SecurityWeek’s Industrial Control Systems (ICS) Cyber Security Conference is the largest and longest-running event series focused on industrial cybersecurity. Since 2002, the conference has gathered ICS cyber security stakeholders across various industries and attracts operations and control engineers, IT, government, vendors and academics.
As industries become increasingly reliant on interconnected systems, securing operational technology (OT) and industrial internet of things (IoT) environments is paramount. This presentation explores the unique challenges of OT/IoT security, highlighting critical pain points such as a lack of visibility, limited resources, and evolving attack surfaces. We will dive into a proactive approach to cyber resilience by outlining key components such as deep visibility, threat and risk management, vulnerability management, and lifecycle management, followed by practical steps to enhance OT/IoT security with a focus on best practices for proactive and reactive approaches. Join us to learn how to navigate these complexities and build a robust cyber resilience strategy for your critical infrastructure.
Carlos Buenano
CTO, OT, Armis
Carlos possesses a degree in Electronic Engineering and a master's degree in telecommunications with more than 30 years of progressive experience in the control systems and telecommunications field. Carlos’ history includes positions such as Principal Systems Engineer, Senior ICS Cybersecurity Consultant, Solutions Architect and Technical Account Manager and Principal Solutions Architect around the world. Carlos has been actively involved in several brown and green field industrial control systems projects in manufacturing, mining and oil and gas, from the concept definition to the commissioning stages of the projects. Carlos has spent the last 5 years of his career operationalizing cybersecurity solutions focusing on industrial networks.
As AI emerges as both a powerful tool for asset owners and a formidable weapon for attackers, the convergence of IT and OT is blurring the lines between people, processes, and technology, creating new vulnerabilities. In this rapidly shifting landscape, attackers stand to gain the upper hand if organizations fail to adapt their security strategies. This presentation draws on insights from a global "State of OT Security" survey, revealing how industry leaders are leveraging AI, Zero Trust Architecture, and converged IT-OT security platforms to stay ahead of the evolving threat landscape. Join us to explore how these strategies are essential for navigating the new nexus of OT security.
Qiang Huang
VP of Product Management, IoT and OT Security | Palo Alto Networks
Qiang Huang is the VP of product management at Palo Alto Networks leading IoT and OT security products and solutions. He has over 20 years of deep experience in a wide range of technologies including network security, enterprise networking, and IoT. In recent years, Qiang incubated several industry-first IoT and OT products and solutions, and developed partnerships across industries such as manufacturing, smart building and smart cities. Qiang holds an MS in EE from Colorado State University. He is also a co-author of the book: SSL Remote Access VPNs.
Experience a dynamic simulation of an OT cyberattack that illustrates how SigaGuardX detects and responds to evolving threats across multiple levels of the Purdue model. Watch as the attack begins unnoticed, then rapidly escalates, threatening critical assets. This demonstration highlights how SIGA's advanced tools detect suspicious asset behavior, construct real-time event narratives, and empower Incident Response teams to make critical decisions. Discover how SIGA technology protects critical infrastructure by uncovering and responding to hidden cyber threats that evade traditional detection methods.
Hagai Galili
COO, SIGA Security
Hagai is the COO of SIGA, where he leads global system implementation, technical support, and service operations. With over a decade of experience in cybersecurity and engineering, he has managed large-scale projects across sectors such as industrial plants and data centers. Hagai holds a B.Sc. in Mechanical Engineering from Ben-Gurion University, bringing both technical expertise and a practical, hands-on approach to his role.
In the rapidly evolving landscape of Operational Technology (OT), passive monitoring projects are essential for ensuring security and operational efficiency. However, many of these initiatives encounter significant challenges that lead to their failure. This presentation delves into the common pitfalls and obstacles faced by organizations implementing OT passive monitoring systems. Drawing on real-world case studies and experiences from the field having performed numerous deployments, we will explore critical factors such as inadequate planning and design resulting in limited asset visibility and fidelity of results, lack of stakeholder engagement (e.g., who owns the solution, what the value is beyond a cyber-solution), integration issues, and insufficient response strategies (e.g., proper playbooks on how and who will deal with alerts). Attendees will gain valuable insights into the root causes of these failures and practical recommendations for overcoming them, ultimately paving the way for more successful and resilient OT passive monitoring projects.
Are you struggling with fragmented security tools, reactive processes, and a lack of visibility into your risk landscape? This session offers a solution. Discover how integrating risk management with a lifecycle-aware approach to asset management can transform your OT security posture, ensuring compliance while proactively mitigating risks and enhancing operational resilience.
