PROGRAM WWW.ISC-CPH.COM
INDUSTRIAL SECURITY CONFERENCE COPENHAGEN 13-14-15 NOV 2023
InsightIT
INDUSTRIAL SECURITY CONFERENCE COPENHAGEN 13-14-15 NOV 2023
SPEAKERS
Carlo Meijer, Co-founding Partner and Security Researcher, Midnight Blue (NL) Dan Ricci, Founder, ICS Advisory Project (US) Danielle Jablanski, OT Cybersecurity Strategist, Nozomi (US) Dieter Sarrazyn, Freelance OT Security Expert, Secudea (BE) Emma Stewart, Dr. Chief Power Grid Scientist and Research Strategist, Idaho National Laboratory (US) Emma Rubira, industrial cybersecurity consultant, Innotec Estefania Rojas, leader of the Industrial Cybersecurity team, Innotec James McQuiggan, Security Awareness Advocate, KnowBe4 (US) Javier Dieguez, General Manager, Basque CyberSecurity Centre (ES) John Cheng, Senior OT Cybersecurity Advisor, Siemens Gamesa (DK) Jos Wetzels, Co-founding Partner and Security Researcher, Midnight Blue (NL) Krystian Rykaczewski, Senior Project Engineer, Ethical Hacker, Rockwell Automation (PL) Lars Erik Smevold, Security & Process Control Architect, Statkraft & KraftCERT (NO) Maite Carli García, Communication Manager & European CCI Coordinator, Industrial Cybersecurity Center Maja Horvat, Project Manager, national SI-CERT (SI) Michael Weng, Senior OT Security Specialist, SektorCERT (DK) Patrick Miller, CEO, Ampere Industrial Security (US) Peter Frøkjær, Senior Security Architect, Vestas & President, Isaca Denmark (DK) Peter Panholzer, Founder, General Manager and Principal OT Security Consultant, Limes Security (AT) Roni Gavrilov, Security Researcher, OTORIO (IL) Sean R. Bouchard, Principal & CEO, XenonCyber Dynamics Inc. (CA) Søren Egede Knudsen, CEO & IT/OT Security Expert, Egede (DK) Tobias Halmans, Automation-Security Consultant, admeritia GmbH (DE) Wouter Bokslag, Co-founding Partner and Security Researcher, Midnight Blue (NL)
2
IN PARTNERSHIP WITH
CONFIRMED PARTNERS
PROGRAM TUESDAY 14 NOV 2023 08.00
Registration and breakfast Register at the conference reception, receive your nametag and conference material
09.00
Opening of the conference by Nina Meyer, Senior Project Manager, Insight Events
09.05
Chairman Peter Frøkjær, Senior Security Architect, Vestas & President, Isaca Denmark introduces today’s program
09.10
Development of a leading industrial cybersecurity ecosystem in Southern Europe
The Basque Government created the Basque CyberSecurity Centre (BCSC) in September 2017. Unlike other regional initiatives in the public sector related to cybersecurity within Spain, the BCSC was oriented to economic development while the approach of all other initiatives had been to serve as internal instruments for regional governments and they had public governance as their purpose. The evolution of the BCSC has achieved remarkable success and is currently a reference model that tries to be replicated by other European regions. In September 2023, the Centre has evolved to a new Agency called Cyberzaintza expanding its activities beyond economic development and reaching also the protection of the regional publica administration as well as impulse the citizenship awareness The presentation will explore the origins of the cyber business fabric in the Basque Country, the role of Cyberzaintza as a key element to shape, unite and improve the ecosystem, why it is important to be connected with the international community and which is our vision to create a promising future for the sector in our region. Javier Dieguez, General Manager, Basque CyberSecurity Centre
09.50
Short break with Refreshments
10.05
The ICS Advisory Project: Open-source data and interactive dashboards for small and medium-sized ICS asset owners In this presentation, we will discuss the design and development of the ICS Advisory Project, including the technology stack used to build the database and dashboards. We will also provide a brief overview of the features and functionality of the project, including the data sources used to populate the database, the methods used to ensure the accuracy and completeness of the data, and the tools available to users for filtering and visualizing the data. Additionally, Dan will present case studies of ICS asset owners who have used the ICS Advisory Project to identify and mitigate vulnerabilities in their environments. The presentation also discusses the project’s impact on the ICS security community, including how it is filling a critical gap by providing a free resource for asset owners with little or no security budget. Finally, Dan will explore the broader implications of open-source data and interactive tools for improving ICS security, including how this approach can be applied to other areas of cybersecurity. Finally, Dan discusses the future of the ICS Advisory Project and potential directions for future research and development. Dan Ricci, Founder, ICS Advisory Project
10.45
Networking break
4
PROGRAM TUESDAY 14 NOV 2023 11.15
