Singapore ICS Cyber Security Conference | 2018

With the increasing speed OT Owners & Operators are being confronted with the ICS cybersecurity phenomenon. Being ignorant is no longer an excuse as specific legislation are being developed to enforce responsibilities of OT cyber security on OT Owners & Operators. As a multiple-stage journey with different activities, OT Owners & Operators are presented with difficulties and dilemmas in decisions making; How to begin, What to do First, What to do Next.
This lecture aims to provide insight in:

• What OT cybersecurity mean as an end-user
• The dilemmas; Cost, Resources, Risks, Liabilities
• The available choices and decision markers;

Cyber war is no more a depiction of a science fiction movie, it is a reality, and hence, protecting the industrial control systems that are at the heart of the critical industrial infrastructures is no more an option. The speaker will focus on covering the adoption of an actionable approach to enhancing cyber security within the existing industrial infrastructures and the design of new control systems “with effective implementable cybersecurity controls” during the EPC (Engineering, Procurement, and Construction) lifecycle. The speaker will also provide examples of previous experience in implementing industrial cybersecurity in brown oil fields, smart oil fields, power generation, transmission, distribution and other industrial infrastructures.

Why you should attend
• Understand the plant operation when designing cyber security models and solutions for control systems
• Learn how to embed industrial cyber security during the engineering project lifecycle
• Discuss the different types of critical infrastructures (energy, utilities, etc.) and how the type of operation is related to cyber security
• Develop ideas on how to move into cyber security by design for the new control systems.
• Understand how to enhance industrial cyber security within existing control systems
• What do you need to address before implementing cyber security solutions in the existing ICS systems

Main Takeaways
• Understanding the emerging cyber threats
• Discuss the latest ICS reports and incidents including the lessons that shall be learned
• Need for different industrial cyber security models for the different critical infrastructure
• Who are the stakeholders and what is the role of each?
• What are the important three Cs for effective industrial cyber security program?
• Why do we need to understand plant operation when planning to secure the plants from cyber threats?

Industrial Control Systems have traditionally operated in splendid isolation, achieving a
measure of security simply due to this isolation. In recent times, these formerly isolated
systems have become increasingly integrated into business systems, and even the Internet,
exposing them to increased yet unknown risk.

Most operators of ICS environments have little to no visibility into the assets resident within
their ICS environments - making it difficult to understand risk exposure of these critical
devices.

ICS operators are faced with a dilemma, and must understand the answer to this question:
In these times of IT/ICS convergence, how do I ensure my ICS environment remains secure
when I am unsure of what’s in my environment, what the vulnerabilities are within my
environment, and what’s connecting to it?
This session will demonstrate a case where IT/ICS convergence resulted in a compromise or
potential compromise. We will then expand on the risk of converged IT/ICS infrastructure,
and how these risks may be measured and understood.

Energy operators rely on an extensive network of business partners and suppliers to operate efficiently and safely. This network, while improving operations, can also contribute to increasing cyber security risks if best practices aren’t adopted and followed diligently.
The importance of resilience in a vendor’s supply chain is critical and should be evaluated near the same level as safety and integrity. Those operating industrial control environments should take a deeper look at security by reviewing key areas that can contribute to increased risk within the supply chain.

This presentation will address:

• What previous compromises tell us about our future
• The impact of regulations on supply chain security
• The importance of a long-term partner when choosing security solutions

What shared responsibility looks like before, during and after commissioning
Looking beyond greenfield; shared responsibility with legacy devices
Expectations during a compromise
When and where the reduction of vendors equals a stronger security posture
How to effectively evaluate vendors, from both OT and IT perspectives

Summary: Industrial Control Systems (ICS) provide the backbone of our critical infrastructure and are increasingly under attack. These systems present unique security challenges connecting aging equipment that often predates modern security. This session will review today’s most serious ICS threats, and innovative approaches to protect critical applications at their core, rather than the perimeter.

Please join us for lunch at Café Swiss, dining restaurant that is designed in a stylish modern architecture. Illuminated by an overhead of natural skylight, Café Swiss emanates an inviting aura of warmth and elegance for a tranquil respite. The sumptuous buffet lunch and dinner, offering a variety of European fare, are immensely popular.