Key Takeaways:
- Overcome Fragmentation: Bridge the gap between security and operations, creating a unified and cohesive approach to OT security.
- Proactive Risk Mitigation: Identify, assess, and prioritize risks throughout the entire asset lifecycle, enabling proactive measures that prevent incidents and minimize downtime.
- Data-Driven Decisions: Leverage real-time asset data and lifecycle information to make informed security decisions and optimize resource allocation.
- Operational Resilience: Achieve a resilient OT environment that can withstand evolving threats and ensure the continuity of critical operations.
Owl is thrilled to introduce our latest Data Diode software, Owl Talon, along with its newest developments that are revolutionizing how data diode solutions are deployed. Join our session for an in-depth look at the product, experience a live demo, and engage with our product manager to answer any questions you may have.
Phil Won
Senior Product Manager, Owl Cyber Defense
In 2023 Elanco Animal Health, a pharmaceutical company which produces medicines and vaccinations for pets and livestock, began the investment in an inventory and vulnerability management application for some of our manufacturing locations. This session shares some of the lessons we learned: the good and the hard. Pulling together the requirements. Vendor selection hits and misses. Working with the IT team - right-sizing expectations. Working with the OT team - early and clear detailed directions. A great window into OT spaces. Document lessons learned and plan for the next phase.
Stuart Powell
OT Security Engineer with Elanco Animal Health
Stuart has 40 years of professional experience with varying tenure lengths in: college-level technical instruction, project management, industrial control systems engineering, business IT administration for Unix, Windows, and infrastructure, and now OT security.
In this presentation we will explore the evolving industrial remote operations landscape and how Secure Access Service Edge (SASE) technology has emerged to provide a more flexible and scalable approach to securing OT remote access, asset-to-asset and asset-to-cloud security, and even SD-WAN based OT infrastructures. We'll dive into how SASE enables Zero Trust in OT settings and examine use cases that highlight the tangible benefits of SASE for OT remote access and securing site-to-site and site-to-cloud communications.
Del Rodillas
Distinguished Product Manager, OT Security Solutions | Palo Alto Networks
Del is an industry veteran with over 28 years of experience in Cybersecurity and Technology. As a Distinguished Product Manager for Industrial Cybersecurity at Palo Alto Networks, he is part of the team defining the roadmap and ensuring product excellence for the OT Network Security portfolio.
Segmenting industrial networks into small zones of trust is an efficient way to protect operations and prevent attacks from spreading. But in many cases, it can be too complex to modify the network, deploy zone-based firewalls, and ensure assets are placed in the proper segment without disrupting production. This session will look at the roadblocks asset owners are facing and discuss ways to make segmentation projects finally move forward: Why is network segmentation so hard to do in OT? What are the software-based segmentation options? Why are these solutions not widely adopted? What is virtual segmentation and how can it help deploy software-based segmentation? How can AI help automate asset grouping to inform segmentation policies?
Fayce Daira
Solution Architect OT Security, Cisco
Fayce has been working in cybersecurity for 21 years. He started his career as a systems engineer for a network security distributor in Europe and co-founded Skyrecon Systems in 2008, an endpoint security vendor which was later acquired by Airbus Defense to form Stormshield. He has lived in the US since 2009, where he helps organizations secure their industrial operations. He joined Cisco in 2019, where he is a technical architect focusing on industrial networking and cybersecurity solutions. Fayce holds a Master's degree in Cybersecurity from Epitech, France and is a Certified Information Systems Security Professional (CISSP).
OT Security tools are evolving rapidly - from network monitoring, intrusion detection to endpoint sensors and wireless detection. The use cases besides asset visibility and vulnerability & risk management, threat detection etc., are also evolving as businesses demand that any investment in security also leads to operational efficiency and greater ROI. How can ICS personnel and OT Security practitioners build a technical and business case to get executive buy-in?
Ben Callaway
Regional Sales Director, Nozomi Networks
Ben Callaway has 15+ years of experience in Industrial Automation, spending the last 6 years in OT Security. He currently serves customers in the Mid-Atlantic and Southeastern US for Nozomi Networks with market-leading OT and IoT Security & Visibility solutions. Having started his career in ICS in Instrumentation and Software Sales for Emerson, he spent over a decade on plant floors across all industrial verticals. Over his career, Ben has held multiple roles including Sales, Marketing & Business Development and Services covering Control systems & Cybersecurity solutions for Critical Infrastructure (Power, Oil & Gas, Water, Mining). Ben has a Bachelor's Degree in Economics from The University of Georgia.
The separation between IT and OT environments is increasingly analogous to the traditional separation between U.S. Government networks of differing security levels. Both require strictly defined data flows and rigorous control over information exchanges to prevent unauthorized access and breaches. OT environments face many of the same threats as national security networks, and the evolving complexity and sophistication of threat actors and incidents like Ripple20 have highlighted the need for security measures that evolve to meet them. As such, U.S. Government network security technology is increasingly shaping the future of Operational Technology (OT) security by informing new practices and influencing next-generation solutions. In this session, we'll discuss the application of robust OT security principles and technologies derived from experience defending the most sensitive U.S. Government networks. We'll delve into the application of security principles such as Defense In Depth and Zero Trust, the current state of hardware- and software-based security technologies, and how we can take lessons learned from government network defense and apply them to the mitigation of future OT threats. By implementing the latest security principles and best practices, and leveraging government-driven innovations, OT systems can be fortified against evolving threats, ensuring the safety and reliability of critical infrastructure.
An OT cyber breach is underway. Is there an Incident Response plan in place? This session will provide a deep dive into the role of process-oriented OT cybersecurity during the expression phase of an OT cyber breach. Attendees will learn about a multi-level IR approach that includes unfiltered visibility from Level 0 to Level 4 of the Purdue model. This approach provides early detection of OT cyber-attacks like False Data Injection (Stuxnet-like), Aurora and others, as well as crucial decision-making support to the attack containment stage, helping to determine whether to shut down operations or continue with caution. Join us to explore advanced and effective incident response and operational resilience in the face of OT cyber threats.
Awareness of existing vulnerabilities is crucial in the industrial control systems (ICS) landscape. Memory safety vulnerabilities are recognized as pervasive threats that demand immediate action. CISA highlighted them as a top-risk class, and they pose significant threats to ICS environments. It's imperative we address memory safety issues head-on, focusing on strategies to mitigate these vulnerabilities and secure ICS infrastructure. Traditional patching approaches often lag or remain incomplete, and current best practices are clearly not working given the increase in memory safety vulnerabilities year over year. This presentation confronts the reality of memory safety risks in ICS environments, focusing on current strategies and actionable steps to fortify defenses. Acknowledging the omnipresence of memory safety vulnerabilities, we explore proactive measures available today to mitigate these risks. Central to this discussion is the role of Runtime Application Self-Protection (RASP) technology in ensuring robust memory safety without compromising operational performance, a critical consideration in ICS's precision-driven operations. Real-world examples underscore how RASP can mitigate memory safety threats, urging OEMs and asset owners to prioritize proactive security measures. Attendees will leave with actionable insights into immediate actions to strengthen device security today and lay the groundwork for protecting ICS devices against evolving memory safety vulnerabilities in the future.
Shane Fry
Chief Technology Officer, RunSafe Security
Shane Fry is the Chief Technology Officer at RunSafe Security, Inc. He has over a decade of experience in cybersecurity, on both the offensive and defensive sides of the house. He has performed vulnerability research on all layers of the hardware and software stack, including physical circuit security, secure boot, software update, memory corruption, and web-application vulnerabilities.
Cybersecurity incidents in manufacturing facilities present unique problems that are not typically found in IT environments. This session will explore these specific issues and differences by describing a project that was developed and executed at the National Cybersecurity Center of Excellence (NCCoE) Manufacturing Lab to test Response and Recovery capabilities in an Operational Technology (OT) environment. Speakers will incorporate a unique video demonstration of a specialized Manufacturing Lab at NIST, which includes typical OT components such as: programmable logic controllers (PLCs), human machine interfaces, a conveyor system, a robotic system, a supervisory system, and various networking components. The presenters will also discuss various types of cybersecurity incidents tested in the lab, which map to: MITRE ATT&CK for ICS; the CSF categories and subcategories associated with Response and Recovery; the risk-based decisions made during an incident response for an operational facility; some critical technologies implemented in an OT environment; and the dependence on planning and communication for incident response. This presentation is intended to encourage attendees to discuss and plan for a response to and recovery from cyberattacks against OT and highlights NCCoE manufacturing guidance relative to this topic. The expertise gained from working alongside other NIST experts in a technical manufacturing lab brings unique perspectives that the speakers can share as lessons learned and ideas to consider. Speakers will share tips, ideas, and information that will serve as helpful starting points for cybersecurity professionals throughout their presentation.
New technology implementations in ICS/OT environments pose unique risks for critical infrastructure. Today's risks include lack of support for modern authentication or connectivity methods in traditional environments, connecting existing infrastructure with highly vulnerable end-of-life operating systems, or risk of breaches from third-party remote access. This interoperability is designed to provide OT customers visibility and management of their asset inventory and enhance asset vulnerability detection and remediation capabilities through a seamless secure controlled access platform. As outlined in the CISA Five Pillars of the Zero Trust Model, these tools, combined with AI, machine learning (ML), and User and Entity Behavior Analysis (UEBA), enable Security Operations Centers (SOC) to respond quickly and effectively to advanced and emerging threats. By providing continuous monitoring, real-time reactions to intrusions, and a baseline of expected behavior, these technologies form a robust security layer against cybersecurity threats. Automation and orchestration, including Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR), play a vital role in this process. Overview with Live Demo showcasing key elements of the ICS/OT security framework, the five critical controls that fortify your infrastructure against emerging threats:
- ICS incident response, which integrates operational insights into incident handling, enhancing system integrity and recovery
- Defensible architecture, ensuring robust visibility, segmentation, and enforcement mechanisms to bridge technological and human aspects of security
- ICS network visibility monitoring, employing continuous monitoring and protocol-aware tools to detect and address potential vulnerabilities
- Remote access security, ensuring safe and secure stringent access control in the face of evolving hybrid work environments
- Risk-based vulnerability management, prioritizing and addressing vulnerabilities based on their potential to pose significant operational risks, thereby ensuring proactive prevention, response, and recovery actions
Kevin Kumpf
Chief OT/ICS Strategist, Cyolo
Kevin is the Chief OT Strategist and Tech Evangelist at Cyolo, a software company whose Next Generation Secure Remote Access platform gives security leaders the controls to safely provide asset access to on-premise, remote, and third-party users. He has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation, and FedRAMP realms.
As somebody who began their career working in air traffic control for fighter jet operations in the Royal Air Force, I know a thing or two about risk! Understanding and mitigating OT risk is akin to navigating the fast-paced, high-risk environment of fast jet operations in air traffic control. Drawing from my extensive experience in my years since those military days, my presentation will delve into the intricacies of measuring OT cybersecurity risk using scenario analysis, a methodology that mirrors the precision and strategic foresight required in aviation.
Presentation Agenda
1. Introduction to OT Cybersecurity Risk: Overview of OT environments and the unique challenges they pose. Importance of accurate risk assessment to ensure safety, reliability, and operational continuity.
2. Lessons from the tower: Insights from air traffic control and fast jet operations. How managing risks in high-speed aviation parallels OT cybersecurity challenges. Real-life anecdotes and experiences from my tenure in the air force.
3. Scenario Analysis: A Strategic Tool: Explanation of scenario analysis and its application in risk assessment. Step-by-step guide to developing effective scenarios. Techniques to identify, analyze, and prioritize risks based on potential impact and likelihood.
4. Case Studies: Fast Jet Operations vs. OT Cybersecurity: Comparative analysis of real-world scenarios in fast jet operations and OT cybersecurity. How scenario planning in aviation can inform and enhance cybersecurity strategies. Examples of successful risk mitigation tactics from both domains.
5. Developing Your Scenario Playbook: Practical exercises to create your own scenario analysis framework. Tools and methodologies to tailor scenarios specific to your OT environment. Strategies to engage stakeholders and build a robust risk management culture.
Audience Takeaways: Attendees will leave with a deeper understanding of how to leverage scenario analysis for comprehensive OT cybersecurity risk assessment. They will gain actionable insights from the world of fast jet operations, enabling them to anticipate and mitigate potential threats with the precision and foresight of a seasoned air traffic controller. This presentation will empower cybersecurity professionals to develop more resilient and proactive defense strategies, ensuring the safety and security of critical OT environments.
Stuart King
Advisor to the OT Cybersecurity Industry
Stuart's career began in the Royal Air Force where, as an air traffic controller, he learnt a lot about what it means to manage risk. Over the years, Stuart's civilian career has been focused on mitigating cybersecurity risks for a diverse range of organizations all around the world. Stuart was one of the founding members of the Chartered Institute of Information Security Professionals - a UK body dedicated to professionalism in the cybersecurity industry, holds an MBA in Technology Management, and is GICSP certified.
