Critical Manufacturing, Commercial Facilities, Dams, Emergency Services, and Nuclear) of the 16 critical infrastructure sectors, initiated the development of comprehensive guidance documents in order to help owners and operators implement the Framework using sector-specific tools and resources. Once finalized, these documents will be publically available and distributed using a variety of methods including the Homeland Security Information Network (HSIN). DHS will work with private sector partners to ensure these guidelines are appropriately updated to account for changes on available resources or the dynamic threat environment.
The development of these guidance documents highlight the strength of the public-private partnership outlined in the 2013 National Infrastructure Protection Plan. This partnership model, which allows for an open dialog between DHS and the private sector to strengthen critical infrastructure security and resilience, serves as a very effective collaboration mechanism in support of a broad spectrum of efforts addressing the dynamic risk environment. The presenters will describe the sector-specific Framework implementation guidance, discuss the processes used for their development, and provide an overview of additional resources and relevant programs.
11:10 - 11:55am
Breakout 1
Stop Patching, It’s Stupid
Lior Frenkel, Waterfall Security Solutions
There is more value in ICS perimeter security, than in patching.
Among the first security measures any industrial cybersecurity program recommends are passwords, firewalls, anti-virus systems, patching, and intrusion detection systems. These measures are costly, and backwards-looking. These controls address "last year's" set of high-frequency, low-impact (HFLI) common malware incidents and insider errors/omissions.
How are these measures working for us? Well anti-virus often impairs safety and reliability and so can't be used everywhere. Patching is really expensive, and introduces its own safety and reliability risks, even though security measures are supposed to be defending safety and reliability. Worse, patching addresses only known vulnerabilities, and vulnerabilities are the wrong way to think about ICS security. High-impact, targeted attacks, such as the LA hospital's targeted ransomware, and the Ukrainian power outage, exploit permissions, not vulnerabilities. Conventional intrusion detection is another costly security measure that catches only some targeted attacks, months after equipment has been compromised, and long after the damage is done. None of these measures address the most common high-impact, low-frequency (HILF) attacks we see happening in the field today.
A better way to think about security is to consider a threat spectrum and decide how high in the spectrum to "raise the bar." No security system is or ever can be perfect. Important control systems should raise the bar to just below Stuxnet-class attacks. That is: the only high-impact attack our defenses may not have a high degree of confidence in deflecting, are the most-sophisticated, autonomous, targeted attacks, which are designed to defeat one site's defenses specifically, with the active assistance of compromised insiders at the targeted site.
Working from this "bar" down the threat model, we first address HILF attacks. We observe that important control systems all have physical and cyber-security perimeters. Perimeters may be "evaporating" in IT networks, but would we ever put our safety systems in our lobbies, or on the Internet? Of course not. Perimeters are fundamental to important control systems. For a system to change from an "uncompromised" to "compromised" state, an attack must cross a perimeter - in a message, on a USB stick, or in the head of a human actor.
A top-down approach to security starts by deploying a strong, physical perimeter. We then deploy a strong, unidirectional, cyber perimeter. Unidirectional gateways defeat high-impact, remote-control attacks, no matter how sophisticated those attacks might be. We next deploy strong removable media and removable device controls, both technological and procedural. This eliminates another important perimeter-crossing attack vector. Industrial-focused intrusion detection systems have a role here as well, especially to alert when someone has violated these procedures.
Last, we consider LIHF incidents at the "bottom" of the threat spectrum. Many of these incidents have been addressed by the HILF protections, but not all of them, particularly insider errors and omissions. We might still deploy some kind of password/AV/patching programs, to address LIHF incidents, but now we can compare the costs of these programs to the limited of addressing LIHF risks, and scale these costly programs appropriately.
In summary - our goal for our important control systems should be to raise the bar to the point where the only credible, high-impact attacks are the most sophisticated, autonomous attacks, with active, deliberate cooperation from compromised insiders. With this goal in place, and a clear path to achieving it, we need only determine which of our control systems are important.
11:10 - 11:55am
Breakout  2
U.S. Department of Homeland Security Protective Security Coordination Division Overview
 - Presentation Not Available
Christine Figueroa, DHS Office of Infrastructure Protection
1:20 - 2:05pm
Main Room
Keynote Address - Presentation Not Available
Gregory Touhill
Deputy Assistant Secretary, Cybersecurity and Communications
U.S. Department of Homeland Security
Brigadier General (retired) Gregory J. Touhill is the Deputy Assistant Secretary of Cybersecurity and Communication at the Department of Homeland Security (DHS).
General Touhill retired from the United States Air Force in July 2013 after a distinguished career culminating as the Chief Information Officer and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command—one of the nation’s 10 combatant commands. As the Senior Cyberspace Operations officer, he led the command’s cyberspace defense mission and oversaw a $500 million information technology portfolio.
General Touhill is a highly experienced combat leader who commanded at the wing, group, and squadron level. Prior to his assignment at United States Transportation Command, he was the United States Defense Attaché to Kuwait, where he coordinated a new long-term bilateral defense agreement that enabled U.S. forces to withdraw from Iraq through Kuwait. As commander of the 81st Training Wing, he established the Air Force’s Cyberspace Operations training programs and led the $1 billion rebuilding of Keesler AFB, Miss., after Hurricane Katrina. The Air Force’s only three-time winner of the Communications-Computer System Professional Achievement Award, General Touhill was the recipient of the 2006 Air Force Science and Engineering Achievement Award for his work leading the team that created the lifesaving Radio-Over-Internet Protocol Network (RIPRNET) supporting convoy operations in Iraq, for which he was also awarded the Bronze Star medal.