A case study on developing a unique OT Disaster Recovery plan for industrial operations This case study delves into the complexities and challenges of developing a Disaster Recovery Plan specific to operational technology, remotely, for a large industrial client with existing operations. Creating a plan that was aligned with existing business continuity strategies, departmental priorities, varying terminology, and documentation silos was critical to ensuring adoption by Operations. A typical Disaster Recovery Plan starts by identifying critical processes and infrastructure and prioritizing them based on their importance to business operations. However, a successful operational technology disaster recovery plan must be adapted to start with the availability centric nature of operations. The development of the plan under study started by analysis of the operational processes, procedures, and engineering drawings to build a basis for asset criticality. This filtered result reduced the asset list considerably and provided guidance through an iterative process for filtering and prioritization of operational assets with minimal involvement from the client’s team. Once the critical assets were identified, the next challenge was to assess the risks and vulnerabilities to these systems through risk scenarios and (remote) tabletop sessions. This involved establishing a cross-functional team to work on the project and ensure all relevant stakeholders was involved in the process. Challenges in this phase included time management across departments and varying definitions of critical terms. Sean R. Bouchard, Principal & CEO, XenonCyber Dynamics Inc.
12.00
Lunch and networking
13.00
NIS2 discussion The Network and Information Security 2 (NIS2) Directive builds on the first NIS Directive which sought to establish a common level of cyber security standards across the EU. The directive had limited success and in the face of a surge in cyberattacks on Member State infrastructure in recent years. The new NIS2 Directive aims to address emerging technologies, the modern threat landscape and fragmentation across Member States and to significantly increase cybersecurity capabilities throughout the EU. Patrick Miller, CEO, Ampere Industrial Security Søren Egede Knudsen, CEO & IT/OT Security Expert, Egede Peter Frøkjær, Senior Security Architect, Vestas & President, Isaca Denmark Maite Carli García, Communication Manager & European CCI Coordinator, Industrial Cybersecurity Center Moderator: James McQuiggan, Security Awareness Advocate, KnowBe4
13.50
Short break
14.00
Practical security FAT/SAT Performing security testing during Factory Acceptance Testing and Site Acceptance testing is a way of knowing the security weaknesses and issues with new equipment or new solutions being introduced into your industrial network environment. However, one must be sure to tackle every aspect of said security testing to really know all potential issues so these can be dealt with in an appropriate way. Afterall security Fat/Sat testing is part of a risk management approach. This talk will show the different test components that should be part of a security Fat/SAT testing program and what pitfalls there might be when dealing with program managers that don’t see the benefit of this. Tools/equipment needed to perform such testing is mentioned during the talk. Dieter Sarrazyn, Freelance OT Security Expert, Secudea
14.35
Refreshments and networking 5
PROGRAM TUESDAY 14 NOV 2023 15.00
Fences don’t stop radio waves: analyzing & breaking TETRA for OT This talk will present the first public disclosure and security analysis of TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, prisons, emergency services and military operators. Additionally, TETRA is widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation, and electric and water utilities. Authentication and encryption within TETRA are handled by proprietary cryptographic cipher-suites, which by now have remained secret for over two decades through restrictive NDAs. This secrecy thwarts public security assessments and independent academic scrutiny of the protection that TETRA claims to provide. In this talk, we will make public these cipher suites (TEA and TAA1 to be precise), and finally enable public review of one of the last bastions of widely deployed secret proprietary cryptography. As we will show, this security-through-obscurity has led to previously undisclosed flaws in Air Interface Encryption (AIE), authentication, and identity protection schemes going unnoticed and unaddressed, enabling both passive and active adversaries to intercept, manipulate, and inject TETRA network traffic. This is particularly worrying for TETRA users in critical infrastructure. Here, the radiobased SCADA WAN networks (carrying protocols such as IEC-101/104, DNP3, or Modbus) typically cover large geographic areas and as such an SDR-equipped attacker residing outside the physical perimeter of a substation or plant could break into the TETRA network to drop themselves directly into the OT network. We will discuss several relevant attack scenarios on such TETRA SCADA networks as well as corresponding hardening and mitigation advice. Carlo Meijer, Co-founding Partner and Security Researcher, Midnight Blue Wouter Bokslag, Co-founding Partner and Security Researcher, Midnight Blue Jos Wetzels, Co-founding Partner and Security Researcher, Midnight Blue