This session will present a simplified approach to taking what you already know about the Purdue model and applying it to your OT cloud applications. It will provide a brief history of connecting networks from Multiprotocol Label Switching (MPLS) to wide area networks (WAN) and a summary of the most relevant aspects of the Purdue model to consider for OT cloud integrations. We will explore common cloud architectures with Google Cloud, Microsoft Azure, and AWS OT, and outline effective strategies for leveraging the Purdue model principles within a modern, cloud-based OT architecture.
In the IT world, syslog is the universal protocol for logging. With syslog, endpoint events and information that would be impossible to see from network monitoring alone are streamed to a central location for correlation and analysis of the bigger picture. However, syslog is only available on some of the most modern PLCs, leaving a huge gap in visibility for legacy PLCs. Then where syslog is available, it typically isn't flexible enough to let users log sensitive process events that could provide important context. In this talk we will first demonstrate the security events that can be logged with existing syslog libraries from top PLC vendors, and then show how a new open source library can bring deep syslog visibility to PLCs that didn't have it before.
David Formby
CEO/CTO, Fortiphyd Logic
David Formby is CEO/CTO and co-founder of Fortiphyd Logic. He received his Ph.D. from the Georgia Institute of Technology where he focused on developing novel attacks and defenses for industrial control system networks and PLCs. Formby now leads Fortiphyd Logic in developing innovative solutions for industrial cybersecurity training and PLC endpoint detection. He is a member of the ISA and the Top 20 Secure PLC Coding Practices community.
Industrial control systems face persistent threats due to plaintext protocols and improper authentication mechanisms, leading to an over-reliance on network segmentation and the Purdue Model. In this presentation, we delve into the fundamentals of cryptography and explore best practices for implementing robust cryptographic controls. We'll talk about what infosec researchers look for, and provide valuable insights for asset owners seeking more secure ICS solutions. We'll wrap up with a few case studies and examples seen in real products.
Nicholas Miles
Staff Research Engineer, Tenable, Inc.
Nick has worked for Tenable Research since 2011. He has written hundreds of Nessus plugins, and has published research on multiple vulnerabilities, with a focus on IoT / OT devices. He now works on Tenable's Zero day research team researching industrial control systems. Nick has a Master's Degree in Computer Engineering, and is an inventor on 3+ patents.
The US Energy sector is a complex ecosystem with a vast multitude of components to analyze, enumerate, and test for vulnerabilities. But where would you begin? What systems would you choose? And how would you make that decision? This question drives the Department of Energy's Cyber Testing for Resilient Industrial Control Systems (CyTRICS) Prioritization research. This talk will cover years of National Laboratory research to determine how to prioritize critical energy systems in an ongoing attempt to buy down risk and strengthen the security and resilience of the U.S. energy sector. CyTRICS researchers have developed a unique, ICS-focused approach to prioritizing systems based on quantitative factors like impact, prevalence, and technical characteristics. Additionally, we've explored how to accommodate shifting stakeholder priorities through qualitative factors like balancing existing versus emerging technologies. We'll discuss the herculean task of developing assumed operational context, comparing wholly unlike systems, and making all this data actionable. The audience will leave inspired to take a new approach on how to measure risk in their environments, and will see the energy sector through a new lens.
Anna Skelton
Control Systems Cybersecurity Analyst
Anna Skelton is a Control Systems Cybersecurity Analyst at Idaho National Laboratory (INL), where she leads the CyTRICS Prioritization and Initial Engagement workstream. Prior to INL, she was a Senior Intelligence Analyst at Dragos, and even before that, she worked as a Cyber Threat Intelligence Analyst at Bank of America. She is passionate about securing critical infrastructure, spending as much time outside as possible, and creative problem solving.
Bowtie Analysis is a graphical risk management methodology to evaluate and document information about risks in situations where an event has a range of possible causes and consequences. Originally developed in the 1970s to study chemical process safety risks, bowtie analysis has expanded into a wide variety of applications including health & safety, aviation safety, financial, and cyber security. Because of its intuitive approach, visual presentation, and roots in process safety, the methodology has proven especially beneficial in studying the cyber-physical risks associated with ICS cybersecurity events. A significant benefit of applying the methodology in OT cybersecurity is the ability to visualize, on one diagram, the cause-and-effect relationship between a cyber incident and operational impacts for a particular event. This is because the methodology graphically depicts the entire pathway from the initiating events, to the prevention barriers (typically referred to as cybersecurity controls), to the mitigation barriers (typically referred to as safeguards), and finally to the operational consequences and their impact. Furthermore, the methodology aligns well with OT cybersecurity industry standards, such as ISA/IEC 62443-3-2 - Security Risk Assessment for System Design, NIST 800-82 - Guide to Operational Technology (OT) Security, and API 1164 - Pipeline Control Systems Cybersecurity. This presentation will discuss and demonstrate, through oil and gas industry examples, how Bowtie Analysis has been applied to study OT cybersecurity risk and how the output of such a study can serve as the basis for the development of a site-specific cyber risk model that can be integrated with real-time data to provide a dynamic cyber risk dashboard for an industrial facility.
