Mike Meason, Deep 6 Security, LLC
This session will instruct students on theoretical and practical concepts which facilitate the creation of network threat hunting operations in utilities. The concepts will be provided as a foundational approach to ensure that all audience members attain knowledge required to begin threat hunting operations no matter the maturity level of their current operations. This course will address prerequisites required as well as more in-depth technical approaches to threat hunting based on the day-to-day experience of utility security operations.
Monta Elkins, Foxguard
Learn control system concepts in this hands-on course. Students will build a demonstration control system utilizing Arduino boards, sensors and controllers. (Limited to 20 participants)
Students may choose one of two tour options: LCRA’s Sim Gideon Power Plant, a 607-megawatt, gas-fired plant, or LCRA’s Tom Miller Dam and River Operations Center, from which LCRA manages its facilities along the lower Colorado River. Transportation and safety equipment will be provided.
Note: Attendees will be required to undergo a criminal background check before being allowed to participate in these tours.
Slade Griffin, Contextual Security
In this half-day course, students will learn the fundamentals of technical security assessments and become familiar with several common tools used for such work. Students will come away with the knowledge required to begin assessing their own environments for security issues. Those wishing to do more hands-on work during the course should bring a laptop with virtualization software installed to build an assessment platform.
Monta Elkins, Foxguard
Laptop required. In this half-day course, students will learn the fundamentals of network traffic analysis using Wireshark, the de facto standard in packet analysis. Packet captures from a control system test environment will be provided.
In this overview of security for operational technology environments, students will learn how to apply the CIS Critical Security Controls, CIS Security benchmarks, and other frameworks to secure critical systems. For more in-depth learning and discovery, students may visit the Tripwire demo lab during breakout sessions.
Get a hands-on look at ICS security technology by visiting the Tripwire Demonstration Lab. Featuring devices and software from Tofino, Tripwire, GarrettCom, and HiVision, the lab gives students a first-hand look at an industry-leading security stack for industrial control systems.
Jess Smith, Schweitzer Engineering Labs
Security is challenging to teach through slides – they try to show a dynamic problem in a static medium – so let’s throw the slides out and walk through a simulated tabletop security exercise. This exercise begins with a basic control system, walks the participants through setting up good defenses and monitoring, introduces a threat actor, and then progresses to an interactive incident response. This exercise will work best with participants from both the traditional IT security and the control system worlds.
Participants will also briefly explore risk analysis, different TTPs for defending a network, and data collection and analysis. (Tabletop only; no equipment required)
Dennis Gammel, Schweitzer Engineering Labs
On December 23, 2015, a “temporary malfunction of the power supply” in three provinces in Ukraine resulted in power outages that lasted up to six hours and affected 225,000 customers. Following the event, an investigation identified evidence that several regional Ukraine power control systems had been compromised by cyber attacks. Both asset owners and government officials around the world are now asking, “What happened and could a similar cyber attack happen in our control systems?”
This presentation will provide an analysis of the Ukraine cyber attack, including how the malicious actors gained access to the control system, what methods the malicious actors used to explore and map the control system, a detailed description of the December 23, 2015, attacks, and methods used by the malicious actors to erase their activities and make remediation more difficult. We then discuss the defense in depth industrial control system network design structure and other best practice techniques, such as whitelisting and continuous monitoring. While it is impossible to say how the Ukraine incident happened, we can work to prevent this sort of attack from happening to our systems.
Dennis Gammel, Schweitzer Engineering Labs
OTSDN takes back control from traditional Ethernet switching for a control system network. OTSDN systems are deny-by-default traffic systems, empowering a network designer to engineer only the flows that are necessary for the control system. With OTSDN there is no more RSTP failover with long, unpredictable convergence times; OTSDN allows for predetermined failover paths with consistent network fault recovery times of less than 100 µsec. We will go over how OTSDN redefines mechanisms for network monitoring, intrusion detection, and prevention.
Chad Cook and Todd Wedge, Siemens Industry
Security and compliance requirements include the need to secure removable media and “transient cyber assets”. Traditional methods of tracking USB sticks and similar devices rely heavily on manual, time-consuming techniques. Are there better ways to manage, track, and report on transient devices and remote IEDs?
Chad Cook and Todd Wedge will demonstrate how secure remote access management tools can be used to provide configuration change management, access control, and security management, providing security while meeting compliance requirements. Real-world examples will be combined with configuration and reporting techniques. This session will highlight how remote access management can add to a layered defense strategy for utilities.
Monta Elkins, Foxguard
In this session, students will witness an example of reverse engineering firmware and installation of malware on a device. In the live demonstration, a cordless power drill will be modified to play music, demonstrating the hidden capabilities of common objects.
Slade Griffin, Contextual Security
In this one hour session, students will learn how modern metering infrastructures operate and the common security weaknesses that must be addressed.
Leonard Chamberlain, Archer Security Solutions
Jared Mednel and Yves-Laurent Sivuilu, Palo Alto Networks
Next-generation firewalls have seen increased use in utility ICS/SCADA environments because of their ability to improve traffic visibility, provide more granular access control, and stop advanced cyberthreats, while helping utilities meet their applicable compliance obligations. One of their distinguishing characteristics is the ability to identify and control traffic, even ICS protocol traffic, more granularly at the application layer (Layer 7). Several learning topics will be covered during this session, including: