Industrial Control Systems Joint Working Group (ICSJWG)

The Cybersecurity and Infrastructure Security Agency (CISA) hosts the Industrial Control Systems Joint Working Group (ICSJWG) to facilitate information sharing and reduce the risk to the nation’s industrial control systems.

The ICSJWG provides a vehicle for communicating and partnering across all Critical Infrastructure (CI) Sectors between federal agencies and departments, as well as private asset owners/operators of industrial control systems. The goal of the ICSJWG is to continue and enhance the collaborative efforts of the industrial control systems stakeholder community in securing CI by accelerating the design, development, and deployment of secure industrial control systems.

CISA/ICSJWG developed a Fact Sheet for quick reference information about the ICSJWG: ICSJWG Fact Sheet.


ICSJWG Banner and Image

ICSJWG 2020 Fall Virtual Meeting Update

The agency has been monitoring the evolving COVID-19, also known as Coronavirus, situation closely, taking part in interagency and industry coordination calls, and working with critical infrastructure partners to prepare for possible disruptions to critical infrastructure that may stem from widespread illness, should the virus take hold in the U.S. You can find up-to-date information regarding these efforts at https://www.cisa.gov/coronavirus. Additionally, the agency issued a CISA Insights document titled, “Risk Management for Novel Coronavirus (COVID-19)” detailing steps to help executives think through physical, supply chain, and cybersecurity issues that may arise as a result of this ongoing public health concern, CISA.gov/insights.

Fall Virtual Meeting Update!

We appreciate all of the participation and interaction during the presentation sessions!

  • The meeting was kicked on September 21 with an overview of the CISA ICS Mission by CISA Leadership. Day 1 continued with presentations from the community.

  • A Capture the Flag activity was available from the opening of the meeting on September 21 until about 2:30 p.m. Eastern Time on September 22. The CTF exposed analysts to hunting across ICS networks for malicious behavior, with puzzles appropriate for both the beginner and the experienced analyst. Challenges included artifacts generated from IT/OT host forensic data, network data (from both bro logs and pcap), and OT equipment actively being exploited by a threat actor.

  • An updated ICS Training series overview was provided during the virtual meeting on September 22. The overview discussed the CYBER-CHAMP(c) program and allowed questions and answers about the sessions provided after the virtual meeting. These subsequent sessions are scheduled to run after the virtual meeting in September and into October. The training series includes both a Foundational track and an Advanced track. Specific foundational topics will be Cybersecurity Differences within IT and ICS Domains, and Cyber Risks to ICS. Specific Advanced topics will be Analyzing Previously Captured ICS Traffic to Discover Vulnerabilities, and Assessing Wireless Vulnerabilities in an ICS Environment. Flyer for the training will be provided upon request.

  • The Technical Workshop returned on September 22, with various technical topics presented and provided a question and answer opportunity for participants. Topics included Topics include MALCOLM Overview and Demonstration, On-Site Trends, Incident Response (IR) Planning, and Control Environment Laboratory Resource (CELR) Demonstration.

Additional Information

For additional information, please contact us at ICSJWG.Communications@cisa.dhs.gov.

 


Previous Meeting Information

Please find agendas for previous meetings below.

Contact the respective author(s) directly for copies of presentations.  

Please contact us if you have questions.


ICSJWG Newsletters

If you would like to submit an article or whitepaper of general interest pertaining to control systems security, please send it to ICSJWG.Communications@cisa.dhs.gov for consideration. Submitted articles will be reviewed and approved by ICSJWG prior to publishing. Please note that marketing or sales presentations aimed at gaining the audience's interest in services, capabilities, or products cannot be approved.

Article submissions for the September 2020 edition are currently being accepted for review until September 11, 2020.

Copies of the current Newsletter and the previous three Quarter's Newsletters may be requested from ICSJWG.Communications@cisa.dhs.gov.


ICSJWG Products and Materials

NCCIC/ICSJWG Fact Sheet: ICS Cybersecurity for the C-Level (Six Questions Every C-Level Executive Should Be Asking).
 
"Common Industrial Control System Vulnerability Disclosure Framework" developed by the Vendor subgroup (July 2012).