John Cusimano
CFSE, CISSP, GICSP, Armexa VP of OT Cybersecurity, Experienced ICS / OT Cybersecurity Leader w/ Strong Process Control and Safety Background
John Cusimano is an ICS/OT cybersecurity expert with a background in process control and functional safety engineering. Since 2009, John has started up and successfully led 2 ICS/OT cybersecurity consulting practices at boutique consulting/engineering firms (exida and aeSolutions). John has personally performed countless ICS cybersecurity vulnerability and risk assessments in a wide range of industries per NIST, ISA/IEC 62443 and NERC CIP standards. He developed the CyberPHA methodology through a combination of his work on standards committees and by working with key clients who shared his interest in applying process safety engineering discipline to ICS cybersecurity. The CyberPHA methodology has become a globally recognized method of performing risk assessments of ICS and safety systems.
This session is for OT companies with deep complexity in their software supply chains: lots of assets, countless 3rd-party suppliers, multiple eras of technology, and frequent M&As. With new supply chain legislation arising in both North America and Europe, OT vendors are now required to disclose the contents of their products: their inherited DNA. To illustrate the value of this push for transparency, we scraped the Download/Support portals of multiple critical infrastructure industry OEMs and analyzed over 2TB of raw data (and over 10+ TB when unpacked). Much like the genetic testing analysis of 23andMe, we discovered a complex portrait of their suppliers, ownership, and end-of-life products. Our research revealed multiple risks that companies need to consider when choosing products and working with their vendors:
* Products full of inherited subcomponents and added suppliers
* Historically dead or acquired companies that bear inherited risks
* Incomplete knowledge of the subcomponents in products or deployed assets
* Product assessments with gaps between assumption and reality
* Illicit sharing of OT software as a distribution system for malware
This talk will describe the scraping research project, share the trends and symptoms to watch out for when tracking suppliers and subcomponents, and provide a vendor-agnostic approach to integrating the supply chain into existing programs and risk management capabilities. It is suitable for all audiences and provides attendees with key takeaways on how to reduce risk in your software supply chain DNA.
Ron Brash
VP Technical Research & Integrations, Exiger
Ron is an ICS/OT cybersecurity and embedded vulnerability research expert. He was instrumental in creating datasets for the S4 ICS Detection Challenges, received the 2020 Top 40 under 40 award for Engineering Leaders from Plant Engineering, was an embedded developer at Tofino Security, advised large OT asset owners in multiple industries, and brought several products to market, including consumer neuroscience devices and industrial networking appliances. Ron obtained a Bachelor of Technology from BCIT and a Master of Computer Science from Concordia University. He was a contributing committee member for the CSA T-200 IoT/OT Secure Software Development Lifecycle initiative, was VP of the ISA Montreal chapter, is a certified ISA 62443 "expert," and has over a decade of industry experience.
Whether a simple manufacturer or critical infrastructure, OT based organizations have been targeted. In fact, the severity and frequency are only increasing. In this session, we'll unwrap several recent attacks to understand the TTPs hackers are using, who they are and the motivation for their attack. We'll look at the attack path progression and the behaviors of the attacker. We'll then discuss how AI is increasingly being used to stop attacks while still in the formulation stage by leveraging four crucial telemetry inputs. Finally, we'll outline best practices and discuss what attendees can do next (whether operating in a converged environment, airgapped or possibly accidentally converged) to best secure their environment for both today's and future threats.
Michael Rothschild
Senior Director of Product, Armis
Michael Rothschild is a prominent figure in the cybersecurity industry, serving as the Senior Director of Product at Armis, a leading company specializing in asset visibility and security for enterprise environments. Michael held various significant roles in several renowned technology companies over the last 25 years, where he developed a deep understanding of the cybersecurity landscape. Michael has been recognized for his thought leadership in cybersecurity, often contributing to industry discussions through speaking engagements, webinars, and published articles. A past professor of marketing, Michael holds advisory board positions at Ithaca College and Rutgers University.