INDUSTRIAL
SECURITY CONFERENCE COPENHAGEN
14-15-16 NOV 2022
SPEAKERS LIST
Stephen Hilt, Sr. Threat Researcher and Author, Trend Micro
Joe Slowik, Threat Researcher, Gigamon
Bent Kock, IT Security and Operation Specialist, Novo Nordisk
Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center, MITRE Labs
Tibor Földesi, Security Analyst, Norlys
Patrick Miller, CEO, Ampere Industrial Security
Peter Frøkjær, President, ISACA Denmark Chapter
Jesus Molina, Director of Industrial Security, Waterfall Security Solutions
James McQuiggan, Security Awareness Advocate, KnowBe4
Kerry Tomlinson, Cyber News Reporter, Ampere News
Martin Scheu, Security Engineer, SWITCH-CERT
Morten Kromann, OT Security Specialist, Siemens
Ron Brash, VP of Technical Research & Integrations, aDolus Technology
Søren Egede Knudsen, IT/OT Security Expert, Egede
Casper Bladt, Senior IT/OT Security Consultant, Engarde Security
Jens Nielsen, Pentester, Engarde Security
Vivek Ponnada, Regional Sales Director, Nozomi Networks
Michael L. Weng, Senior Security Consultant, OT/ICS, WithSecure Corporation
Martin Bo Clausen, Product Owner – IT Cyber Defence, Energinet
Maite Carli García, Communication Manager & European CCI Coordinator, CCI
Dr. Maureen McWhite, Owner, 4Gen Consulting Services LLC
Alicja Janicka, Threat Intelligence Analytiker, EnergiCERT
CONFIRMED PARTNERS
08.30 Registration and refreshments
Register at the conference reception, receive your nametag and conference material
09.00 Opening of the conference by Nina Meyer, Senior Project Manager, Insight Events
09.05 Chairman Peter Frøkjær, President of ISACA Denmark introduces today’s program
09.10 On creating a financially quantified, threat-based risk framework, allowing risk appetite to guide strategic decisions for high impact cyber risks
Presentation will cover:
• Threat Intelligence collection challenges
• Attack Graph modelling
• Stochastic simulations
• Executive management Risk Appetite and touch on recent standards being developed.
Martin Bo Clausen, Product Owner – IT Cyber Defence, Energinet
09.50 Short break
09.55 Can the Cloud fundamentally revolutionize OT Security?
OT Security traditionally had to deal with securing hardware & software that was on-prem. Due to well-known differences in OT technologies compared to those in IT, OT security solutions couldn’t always leverage best-in-class concepts from IT Security. Many were cumbersome to adopt (Defense in Depth, Zone & Conduits or Segmentation etc.), some like patching needed significant workarounds, while others like Zero Trust were (and are) nearly impossible to implement in OT. Additional aspects to consider were OT specific methodologies (e.g., CyberPHA, CCE) to address impact reduction. Even with increasing use of virtualized environments in OT which made it easier to implement IT solutions (AD, IAM etc.), OT Security remains challenging and mostly distinct from IT Security. However, is the Cloud going to fundamentally change that? Would increasing workloads in the Cloud (verticals such as manufacturing, transportation etc. are leading the pack) bring OT Security very much in-line with IT Security? Or would there be continued differences in how OT Security is managed in Cloud-native or Cloud-first OT applications?
Vivek Ponnada, Regional Sales Director, Nozomi Networks
10.35 Refreshments and networking
11.00
When Data > SCADA
Short Abstract: Industry 4.0 and digital transformation are causing a disruption in the risk model for industrial security. The data produced by operations is quickly becoming as valuable as (or more valuable than) the actual operations. As the organizational profit center shifts from operational assets to include operational data, so does the risk. In this presentation, learn how to secure your modern/future industrial organization from the industrial process to the operational data products and beyond.
Patrick Miller, CEO, Ampere Industrial Security
11.40 Lunch and networking
12.30 Lessons learned in CTI land
Tibor Földesi from Norlys will talk about the CTI (Cyber Threat Intelligence) journey which they started more than 4 years ago. The presentation will describe how Norlys prioritized their CTI program in the beginning, did vendor evaluations, utilized CTI to assist decision making on all levels, and many more interesting stories that others in the community can learn from.
If you are considering starting your own CTI program, this presentation will bring you valuable lessons and help you better understand how CTI can assist you to achieve better security.
Tibor Földesi, Security Analyst, Norlys
13.10 Short break
13.15
Doctor StrangeFormat: How I learned to be an archeologist for SBOMs
One of the biggest challenges facing supply chain security is how to secure legacy products while identifying hidden cyber risks buried deep in their subcomponents. Creating accurate Software Bills of Materials (SBOMs) is the critical first step, but how do we do that when the OT legacy software market is a story of abandoned, unbuildable, or lost source code?
Often all the OT industry has to work with is binary images (hotfixes included). And that means working backwards from binaries using Binary Composition Analysis (BCA) and Metadata Composition Analysis (MCA). Using these techniques, the OT professional can address crucial challenges when identifying third-party/supply chain flaws, work with a myriad of file format types, research undocumented/proprietary designs, and execute real-world file-format sleuthing.
Using samples from an anonymized vendor, this session will explore the challenges experienced when decomposing files to address supply chain transparency. We’ll do this by identifying several types of files based on patterns (flash vs. bootloader vs. update package), distinguishing various attributes or markers of interest, spotting security problems with minimal effort, and exploring how to research a file format that is decades old. It’s not a trivial art, but rather a demonstrable skill that requires the combined experiences of people from differing backgrounds to achieve success. In other words, think of it as threat hunting but for OT/ICS files.
Ron Brash, VP of Technical Research & Integrations, aDolus Technology
13.55 Refreshments and networking
14.20
Incident Response Training in Electrical Substations
Once a network security monitoring system is deployed in an OT/SCADA environment, SOC analysts and OT Security engineers need to train and improve their skills for the system they are managing. Training in a live environment needs to be well prepared and the simulated incident must under no circumstances affect the operation of the target system.
We have developed various attack scenarios for incident response training in electrical substations. While we are careful not to interrupt operations, the semi-automatic OT malware leaves enough traces for the security engineers to work with.
In this talk Martin Scheu will walk you through the planning phases, how to involve the different teams, training execution and the lessons learned.
Martin Scheu, Security Engineer, SWITCH-CERT
15.00 Short break
15.10
Don’t Blink! A deep dive into Cyclops Blink
In 2022, Cyclops Blink became known by the world as the next attack from the well-known advanced persistent group Sandworm. Associated with destructive malware like BlackEnergy and Olympic Destroyer, this group also compromises IoT devices around the world to use them as its infrastructure. In 2018, VPNFilter was one such malware family that affected many routers globally from many different vendors – and consisted of multiple payloads and functions. After the industry sinkholed their domains, many infections were left over that could have been utilized by this group.
However, they chose instead to retool and attack new routers with malware that has been dubbed “Cyclops Blink”. In February 2022 the NCSC in the UK published information about WatchGuard-specific Cyclops Blink attacks, and through our investigation Trend Micro was able to acquire different families of Cyclops Blink samples - one specifically attacking ASUS routers. Analyzing these samples, we were able to emulate an infection and track down and monitor more than 150 C&C servers from the threat actor infrastructure. While businesses around the world are spending time and money to stop attacks, nation-state attackers are going after consumer devices to gain footholds for future attacks. How can we expect our parents to defend against being part of the next large-scale nation attack if businesses already struggle?
Stephen Hilt, Sr. Threat Researcher and Author, Trend Micro
15.50 Short break
16.00
5 Techniques to Increase Security Culture Within Organizations
Organizations are barraged constantly with phishing campaign attacks, and one organization suffers a breach every fourteen seconds. According to the 2021 Verizon data breach report, over 85% of data breaches are due to human error. It is worth noting how the criminals get into an organization’s systems and infrastructure. It comes down to phishing attacks or misconfigured and unpatched systems.
One solution is utilizing a robust security awareness and training program. However, how many employees take it, retain it, or use it? If the program is useful, why do breaches continue to occur? Organizations have training programs. Employees complete it and move on. Unfortunately, most of the time, they don’t remember it.
The concept of security culture has been increasing over the past few years. However, organizations still struggle with implementing a security awareness program. This session will address ways to take your security awareness program from boring and bland to engaging, innovative and work towards having a robust security culture working to protect your organization.
James McQuiggan, Security Awareness Advocate, KnowBe4
16.50 Specialist talks
1. TXOne
2. Nozomi Networks
3. Securing File Transfers into Critical Infrastructure Environments – Nuclear Power Plant use case
The frequency and severity of targeted cyberattacks against critical infrastructure organizations around the world continue to increase. In this session you will hear about core technology components deployed at 98% of nuclear facilities in the US and how your organisation can secure the gaps that may exist in your IT/OT data exchanges and file transfer processes.
Opswat
17.35 Chairman Peter Frøkjær, President of ISACA Denmark rounds up today’s learnings
17.45 Networking reception: Enjoy refreshments and network with your security colleagues
18.30 Dinner & Networking (requires separate signup): 3 course dinner in the restaurant including wine/beer/water
09.00
09.10
Security FAT - Clean shoes and how to get them
In an era with more and more focus on security in the OT environment, the focus has been on treating what is installed in the factory.
If we keep installing systems that are not up to date with the newest security patches, it is like having a clean room and walking in with dirty shoes.
In IEC 62443 the process to handle this is called a security FAT: testing the security readiness of a system before installing it in the factory.
In this talk Bent Kock and Morten Kromann will show how Novo Nordisk is getting clean shoes in their factories.
Bent Kock, IT Security and Operation Specialist, Novo Nordisk
Morten Kromann, OT Security Specialist, Siemens
09.50 Short break
10.00
S**t we have factories in Russia!
The conflict in Ukraine is affecting industrial businesses if they stop production or factories are taken over by Russia. With that in mind, Egede Aps started a research project in June 2022 that has the primary objective of “How can a company exit Russia and make the PLCs difficult to reuse”. At the conference Søren Egede Knudsen will present the research and give some information on how this can be used.
Søren Egede Knudsen, CEO & IT/OT Security Expert, Egede
10.40 Refreshments and networking
11.10
Women in Cyber
Moderator: Kerry Tomlinson, Cyber News Reporter, Ampere News
Update on the activities of the Top20 PLC group
Maite Carli García, Communication Manager & European CCI Coordinator, CCI
Supply chain cybersecurity with an emphasis on the transportation sector, including maritime, rail and air.
Dr. Maureen McWhite, Owner, 4Gen Consulting Services LLC
EnergiCERT
Alicja Janicka, Threat Intelligence Analytiker, EnergiCERT
11.50 Lunch and networking
12.50
Industrial Security - 13 Ways to Break a Firewall
Cybersecurity for critical infrastructures and manufacturing almost always starts with an IT/OT firewall. But - all security technologies have limitations. Understanding those limitations and understanding what alternative designs might add value is essential to designing robust defenses. In this presentation, we look at 13 ways to break a firewall, and we compare those attacks to an increasingly popular alternative: hardware-enforced unidirectional gateway technology.
Jesus Molina, Director of Industrial Security, Waterfall Security Solutions
13.25 Short break
13.35
Recreating the Ukraine 2015 attack - on the latest 2022 firmware
Take one Ethernet converter, two skilled security researchers and 5 days in the lab = some interesting zero-days.
The presentation will give an insight into the internal research work En Garde Security did on the very same device that was (ab)used in the power grid attack in 2015.
We will provide insight into the thought process, how we actually found the vulnerabilities and the whole responsible disclosure process.
Attend the conference to learn how we were able to duplicate the attack on the latest, current firmware... and we will provide a live demo as well!
Casper Bladt, Senior IT/OT Security Consultant, Engarde Security
Jens Nielsen, Senior Security Researcher, ICSRange
14.15 Refreshments and networking
14.35
Ensuring Operational Resiliency in a Contested World
Operating a safe and reliable system has become increasingly complex in the last 10 years. Gone are the days where logical isolation and security by obscurity could be relied on to ensure safety from cyber threats.
Today’s asset owners and operators need new methods and tools to meet these challenges while maintaining the high standards of reliability that the public and the economy have come to rely on.
This presentation will cover how the landscape has changed over the past 10 years and discuss some ways that owners and operators can engineer resiliency solutions to prioritize activities and reduce these risks.
Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center, MITRE Labs
15.15
Evaluating Asset Owner Implications from Cyber Conflict
News headlines emphasize the increasing risk of “cyber war” for critical infrastructure operations, yet to date few known examples of such activity actually exist. While the field remains one in flux, we unfortunately have some recent examples showing what implications may hold for industrial asset owners and operators from actual conflict scenarios. In this discussion, we will explore how cyber shaped the invasion of Ukraine, and what risks events such as this conflict pose for OT environments and their defenders. Additionally, we will expand scope to examine implications from less-visible conflict scenarios, notably ongoing “ransomware” and wiper campaigns in Israel and Iran, to see how critical infrastructure operators and defenders are impacted in “low-level” but nonetheless significant conflict scenarios. Joe Slowik will conclude with an examination of just what asset owners can usefully do to improve security outcomes and build operational resilience in the face of such threats.
Joe Slowik, Threat Researcher, Gigamon
16.00
16.20 The conference ends
VENUE & REGISTRATION
DATES & CONFERENCE VENUE
The conference will be held 15 & 16 November 2022 at
Crowne Plaza Copenhagen Towers Ørestads Blvd. 114 – 118 DK-2300 Copenhagen
ACCOMMODATION
Accommodation is not included in the registration fee. It is possible to book a hotel room at the venue at a favorable price when registering.
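CONFERENCE PRICES
International program: 15-16 Nov
• EARLY BIRD (until 30 Sep 2022): DKK 9,495
• SPECIAL OFFER (until 28 Oct 2022): DKK 10,495
• NORMAL PRICE (from 29 Oct 2022): DKK 11,995
Networking Dinner: 15 Nov 2022
• EARLY BIRD (until 30 Sep 2022): DKK 650
• SPECIAL OFFER (until 28 Oct 2022): DKK 650
• NORMAL PRICE (from 29 Oct 2022): DKK 650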
Prices are in Danish Kroner and excluding VAT.
GROUP DISCOUNT
It is possible to register 3+ entries for the conference and get a discount. Contact us for more information.
REGISTRATION
To register for the conference the best and quickest way is to fill in the online registration form on www.isc-cph.com. We also accept bookings by post, Tel: (+45) 35 25 35 45 and e-mail: info@insightevents.dk. Once we have received your registration you will receive an invoice. Your registration is binding.
CANCELLATION
All cancellations must be submitted in writing. If cancelled up to 14 days before the event, a fee of 10% will be withheld. Should cancellation be made less than 14 days prior to the event, 50% will be withheld and, if cancelled later than 2 days before the date of the event, full price will be paid. If you are prevented from participating, you also can transfer your participation to a colleague. All substitutions must be received in writing.
COVID-19 and participation
All COVID-19 restrictions ended in Denmark in January 2022, and the disease is no longer labelled “a risk for society”.
Insight Events ApS, Silkegade 17, st., Postbox 2023, DK-1012 Copenhagen K, Tel: (+45) 35 25 35 45, info@insightevents.dk, www.insightevents.dk, VAT registered No 24 24 03 7
We take reservations for misprints and changes in the program. For further information please contact Senior Project Manager Nina Meyer, Tel: (+45) 3055 3092 or e-mail: nm@insightevents.dk