Market research indicates that most industrial companies have implemented cybersecurity programs to protect their control systems and facilities, and that these efforts have significantly reduced the risks of cyber attacks on critical infrastructure. However, with the digitalization trend, which is fast gaining traction across industrial sectors, the cybersecurity challenges for organizations increasingly span the IT-OT-IIoT spectrum. This means more needs to be done to ensure adequate cybersecurity protection.  This ARC presentation will include a discussion of the new digital-era challenges, the gaps that need to be filled, and the steps that industrial end-users should take in order to stay protected.

This a sharing session on the understanding of data diode solution from a neutral perspective. 

The speaker will walk the audience through the cyber kill chain process of how, in theory, an attempt to breach a typical manufacturing plant from the process of reconnaissance, weaponization, delivery, exploitation, installation, C&C can be achieved. With this theoretical attack, the process of defending each kill chain will be explained. In closing, apart from all the implemented defense method, the weakest link would still be the human element and how this can be addressed with touch of care and paranoia.

This presentation covers cyber threat intelligence information of APT Groups who are targeting ICS/SCADA environments. Louis Hur Young-il will explain how Open-source intelligence (OSINT) can be used to gather the threat intelligence.

The transition of traditional security system from Analog to Digital, opens up a new paradox i.e. improved quality and ease of convergence vs increased attack vectors. The presentation aims to break down the various new "weakness" of a Digital Security System and offer options and opinions on how to enhance or mitigate such vulnerabilities.

Please join us at the Alligator Pear poolside bar on Level 8 at the Fairmont Singapore for a welcome reception. Open bar serving Wine, Beer and Soft Drinks & Juices.

Sponsored by: Belden

Welcome address and conference introduction for SecurityWeek's 2018 ICS Cyber Security Conference.

Industrial Control Systems (ICS) have become increasingly attractive targets for cyber-attacks, as successful attacks can have disastrous consequences in the physical world. Unlike attacks on traditional Information Technology (IT) systems, attacks on ICS can disrupt essential services and even result in loss in lives. In response to the new threat of cyber, ICS operators need to augment operational resiliency with cyber resiliency. Furthermore, when planning for cyber resilience, operators need to do it holistically and not limit the scope to just the crown jewels, the ICS. The speaker will also give a flavour on Singapore’s efforts in building a cyber-resilient nation.

Backed by popular demand, the ICS CTF Challenge by NSHC Corporation is back in SecurityWeek's ICS Cyber Security Conference 2018 | Singapore! With realistic-looking ICS/SCADA scaled model landscape and using real PLCs, players can immersed themselves in multiple levels of quizzes and hands-on to score as many points as possible! As part of the CTF can be played online, hence players can enjoy both conference and the CTF at the same time!

Registration
The ICS/SCADA CTF competition is open to all conference ticketholders to play, enjoy and compete.
Participants simply have to register at the NSHC booth located in the Exhibition Area.

Gameplay
There are altogether 6 scenarios, each with its own set of challenges and scores.
The scenarios and challenges are based on real ICS/SCADA simulation using real ICS/SCADA components.
There are more than 50 challenges — Providing an enjoyable and unforgettable experience for both Beginners and Experts.

• Scenerio#1 : Focuses on malware analysis
• Scenerio#2 : Focuses on wireless hacking
• Scenerio#3 : Focuses on breaching an air-gapped Windows-based system
• Scenerio#4 : Focuses on breaching a Windows-based Engineering Station running a well-known HMI program
• Scenerio#5 : Focuses on breaching a PLC software/firmware
• Scenerio#6 : Focuses on creating “real-life” consequences on a railway model based on the flags captured in the above scenarios

Duration
The ICS CTF Challenge will be conducted over 2 days starting on the 24th Oct to 25th Oct, from 10am – 5pm on each day.
 

Equipment
All players are required to bring along their own laptops with at least these features:

• Any preferred hacking utilities of their choice (Kali Linux, ParrotOS, Backbox, Mimikatz etc).
• Own Wi-Fi & Bluetooth (built-in or external) and USB ports.
• A special hardware toolbox will be issued to each registered teams and registered individuals from the Umpire to accomplish certain tasks.

Prizes
Attractive prizes will be awarded to the top 3 winners at the end of the 2nd day closing ceremony
1st Place: Gold Medal + Apple earpods
2nd Place: Silver Medal + Wireless eye massager
3rd Place: Bronze Medal + Screw Driver Tool Kit

Skill Level
Basic IT knowledge will do. A keen-to-learn attitude is the key skill!

Safety Controllers (Safety Instrumented Systems) have always been considered immune to attacks as last barrier of plant safety, and claimed to be designed to ensure safe and reliable operation for Industrial Control Systems (ICS) and Supervisory Control and DataAcquisition (SCADA) environments. Unfortunately, the recent research and in-the-field experience indicate misplaced confidence (based on SIL) and overall weak security practices since these devices themselves form another attack surface for the determined adversaries.

This presentation discusses vulnerabilities found by Applied Risk research team across various state of the art safety controllers, which are commonly used in industrial environments. Advanced attack vectors will be discussed where attackers could exploit the discovered vulnerabilities to gain control over the device, including connected industrial assets.In addition to the discovered vulnerabilities, the process we followed during our research will be discussed.
Examples will be given for topics including: 

• From research to exploitation (a la basecamp)
• Manipulate the safety logic
• Live Demo

Inside look at TRITON ICS Malware
Can you imagine what happens when the industrial safety controllers (SIS) at the one of the world’s largest oil company are being hacked? What if hackers could penetrate, take control and/or disable all nuclear plants and other critical infrastructure systems? Damage from the 2017 Triton attack could have reached epic proportions as the first malware of its kind to specifically target industrial safety controllers. Yet, as recent discoveries indicate, the world experienced the first-ever "evil twin" attack on both SIS and Industrial Control Systems (ICS) simultaneously. Learn what steps Schneider is taking to avoid escalation to grave consequences from these types of attacks.

Session Detail

If this was just a PLC then maybe we would not have been quite so enthralled.  In this case it was a triply redundant safety controller whose entire purpose is to protect people, equipment and the environment from disaster.  There is only one reason anyone would want to compromise such a device – to enable serious harm.  Yes, you could imagine that a plant shutdown would cause an economic outcome, but if that was the intent, this could have been accomplished with only a few lines of Python script and the elaborate manipulation of processor memory would have been a total waste of time.  No, the intent was much more than that.  It was a grave one.  
This session will discuss the issues and practical solutions to these three intriguing questions:

1. What & Why do we need to know about the "Evil Twins" TRITON/TRISIS attack?
2. Why do we need to change?
3. Lessons Learned & Solutions

Session Objectives 

• Bring clarity to the details of this attack
• Highlight the way the much larger scope behind the Triton/Trisis Attack
• Discuss how our industry should move forward from this state

There is much still to be said about the Triton attack and practitioners in our industry need to be fully aware of these details if they are to be effective in defending against this type of attack in the critical infrastructure.

Background
In late December 2016, at least 3 Ukrainian power utilities came under a sophisticated, multi-stage, cyber attack that brought down power transmission to at least 200,000 households for 6 hours. Shift operators on that fateful day were caught off guard as their control systems were hijacked and remotely controlled by the attackers. Due to the multi-stage attack, the operators were literally isolated from escalating the incident, and could only watched helplessly as the attackers opened the protective relays to each sub-station one at a time…ushering in the first ever power outages created by human hackers.

Please join us for lunch at Café Swiss, dining restaurant that is designed in a stylish modern architecture. Illuminated by an overhead of natural skylight, Café Swiss emanates an inviting aura of warmth and elegance for a tranquil respite. The sumptuous buffet lunch and dinner, offering a variety of European fare, are immensely popular.