15.35
6
Short break
PROGRAM TUESDAY 14 NOV 2023 15.40
Security Parameters for library-based Security-by-Design During the design of an automation system, many design decisions are made that are also relevant for security. In most cases, system engineers do not know that they are making a security-relevant decision, because they may not have sufficient security experience. In other cases, the security-relevant decisions are simply not made because the engineers are not aware of the presence of the decision (the failure to decide is a decision). Tobias Halmans will deliver a simple approach to increase the visibility of security decisions within the engineering process by using Security Parameters. Security Parameters are defined as security relevant properties of a system. They should enable system engineers to make conscious security decisions by pointing at the security-relevance of a certain system property. For easy integration into engineering workflows, security parameters are compiled in a library and attached to commonly used system types. Each parameter can be set to a certain value and the library highlights parameter values that may be undesirable from a security perspective. For example, when it comes to integrating a PLC into an automation system, the mechanism used to switch between Operating and Maintenance mode is such a security parameter. The potential values for this parameter may include: a password, physical token (e.g., a key), or nothing (where nothing would be an undesirable value). This is one example of a security-relevant design decision that is made visible through a security parameter. The presented approach will deliver further examples of security parameters and how they have been used in real-world engineering projects. Furthermore, it will highlight further requirements to be fulfilled by the library so that it can be applied in engineering projects. Tobias Halmans, Automation - Security Consultant, admeritia
16.15
Refreshments and networking
16.30
Cybersecurity in the electrical power and energy system The CyberSEAS project is a collaborative project improving the cyber security of the European electrical power energy systems (EPES) and the overall resilience of energy supply chains, protecting them from disruptions that exploit the enhanced interactions. CyberSEAS (Cyber Securing Energy dAta Services) aims to improve the overall resilience of energy supply chains, protecting them from disruptions that exploit the enhanced interactions, the extended involvement models of stakeholders and consumers as channels for complex cyber-attacks, the presence of legacy systems and the increasing connectivity of energy infrastructures, data stores and services retailers. CyberSEAS has 3 strategic objectives: 1. Countering the cyber risks related to highest impact attacks against EPES. 2. Protecting consumers against personal data breaches and attacks. 3. Increasing the security of the Energy Common Data Space. Maja Horvat, Project Manager, national SI-CERT
7
17.10
Dominos – An offensive approach to understand your system of systems and their dependencies The transformation in the electricity grid that we are experiencing now has not been more extensive since the late 80´s. The critical infrastructure the society are dependent on, are moving to a more complex infrastructure. Utility companies, transmission System Operators, generation companies, energy market, third party vendors and more are all involved to build a secure, safe, and functional critical infrastructure. This is a value chain to make all of us able to do our financials, connect with family and friends, to keep us warm, cooking food, and make us safe. To understand what kind of smarter grid we are building, why we are building it and the dependencies it relates on are of outmost importance. This talk will use an offensive approach and give input to help your organization to understand what, why, when, where, who and how – this could affect the technical, operational, and strategic levels of your company. Examples: Approach people you need, walkthrough of technical drawings connected with attack diagram, see critical components in a system and dependencies in system of systems. Lars Erik Smevold, Security & Process Control Architect, Statkraft & KraftCERT
17.50
Chairman Peter Frøkjær, Senior Security Architect, Vestas & President, Isaca Denmark rounds up today’s learnings 18.00 Networking reception Enjoy refreshments and network with your security colleagues 18.40 – 20.30 Dinner & networking (requires separate signup) 3 course dinner in the restaurant including wine/beer/water ad libitum.