General Touhill is a distinguished graduate of the Squadron Officer School, Air Command and Staff College, and the Advanced Communications Officer Training school, where he received the Webb Award as the top graduate. He also is a graduate of the Air War College, the Armed Forces Staff College, the Harvard University John F. Kennedy School of Government Senior Executive Fellows program, and the University of North Carolina’s Logistics and Technology Program for Executives.
 General Touhill was previously an adjunct instructor and staff member of Washington University in the St. Louis College of Engineering and Applied Science graduate program in Cybersecurity and Information Systems Management. He is the co-author of Commercialization of Innovative Technologies, Bringing Good Ideas to the Marketplace and the upcoming Cybersecurity for Executives, A Practical Guide (John A. Wiley & Sons). He maintains the Certified Information Systems Security Professional (CISSP), Certified Acquisition Professional in Information Technology and Program Management, and the American College of Corporate Directors Professional Director certifications.
2:10 - 2:25pm
Main Room
Lightning Round
Have You Made Yourself a Target? - Presentation Not Available
Terrence McKay, Idaho National Laboratory
ICS-CERT has conducted numerous cybersecurity assessments, provided incident response support, and learned many lessons from industrial control systems that became a target of cyber threat actors. Remote access security is a common problem identified across all critical infrastructure sectors. We will discuss tools and technologies that will help to identify problems, and provide recommendations to help you avoid making yourself a target. Additionally, we will discuss continuing trends of Internet connected devices; are we getting better? Join us and learn how not to make yourself a target.
2:25 - 2:40pm
Main Room
Lightning Round
Building C2M2 and Its Successful Testing at Several Government and Academic Institutions
 - Presentation Not Available
David McKinnon, Pacific Northwest National Laboratory
In the past, building control systems were unconnected, independent, and analog.  Even digital building control systems frequently relied on proprietary operating systems, logic and algorithms and fundamentally lacked digital connections with other systems even though the digital systems were commingled with the control systems.   However, today’s buildings have digitally evolved – building control systems are increasingly automated, connected, and available on internal and external networks.  In a recent Building Operating Management survey, 84-percent of respondents said that their building automation systems were connected to the Internet.
Building control systems are at risk when well-intentioned but inadequately informed building owners/operators configure their sophisticated control systems without adequate cybersecurity controls.  Often the problem is that building managers and their system engineers are unaware of the cybersecurity risks or the appropriate elements found in an effective cybersecurity program.  To help building decision makers understand the maturity of their cybersecurity program, identify programmatic strengths and weaknesses, and evaluate how their program is evolving over time the US Department of Energy (DOE) Building Technologies Office (within the Office of Energy Efficiency and Renewable Energy) is adopting a streamlined version of the DOE Cybersecurity Capability Maturity Model (C2M2) for use by building managers and their staff.  This tool allows building control system managers and personnel to assess the maturity of their cybersecurity program in less than 60 minutes.  In this presentation we will describe the Building C2M2 and its successful testing at several government and academic institutions.  We will report on lessons learned and the feedback received from building managers, control system engineers, and information technology personnel. 
2:40 - 2:55pm
Main Room
Lightning Round
Factors that Influence the Structure of Cyber Organizations - Presentation Not Available
CPT Michael Quigg, AFIT
Dr. Mason Rice, AFIT
Now more than ever, organizations are being created to protect the cyberspace environment. The capability of cyber organizations tasked to defend critical infrastructure has been called into question by numerous cybersecurity experts. Organizational theory states that organizations should be constructed to fit their operating environment properly. Little research in this area links existing organizational theory to cyber organizational structure. Because of the cyberspace connection to critical infrastructure assets, the factors that influence the structure of cyber organizations designed to protect these assets warrant analysis to identify opportunities for improvement.
This research analyzes the cyber‐connected critical infrastructure environment using the dominant organizational structure theories. By using multiple case study and content analysis, 2,856 sampling units relating to environmental uncertainty (complexity, dynamism, and munificence) are analyzed to show the general external environment of cyber organizations tasked to protect critical infrastructure is highly uncertain thereby meriting implementation of organic structuring principles. Pragmatic recommendations are offered.
2:10 - 2:55pm  Breakout 1
What’s Missing in Our ICS Security Program? Profiling the Current State of a Program and Developing a Site-Specific or Company-Wide Roadmap Leveraging 62443, NIST CSF, and Maturity
Donovan Tindill,  Honeywell
ICS security professionals and experts have a large number of security standards and guidance to reference in the development of their ICS security program (e.g., ISO 27000, IEC/ISA 62443, NIST CSF, COBIT). The challenge is selecting a standard and then trying to apply it to a control systems environment at a single site or across a fleet of facilities and systems. This presentation begins by describing the traditional ‘assessment-based’ approach to ICS security, its weaknesses, and how it will struggle to “get ahead” of the problems that lead to insecure ICS. The next topic is sharing a cyber security framework that builds upon existing technical frameworks (e.g., 62443-3-3 security levels), maturity models (e.g., CMMI, MIL), and procedural frameworks (e.g., NIST CSF, 62443-2-1). Using examples, this framework is then used to benchmark the ‘current state’ of any asset owner’s ICS security program, the target state, and how to lay out a roadmap to achieve it.
2:10 - 2:55pm  Breakout 2
The Stages of Cyber Attack Against ICS Networks
Dario Lobozzo, Radiflow
Cyber-attacks against ICS networks have been on the rise in recent years. However, while most critical infrastructures (power, water, oil, gas, hospitals and factories) are aware their risk of being cyber-attacked, many don’t fully understand what happens during a cyber-attack and the methods used by attackers to compound the damage. 
To demonstrate the course of a typical cyber-attack and the damage it can cause, Radiflow has created a functional model system that includes PLCs, Malware and Physical processes.
During the demonstration we will go over the different stages of the attack, how it propagates from the IT network to the OT network, how the attacker is able to scan and model the network in order to identify points of vulnerability, and finally the actual execution of the attack.
