As industries become increasingly reliant on interconnected systems, securing operational technology (OT) and industrial internet of things (IoT) environments is paramount. This presentation explores the unique challenges of OT/IoT security, highlighting critical pain points such as a lack of visibility, limited resources, and evolving attack surfaces. We will dive into a proactive approach to cyber resilience by outlining key components such as deep visibility, threat and risk management, vulnerability management, and lifecycle management. Followed by practical steps to enhance OT/IoT security with a focus on best practices for proactive and reactive approaches. Join us to learn how to navigate these complexities and build a robust cyber resilience strategy for your critical infrastructure.

As AI emerges as both a powerful tool for asset owners and a formidable weapon for attackers, the convergence of IT and OT is blurring the lines between people, processes, and technology, creating new vulnerabilities. In this rapidly shifting landscape, attackers stand to gain the upper hand if organizations fail to adapt their security strategies. This presentation draws on insights from a global "State of OT Security" survey, revealing how industry leaders are leveraging AI, Zero Trust Architecture, and converged IT-OT security platforms to stay ahead of the evolving threat landscape. Join us to explore how these strategies are essential for navigating the new nexus of OT security.

Experience a dynamic simulation of an OT cyberattack that illustrates how SigaGuardX detects and responds to evolving threats across multiple levels of the Purdue model. Watch as the attack begins unnoticed, then rapidly escalates, threatening critical assets. This demonstration highlights how SIGAs advanced tools detect suspicious asset behavior, construct real-time event narratives, and empower Incident Response teams to make critical decisions. Discover how SIGA technology protects critical infrastructure by uncovering and responding to hidden cyber threats that evade traditional detection methods.

In the rapidly evolving landscape of Operational Technology (OT), passive monitoring projects are essential for ensuring security and operational efficiency. However, many of these initiatives encounter significant challenges that lead to their failure. This presentation delves into the common pitfalls and obstacles faced by organizations implementing OT passive monitoring systems. Drawing on real-world case studies and experiences from the field having performed numerous deployments, we will explore critical factors such as inadequate planning and design resulting in limited asset visibility and fidelity of results, lack of stakeholder engagement (e.g., who owns the solution, what the value is beyond a cyber-solution), integration issues, and insufficient response strategies (e.g., proper playbooks on how and who will deal with alerts). Attendees will gain valuable insights into the root causes of these failures and practical recommendations for overcoming them, ultimately paving the way for more successful and resilient OT passive monitoring projects.

Are you struggling with fragmented security tools, reactive processes, and a lack of visibility into your risk landscape? This session offers a solution. Discover how integrating risk management with a lifecycle-aware approach to asset management can transform your OT security posture, ensuring compliance while proactively mitigating risks and enhancing operational resilience. Key Takeaways: Overcome Fragmentation: Bridge the gap between security and operations, creating a unified and cohesive approach to OT security. Proactive Risk Mitigation: Identify, assess, and prioritize risks throughout the entire asset lifecycle, enabling proactive measures that prevent incidents and minimize downtime. Data-Driven Decisions: Leverage real-time asset data and lifecycle information to make informed security decisions and optimize resource allocation. Operational Resilience: Achieve a resilient OT environment that can withstand evolving threats and ensure the continuity of critical operations.

Owl is thrilled to introduce our latest Data Diode software, Owl Talon, along with it newest developments that are revolutionizing how data diode solutions are deployed. Join our session for an in-depth look at the product, experience a live demo, and engage with our product manager to answer any questions you may have.

In 2023 Elanco Animal Health, a pharmaceutical company which produces medicines and vaccinations for pets and livestock, began the investment in a inventory and vulnerability management application for some of our manufacturing locations. This session shares some of the lessons we learned: the good and the hard. Pulling together the requirements. Vendor selection hits and misses. Working with the IT team - right-sizing expectations. Working with the OT team - early and clear detailed directions. A great window into OT spaces. Document lessons learned and plan for the next phase.

In this presentation we will explore the evolving industrial remote operations landscape and how Secure Access Service Edge (SASE) technology has emerged to provide a more flexible and scalable approach to securing OT remote access, asset-to-asset and asset-to-cloud security, and even SD-WAN based OT infrastructures. Well dive into how SASE enables Zero Trust in OT settings and examine use cases that highlight the tangible benefits of SASE for OT remote access and securing site-to-site and site-to-cloud communications.

Segmenting industrial networks in small zones of trust is an efficient way to protect operations and avoid attacks to spread. But in many cases, it can be too complex to modify the network, deploy zone-based firewalls, and ensure assets are placed in the proper segment without disrupting production. This session will look at the roadblocks asset owners are facing and discuss ways to make segmentation projects finally move forward: Why is network segmentation so hard to do in OT? What are the software-based segmentation options? Why are these solutions not widely adopted? What is virtual segmentation and how can it help deploy software-based segmentation? How can AI help automate asset grouping to inform segmentation policies?

OT Security tools are evolving rapidly - from network monitoring, intrusion detection to endpoint sensors and wireless detection. The use cases besides asset visibility and vulnerability & risk management, threat detection etc., are also evolving as business demand that any investment in security also leads to operational efficiency and greater ROI. How can ICS personnel and OT Security practitioners build a technical and business case to get executive buy-in?

The separation between IT and OT environments is increasingly analogous to the traditional separation between U.S. Government networks of differing security levels. Both require strictly defined data flows and rigorous control over information exchanges to prevent unauthorized access and breaches. OT environments face many of the same threats as national security networks, and the evolving complexity and sophistication of threat actors and incidents like Ripple20 have highlighted the need for security measures that evolve to meet them. As such, U.S. Government network security technology is increasingly shaping the future of Operational Technology (OT) security by informing new practices and influencing next-generation solutions. ?In this session, well discuss the application of robust OT security principles and technologies derived from experience defending the most sensitive U.S. Government networks. Well delve into the application of security principles such as Defense In Depth and Zero Trust, the current state of hardware- and software-based security technologies, and how we can take lessons learned from government network defense and apply them to the mitigation of future OT threats. By implementing the latest security principles and best practices, and leveraging government-driven innovations, OT systems can be fortified against evolving threats, ensuring the safety and reliability of critical infrastructure.

An OT cyber breach is underway. Is there an Incident Response plan in place? This session will provide a deep dive into the role of process-oriented OT cybersecurity during the expression phase of an OT cyber breach. Attendees will learn about a multi-level IR approach that includes unfiltered visibility from Level 0 to Level 4 of Purdue model. This approach provides early detection of OT cyber-attacks like False Data Injection (Stuxnet like), Aurora and others as well as crucial decision-making support to the attack containment stage. Helping to determine whether to shut down operations or continue with caution. Join us to explore advanced and effective incident response and operational resilience in the face of OT cyber threats.

Awareness of existing vulnerabilities is crucial in the industrial control systems (ICS) landscape. Memory safety vulnerabilities are recognized as pervasive threats that demand immediate action. CISA highlighted them as a top-risk class, and they pose significant threats to ICS environments. Its imperative we address memory safety issues head-on, focusing on strategies to mitigate these vulnerabilities and secure ICS infrastructure. Traditional patching approaches often lag or remain incomplete, and current best practices are clearly not working given the increase in memory safety vulnerabilities year over year. This presentation confronts the reality of memory safety risks in ICS environments, focusing on current strategies and actionable steps to fortify defenses. Acknowledging the omnipresence of memory safety vulnerabilities, we explore proactive measures available today to mitigate these risks proactively. Central to this discussion is the role of Runtime Application Self-Protection (RASP) technology in ensuring robust memory safety without compromising operational performancea critical consideration in ICS's precision-driven operations. Real-world examples underscore how RASP can mitigate memory safety threats, urging OEMs and asset owners to prioritize proactive security measures. Attendees will leave with actionable insights into immediate actions to strengthen device security today and lay the groundwork for protecting ICS devices against evolving memory safety vulnerabilities in the future.

Cybersecurity incidents in manufacturing facilities present unique problems that are not typically found in IT environments. This session will explore these specific issues and differences by describing a project that was developed and executed at National Cybersecurity Center of Excellence (NCCoE) Manufacturing Lab to test Response and Recovery capabilities in an Operational Technology (OT ) environment. Speakers will incorporate a unique video demonstration of a specialized Manufacturing Lab at NIST, which includes typical OT components such as: programmable logic controllers (PLCs), human machine interfaces, a conveyor system, a robotic system, a supervisory system, and various networking components. The presenters will also discuss various types of cybersecurity incidents tested in the lab, which map to: MITRE ATT&CK for ICS; the CSF categories and subcategories associated with Response and Recovery; the risk-based decisions made during an incident response for an operational facility; some critical technologies implemented in an OT environment; and the dependence on planning and communication for incident response. This presentation is intended to encourage attendees to discuss and plan for a response to and recovery from cyberaattacks against OTand highlights NCCoE manufacturing guidance relative to this topic. The expertise gained from working alongside other NIST experts in a technical manufacturing lab brings unique perspectives that the speakers can share as lessons learned and ideas to consider. Speakers will share tips, ideas, and information that will serve as helpful starting points for cybersecurity professionals throughout their presentation.

New technology implementations in ICS/OT environments pose unique risks for critical infrastructure. Todays risks include lack of support for modern authentication or connectivity methods in traditional environments, connecting existing infrastructure with highly vulnerable end-of-life operating systems, or risk of breaches from third-party remote access. This interoperability is designed to provide OT customers visibility and management of their asset inventory and enhance asset vulnerability detection and remediation capabilities through a seamless secure controlled access platform. As outlined in the CISA Five Pillars of the Zero Trust Model, these tools, combined with AI, machine learning (ML), and User and Entity Behavior Analysis (UEBA), enable Security Operations Centers (SOC) to respond quickly and effectively to advanced and emerging threats. By providing continuous monitoring, real-time reactions to intrusions, and a baseline of expected behavior, these technologies form a robust security layer against cybersecurity threats. Automation and orchestration, including Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR), play a vital role in this process. As outlined in the CISA Five Pillars of the Zero Trust Model, these tools, combined with AI, machine learning (ML), and User and Entity Behavior Analysis (UEBA), enable Security Operations Centers (SOC) to respond quickly and effectively to advanced and emerging threats. By providing continuous monitoring, real-time reactions to intrusions, and a baseline of expected behavior, these technologies form a robust security layer against cybersecurity threats. Overview with Live Demo showcasing key elements of the ICS/OT security framework, the five critical controls that fortify your infrastructure against emerging threats. -ICS incident responsewhich integrates operational insights into incident handling, enhancing system integrity and recovery -Defensible architectureensuring robust visibility, segmentation, and enforcement mechanisms to bridge technological and human aspects of security -ICS network visibility monitoringemploying continuous monitoring and protocol-aware tools to detect and address potential vulnerabilities. -Remote Access Securityensuring safe and secure stringent access control in the face of evolving hybrid work environments -Risk-based vulnerability management prioritizing and addressing vulnerabilities based on their potential to pose significant operational risks, thereby ensuring proactive prevention, response, and recovery actions.

As somebody who began their career working in air traffic control for fighter jet operations in the Royal Air Force, I know a thing or two about risk! Understanding and mitigating OT risk is akin to navigating the fast-paced, high-risk environment of fast jet operations in air traffic control. Drawing from my extensive experience in my years since those miliotary days, my presentation will delve into the intricacies of measuring OT cybersecurity risk using scenario analysis, a methodology that mirrors the precision and strategic foresight required in aviation. Presentation Agenda 1. Introduction to OT Cybersecurity Risk: Overview of OT environments and the unique challenges they pose. Importance of accurate risk assessment to ensure safety, reliability, and operational continuity. 2. Lessons from the tower: Insights from air traffic control and fast jet operations. How managing risks in high-speed aviation parallels OT cybersecurity challenges. Real-life anecdotes and experiences from my tenure in the air force. 3. Scenario Analysis: A Strategic Tool: Explanation of scenario analysis and its application in risk assessment. Step-by-step guide to developing effective scenarios. Techniques to identify, analyze, and prioritize risks based on potential impact and likelihood. 4. Case Studies: Fast Jet Operations vs. OT Cybersecurity: Comparative analysis of real-world scenarios in fast jet operations and OT cybersecurity. How scenario planning in aviation can inform and enhance cybersecurity strategies. Examples of successful risk mitigation tactics from both domains. Developing Your Scenario Playbook: 5. Practical exercises to create your own scenario analysis framework. Tools and methodologies to tailor scenarios specific to your OT environment. Strategies to engage stakeholders and build a robust risk management culture. Audience Takeaways: Attendees will leave with a deeper understanding of how to leverage scenario analysis for comprehensive OT cybersecurity risk assessment. They will gain actionable insights from the world of fast jet operations, enabling them to anticipate and mitigate potential threats with the precision and foresight of a seasoned air traffic controller. This presentation will empower cybersecurity professionals to develop more resilient and proactive defense strategies, ensuring the safety and security of critical OT environments.

This session will present a simplified approach to taking what you already know about the Purdue model and applying it to your OT cloud applications. It will provide a brief history of connecting networks from Multiprotocol Label Switching (MPLS) to wide area networks (WAN) and a summary of the most relevant aspects of the Purdue model to consider for OT cloud integrations. We will explore common cloud architectures with Google Cloud, Microsoft Azure, and AWS OT, and outline effective strategies for leveraging the Purdue model principles within a modern, cloud-based OT architecture.

In the IT world, syslog is the universal protocol for logging. With syslog, endpoint events and information that would be impossible to see from network monitoring alone are streamed to a central location for correlation and analysis of the bigger picture. However, syslog is only available on some of the most modern PLCs, leaving a huge gap in visibility for legacy PLCs. Then where syslog is available, it typically isnt flexible enough to let users log sensitive process events that could provide important context. In this talk we will first demonstrate the security events that can be logged with existing syslog libraries from top PLC vendors, and then show how a new open source library can bring deep syslog visibility to PLCs that didn't have it before.

Industrial control systems face persistent threats due to plaintext protocols and improper authentication mechanisms, leading to an over-reliance on network segmentation and the Purdue Model. In this presentation, we delve into the fundamentals of cryptography and explore best practices for implementing robust cryptographic controls. Well talk about what infosec researchers look for, and provide valuable insights for asset owners seeking more secure ICS solutions. Well wrap up with a few case studies and examples seen in real products.

The US Energy sector is a complex ecosystem with a vast multitude of components to analyze, enumerate, and test for vulnerabilities. But where would you begin? What systems would you choose? And how would you make that decision? This question drives the Department of Energy's Cyber Testing for Resilient Industrial Control Systems (CyTRICS) Prioritization research. This talk will cover years of National Laboratory research to determine how to prioritize critical energy systems in an ongoing attempt to buy down risk and strengthen the security and resilience of the U.S. energy sector. CyTRICS researchers have developed a unique, ICS focused approach to prioritizing systems based on quantitative factors like impact, prevalence, and technical characteristics. Additionally, we've explored how to accommodate shifting stakeholder priorities though qualitative factors like balancing existing versus emerging technologies. We'll discuss the herculean task of developing assumed operational context, comparing wholly unlike systems, and making all this data actionable. The audience will leave inspired to take a new approach on how to measure risk in their environments, and will see the energy sector through a new lens.

Bowtie Analysis is graphical risk management methodology to evaluate and document information about risks in situations where an event has a range of possible causes and consequences. Originally developed in the 1970s to study chemical process safety risks, bowtie analysis has expanded into a wide variety of applications including health & safety, aviation safety, financial, and cyber security. Because of its intuitive approach, visual presentation, and roots in process safety, the methodology has proven especially beneficial in studying the cyber-physical risks associated with ICS cybersecurity events. A significant benefit of applying the methodology in OT cybersecurity is the ability to visualize, on one diagram, the cause-and-effect relationship between a cyber incident and operational impacts for a particular event. This is because the methodology graphically depicts the entire pathway from the initiating events, to the prevention barriers (typically referred to as cybersecurity controls), to the mitigation barriers (typically referred to as safeguards), and finally to the operational consequences and their impact. Furthermore, the methodology aligns well with OT cybersecurity industry standards, such as ISA/IEC 62443-3-2 - Security Risk Assessment for System Design, NIST 800-82 - Guide to Operational Technology (OT) Security, and API 1164 - Pipeline Control Systems Cybersecurity. This presentation will discuss and demonstrate, through oil and gas industry examples, how Bowtie Analysis has been applied to study OT cybersecurity risk and how the output of such as study can serve as the basis for the development of a site-specific cyber risk model that can be integrated with real-time data to provide a dynamic cyber risk dashboard for an industrial facility.

This session is for OT companies with deep complexity in their software supply chains: lots of assets, countless 3rd-party suppliers, multiple eras of technology, and frequent M&As. With new supply chain legislation arising in both North America and Europe, OT vendors are now required to disclose the contents of their products their inherited DNA. To illustrate the value of this push for transparency, we scraped the Download/Support portals of multiple critical infrastructure industry OEMS and analyzed over 2TB of raw data (and over 10+ TB when unpacked). Much like the genetic testing analysis of 23andMe, we discovered a complex portrait of their suppliers, ownership, and end-of-life products. Our research revealed multiple risks that companies need to consider when choosing products and working with their vendors: * Products full of inherited subcomponents and added suppliers * Historically dead or acquired companies that bear inherited risks * Incomplete knowledge of the subcomponents in products or deployed assets * Product assessments with gaps between assumption and reality * Illicit sharing of OT software as a distribution system for malware This talk will describe the scraping research project, share the trends and symptoms to watch out for when tracking suppliers and subcomponents, and provide a vendor-agnostic approach to integrating the supply chain into existing programs and risk management capabilities. It is suitable for all audiences and provides attendees with key takeaways on how to reduce risk in your software supply chain DNA.

Whether a simple manufacturer or critical infrastructure, OT based organizations have been targeted. In fact, the severity and frequency is only increasing. In this session, we'll unwrap several recent attacks to understand the TTPs hackers are using, who they are and the motivation for their attack. We'll look at the attack path progression and the behaviors of the attacker. We'll then discuss how AI is increasingly being used to stop attacks while still in the formulation stage by leveraging four crucial telemetry inputs. Finally, we'll outline best practices and discuss what attendees can so next (whether operating in a converged environment, airgapped or possibly accidentally converged) to best secure their environment for both today's and future threats.