PROGRAM WWW.ISC-CPH.COM
INDUSTRIAL SECURITY CONFERENCE COPENHAGEN 14-15-16 NOV 2022
THESE AND MANY MORE SPEAKERS
Bent Kock, IT Security and Operation Specialist, Novo Nordisk
Joe Slowik, Threat Researcher, Gigamon
Patrick Miller, CEO, Ampere Industrial Security
Rene Levin, CISO, EWII
Martin Scheu, Security Engineer, SWITCH-CERT
Morten Kromann, OT Security Specialist, Siemens
InsightIT
SPEAKERS LIST
Stephen Hilt, Sr. Threat Researcher and Author, Trend Micro
Joe Slowik, Threat Researcher, Gigamon
Bent Kock, IT Security and Operation Specialist, Novo Nordisk
Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center, MITRE Labs
Rene Levin, CISO, EWII
Tibor Földesi, Security Analyst, Norlys
Patrick Miller, CEO, Ampere Industrial Security
Peter Frøkjær, President, ISACA Denmark Chapter
Søren Maigaard, Director, EnergiCERT
Jakob Witt, Threat Assessment Unit, Forsvarets Efterretningstjeneste CFCS
Andrada Son, Headhunter, CSA CPH
Jesus Molina, Director of Industrial Security, Waterfall Security Solutions
Camilla Treschow Schrøder, Founder and Director, CSA CPH
Lars Syberg, Partner, Implement
Tom Holsøe, Partner, Head of IT and Digitalisation, Specialist Advisor on cybersecurity, Poul Schmith / Kammeradvokaten
James McQuiggan, Security Awareness Advocate, KnowBe4
Jesper Rode Tholstrup, Head of Division, Energistyrelsen
Kenneth Bjerregaard, Threathunter, EnergiCERT
Kerry Tomlinson, Cyber News Reporter, Ampere News
Martin Scheu, Security Engineer, SWITCH-CERT
Morten Kromann, OT Security Specialist, Siemens
Ron Brash, VP of Technical Research & Integrations, aDolus Technology
Søren Egede Knudsen, IT/OT Security Expert, Egede
Casper Bladt, Senior IT/OT Security Consultant, Engarde Security
Jens Nielsen, Senior Security Researcher, ICSRange
Vivek Ponnada, Regional Sales Director, Nozomi Networks
Michael L. Weng, Senior Security Consultant, OT/ICS, WithSecure Corporation
Jørgen Hartig, CEO and Strategic Advisor, SecuriOT
Martin Bo Clausen, Product Owner – IT Cyber Defence, Energinet
Maite Carli García, Communication Manager & European CCI Coordinator, CCI
Dr. Maureen McWhite, Owner, 4Gen Consulting Services LLC
Alicja Janicka, Threat Intelligence Analyst, EnergiCERT
IN PARTNERSHIP WITH
CONFIRMED PARTNERS
PROGRAM MONDAY 14 NOV 2022
08.30
Collection of name badges and conference material
Light breakfast with coffee/tea
09.00
Opening of the conference by Nina Meyer, Senior Project Manager, Insight Events
09.05
Introduction by chairman Peter Frøkjær, President of ISACA Denmark
09.10
The cyber threat against Denmark
Jakob Witt gives an update on the cyber threat against Denmark and describes CFCS's assessment of how the war in Ukraine affects the threat landscape. Thorsten will also briefly outline the work behind the assessment of the cyber threat.
Jakob Witt, Threat Assessment Unit, Forsvarets Efterretningstjeneste CFCS
09.50
Short break
10.00
New Cyber and Information Security Strategy
A secure and stable energy supply is a prerequisite for a well-functioning society, and Denmark has one of the world's highest levels of security of supply. That must be maintained, also during the transition to green energy and the simultaneous digitalisation of the energy system. The changed security policy situation in the world has only put cyber and information security higher on the agenda.
Jesper Rode Tholstrup, Head of Division, Energistyrelsen
10.40
Networking break with refreshments
11.15
Types and examples of attacks in the energy sector in 2022
EnergiCERT collects, monitors and responds to network traffic for 150+ energy companies. All the collected data is used partly to help the individual company, but also to look into the threats that actually exist against Danish critical infrastructure. Hear what they see, get a walkthrough of selected cases, and get good advice on how you can increase your cybersecurity.
Kenneth Bjerregaard, Threathunter, EnergiCERT
11.55
Lunch and networking
12.55
Green transition, digitalisation and supply-critical infrastructure must live together, each on their own.
There is an increased focus on becoming independent of fossil fuels and, in these times, of Russian supplies. Politicians and a number of private utility companies, consultancies and software vendors point out that data from, among others, the utility companies is part of the answer to digitalisation and technological support for an effective green transition. That is most certainly true! But be aware that the supply-critical infrastructure of today is based on older technological solutions that are not readily mature for modern digitalisation and for being connected to it. Rene Levin's hypothesis is therefore that the two areas, IT and OT/ICS, are deeply dependent on each other. We must protect the older technology with physical segmentation and, in the event of an incident, be able to secure supply by running in island mode. This applies until the technology in the OT/ICS segment has been developed and replaced so that supplies are always available. At the same time, OT/ICS is deeply dependent on digitalisation being used to ensure that no infection occurs in OT/ICS, through the use of modern IDS and IPS, if companies and authorities choose to automate operations in OT/ICS and feed data back into this segment. With this as a starting point, Rene Levin will attempt to present a common reference architecture – it may be close to the truth … or?
Rene Levin, CISO, EWII
13.35
Short break
13.45
NIS2 – update
The NIS2 Directive has been adopted, and we know the final directive text from the EU. The directive must now be implemented in Denmark, and in that connection several questions must be answered before we know the new reality for cybersecurity at many Danish companies and authorities. We take a closer look at what we know about the rules and, not least, what can be done already now to get ready for the rules in 2024.
