Singapore ICS Cyber Security Conference | 2019

Welcome address and conference introduction for SecurityWeek's 2019 Singapore ICS Cyber Security Conference.

Many talks outline important but theoretical activities useful to help minimize impacts from poor industrial cyber security. This is not one of those talks. It's time to get moving, get practical and begin to admit there are big problems with industrial cyber risk.

This talk will share practical lessons from dozens of large organizations as they embarked on this journey across people, process and technology. From getting executive support, establishing clear accountability, and understanding the true extent of the exposure, this session will discuss case studies, prioritization, measures, and how to expand into OT network from real world examples.

Learning Objectives:

• Learn practical steps to take on how to address risks in OT networks
• Learn what type of concrete measures have worked best for other large organizations
• Learn how to translate technical risk into business impact and communicate better with boards and C-levels.

This session will discuss the march of digitalization in industrial automation, why it is compelling, and how associated cyber risks are perceived and treated by industry and within companies.  The perspective will span a spectrum of people, process, and technology and include results from recent SANS market studies that analyzed the State of Industrial Control System (ICS) and Industrial IoT (IIoT) Cybersecurity. Details will be shared that represent the experiences of IT, OT, and IT/OT-hybrid cybersecurity practitioners responsible for operational technology (OT) systems.

Attendees of this session will gain insight into what organizations are doing to understand, communicate, and address security risks, and how their efforts compare with industry peers. It will help highlight some of today’s risk-management trends and where added investments are still needed. This information is intended to benefit owners-operators, service providers, suppliers, consultants, and researchers who hold responsibility for managing cyber risks to industrial systems.

This presentation will describe real-world, end-user experience of building a security program around the work processes, and the lessons learned. Such an approach has the considerable payoff of making the field operations more efficient as well. The IT needs of field personnel have long been neglected and, as this presentation discusses, the activities around securing the field operations has the potential to improve productivity in the field as well as ICS security.

Learning Objectives

• What are field operations and why securing it is important?
• What are three common weaknesses in field operations that can be exploited by an adversary?
• What are the three main challenges in securing field operations?
• How do you secure field operations without impacting work?

The APT group GreyEnergy has been targeting industrial networks in Ukraine and other Eastern European countries for the past several years. The advanced persistent threat (APT) group uses stealth attacks to access various elements of ICS. In this session, Andrea Carcano will tap into the latest research from Nozomi Labs to explain how GreyEnergy’s ability to avoid detection is linked to the way they program their malware. He will detail how GregyEnergy social engineers their way into ICS networks via phishing emails, how their malware is able to cause damage without detection and share a free tool designed to help facilitate further discovery and analysis within the ICS cyber security community.

Forescout research recently uncovered several dangerous vulnerabilities in popular building automation devices. This is particularly alarming because these discovered vulnerabilities prove that various controllers and Building Automation Systems (BAS) used for physical access control in hospitals, schools and airports are open to coordinated attack. While malware targeting BAS has not been widely reported yet, the Forescout team strongly expects to see an uptick in attacks, and has used this research to drive our solution innovation.  In this session, Daniel will share the specifics of our research, cover the anatomy of a typical BAS cyber attack and detail what we’re doing at Forescout to ensure coordinated and scalable solutions that identify and thwart threats to BAS systems. 
 

Welcome remarks for Day 2 of SecurityWeek's 2019 Singapore ICS Cyber Security Conference.

While many companies recognize the cybersecurity benefits of early OT threat detection, many struggle to select a suitable solution that matches their key concerns and their current industrial cybersecurity capabilities. This presentation by ARC describes the industrial threat detection and response landscape, how the solutions vary in focus, scope, and capabilities, and the importance of aligning with a company's overall cybersecurity management strategy. The information will be of benefit to owner-operators as well as to suppliers of cybersecurity solutions in the industrial sector.

Despite the rapidly growing deployment of IP-based technologies around us, the security of these deployments remains susceptible to basic cyber security attacks. What began as a small enumeration of the exposure of Security Access Control Platforms on several Internet-connected device search engines, grew into a research project covering several Building Management Systems (BMS) or Building Automation Systems (BAS) and its various sub-categories.

The execution of such attacks enables an unauthenticated attacker to access and manipulate doors, elevators, air-condition systems, windows blinds, cameras, boiler, PLCs, lights, alarm system in an entire building. In the case of this research, more than 10 million people could be affected by the findings presented.

This presentation discusses vulnerabilities found by Applied Risk research team across several BMS components and products from various vendors in the industry. Multiple vulnerabilities have been identified that could result in the total compromise of entire buildings and critical facilities (e.g. banks, hospitals, industrial facilities, government, residential…etc.).

In addition to the discovered vulnerabilities, the process we followed during our research will be discussed. Examples will be given for topics like:

• Firmware analysis  
• Device assessment

The ICS cybersecurity market is swirling with hot buzzwords. More than 20 startups have emerged in the ICS market in response, offering products that attempt to meet this demand. But what do  terms like “anomaly detection” and “machine learning” actually mean in the context of ICS threat monitoring? What does machine learning do and how does it work? Is it providing real value or is it yet again clever marketing? Is machine learning really even being used? If so, how can anomaly detection and machine learning enhance ICS threat monitoring? Is it really needed? What strategies, tools, and techniques can really help you with your ICS environment situational awareness and threat monitoring? Are there options for budget-constrained organizations? This session will explore how anomaly detection and machine learning work, and how they can be deployed for effective ICS situational awareness. The audience will be armed with what they need to cut through the buzzwords and confusion. Attendees will be introduced to several open source tools available that will help them learn more about passive asset identification, anomaly detection, and threat monitoring, and potentially even deploy their own “DIY” situational awareness solution.

FireEye Intelligence arrived at a high confidence assessment that the TRITON attack was sponsored by a Russian Government-owned research laboratory. This talk will share  analysis to illustrate the process  followed to connect the dots. It highlights some creative research techniques and pivot points used in this analysis and will share how other organizations can use FireEye's public reporting to hunt for evidence of the same attacker.

The development of an incident response strategy is often a top-down driven development process, resulting in a response strategy that is often not quickly enough to disrupt a cyber attack as much as the it would like to disrupt or destroy the ICS operations.

This panel aims to gain unbiased expertise views on the development of a pragmatic ICS incident response strategy at ground-zero; the ICS Control Room

SecurityWeek's 2019 Singapore ICS Cyber Security Conference is winding down, but be sure to register for advanced training sessions on Thursday (space permitting) - See the SecurityWeek event staff to register.