Following the demonstration we will cover a few of the methods and tools infrastructures can implement to reduce their vulnerability to cyber-attacks.
2:10 - 5:30pm
Mohave 1
Hands-On Forensics Technical Workshop - Presentations Not Available
This hands-on technical workshop will allow attendees to learn recommended best practices for performing hard drive and memory captures on a live system.  Attendees will work one-on-one with ICS-CERT’s Advanced Analytical Laboratory staff to learn techniques used to capture forensic copies for analysis.  This workshop will operate throughout the ICSJWG meeting.  Sessions typically take approximately 30 minutes or less.
3:15 - 4:00pm
Main Room
Hands-On Demonstration Using Pre-Built Wizards
Matthew Luallen, Cybati
Provide a hands-on demonstration using pre-built wizards discussing attack surface and mitigating controls of ICS categories of vulnerabilities. We would use the open CybatiWorks education platform examples for the presentation.
3:15 - 4:00pm
Breakout 1
Safety and Security in the Industrial Internet of Things
Dr. Christine Zhang,  Johns Hopkins University – Applied Physics Laboratory
The emerging Industrial Internet of Things (IIoT) have been showing tremendous potentials of improving the operational safety of industrial systems, while also bringing new safety and security challenges due to the scale, complexity, and potential integration models of IIoT systems. In this talk, we will give an overview of current research and technology development activities for safety-critical industrial control systems. Particularly, we will discuss the needs and challenges of developing safe and secure IIoT systems, the interplay between safety and security, and other crosscutting system aspects (e.g., privacy). Toward this end, we will
  • Describe new safety capabilities enabled by IIoT.
  • Identify unique safety challenges posed by the Industrial Internet’s scale, complexity, and possible systems integration paradigms.
  • Investigate relationships and correlations between safety, security and other architectural crosscutting concerns.
  • Define key capabilities that support the development of safe systems and how those could be implemented in the reference architecture.
  • Identify existing safety standards and regulatory compliance guidance that relates to IIoT application domains.
  • Evaluate techniques, methodologies, and technologies for the safety analysis and development of IIoT.
  • Identify technology and methodology gaps arising from the safety challenges unique to IIoT.
  • Define requirements for reference test beds to validate technologies designed to support safety critical functions and de-risk those technologies.
3:15 - 4:00pm  Breakout 2
Re-Examining Network Connectivity to Industrial Infrastructure
Jeff Melrose, Yokogawa
With the new network gear backdoors being disclosed companies are being forced to re-examine network connectivity to industrial infrastructure. This presentation will cover the network backdoor threat, industrial networking best practices, secure architectures and segregation techniques that can be used by all businesses to prevent a minor business network breach from becoming an industrial catastrophe.  
4:05 - 5:30pm
Networking, Technical Workshop, and Vendor Expo through 5:30pm
Wednesday, May 4, 2016
8:30 – 8:35am
Main Room
Daily Opening Remarks
Elke Sobieraj
ICS-CERT, Outreach & Awareness
U.S. Department of Homeland Security
8:35 – 9:35am
Main Room
Keynote Address - Presentation Not Available
Mark Fabro
President & Chief Security Scientist, Lofty Perch
Mark Fabro is the President and Chief Security Scientist for Lofty Perch, Inc., a market leading security technology company focused on SCADA and control system cyber security. As a recognized expert in attack methodologies and adversarial techniques, his work is focused on threat modeling, incident investigations and counter-attack planning. His projects have included supporting some of largest infrastructure asset owners in the world, and in addition to being involved in the development of several security standards for transportation, energy, and water sectors, he has testified to Congress on cyber security risk and threats to the North American Bulk Power System.
Mr. Fabro was a contributing specialist to the U.S. National Strategy to Secure Cyberspace, the Cyber Annex to the National Response Framework, the post-Katrina control systems recovery plan for Oil and Gas, and, most recently, the DoE Cybersecurity Capability Maturity Model (C2M2). He has authored several of the Recommended Practices for the DHS ICS-CERT, helped found the Repository for Industrials Security Incidents (RISI), and is a member of both the NERC Smart Grid and Cyber Attack Task Forces. Over his 20-year career, he has been instrumental in helping shape the security technology landscape whether it was creating first generation hardened OS firewalls or assisting the White House in crafting the National Strategy to Secure Cyberspace.
On the research side, he is well known for the discovery of numerous critical vulnerabilities in infrastructure technology, authored early proof-of-concept code for next-gen weaponized malware and is a contributing developer to numerous assessment frameworks.  He is regularly published for his work in Smart Grid, integrated radio mesh communications, and control systems forensics. He is the co-founder of numerous security mailing lists, and is involved in several international working groups addressing ‘denial of control’ within the process control and SCADA domain.  He has also contributed to several standards and practices specific to SCADA/EMS security, namely NIST 800-82 and NISTR 7628, and is on the American Public Transit Association (APTA) Control Systems Cyber Security Working Group.
Mr. Fabro has a degree in applied physics and mathematics and is currently working on his PhD in Electrical and Information Engineering. He has completed post graduate studies in national security and counterterrorism at both the American Military University and the United Nations, and has taught cyber security theory at several universities and government agencies around the globe. He is a regular instructor/speaker at many international security events, including GridSecCon, ICSJWG, SecTor, AUSCERT, BlackHat, SANS and many others. Recently, for his work in critical infrastructure protection, he was recognized as one of the ’25 Most Influential Consultants in the World’ and was named ‘Information Security Professional of the Year’ by SC Magazine.