As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access. 
There is an urgent need for a new approach to combat the next generation of cyber-threats, across both OT and IT environments. While total prevention of compromise is untenable, utilizing automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or ICS. 
Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense. 
In this session, learn: 

• How new machine learning and mathematics are automating advanced threat detection
  
• Why 100% network visibility allows you to preempt emerging situations, in real time, across both IT and OT environments 
  
• How smart prioritization and visualization of threats allows for better resource allocation and lower risk 
  
• Real-world examples of detected OT threats, from non-malicious insiders to sophisticated cyber-attackers
  

Sponsored by: Darktrace

Last December, cyber attackers launched a new malware variant called TRITON, specifically designed to target industrial safety systems. It was used against a critical infrastructure facility in the Middle East, causing an operational outage. While this malware was not the first to impact operational networks, it illustrates that ICS networks are now directly in the crosshairs of attackers.

In this session, we will discuss the emergence of ICS-specific malware, how it’s being used to infiltrate industrial environments, and what operators can do to defend their ICS networks and critical assets to prevent disruptions.

Sponsored by: Indegy

Today, cyber threats have grown not just in its depth (i.e. more sophisticated), but also in its breadth (i.e. expanded scope). It has grown from threats in Enterprise IT systems (IT) to Operation Technologies (OT). Generally, OT refers to critical infra-structures such as nuclear, chemical, energy, water plants, trains, planes, ships etc. In certain context, it is addressed as Industrial Control Systems (ICS), or Supervisory Control And Data Acquisition (SCADA) systems.
In this sharing, the speaker would share the typical risks in both IT and OT, and why they could not be addressed in separated perspectives. The contents will be delivered in a highly practical approach with much of the sharing being the speaker’s first-hand experiences and encounters operationally.

Functional Safety at Your Plant Requires IT Security

The cyber security threat has expanded from its origins in the home and office PC environment into Industrial Control Systems. At the end of 2017, the world's first successful hacker attack on a safety instrumented system (SIS) was discovered. Malware in a programming station (PC) modified older Triconex safety instrumented systems manufactured by Schneider Electric during ongoing operation. To do this, the programming station was manipulated in such a way that the usual programming function was used to exchange a user program fragment in the Triconex SIS. This modification put the SIS into a safe state. We suspect that the aim of the attack was more than to simply stop the SIS. Rather, it can be assumed that this was supposed to result in a crash. This malware is known as "TRISIS" or "TRITON" (hereafter referred to as "TRISIS").

In this presentation, Sujith Panikkar of HIMA will explain that by looking at a wider solution, through a combination of functional safety and IT security, businesses ensure their overall safety.

The presentation will address three core questions:

• Can the “insecurity” of integrated control systems influence the functional safety of a plant?
• What needs to be protected?
• Can the principles developed for functional safety be applied to security?

With reference to the international standards IEC 61508 for functional safety, IEC 61511 for Safety instrumented Systems and IEC 62443 for cyber security the session will deliver a unique perspective and thinking on this very real, very modern threat.

How problematic can the human element be in Industrial Cybersecurity?

Wetware refers to the human brain as analogous to, or in contrast with electronic
hardware and software. Although the human element is paramount in Industrial
Cybersecurity, its importance is not adequately highlighted in relevant International
Standards. This has striking similarity to the way the human element is inadequately
treated in most Functional Safety Standards.
This talk will provide a comparative review of standards on Industrial Cybersecurity
from the human factor point of view. It will also highlight its relevance and importance
with illustrations and case studies from the industry. It concludes with the authors'
recommendations on methodologies to embrace Wetware in lifecycle activities with a
holistic view-point.

DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. It was developed for communications between various types of data acquisition and control equipment and plays a crucial role in SCADA systems.

In this technical session, Ying Kiat Pang,  Director of Network and Software Security at Beyond Security Asia, will address the following topics:

•  Fuzzing and CRT
• A Glimpse of ISASecure EDSA evaluation elements
• beSTORM Fuzzing Framework
• Crafting the attack language - A Snippet
• Fuzzing DNP3 Layers

Please join us in the sponsor area for an exclusive with cocktails and appetizers and network with industry peers. At this reception we have prepared a fantastic menu and premium bar!