8
PROGRAM WEDNESDAY 15 NOV 2023 08.30
Refreshments & morning network
09.00
Chairman Peter Frøkjær, President, ISACA Denmark introduces today’s program
09.10
Think Sandworm, CaddyWipper, and new novel malware techniques… In a world of geopolitical conflicts, evolving requirements to cyber security, and ever-growing adversary strength, the Danish SektorCERT strive to protect and defend the Critical National Infrastructure of Denmark. As a CERT we deploy sensors to collect traffic information and send the data to a SIEM for monitoring and alerting purposes. This talk will demonstrate how we orchestrate the daily SOC work, but also how we try to advance our members compliance, by adding services to i.e., new NIS2 requirements. We’ll present a new initiative, that we believe will benefit our members considering the NIS2 requirements, especially within Incident Response. Finally, we’ll do a quick spin on the latest development within adversary TTPs, and their impact on the outlook for OT/ICS Cyber Security – Think Sandworm, CaddyWipper, and new novel malware techniques… Michael Weng, Senior OT Security Specialist, SektorCERT
09.45
Short break
10.00
Navigating the Complexities of Cybersecurity and Resilience in the Global Energy Transition: Pick Your Poison Energy delivery worldwide is undergoing disruptive change with unprecedented levels of funding, motivation, and international coordination aiming toward modernized, clean, secure supply and delivery. This transition depends upon a mix of distributed, decentralized, and centralized resources working in concert, meaning enhanced communications and control across the board. Cybersecurity and resource interdependency of this influx of distributed and connected systems is not a new concern. Geopolitical tensions along with significant criminal activities mean choices being made on energy delivery now, without equivalently strategic choices on security, could bring a catastrophic failure. Failure not just of the immediate energy delivery, but in the long-term transition to cleaner generation. Energy delivery has reached a breaking point in terms of resilience to increase large-scale weather events, an increase that is driven by close to irreversible climate damage. Equity is a vital component of the transition, providing energy security and improved environments to disadvantaged communities. Grid operators are in a reactive cycle of responding to events, and a dual crisis of affordability with consumers understanding and expectations of energy delivery increasing exponentially. No single choice solution can meet all these objectives at once, but to mitigate the potential for climate disaster, a wide range of these energy transition solutions must be rapidly and securely implemented. Energy poverty also leaves communities more vulnerable to multi-layered and longer grid events, cyber of their new resources being a new layer. Interconnection and bankability studies do not consider product security above least cost, and few tools exist which can evaluate security risk as a function of long-term finance for renewable interconnections. We could armor plate it, but no one could afford to turn on their heating. With energy bills escalating to unprecedented levels, spending must be commensurate with benefit, which in cybersecurity for distribution components has been close to impossible to calculate. This talk considers tools and solutions, with a discussion on how to evaluate distributed energy risk effectively and appropriately along with the challenges customers, energy providers and operators are facing in the new digitalized energy infrastructure era. Dr Emma Stewart, Chief Power Grid Scientist and Research Strategist, Idaho National Laboratory
9
PROGRAM WEDNESDAY 15 NOV 2023 10.35
Refreshments and networking
11.05
Pentesting IoT devices - Fuzzing network protocols In the world of IoT, where there is lack of dedicated tools for binaries protocols and not enough performance to handle encryption and use secure transport layer, very important is it to fuzz network protocols on each ISO OSI layer. Krystian Rykaczewski will share his knowledge and empierce and demonstrate how we can achieve it. • Fuzzing technique – introduction • Open-source tools • Dummy fuzzing • Reverse engineering of network protocols • Intelligent fuzzing with python TCP UDP stack libraries • Simple tool architecture by examples • Testing low level protocols with scapy (TCP layer as example) Krystian Rykaczewski, Senior Project Engineer, Ethical Hacker, Rockwell Automation
11.40
Lunch and networking
12.40
Unlocking Industrial Cybersecurity Monitoring: Key Insights Join us for an insightful conference where we delve into the essential elements of industrial cybersecurity monitoring. Discover the significance of effective communication with OT stakeholders, gain a deep understanding of the monitoring and incident response processes tailored to OT environments, and explore the crucial OT monitoring tools required to maintain real-time visibility. Equip yourself with the knowledge needed to safeguard your infrastructure and respond effectively to potential incidents. Emma Rubira, industrial cybersecurity consultant, Innotec Estefania Rojas, leader of the Industrial Cybersecurity team, Innotec
13.15
Refreshments and networking
13.45