9:40 – 10:25am
Main Room
NIST Cybersecurity Framework
James McCarthy, NIST
The keystone of a cybersecurity community is a unified understanding of the cybersecurity outcomes we wish to achieve.  Cybersecurity Framework provides a common set of cybersecurity outcomes that are just as meaningful in the board room as they are in the data center.  A shared view of cybersecurity outcomes brings efficiency and precision to our community dialogs.  In this presentation, NIST will provide an overview of Cybersecurity Framework and highlight some recent NIST and industry Cybersecurity Framework initiatives.  This presentation will also summarize NIST collaborations to create Cybersecurity Framework Profiles for the manufacturing setting, including application for industrial control systems.  The security measures described in these Profiles are designed with special consideration of the performance ramifications of security.
9:40 – 10:25am
Breakout 1
Federal Law Intended to Encourage and Facilitate Confidential Sharing of Cyber Threat Information
Patrick Fowler, Snell & Wilmer LLP
On February 16, 2016, the Department of Homeland Security (DHS) and Department of Justice (DOJ) issued “guidance” to assist federal agencies and non-federal entities in implementing the Cybersecurity Act of 2015.  The Act was signed into law on December 18, 2015. The Act is a long-anticipated federal law intended to encourage and facilitate confidential sharing of cyber threat information within and between the private sector and the federal government.  As part of the new law, Congress directed DHS and the Attorney General to jointly create and publicly issue initial guidance to help implement key aspects of the Act.
The initial, “interim” guidance consists of four documents, as follows:
  • Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities
  • Interim Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government
  • Interim Guidance on Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government
  • Privacy and Civil Liberties Interim Guidelines
Obviously, these four documents contain a considerable amount of detailed information, processes and procedures.  Any company that is considering sharing cyber threat information with the federal government under the Act will need to carefully study these documents before taking any such action. 
9:40 – 10:25am
Breakout 2
Anatomy of Industrial Cyber Attacks
Barak Perelman, Indegy 
We will skip the standard pitch about why ICS networks are vulnerable and the criticality of operational continuity, and go right to the point, which is to explain how ICS cyber-attacks really operate and where are the security gaps that enable these attacks. Industrial networks are inherently different than IT networks. In most IT cyber-attack scenarios, the same protocols are used for configuration and production operations. However, in industrial networks, different protocols are used for different types of operations. The builders of Stuxnet understood this more than 5 years ago, yet most security specialists still don’t fully understand the difference.
In this session we will discuss:
  • The need to monitor the proprietary network protocols and track all changes to the controllers
  • Why changes to PLC code blocks are transparent to “standard” OT protocol inspections (i.e., MODBUS/DNP3/ICCP) and what should be monitored
  • Which additional security gaps must be addressed in order to protect ICS networks against cyber-attacks, malicious insiders and human errors
Join us for this myth-busting session in which we will dispel common fables around industrial cyber-attacks and explain how they really operate.
10:45 – 11:30am
Main Room
Case Studies on the Implementation of Proactive Controls to Safeguard Access to Industrial Control Systems
Alex Leemon, CyberArk
In 2015, ICS-CERT highlighted the increased frequency of attempted attacks against Industrial Control Systems (ICS). According to a DHS/FBI/NSA joint publication “Seven Steps to Effectively Defend Industrial Control Systems,” of the 295 incidents reported in FY 2015, 98 percent of those incidents could have been prevented if certain controls had been in place.
In this session, Alex Leemon of CyberArk will present the case studies of two companies that have put in place proactive controls to safeguard critical systems from malicious insiders or external threats as recommended by the DHS/FBI/NSA publication.
Attendees will learn about the practical steps that can be taken to protect Industrial Control Systems. The use of shared accounts with no individual oversight, the prolific use of interactive remote user access, and network connections to the IT/Corporate environments represent some of the vulnerabilities that can be managed with the implementation of a privileged account security solution.
With cyber-attacks posing an increasing threat to critical infrastructure, organizations must re-evaluate their security strategy, working from the assumption that an attacker will inevitably infiltrate their networks.  With this in mind, we’ll shift our focus to ensuring that all critical systems in the operational environments are appropriately segregated, secured and monitored in real-time. It only takes one vulnerable system to be exploited for an attacker to cause significant damage that could compromise system performance and even their operation. It is therefore essential that organizations proactively safeguard their systems with a practical set of steps that includes securing all privileged accounts existing in their networks.
We will review important steps that organizations can take to reduce the attack surface area and take a proactive approach to the ICS security problem.  This is a key step in safeguarding critical assets given the risks associated with direct connectivity to untrusted endpoints. 
10:45 – 11:30am
Breakout 1
Assessing Cybersecurity Risk
Marc Ayala, aeSolutions
Assessing cybersecurity risk is generally considered to be one of the first and most fundamental steps in any solid IACS cybersecurity management program. ISA 99.02.01 (now ISA 62443-2-1) published in 2009 includes requirements that organizations perform both high-level and detailed cybersecurity risk assessments on all identified IACSs.  These requirements were reinforced in 2014 by the NIST Cybersecurity Framework that also specifies cybersecurity risk assessments and directly references the ISA 62443 requirements.
While both of these documents require risk assessments neither provide information regarding "how" to perform such an assessment.   Guidance on how to perform IACS cybersecurity risk assessments is now available in the recently developed ISA 62443-3-2, "Security Risk Assessment and System Design”. This presentation will provide an overview of the 62443-3-2 standard and demonstrate the IACS cybersecurity risk assessment process through a chemical industry example.
10:45 – 11:30am
Breakout 2
Successfully Bridging the Gap Between IT and OT
Travis Smith, Tripwire
Jeff Lund, Belden
According to ICS-CERT, sophisticated cyber-attacks are increasingly targeting critical infrastructure and more of these attacks are making it through to the control system layer of industrial networks. Illicit access to control systems makes it possible for cyber criminals to cause physical damage to industrial systems and has the potential to affect the availability, reliability and safety of mission critical services. At the same time, the number of industrial control devices connected to the Internet continues to grow rapidly, dramatically expanding the attack surface for cyber criminals targeting these systems. These factors are making the addition of cyber security controls a priority for critical industries around the world.