ICSJWG Webinar Series

Our Webinar Series is designed to inform the membership and general public about solutions to threats, vulnerabilities, and risks to critical infrastructure and control systems. The search for outstanding and value-added topics is ongoing. Please feel free to send an abstract or short description of any webinar idea to ICSJWG.Communications@cisa.dhs.gov and the Program Office will add it to the topic queue for review and possible inclusion into the series.  Our intent is to have a webinar each quarter of the year.  Please note that marketing or sales presentations aimed at gaining the audience's interest in services, capabilities, or products cannot be approved.

Our Next Webinar is Scheduled

ICSJWG is pleased to announce the next webinar on October 14, 2020 from 1:00 p.m. to approximately 2:15 p.m. Eastern Time.

Robust Cyber Risk Management - Simplified will be provided by Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

"No matter what we do, experts will be found to argue that we are mistaken  - there is no consensus for managing OT cyber risk. When serious incidents occur therefore, it is vitally important that we have a defensible rationale in place for our choices. What does a defensible security program look like?

Well, in this webinar, we start with common OT cyber risk fallacies: compliance is not due diligence, insurance does not keep the lights on, cyber catastrophes are not like hurricanes, we are all targets, and governments have limited ability to protect us from sophisticated attacks. We then explore powerful new approaches to physical & "analog" mitigations for cyber risk, including: Security PHA Review (SPR), Consequence-Driven Cyber-Informed Engineering (CCE), Secure Operations Technology (SEC-OT) and manual operations fall-backs. We then return to CCE to review the intrinsic limits and costs of conventional software-based mitigations, and to explore how all these mitigation fits into a robust, defensible, security program. We conclude by exploring common organizational resistance to robust programs, including: confusing detection with prevention, confusing encryption with protection, confusing statistics with prediction, "air-gapped" fallacies, and "reverse lottery" ROI calculations.

The bad news: macroeconomic trends are driving the pervasive cyber risk landscape to continue to worsen for the foreseeable future.  The good news: there are simple and powerful new approaches to managing OT cyber risk, and the world's most secure sites already use these approaches routinely."

Andrew Ginter is the VP Industrial Security at Waterfall Security Solutions. He spent 20 years developing real-time operating systems, compilers, control systems, and IT/OT middleware products - products that connected IT & OT networks, thereby contributing to the cybersecurity problems that now plague many industries. Andrew spent the last 20 years working to resolve those problems, first as the CTO of Industrial Defender, building the world's first industrial SIEM, and now at Waterfall Security Solutions, where he works with the most secure industrial sites on the planet.  Andrew is a co-author of the Industrial Internet Consortium Security Framework, the author of two OT security books and a frequent contributor to ICS security standards. He holds degrees in Applied Mathematics and Computer Science, and he writes in his spare time.

To register, send an email from a work-related address to ICSJWG.Communications@cisa.dhs.gov. We cannot process registrations from public email addresses. 

Past Webinars

Past webinar presentations which have been released are found below and may be requested from the Program Office through ICSJWG.Communications@cisa.dhs.gov. If they are still available, they will be forwarded to you upon request.

  • March 2020 – OT Needs 'Special Consideration' Which Means a Modified Approach to Security and True IT/OT Convergence to Achieve a Robust VM Program
  • November 2019 – Secure Operations Technology
  • July 2019 – Persistent Threat-Based Security for ICS Systems
  • March 2019 – Five Ways to Ensure the Integrity of Your Operations
  • September 2018 - The Top 20 Cyberattacks on Industrial Control Systems
  • January 2018 – Life After Ukraine: Industrial Control System Cybersecurity Industry Trends and Strategies
  • October 2017 – Creating Predictable Fail Safe Conditions for Healthcare Facility - Related Control Systems and Medical Devices by Use of System Segmentation
  • July 2015 – Protecting M2M Systems at the Edge
  • October 2014 – The New Paradigm for Information Security: Assumption of Breach
  • June 2014 – Online Real Time Monitoring for Change Identification
  • March 2014 – I Think, Therefore I Fuzz!

Membership in the ICSJWG

By adding you to our membership rolls, you will receive all outgoing messages to the ICSJWG community, including newsletters, meeting notifications, training information, calls for comments, and other announcements.

Volunteer participation, by contributing ideas, sharing information, or working toward solutions for CI security, is encouraged. To get involved supporting a working activity which addresses critical infrastructure security, please let us know your ideas and the ICJSWG Steering Team (IST) and Program Management Office (PMO) will consider them. To get involved with the ICSJWG in general, please contact us at ICSJWG.Communications@cisa.dhs.gov.