Designing and Testing Security Capabilities according to IEC 62443-4-2 While a secure product development life cycle is a precondition for both a high level of security assurance and any kind of IEC 62443 product certification, we also phase the challenges of selecting, implementing and testing the right security capabilities for a secure product. This talk will discuss how this can be achieved with the help of IEC 62443-4-2 and several challenges development teams are facing in the standard application. We will draw up some solutions but also some fails in implementing security capabilities in products. As a bonus, we show an IEC 62443-42 testing guide. Peter Panholzer, Founder, General Manager and Principal OT Security Consultant, Limes Security
10
PROGRAM WEDNESDAY 15 NOV 2023 14.20
Short break
14.30
Defending from Wireless IIoT Attacks: Practical Recommendations for Enhancing Security The digital revolution in industrial environments has resulted in the widespread use of Wireless Industrial IoT (IIoT) solutions, such as industrial cellular gateways and Industrial Wi-Fi access points. However, with the increased use of these solutions, there is now a need to understand the wireless IIoT attack surface and the vectors that expose industrial environments to external attacks. Our research team conducted a comprehensive examination of the attack surface of wireless IIoT and discovered a new method for detecting exposed wireless IIoT in industrial networks by utilizing publicly available data sources. Additionally, we’ve revealed more than 38 zero-day vulnerabilities in wireless IIoT, including some found in out-of-band management platforms. These vulnerabilities enable external adversaries to perform ”supply chain” attacks, breaching into thousands of industrial networks simultaneously through the wireless IIoT managed under those platforms. To mitigate these risks and enhance the security posture of industrial networks, organizations must understand the attack surface of wireless IIoT and implement appropriate defensive measures. During the talk, we will provide practical recommendations for enhancing security and implementing a secure deployment architecture for wireless IIoT, which can help organizations better protect their industrial networks and ensure the safety, reliability, and continuity of their processes. Roni Gavrilov, Security Researcher, OTORIO
15.05
Short break
15.15
Critical Infrastructure Cybersecurity Prioritization: A Cross-Sector Methodology for Ranking OT Cyber Scenarios and Critical Entities
This presentation discusses the limitations in current standards for prioritization across critical infrastructure cybersecurity, focusing on operational technology (OT), and outlines a methodology for prioritizing scenarios and entities across sectors and local, state, and federal jurisdictions. The methodology can be incorporated into assessments, training, and tabletop exercises in the planning phase of cyber risk mitigation and incident response. It can also be used by leaders to prioritize multiple critical infrastructure sectors or locations in their jurisdiction from a cybersecurity perspective. Though it focuses somewhat on US legislation/regulation with mention of the NIS2 directive as well, the technical considerations, methodology, and case study surrounding a prison scenario are all global in nature and not specific to the US. Danielle Jablanski, OT Cybersecurity Strategist, Nozomi 15.50
Chairman Peter Frøkjær, Senior Security Architect, Vestas & President, Isaca Denmark talks about today’s learnings
16.10
The conference ends
11
VENUE & REGISTRATION DATES & CONFERENCE VENUE The conference will be held 13, 14 & 15 November 2023 at Crowne Plaza Copenhagen Towers Ørestads Blvd. 114 – 118 DK-2300 Copenhagen ACCOMMODATION Accommodation is not included in the registration fee. It is possible to book hotel room for a favorable price at the venue when registering to the conference. Number of days: Choose between 2 or 3 days Conference
EARLY BIRD Until 29 Sep 2023
SPECIAL OFFER Until 27 Oct 2023
NORMAL PRICE From 28 Oct 2023
International program: 14-15 Nov
DKK 9,495
DKK 10,495
DKK 11,995
Networking Dinner: 14 Nov
DKK 750
DKK 750
DKK 750
Prices are excluding VAT. GROUP DISCOUNT It is possible to register 3+ entries for the conference and get a discount. Contact us for more information. REGISTRATION To register for the conference the best and quickest way is to fill in the online registration form on www.isc-cph.com. We also accept bookings by post, Tel: (+45) 35 25 35 45 and e-mail: info@insightevents.dk. Once we have received your registration you will receive an invoice. Your registration is binding. CANCELLATION All cancellations must be submitted in writing. If cancelled up to 14 days before the event, a fee of 10% will be withheld. Should cancellation be made less than 14 days prior to the event, 50% will be withheld and, if cancelled later than 2 days before the date of the event, full price will be paid. If you are prevented from participating, you also can transfer your participation to a colleague. All substitutions must be received in writing. INTERESTED IN A PARTNERSHIP? Please contact Thomas Klindt Senior Sales Manager – Sponsors & Exhibition tk@insightevents.dk , +45 4195 1431 Insight Events ApS, Silkegade 17, st., Postbox 2023, DK-1012 Copenhagen K, Tel: (+45) 35 25 35 45, info@insightevents.dk, www.insightevents.dk, VAT registered No 24 24 03 7
We take reservations for misprints and changes in the program. For further information please contact Senior Project Manager Nina Meyer, Tel: (+45) 3055 3092 or e-mail: nm@insightevents.dk