However, improving the cyber security of industrial systems without affecting availability or reliability is no small feat. One of the biggest challenges critical infrastructure organizations face as they improve cyber security capabilities is successfully bridging the gap between IT (information technology) and OT (operational technology).
Traditionally, both IT and OT have served distinct roles – each have their own goals, technologies and business processes. Recent developments, including the rapid shifts in the cyber threat landscape and the emergence of the Industrial Internet of Things (IIoT), are creating new business pressures that require cooperation and collaboration between these two groups.
1:30 – 2:15pm
Main Room
Arizona Office of the FBI on Cyber Threats - Presentation Not Available
Paul Schaff, FBI
2:20 – 3:05pm
Main Room
Meeting the Challenge for Cyber Assurance with UL CAP - Presentation Not Available
Radhika Chaturvedi, UL, LLC
Marty Edwards, ICS-CERT
Mike Ahmadi, Synopsys
Ken Modeste, UL, LLC
On February 9th, 2016 the Whitehouse issued an executive order calling for a "Commission On Enhancing Cybersecurity".  In the fact sheet (https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan) titled "Cybersecurity National Action Plan" issued coinciding with this executive order, the White House called out a plan for "Enhancing Critical Infrastructure Security and Resilience", where it is stated:
"The Department of Homeland Security is collaborating with UL and other industry partners to develop a Cybersecurity Assurance Program to test and certify networked devices within the "Internet of Things," whether they be refrigerators or medical infusion pumps, so that when you buy a new product, you can be sure that it has been certified to meet security standards."
Please join this session for an overview of the action plan and how multiple stakeholders are teaming together to achieve the goal of building a cyber assurance program.
2:20 – 3:05pm
Breakout 1
Methods and Best Practices to Help Reduce Supply Chain Cyber Security Risk
Dee Kimata, GE Oil and Gas
The boundaries between supplier and customer have changed dramatically as more connected industrial components “talk” to each other, making traditional supply chain security methods obsolete. In many highly publicized cyber-attacks, such as the 2013 Target case, the incident point of entry is directly linked to a supplier component … the risk is real. Despite this risk, there is limited awareness and rigor around supply chain security. Since industry trends predict an increased level of risk, amplified supply chain security focus and knowledge needs to adapt to address new component and supply chain relationship characteristics.
This presentation uses real-life experience to share new innovative methods and best practices to help you reduce supply chain cyber security risk. Best practices include cross-functional methodologies to address the technical, legal, and operational dimensions of supply chain security within industrial control environments. The presenter has first-hand knowledge of the best practices, and in the Q&A portion of the presentation can offer insights into practices to suit different use cases.
Presentation topics will include:
  • The role of ICS product development teams:
Training techniques for your development teams to identify components sourced from suppliers and determine if the components carry security risk, including use of modernized risk assessment tools.
  • New supplier cyber security requirements:
Sourcing documents historically do not incorporate supplier security requirements, yet international standards such as the IEC 62443 require supply chain security. Define and document appropriate new requirements to limit cyber security risk.
  • Operationalizing security requirements into sourcing processes:
Developing secure supply chain program elements is not enough.  Effective methods to educate suppliers and “launch” supply chain security, including instrumenting supplier security checks in the onboarding, qualification, and audit processes to ensure adherence.
2:20 – 3:05pm
Breakout 2
Disassembly and Hacking of Firmware Where you Least Expect It: In Your Tools
Monta Elkins, FoxGuard
In this session we'll cover:
  • Physical ramifications of tool attacks
  • Vulnerability and capability assessment
  • Finding and accessing firmware
  • Some instances where "less security" is better
  • Safety / Security tips for tools
2:20 – 5:30pm
Mohave 1
Hands-On Forensics Technical Workshop - Presentation Not Available
This hands-on technical workshop will allow attendees to learn recommended best practices for performing hard drive and memory captures on a live system. Attendees will work one-on-one with ICS-CERT’s Advanced Analytical Laboratory staff to learn techniques used to capture forensic copies for analysis.  This workshop will operate throughout the ICSJWG meeting.  Sessions typically take approximately 30 minutes or less.
3:20 – 3:35pm
Main Room
Lightning Round
Are We There Yet?
Chris Sistrunk, Mandiant
Now that Network Security Monitoring has been discussed and implemented in ICS, some consideration should go to measuring effectiveness. What are the milestones in a successful NSM effort? What sort of maturity model can we suggest to determine our progress? What are the next steps to improving a NSM installation to provide more value to a site or plant owner? We’d like to host a discussion of these and related topics during the spring ICSJWG with hopes to continue during the Hallway track and beyond!
3:35 – 3:50pm
Main Room
Lightning Round
DoD Energy Managers/Control System Owners Self-Assessments within the NIST Risk Management Framework
Aura Lee Keating, IPERC
During IPERC's installation of cyber-secure microgrids for the DoD, we have gathered several lessons learned, regarding cybersecurity and risk management beyond the system-specific requirements. I will discuss DoD Energy Managers/Control System Owners Self-Assessments within the NIST Risk Management Framework - strategies, how-to’s, potential pitfalls and benefits.  This presentation will also discuss how to bridge the IT/OT gap with recommendations for the structure of service agreements between energy control system owning organizations (i.e., Public Works), for whom cybersecurity is largely new, and IT organizations (i.e., Network Enterprise Centers), who have a day job with the networks and systems in their footprint.  This will include a discussion on inheritance of security protections and potential supporting architectures and (secure) interconnections. Going through the 6 Steps of RMF and the security control families of NIST 800-53A Rev 4, I will discuss what organizational policies and procedures need to be in place and how to appropriately incorporate system and technical security requirements into vendor contracts and acquisition documents so that Authorization to Operate may be achieved.