The speaker will share some highlights on his previous experiences on:

• Applying automation engineering mindset in industrial cyber security in different energy sectors.
• Adopting industrial cyber security designs that bring value to your organization.
• Implementing innovative techniques to resolving cyber security concerns
• Making industrial cyber security a value-driven approach

Backed by popular demand, the ICS CTF Challenge by NSHC Corporation is back in SecurityWeek's ICS Cyber Security Conference 2018 | Singapore! With realistic-looking ICS/SCADA scaled model landscape and using real PLCs, players can immersed themselves in multiple levels of quizzes and hands-on to score as many points as possible! As part of the CTF can be played online, hence players can enjoy both conference and the CTF at the same time!

Registration
The ICS/SCADA CTF competition is open to all conference ticketholders to play, enjoy and compete.
Participants simply have to register at the NSHC booth located in the Exhibition Area.

Gameplay
There are altogether 6 scenarios, each with its own set of challenges and scores.
The scenarios and challenges are based on real ICS/SCADA simulation using real ICS/SCADA components.
There are more than 50 challenges — Providing an enjoyable and unforgettable experience for both Beginners and Experts.

• Scenerio#1 : Focuses on malware analysis
• Scenerio#2 : Focuses on wireless hacking
• Scenerio#3 : Focuses on breaching an air-gapped Windows-based system
• Scenerio#4 : Focuses on breaching a Windows-based Engineering Station running a well-known HMI program
• Scenerio#5 : Focuses on breaching a PLC software/firmware
• Scenerio#6 : Focuses on creating “real-life” consequences on a railway model based on the flags captured in the above scenarios

Duration
The ICS CTF Challenge will be conducted over 2 days starting on the 24th Oct to 25th Oct, from 10am – 5pm on each day.
 

Equipment
All players are required to bring along their own laptops with at least these features:

• Any preferred hacking utilities of their choice (Kali Linux, ParrotOS, Backbox, Mimikatz etc).
• Own Wi-Fi & Bluetooth (built-in or external) and USB ports.
• A special hardware toolbox will be issued to each registered teams and registered individuals from the Umpire to accomplish certain tasks.

Prizes
Attractive prizes will be awarded to the top 3 winners at the end of the 2nd day closing ceremony
1st Place: Gold Medal + Apple earpods
2nd Place: Silver Medal + Wireless eye massager
3rd Place: Bronze Medal + Screw Driver Tool Kit

Skill Level
Basic IT knowledge will do. A keen-to-learn attitude is the key skill!

Dr. Marlene Ladendorff will share insights on the cybersecurity initiatives under way to secure protect digital APR1400 nuclear power reactors in the United Arab Emirates. Ladendorff, who was responsible for building cybersecurity procedures, processes, and programs during the construction and start-up phases of the plants, will give an exclusive look inside the current program at Emirates Nuclear Energy Corporation.

APR1400 Digital Nuclear Reactor Cyber Security

As new builds of the APR1400 digital nuclear power reactors continue construction around the world, applying appropriate cyber security controls to protect them presents a new challenge for nuclear cyber security specialists.  Cyber attacks continue to grow more complex and are increasingly focusing on critical infrastructure equipment.  Additionally, the cyber security defense industry is seeing an upsurge in combined attacks that blend cyber and physical security, resulting in complex incidents that require new security techniques in order to mount an effective defense.  Further complicating the issue, nuclear cyber security may not have the same definition and requirements in different countries around the world.  An ideal situation would be to build cyber security in to the plants as they are being constructed rather than “bolting it on” at a later date. However cyber security is implemented, the goal remains the same: protection against cyber attacks for the plant, the community, and the environment.

This session covers key security essentials for embracing Industry 4.0:

• Industry 4. 0 cyber security strategies for mitigating operational risks arising from connected smart factories and digital supply chains.
• Maintaining trust in process, technology and organization.
• Validating security, interoperability and reliability in operations   

Most important for an ICS is to secure operational technology (OT). OT-failure can be caused by many reasons: equipment failure, cyber-attack or even physical attack. In modern connected world having just ESD (emergency shutdown system) and control-logic rules are simply not enough. These means can be compared to signature-based protection in cyber world, where also other advanced technics like heuristics, whitelisting and ML are used. ICS environment can rapidly change and personnel has no possibility to change rules so fast.