Tom Holsøe, Partner, Head of IT and Digitalisation, Specialist Advisor on cybersecurity, Poul Schmith / Kammeradvokaten
14.25
Networking break with refreshments
14.55
Experiences from the war in Ukraine in relation to the cyber threat
Since the war in Ukraine began, EnergiCERT has published 7 reports on how it has affected the cyber threat against Danish critical infrastructure. In this talk, Søren Maigaard describes how they collect data on attacks and threats and how they work with this internally during a crisis. He then goes into depth with the actual observations related to the war and what he specifically sees via the sensor network that covers a large part of the energy sector in Denmark.
Søren Maigaard, Director, EnergiCERT
15.35
Short break
15.45
The biggest threat is the lack of skills – how are things in Denmark, and what can we do?
The shortage of cyber and information security skills remains the biggest threat within cybersecurity. In 2022, the shortage is assessed to be greatest within OT security, where the extensive cyber attacks of the last few years have underlined the need for specialists. But what can we do to solve the problem? In this keynote, the resource company CSA CPH, which specialises in cybersecurity, shares its insight into the issue of skills availability. They share practical experience of attracting resources to the industry, as well as knowledge of what works to retain more talent.
Camilla Treschow Schrøder, Founder and Director, CSA CPH
Andrada Son, Headhunter, CSA CPH
16.25
News from the specialists
1. The existing advice and recommendations for OT/ICS Cyber Security (Defense) Strategies, seen in the light of new malware and the situation in Ukraine
Michael L. Weng, Senior Security Consultant, OT/ICS, WithSecure Corporation
2. The requirements for your risk assessments are being tightened with NIS2 – concrete recommendations for an approach in relation to OT threats
Jørgen Hartig, CEO and Strategic Advisor, SecuriOT
3. ISA/IEC 62443 and NIS2 - and practical preparedness! How do you clarify what, and whether, you are covered by the upcoming NIS2 requirements, and how does that relate to ISA/IEC 62443? Can emergency response and restoration of the operational environment take place with all the usual security services and cloud services available? Far from always. Come and hear how to create a robust OT security architecture and technical recovery plans that work in island mode - and get practical inspiration for your organisation's contingency planning that you can take straight home and use.
Lars Syberg, Partner, Implement
17.10
Chairman Peter Frøkjær, President of ISACA Denmark, sums up the first day of the conference
17.15 – 18.15
Networking reception with refreshments together with our partners
PROGRAM TUESDAY 15 NOV 2022
08.30
Registration and refreshments
Register at the conference reception, receive your nametag and conference material
09.00
Opening of the conference by Nina Meyer, Senior Project Manager, Insight Events
09.05
Chairman Peter Frøkjær, President of ISACA Denmark introduces today’s program
09.10
On creating a financially quantified, threat-based risk framework, allowing risk appetite to guide strategic decisions for high impact cyber risks
Presentation will cover:
• Threat Intelligence collection challenges
• Attack Graph modelling
• Stochastic simulations
• Executive management Risk Appetite
and touch on recent standards being developed.
Martin Bo Clausen, Product Owner – IT Cyber Defence, Energinet
09.50
Short break
09.55
Can the Cloud fundamentally revolutionize OT Security?
OT Security traditionally had to deal with securing hardware & software that was on-prem. Due to well-known differences in OT technologies compared to those in IT, OT security solutions couldn’t always leverage best-in-class concepts from IT Security. Many were cumbersome to adopt (Defense in Depth, Zone & Conduits or Segmentation etc.), some like patching needed significant workarounds, while others like Zero Trust were (and are) nearly impossible to implement in OT. Additional aspects to consider were OT specific methodologies (e.g., CyberPHA, CCE) to address impact reduction. Even with increasing use of virtualized environments in OT which made it easier to implement IT solutions (AD, IAM etc.), OT Security remains challenging and mostly distinct from IT Security. However, is the Cloud going to fundamentally change that? Would increasing workloads in the Cloud (verticals such as manufacturing, transportation etc. are leading the pack) bring OT Security very much in-line with IT Security? Or would there be continued differences in how OT Security is managed in Cloud-native or Cloud-first OT applications?
Vivek Ponnada, Regional Sales Director, Nozomi Networks
10.35
Refreshments and networking
11.00
When Data > SCADA
Short Abstract: Industry 4.0 and digital transformation are causing a disruption in the risk model for industrial security. The data produced by operations is quickly becoming as valuable as (or more valuable than) the actual operations. As the organizational profit center shifts from operational assets to include operational data, so does the risk. In this presentation, learn how to secure your modern/future industrial organization from the industrial process to the operational data products and beyond.
Patrick Miller, CEO, Ampere Industrial Security
11.40
Lunch and networking
12.30
Lessons learned in CTI land
Tibor Földesi from Norlys will talk about the CTI (Cyber Threat Intelligence) journey which they started more than 4 years ago. The presentation will describe how Norlys prioritized their CTI program in the beginning, did vendor evaluations, utilized CTI to assist decision making on all levels, and many more interesting stories that others in the community can learn from. If you are considering starting your own CTI program, this presentation will bring you valuable lessons and help you better understand how CTI can assist you to achieve better security.