3:50 – 4:05pm
Main Room
Lightning Round
A Framework for Streamlined Threat Modeling of Cyber Physical Systems
Brian Wisniewski, Rockwell Automation
This presentation will provide an overview of current Thread Modeling approaches and how these could be leveraged within the ICS realm.  Utilizing existing commercial models and combing these with Cyber Key Terrain Analysis frameworks may allow analysts to avoid the ‘boil the ocean’ challenge while getting into the real issues facing cyber physical systems and how component vendors, systems integrators, and asset owners could address them. 
3:20 – 4:05pm
Breakout 1
Situational Awareness for the Energy Sector
Jim McCarthy, National Cybersecurity Center of Excellence, NIST
The United States Coast Guard has informally defined situational awareness as “… knowing what is going on around you.” More formally, situational awareness is “the perception of elements in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.” The ability to observe the environment, understand what is happening, determine the potential consequences, and respond is critical to availability.
While utilities monitor the environment, this is often done in balkanized silos such physical security monitoring, cybersecurity monitoring, and operational monitoring. Each silo has a discipline-specific view of the environment and a discipline-specific approach to response. A 2013 sniper attack on Pacific Gas and Electric’s Metcalf substation illustrated the impact this discipline specific view can have on effective response to incidents. In the Metcalf incident, physical security monitoring indicated some anomalies but a police drive-by did not identify any specific problem. Meanwhile, operational monitoring received equipment failure alarms for the substation. Ultimately, it was determined that a gunman damage 17 transformers.
During the incident, the police responding to the physical security alert were unaware of the equipment failures. Had they known, the response may have been more thorough than a drive-by. The operators did not know there was an active shooter at the substation. They might have dispatched a line crew into harm’s way.
The National Cybersecurity Center of Excellence’s (NCCoE’s) Situational Awareness for the Energy Sector project augments existing discipline-specific situational awareness by using commercial and open-source products to collect and aggregate monitoring information from across multiple silos. The aggregated information is analyzed and relevant alerts are provided back to the discipline-specific monitoring capabilities, improving each discipline’s understanding of the environment. This, in turn, leads to more appropriate response.
This presentation explains the approach taken to collect, aggregate, and analyze information from different disciplines. It presents the overall architecture of the solution and describes the products used to implement architectural capabilities in a proof-of-concept prototype.
3:20 – 4:05pm
Breakout 2
Defense in Depth – Network Segmentation and the Clark Wilson Model
Markinko Kimmer, Phillips 66
Cindy Satterfield, Phillips 66
For the last 20 years, information security practitioners have repeated the mantra of protecting one’s organization through defense in depth.  The base principle of defense in depth is network segmentation.  Network segmentation is also a fundamental concept of NIST 800-53 framework.  Consequently, all security standards developed by individual organizations have been based on this framework, including the Clark Wilson Security model.  Clark Wilson does not allow for data flow across network boundaries.
Today, dynamic data flow provides competitive advantage to those who can leverage it.  Data flow then becomes a conversation about risk versus reward.  Ensuring the safety of certain network zones by restricting data flow is a security imperative, this is also the dreaded juncture at which security can begin to work against business rather than enable it.
This presentation will examine this conundrum and, in the context of current threats, will provide solutions that can be leveraged to move data across security zone boundaries without generating additional risks or negating the value of network segmentation.
4:10 – 5:30pm
Networking, Hands-On Technical Workshop, and Vendor Expo through 5:30pm
Thursday, May 5, 2016
8:30 - 8:35am 
Main Room
Daily Opening Remarks - Presentation Not Available
Elke Sobieraj
ICS-CERT Outreach & Awareness
U.S. Department of Homeland Security
8:35 - 9:20am
Main Room
Keynote Address - Presentation Not Available
Marty Edwards
Director, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
U.S. Department of Homeland Security
9:25 - 10:10am
Main Room
Critical Infrastructure Cyber Security - Presentation Not Available
Sandra Bittner, IST Private Sector Co-Chair
Arizona Public Service
9:25 - 10:10am
Breakout 1
Cyber Risks to the Supply Chain - Presentation Not Available
Joe Doetzl, ABB
Robert Smith, MSC/INL
David Coher, Southern California Edison
Lisa Carrington, APS
Threats to the ICS Supply Chain. Best practices to mitigate risks to supply chain security. Steps ICS Vendors can take to ensure the security and integrity of systems. Actions the DOE, DHS and other are taking to mitigate risks.
Learn what to expect from your critical suppliers and what actions you can take to ensure the availability, security and integrity of the ICS supply chain.
9:25 - 10:10am
Breakout 2
A Framework for Incorporating Insurance into Critical Infrastructure Cyber Risk Strategies
 - Presentation Not Available
Derek Young, AFIT
Juan Lopez, Jr., AFIT
Critical infrastructure owners and operators want to minimize their cyber risk and expenditures on cybersecurity.  The insurance industry has been quantitatively assessing risk for hundreds of years in order to minimize risk and maximize profits.  To achieve these goals, insurers continuously gather statistical data to improve their predictions incentivize their clients' investment in self-protection and periodically refine their models to improve the accuracy of risk estimates.
This research presents a quantitative framework used in making critical infrastructure cyber risk strategies through the incorporation of insurance. Insurance is incorporated into the proposed framework in three ways: (1) as an incentive to increase levels of investment in self-protection, (2) by emphasizing the importance of gathering and sharing data and (3) by incorporating the insurance industry's cycle of continuously refined quantitative models. 