ML/DL technologies today are matured enough to deal with extreme amount of ICS telemetry. Different signals (sensors and actuators values) are correlated by physical laws and control logic. With ML, it is possible to learn these correlations under normal operational condition and establish something like white-listed behaviour. Any failure or attack that changes some signal will cause relevant changes in other signals. ML-model detects such situation as an anomaly.

In this presentation, we will show how this idea is implemented in the Machine Learning for Anomaly Detection (MLAD) system, and how it works with Secure Water Treatment (SWaT) realistic plant simulation that was made publicly available by Singapore University of Technology and Design (SUTD).  We will provide description of an important benefits of the MLAD – how it allows to find the cause of detected anomalous behavior, do that fast and effectively.
 

Today with topics like Digitalization, Smart Cities and Clouds etc. the ideas we know about Industrial Control Systems are rapidly changing. With all the new functionalities and ease of access and monitoring operational data using a cell phone, the threat landscape is increasing. This result in extreme needs for cyber security additional solutions not only from OT Vendors themselves but also from external security vendors. Questions like hat are the challenges facing End Users when deciding integrating a security solution? Who needs to decide and based on what decisions needs to be taken? What should be considered after the integration? And other will be briefly answered during this session. The topics cover the difficulties faced by security solution provider and end users during Integration Phase and after operation during security patches update and based on what to get these update.

Please join us for lunch at Café Swiss, dining restaurant that is designed in a stylish modern architecture. Illuminated by an overhead of natural skylight, Café Swiss emanates an inviting aura of warmth and elegance for a tranquil respite. The sumptuous buffet lunch and dinner, offering a variety of European fare, are immensely popular.

For the first time, a safety system (Triconex) from the company Schneider Electric is compromised. The plant shut down. HIMA takes the incident very seriously and deeply analyzes the information available. HIMA reviews its own processes and products based on the security agencies' recommendations. The diversity between the Schneider and HIMA systems, the results of the security analysis carried out by Dragos as well as their different design philosophy suggest that the TRITON attack is not directly deployable among other vendors systems.

This presentation will summarize the experience gained during cybersecurity assessments of various IT components of  electrical grids.

Modern Smart Grid implementations contain large numbers of system-wide and specific vulnerabilities both in individual components and in overall ICS systems and networks. Identifying and using these vulnerabilities requires an average level of expertise and a modest level of funds. The implications of such attacks may vary from local fraud to negative physical impact on power substation components to large-scale network accidents.

This research presents the findings of several SCADA StrangeLove projects aimed at assessing the security of different elements of electrical grid such as network communications, relay protection, SCADA, application software, small-scale power generation systems. Details of technical vulnerabilities and related cyber-physical attack scenarios will be discussed.

The world is gearing up for a revolution that will likely be as game-changing as the invention of the automobile 120 years ago. Automation has the potential to fundamentally change our transportation systems, the way we build cities and the way we work and live our lives. The potential benefits are enormous, but there will likely be painful side effects that we need to anticipate and be prepared to address.

Almost all organizations conduct security assessment or security audits for their IACS setup, either internally of from third party consultants. This paper will cover these critical information that may be missed out by IT security specialist and IACS engineers. This paper will also provide the experience of conducting a security assessment for IACS, and to emphasize the critical scopes that might be missed out by the assessor.

This is a live demonstration for the “Last Line of Defense” countermeasures, meant for IACS environments that simply cannot patch their Windows Systems. The purpose of these “Last Line of Defense” countermeasures is to help minimise of the destructive nature of the malware for IACS operators until the long-term countermeasures can be achieved.

SecurityWeek's 2018 Singapore ICS Cyber Security Conference is winding down, but there is still time for some great discussions! Please join us for closing remarks and an open discussion where anyone can make comments, share insights, ask questions and engage in a lively discussion.

Conclusion of SecurityWeek's 2018 ICS Cyber Security Conference. Thank You!