Tibor Földesi, Security Analyst, Norlys
13.10
Short break
13.15
Doctor StrangeFormat: How I learned to be an archeologist for SBOMs
One of the biggest challenges facing supply chain security is how to secure legacy products while identifying hidden cyber risks buried deep in their subcomponents. Creating accurate Software Bills of Materials (SBOMs) is the critical first step, but how do we do that when the OT legacy software market is a story of abandoned, unbuildable, or lost source code? Often all the OT industry must work with is binary images (hotfixes included). And that means working backwards from binaries using Binary Composition Analysis (BCA) and Metadata Composition Analysis (MCA). Using these techniques, the OT professional can address crucial challenges when identifying third-party/supply chain flaws, work with a myriad of file format types, research undocumented/proprietary designs, and execute real-world file-format sleuthing. Using samples from an anonymized vendor, this session will explore the challenges experienced when decomposing files to address supply chain transparency. We’ll do this by identifying several types of files based on patterns (flash vs. bootloader vs. update package), distinguishing various attributes or markers of interest, spotting security problems with minimal effort, and exploring how to research a file format that is decades old. It’s not a trivial art, but rather a demonstrable skill that requires the combined experiences of people from differing backgrounds to achieve success. In other words, think of it as threat hunting but for OT/ICS files.
Ron Brash, VP of Technical Research & Integrations, aDolus Technology
13.55
Refreshments and networking
14.20
Incident Response Training in Electrical Substations
Once a network security monitoring system is deployed in an OT/SCADA environment, SOC analysts and OT Security engineers need to train and improve their skills for the system they are managing. Training in a live environment needs to be well prepared and the simulated incident must under no circumstances affect the operation of the target system. We have developed various attack scenarios for incident response training in electrical substations. While we are careful not to interrupt operations, the semi-automatic OT malware leaves enough traces for the security engineers to work with. In this talk Martin Scheu will walk you through the planning phases, how to involve the different teams, training execution and the lessons learned.
Martin Scheu, Security Engineer, SWITCH-CERT
15.00
Short break
15.10
Don’t Blink! A deep dive into Cyclops Blink
In 2022, Cyclops Blink became known by the world as the next attack from the well-known advanced persistent threat group Sandworm. Associated with destructive malware like BlackEnergy and Olympic Destroyer, this group also compromises IoT devices around the world to use them as their infrastructure. In 2018, VPNFilter was one such malware family that affected many routers globally from many different vendors – and consisted of multiple payloads and functions. After the industry sinkholed their domains, many infections were left over that could have been utilized by this group. However, they chose instead to retool and attack new routers with malware that has been dubbed “Cyclops Blink”. In February 2022 NCSC in the UK published about WatchGuard specific Cyclops Blink attacks, and through our investigation Trend Micro was able to acquire different families of Cyclops Blink samples - one specifically attacking ASUS routers. Analyzing these samples, we were able to emulate an infection and track down and monitor more than 150 C&C servers from the threat actor infrastructure. While businesses around the world are spending time and money to stop attacks, nation state attackers are going after consumer devices to gain footholds for future attacks. How can we expect our parents to defend from being part of the next large scale nation attack if businesses already struggle?
Stephen Hilt, Sr. Threat Researcher and Author, Trend Micro
15.50
Short break
16.00
5 Techniques to Increase Security Culture Within Organizations
Organizations are barraged constantly with phishing campaign attacks, and one organization suffers a breach every fourteen seconds. According to the 2021 Verizon data breach report, over 85% of data breaches are due to human error. It is worth noting how the criminals get into an organization’s systems and infrastructure. It comes down to phishing attacks or misconfigured and unpatched systems. One solution is utilizing a robust security awareness and training program. However, how many employees take it, retain it, or use it? If the program is useful, why do breaches continue to occur? Organizations have training programs. Employees complete it and move on. Unfortunately, most of the time, they don’t remember it. The concept of security culture has been increasing over the past few years. However, organizations still struggle with implementing a security awareness program. This session will address ways to take your security awareness program from boring and bland to engaging, innovative and work towards having a robust security culture working to protect your organization.
James McQuiggan, Security Awareness Advocate, KnowBe4
16.50
Specialist talks
1. TXOne
2. Nozomi Networks
3. Securing File Transfers into Critical Infrastructure Environments – Nuclear Power Plant use case
