Selected Sessions at 2014 October ICS Cyber Security Conference

The 14th ICS Cyber Security Conference ( will have 5 major themes: Actual ICS cyber incidents; ICS cyber security standards; ICS cyber security solutions; ICS cyber security demonstrations; and ICS policy issues. The Conference focuses on what has REALLY happened and what is being done that affects the CONTROL SYSTEMS.

  • This is a case history of a very significant control system cyber incident and what has happened since. A broadcast storm resulted in complete and simultaneous failure of two interconnected power plant units (over 200 DCS processors with complete loss of logic with the plants at power). The discussion will provide details of the utility’s response to the incident including improving the robustness of the upgraded processor firmware and hardening its network against overloads or broadcast storms.

  • This is a real case history of a recent cyber attack of an off-shore oil platform. The presentation will discuss how big data was used to identify a cyber attack that caused the tilting and resultant shutdown of the platform.

  • This vulnerability may actually be more significant than Stuxnet as this affects any controller and may not be detectable. It is possible to sniff and inject packets into field device networks such as Modbus over RS-485, HART, Profibus, etc. Devices and applications residing on this control network can be vulnerable to specially crafted packets and instructions (the developers didn’t expect that packets could have correct CRC and incorrect content.)Moreover, some of the data that is collected at the field device level is passed to the higher levels. This “feature” can be used to attack not only the lower layers of network and/or industrial processes, but also corporate networks. Imagine hacking one small transmitter to gain remote command execution on the SAP system.

  • Aurora is still not well understood and affects every electric substation and substation customer. This presentation will include a detailed discussion of what is Aurora, why it is a gap in protection, and what can it affect. It will also discuss the first sets of Aurora hardware mitigation data from two utilities.

  • There is minimal guidance on how to identify the potential consequence from cyber vulnerability disclosures. An end-user control system cyber security expert will provide a general methodology for determining the potential consequence of vulnerabilities. That is, what do I have to do and when.

  • A utility has been acting as a test bed for evaluating control system cyber security solutions for reliability. The utility is monitoring their control system network and using this information to improve reliability and reduce maintenance costs. The utility will provide a status of the efforts including the close integration of IT, OT, and Operations.

  • Recent studies such as the Unisys Ponemon report have attempted to indicate the state of critical infrastructure security without significant input from the ICS community. Consequently, the results and conclusions may be suspect. This presentation and associated survey will be the start of an assessment of the state of ICS cyber security based on input from the ICS community.

  • Cyber insurance is becoming an important consideration in IT. However, providing cyber insurance to the ICS community where business continuity and personal safety are critical is a more difficult problem. A major international insurance carrier will provide their perspectives on the carrot and stick approach necessary to provide cyber insurance for ICS operators.

  •  There is much more to follow.

     Joe Weiss