The framework implements optimization techniques to suggest levels of investment for both cybersecurity and insurance for critical infrastructure owners and operators.  More specifically, the outputs suggest ratios of investment in cybersecurity controls and insurance for the insured and discounts from the insurer which will incentivize the insured's investments in self-protection.
10:25 - 11:10am
Main Room
Making Threat Intelligence Sharing Work
Victor van der Stoep, National Cyber Security Center NL
The Dutch National Cyber Security Center (NCSC) is the National CERT for the government and critical infrastructure in the Netherlands. One of the ways the NCSC carries out its mission is by public private partnerships.  In June 2013 the NCSC started the pilot preparations at a government data center for automatically sharing indicators and incident related information, providing a boost to the operational situational awareness of its CSOC. Many challenges had to be overcome. As of December 2014 government organizations as well as critical infrastructure partners have started the new sharing collaboration successfully. Cross-sector threat intelligence sharing is now an emerging effort aiming to increase an organization its resilience. Also the EC believes in the future of sharing (NIS directive) and creating core and common platforms for improving CERT collaboration. Where should you begin? What is available to use for your benefit? Is a valid business case available? This presentation will discuss the prerequisites, technical and non-technical, needed to create an environment in which organizations can share information safely on a voluntary basis.
10:25 - 11:10am
Breakout 1
Open Source Research - Presentation Not Available
Richard Wyman, Idaho National Laboratory
For over seven years, ICS-CERT has worked with its industry partners to improve the cybersecurity posture of their industrial control systems (ICS) through onsite assessments. The assessment offerings include the Cyber Security Evaluation Tool (CSET®), the Design Architecture Review (DAR), and the Network Analysis Verification and Validation (NAVV). Each type of assessment serves a different purpose. The CSET focuses on the administrative aspects of the systems lifecycle (e.g., procure, install, maintain, and dispose) by asking a series of yes and no questions. The DAR is more free-flowing in that it is a facilitated discussion of the industry partner’s network architecture. The NAVV is an analysis of the data traffic captured at key boundary points in the network. Collectively, these three assessments have given ICS-CERT a broad overview of the state of the cybersecurity of control systems that monitor and control the nation's infrastructure.
One of the key observations made by ICS-CERT's assessment team is that the cybersecurity maturity level of the organization is often related to how well the organization knows what information is publicly available on its control system, how this information is controlled, how its system is architected, and how data flows from one node to another, especially as it crosses the ICS/IT perimeter. To simplify it, the cybersecurity maturity level of the organization is dependent on how well it knows and understands its control system and network.
Why is this important? When a malicious actor targets a cyber system, they do extensive reconnaissance of the system using techniques like foot printing, which is a methodical process for profiling the system and scanning to learn everything they can about it. This is an essential step before launching an attack.
When an organization can view its system through the eyes of an attacker, concrete steps can be taken to put controls into place reducing the risk of a malicious actor from targeting its system.
This presentation will share some of the tools and techniques the assessment team uses to help asset owners better understand their system. These tools include open source research, Shodan searches, and passive scans of ICS networks. Richard Wyman (ICS SME) will share his insights from working in industry and conducting assessments for ICS-CERT. He will also make specific recommendations to mitigate vulnerabilities discovered during open source research.
10:25 - 11:10am
Breakout 2
Interactive Critical Infrastructure Training
Daniel Allen, N2 Consultants
I will showcase an Interactive demonstration and display new training tools, techniques and methods in ICS security and situational awareness by demonstrating our 3D interactive training simulations for critical infrastructures. Our demonstration will be approximately 20-30 minutes in length. Critical Infrastructure employees can learn about the specific critical infrastructure they are working at and about the systems and procedures in a safe environment. This allows workers to practice on the specific equipment in the realistic 3D simulation realm which translates to higher skill levels and improved employee performance. Highly realistic simulations allow learners to use tools like voltmeters, gas detectors, stray voltage testers, rotation meters and phase sticks to name a few, to solve realistic problems that could occur on critical infrastructure equipment in the field. 3D Simulators allows learners to make mistakes and understand the consequences without causing real injury or harm to the person or the equipment. This translates into “Saving Lives and Saving Equipment.”
Since our technology can be used over the web, inside the organization, and on mobile devices it is very easy to deploy to large numbers of employees. The 3D simulators can be used in lunch rooms and during inclement weather conditions for continued or updated training. This type of training can eliminate travel costs, and potentially reduce time off the job. Training on a 3D simulation of your system will give employees comprehensive knowledge of how the equipment operates. The work force is aging and will be retiring. Simulations are the best way to capture knowledge to use to train the remaining and incoming work force. For example, the Utility, Fire, HazMat, Police, and EMS departments can work together to simulate an accident and see how each agency handles the mishap. The physics engine capabilities can provide accurate plume modeling for different airborne chemicals as well as explosions. Most emergencies would cost too much to simulate in real life and the simulator can be used over and over again to perfect procedures. Simulators are not only great to simulate the applications and jobs at a control center but also to prequalify employees for the job. This technology is so immersive many stresses are added into the simulations to reflect the real world situations. The simulator can be used to track each item when building an infrastructure for real-time procurement.
11:15am - 2:00pm
Main Room
Canadian Cyber Incident Response Centre Operations and Outreach - Presentation Not Available
Frank Turbide, CCIRC
CCIRC is the Canadian national computer security incident response team. In this presentation we will discuss: how we interact with our international partners; how we approach our ten critical sectors and their sub-sectors; how we handle ICS cyber security events; how we reach out to the community; our information products; and the tools we use to make it all happen.
