Singapore ICS Cyber Security Conference | 2019

The Impact of Visibility, Control and Analytics in an Era of Convergence

In today’s connected world, the convergence of IT and OT continues to impact an organizations security strategy. The merging of the cyber and physical worlds requires an enterprise to work faster and smarter while keeping legacy and modern systems secure. During this session, we’ll explore an approach to securing your environment that leverages legacy technology and plans for future technology advancements.  As IT and OT convergence is a given, we’ll examine three key ingredients needed in your cybersecurity strategy - visibility, control, and behavioral analytics – and their impact on the future of your business.

ICS and OT Cybersecurity is no longer a topic in its infancy.  Over the last decade, much of the focus has been around the awareness and technology, and less on people, processes and frameworks.  In this conference, undoubtedly we will again be presented with some great technology and their use cases.  However, organizations also need a holistic view on when, where and how to position these cybersecurity investments.  They also need to be able to articulate the risk reduction, justify cybersecurity investments to C-levels and boards.  In this session, we will analyze the feedback provided by  ICS Cybersecurity professionals  interviewed, on real-world advice they would give to their C-levels in making their OT organization more secure and leveraging frameworks in building their programs.

Learning objectives:
To elevate the cybersecurity maturity of the attendees in understanding and articulating the importance of building a comprehensive ICS Cybersecurity governance program for their organizations, rather than individual stand-alone technical solutions or processes. To learn from real-world advice and experience of ICS Cybersecurity experts.

A seaport is vital Critical National Infrastructure (CNI) required to maintain competitiveness in a global, supply-chain driven marketplace.  Seaport automation can increase productivity and reduce operating costs but also increases an organizations's cyber risk.  Seaports choosing to automate must adopt inherently insecure industrial control technology while greatly expanding its technology footprint and attack surface.   Business and technology choices made early-on in the automation planning process, such as OT governance and network design, are crucial to the successful and secure delivery of automation.

In this presentation, Ayman AL-Issa, Chief Technologist for Industrial Cyber Security in the Middle East & North Africa for Booz Allen Hamilton, will highlight lessons learned, challenges and solutions that benefit critical infrastructure operators through converging IT and OT efforts including enabling cybersecurity mandate, organization structure, governance, risk management and cybersecurity architecture design.

The adoption of Industry 4.0 across various ICS sectors is gaining momentum over the years as organizations want to optimize Internet-of-Things to maximize productivity while reducing cost. In contrast, the development of ISO/IEC 62443 Standards is still evolving and is largely aimed at traditional non-Industrial 4.0 setup. The adoption of Industry 4.0, if unplanned with cyber security, could potentially bypass the concept of Defense-in-Depth, Zoning and Conduits in ISO/IEC 62443 Standards.

Critical Infrastructure has seen an increase of Cyber Security legislation on a national and on an international level. In addition to this increase, stakeholders now pay more attention to compliance to external standards; and compliance has become a benchmark; even a competitive differentiator. But to organizations this may feel like more effort and attention is put on achieving compliance than actually improving cyber security. In this talk, we will discuss:

• What new legislation, including Singapore's Cybersecurity Act,  means to Critical Infrastructure
• How to manage additional and evolving compliance requirements
• Why compliance for compliance sake isn’t the answer
• How to use compliance to drive improvement
• Case study: What does the journey to compliance look like for the example of the NIS Directive

This session will share key take aways and best practices from years of field experiences at leading utilities, energy, manufacturing, and other industrial companies to help organizations pave the way for successful OT visibility and cyber security on a local or global scale.  ICS Cyber security deployments are accelerating at a rapid pace. In this session Michael Dugent will take a deep dive with those on the front lines of innovation and implementations.  You’ll hear the lessons learned and understand the critical success factors for asset owners looking to secure their OT environments.

While in theory, security architectures for IACS (Industrial Automation & Control Systems) are expected to be implemented in accordance with guidance from industry standards and good practice, this can pose challenges when it comes to brownfield or expansion projects. This presentation examines the security vulnerabilities when working with existing installations and legacy systems.

Join this technical session as we review existing examples of industrial control systems that were designed with insufficient consideration to the cybersecurity risk factors while used for safety.

It is known that a well-placed cyber attack on a critical infrastructure can be fast and furious. A poorly designed incident response plan will indirectly aid cyber attacks by hindering pragmatic direct responses through cumbersome escalation procedures, approvals and authorizations.

This session will touch on a pragmatic responses for the First-Responders in your control room; your ICS operators, shift leaders, and instrumentation & maintenance folks to help you keep your basic operations under duress with on-stage live demos.

Adoption of IEC 62443 in Singapore

The Industrial IoT or Industry 4.0, though just at the beginning of its transformative paradigm shift, will shake up the industrial sector fundamentally in the next years to come. One of the main hurdles for it to unfold its full potential is the protection of data and systems by cyber threats. Although many of cyber security solutions and respective methodologies are being offered already, Industry 4.0 or smart and connected systems, will be deployed on a large scale only, if they are based on best practice. This session will introduce the industrial cyber security standard IEC 62443, its basic concept and application, but also its introduction into Singapore.

Security is a journey, not a destination. Take others with you.

A growing number of industries are already integrating networking and digital communications into the OT space by deploying new Industrial IoT (IIoT) devices such as smart meters, automated asset distribution systems, and self-monitoring transformers. It follows, then, that the convergence of information technology (IT) and operational technology (OT) has become a business imperative.

As this technology advances and converges with networked tech the need for OT security grows exponentially. This session investigates how the OT environment can be safeguarded as the line separating OT/IT environments fades, what is the availability of skilled resources in OT security space, and what organizations need to do to close the security gaps.

Key Focus areas of the presentation

• What security challenges has the IT-OT convergence brought to ICS security and what are the typical OT cybersecurity risks?
• Given that cybersecurity is more IT-focused than OT, how do we bring cybersecurity into OT and begin to secure those systems?
• Are regional enterprises well equipped to tackle OT security threats?
• There are great disparities between IT and OT environments. So, do ‘OT Security Professionals’ need separate skill sets when compared to Cyber Security?
• Are such skill sets available in the region for OT security professionals?
• What further needs to be done to upgrade the skill sets of an organization’s workforce and tackle the issues of OT security?
• Is it possible to secure industrial networks without disrupting operations or risking non-compliance?