The frequency and severity of targeted cyberattacks against critical infrastructure organizations around the world continue to increase. In this session you will hear about core technology components deployed at 98% of nuclear facilities in the US and how your organisation can secure those gaps, which may exist in your IT/OT data exchanges and file transfer processes.
Opswat
17.35
Chairman Peter Frøkjær, President of ISACA Denmark rounds up today’s learnings
17.45
Networking reception
Enjoy refreshments and network with your security colleagues
18.30
Dinner & Networking (requires separate signup)
3 course dinner in the restaurant including wine/beer/water
PROGRAM WEDNESDAY 16 NOV 2022
09.00
Chairman Peter Frøkjær, President of ISACA Denmark introduces today’s program
09.10
Security FAT - Clean shoes and how to get them
In an era with more and more focus on security in the OT environment, the focus has been on treating what is installed in the factory. If we keep installing systems that are not up to date with the newest security patches, it is like having a clean room and walking in with dirty shoes. In IEC62443 the process to handle this is called a security FAT: testing the security readiness of a system before installing it in the factory. In this talk Bent Kock and Morten Kromann will show how Novo Nordisk is getting clean shoes in their factories.
Bent Kock, IT Security and Operation Specialist, Novo Nordisk
Morten Kromann, OT Security Specialist, Siemens
09.50
Short break
10.00
S**t we have factories in Russia!
The conflict in Ukraine is affecting industrial businesses if they stop production or factories are taken over by Russia. With that in mind, Egede Aps started a research project in June 2022 that has the primary objective of “How can a company exit Russia and make the PLCs difficult to reuse”. At the conference Søren Egede Knudsen will present the research and give some information on how this can be used.
Søren Egede Knudsen, CEO & IT/OT Security Expert, Egede
10.40
Refreshments and networking
11.10
Women in Cyber
Moderator: Kerry Tomlinson, Cyber News Reporter, Ampere News
Update on the activities of the Top20 PLC group
Maite Carli García, Communication Manager & European CCI Coordinator, CCI
Supply chain cybersecurity with an emphasis on the transportation sector, including maritime, rail and air.
Dr. Maureen McWhite, Owner, 4Gen Consulting Services LLC
EnergiCERT
Alicja Janicka, Threat Intelligence Analyst, EnergiCERT
11.50
Lunch and networking
12.50
Industrial Security - 13 Ways to Break a Firewall
Cybersecurity for critical infrastructures and manufacturing almost always starts with an IT/OT firewall. But - all security technologies have limitations. Understanding those limitations and understanding what alternative designs might add value is essential to designing robust defenses. In this presentation, we look at 13 ways to break a firewall, and we compare those attacks to an increasingly popular alternative: hardware-enforced unidirectional gateway technology.
Jesus Molina, Director of Industrial Security, Waterfall Security Solutions
13.25
Short break
13.35
Recreating the Ukraine 2015 attack - on the latest 2022 firmware
Take one Ethernet converter, two skilled security researchers and 5 days in the lab = some interesting zero-days. The presentation will give an insight into the internal research work En Garde Security did on the very same device that was (ab)used in the power grid attack in 2015. We will provide insight into the thought process, how we actually found the vulnerabilities and the whole responsible disclosure process. Attend the conference to learn how we were able to duplicate the attack on the latest, current firmware... and we will provide a live demo as well!
Casper Bladt, Senior IT/OT Security Consultant, Engarde Security
Jens Nielsen, Senior Security Researcher, ICSRange
14.15
Refreshments and networking
14.35
Ensuring Operational Resiliency in a Contested World
Operating a safe and reliable system has become increasingly complex in the last 10 years. Gone are the days where logical isolation and security by obscurity could be relied on to ensure safety from cyber threats. Today’s asset owners and operators need new methods and tools to meet these challenges while maintaining the high standards of reliability that the public and the economy have come to rely on. This presentation will cover how the landscape has changed over the past 10 years and discuss some ways that owners and operators can engineer resiliency solutions to prioritize activities and reduce these risks.
Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center, MITRE Labs
15.15
Evaluating Asset Owner Implications from Cyber Conflict
News headlines emphasize the increasing risk of “cyber war” for critical infrastructure operations, yet to date few known examples of such activity actually exist. While the field remains one in flux, we unfortunately have some recent examples showing what implications may hold for industrial asset owners and operators from actual conflict scenarios. In this discussion, we will explore how cyber shaped the invasion of Ukraine, and what risks events such as this conflict pose for OT environments and their defenders. Additionally, we will expand scope to examine implications from less-visible conflict scenarios, notably ongoing “ransomware” and wiper campaigns in Israel and Iran, to see how critical infrastructure operators and defenders are impacted in “low-level” but nonetheless significant conflict scenarios. Joe Slowik will conclude with an examination of just what asset owners can usefully do to improve security outcomes and build operational resilience in the face of such threats.
Joe Slowik, Threat Researcher, Gigamon
16.00
Chairman Peter Frøkjær, President of ISACA Denmark talks about today’s learnings
16.20
The conference ends
VENUE & REGISTRATION