11:15am - 2:00pm
Breakout 1
Assessing Cybersecurity
Eric Leum, Verizon
The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity V1.0 (Framework) provides a methodology and structure for enhancing and communicating cybersecurity capabilities.  Step 3 of the Framework, "Create a Current Profile," consists of evaluating and documenting the current cybersecurity posture of the in scope critical infrastructure. The assessment of cybersecurity posture requires evaluating security controls for effectiveness and alignment to the Framework’s five functions and associated categories. After evaluation with the Framework's structure, the Current Profile outcomes are reported to stakeholders in an understandable and repeatable format called the Cybersecurity Framework Scorecard (CFS). The Current Profile or CFS supports the subsequent Framework steps "Conduct a Risk Assessment" and "Create a Target Profile." This presentation is primarily focused on Step 3 in the Framework. The presentation describes real world experiences from assessing critical infrastructure, the NIST SP800-115 based assessment methodology, and the control scoring (ex. ISO, NIST, or ANSI/ISA 62443) that produces a Cybersecurity Framework Scorecard of critical infrastructure security.
11:15am - 2:00pm
Breakout 2
BowTie Methodology for Analyzing Cyber Footprint
Bri Rolston, Monsanto
Harry Paul, OSIsoft
OSIsoft has adapted the popular BowTie risk assessment methodology, typically used to analyze safety, to examine the Cyber profile of software installations.  Utilize this methodology to: visualize the Cyber footprint throughout a network, follow the kill chain from corporate presence to control system, drill down through attack vectors and defenses, explore system compromise and evaluate impact reduction and adapt the model to a changing architecture.  Bri Rolston, an ICS Security Lead, will share her perspective on this technique and how she has used it to visualize and analyze problems in actual manufacturing networks.
1:20 - 2:05pm
Main Room
Protecting What Matters in the United Kingdom - Presentation Not Available
Matt B, CPNI
1:20 - 2:05pm
Breakout 1
Arizona Cyber Warfare Range (AZCWR) is Providing a Barrier-Free Opportunity to Become Security Savvy
Brett Scott, Arizona Cyber Warfare Range
Raymond Rivera, Arizona Cyber Warfare Range
The United States has found itself behind the technology curve when it comes to securing its digital information. The loss of this information spans from individuals, to the intellectual property of businesses, to classified government data. This is evidences by reading the headlines or listening to the news every day. The reality is that we are continuing to fall further behind.
Traditional public educational institutions, private entities, federal programs, and Department of Defense tactics are failing to provide the increased skill set that is needed to protect this loss of information.
Arizona Cyber Warfare Range (AZCWR) is providing a barrier-free opportunity for educating people from all walks of life how to become security savvy. Though not a traditional educational institution or a certifying party, AZCWR’s mission is to educate the public regarding cyber security.
“Learn by doing.” That axiom is was true back in the days of the apprentice, and is true today when dealing with the complex and twisted world of Cyber Network Defense (CND). Most Security-focused education curriculums are focused on the theory and standards of computer fundamentals and Information Management.   However, the small group of volunteers in the Desert Southwest that facilitate AZCWR still believe in learning by doing and have created the AZCWR to give security professionals, and the non-professionals alike, the opportunity to “learn by doing,” in fact to “learn by destruction.”
AZCWR is one of largest volunteer staffed organizations in the country focused on innovation and education in cyber security. The range allows members to actively engage in “live fire” Computer Network Attacks (CNA) against a wide variety of platforms. The range is a no-holds-barred environment. No restrictions, no filters, and no rules, thus giving users true CAN/CND and forensic experience they cannot experience outside of the insular confines of the AZCWR.
We are using a transformative grass root approach to increase awareness, knowledge, and individual skill sets with our sub-mission to provide to the general public unfettered access to three cyber centered activities:
1) Computer Network Attack (CNA) = “operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves;”
2) Computer Network Defense (CND) = “defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction;” and
3) Digital Forensics = “digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of the forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.”
1:20 - 2:05pm
Breakout 2
Innovative Programmable SoC Architecture Approach With Multi-layer Security for Industrial Control Systems
Dan Isaacs, Xilinx
A new highly integrated multi-processing programmable System on Chip (SoC) architecture offers a world of flexibility for security concerned system architects and embedded developers designing and implementing connected control systems.  Real-time control and networking functionality for Industrial control systems can be managed using a security focused programmable SoC architecture.  When connecting control systems to the internet, the threat surface increases significantly making these systems become even more susceptible to the multitude of on-line cyber and other security threats looking for ways to subvert the software running on these devices, capture critical data, or worse, gain control of these systems.
This paper describes an innovative multi-layer security architecture from the context of software intelligence and hardware optimization.  An in-depth discussion of this multi-layer approach surrounding these combined capabilities will be presented including design considerations critical for any developer of Industrial control solutions.
Topics covered include details of a secure virtualization solution that provides a software platform capable of hosting both real-time operating systems (RTOS) and general purpose operating systems (GPOS) simultaneously in individual secure virtual domains. The second details hardware level functionality of a  programmable SOC platform, including architectural features targeting anti-tamper, DPA, threat detection and isolation, leveraging a large number of on-chip cores and functionality tightly coupled to highly configurable fabric that provide system architects and developers a truly runtime customizable platform to address a broad based of requirements.
Individually, these two technologies offer unique architectural capabilities to build complex control systems.
When combined, they offer a highly differentiated solution with a level of platform security that is highly resilient and resistant to advanced cyber-attacks, while providing not only the flexibility of running off the shelf operating systems and applications with no compromise in performance but also enabling immediate threat detection, remediation, and controllability at both hardware and software levels.
The paper (and presentation) will conclude with discussion of customer real-world use cases addressed by these combined technologies and demonstration(s) of an innovative cybersecurity solution utilizing programmable SoC technology today.
2:10 - 2:55pm
Main Room
Ask Me Anything - Presentation Not Available
Marty Edwards
Director, Industrial Control Systems Cyber Emergency Response Team
National Cybersecurity & Communications Integration Center
Networking And End Of Meeting