DATES & CONFERENCE VENUE
The conference will be held 14, 15 & 16 November 2022 at Crowne Plaza Copenhagen Towers, Ørestads Blvd. 114 – 118, DK-2300 Copenhagen

ACCOMMODATION
Accommodation is not included in the registration fee. It is possible to book a hotel room at the venue when registering for a favorable price.

Number of days: Choose between 2 or 3 days

Conference                          EARLY BIRD           SPECIAL OFFER        NORMAL PRICE
                                    Until 30 Sep 2022    Until 28 Oct 2022    From 29 Oct 2022
All 3 days: 14-15-16 Nov            DKK 11,495           DKK 12,495           DKK 13,495
International program: 15-16 Nov    DKK 9,495            DKK 10,495           DKK 11,995
Networking Dinner: 15 Nov 2022      DKK 650              DKK 650              DKK 650
Prices are excluding VAT.

GROUP DISCOUNT
It is possible to register 3+ entries for the conference and get a discount. Contact us for more information.

REGISTRATION
To register for the conference the best and quickest way is to fill in the online registration form on www.isc-cph.com. We also accept bookings by post, Tel: (+45) 35 25 35 45 and e-mail: info@insightevents.dk. Once we have received your registration you will receive an invoice. Your registration is binding.

CANCELLATION
All cancellations must be submitted in writing. If cancelled up to 14 days before the event, a fee of 10% will be withheld. Should cancellation be made less than 14 days prior to the event, 50% will be withheld and, if cancelled later than 2 days before the date of the event, full price will be paid. If you are prevented from participating, you also can transfer your participation to a colleague. All substitutions must be received in writing.

COVID-19 and participation
All COVID-19 restrictions ended in Denmark in January 2022, and the disease is no longer labelled “a risk for society”.

Insight Events ApS, Silkegade 17, st., Postbox 2023, DK-1012 Copenhagen K, Tel: (+45) 35 25 35 45, info@insightevents.dk, www.insightevents.dk, VAT registered No 24 24 03 7
Subject to misprints and changes in the program. For further information please contact Senior Project Manager Nina Meyer, Tel: (+45) 3055 3092 or e-mail: nm@insightevents.dk