I was proud to attend and participate in this year’s S4 event in Miami, Florida: The Future of OT and ICS Security. S4 is the largest gathering of ICS security talent in the world. This year’s event was held at The Fillmore, Miami Beach, from April 19-21. It was 3 days, 3 stages, and 64 speaker sessions. There were over 800 attendees from 30 countries, including a record 164 women! The conference was not only a mind meld of the industry’s best, but an ideal opportunity for me to make new friends and reconnect with many of our colleagues and partners.
The Theme of S4 in 2022: No Limits!
Covid prevented most of us from meeting in such a venue for the past two years, so S4x22 had special significance as turning a new page in the ICS security dialogue. Dale Peterson, the master of ceremonies and event organizer, lost no time in emphasizing this milestone in his opening remarks, presenting us with a challenge: “What if you had to deal with dirty assets forever? What if employees didn’t need an accurate asset inventory?” The opening set the stage for the themes of the event: no limits, and consequences. These themes resonated through many of the presentations I listened to and was privileged to participate in.
I was honored to participate in a Technical Deep Dive with Monica Tigleanu of MunichRe: The Great Debate: Cyber Insurance Will Play A Major Role In OT Risk Management. I argued the con side. I’ll share more about our debate in an upcoming blog post once the video is available.
There were so many great discussions, it would be difficult to write about them all. I’ve decided to highlight a few below:
Niloofar Razi Howe on Cyber Conflict and International Relations
Niloo hit it out of the park with her compelling presentation on how technology, privatization, and social media have changed the nature of war, as evidenced in the Russian attack on Ukraine. Society now has access to intelligence that used to be the sole domain of powerful governments; this intel is being used by private citizens and governments alike as a tool in modern conflict. She argued that we now live in a world of conditional probability and the cards are being dealt more and more quickly, which can rapidly change “the hand” in international relations. In fact, she pointed out, this is the first time in human history that the pace of change is outstripping our ability to gain mastery.
“You, [OT/ICS cyber pros], are the front lines” – @NiloofarHowe, @EnergyImpact_ Sr. Operating Partner, speaking about cyber conflict and international relations at #s4x22 by @digitalbond! pic.twitter.com/wD7NnQR6N5
— Rob Terrin (@RobTerrin) April 19, 2022
Dale Interviews Dave Lewis on Being a CISO and Talking OT Security to Your CISO
My key takeaway from Dale’s interview with Cisco’s CISO is about security debt. Dave Lewis likened it to the national debt of the US: something that we will have to deal with for as far into the future as we currently imagine. It is truly a problem spanning many decades. The situation makes it imperative for CISOs to always focus their attention on making changes based on what matters most to the business. He dreams of a technology solution that informs him when he logs in every morning, “Here are 29 new issues, and here are the 2 that need your attention because of their potential impact on the business.” He also mused about the technology marketplace, saying “Relationships matter – the days of dropping a box of gear on my loading dock and disappearing forever are long since over.”
Rob Lee Discusses ICS Cyber Threat in 2022
Early every year Rob Lee gives a year-in-review talk on threats, vulnerabilities, and case studies from the previous year. Rob debuted his 2022 version of this highly anticipated speech, delivering a provocative and informative overview of the new Pipedream ICS attack tool framework. Key points included:
Initial target set seems to be US LNG and some electric power; intent was clearly to take down key US infrastructure.
It’s not true that only orgs with Schneider or Omron gear need to be concerned: the framework is much more generic, although the initial targets have been organizations operating Schneider and Omron.
The framework is very capable – it provides an attacker with the ability to leverage the native capabilities of an OT system.
You don’t get a vote on whether you are a target. You only have control over your protective and responsive capabilities.
95% of the mitigations that the gov’t has recommended are preventative. Rob wishes that more airtime would be given to defensive and responsive recommendations. He said that changing default configurations and passwords on Schneider gear is a particularly important mitigation and encouraged east-west monitoring in addition to the more common north-south.
Rob wrapped by shaming the attackers for doing such a bad job that the framework was discovered before ever being activated.
Dale Peterson Interviews CISA Director Jen Easterly
Jen Easterly commanded the audience with her understanding of and commitment to ICS cybersecurity. During the interview, Jen announced the expansion of the Joint Cyber Defense Collaborative (JCDC) to include Industrial Control Systems (ICS) experts—security vendors, integrators, and distributors—to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems and operational technology (ICS/OT). Companies initially joining the JCDC-ICS effort include Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem, as well as several JCDC Alliance partners. “Cyber threats to the systems that control and operate the critical infrastructure we rely on every day are among our greatest challenges. As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise, and ingenuity of the ICS community. I’m excited to leverage our evolving JCDC platform to enable us to plan, exercise, and collaborate with industry leaders to drive down risk to the systems and networks we depend on so greatly as a nation,” said Easterly.
Read the full CISA press release here: https://www.cisa.gov/news/2022/04/20/cisa-expands-joint-cyber-defense-collaborative-include-industrial-control-systems
Dale Peterson on Security Truth or Consequences
Dale Peterson’s “Truth or Consequences” session provided the most compelling argument I’ve heard for focusing on consequence management as an often-overlooked strategy to reduce OT risk. In every example, he pointed out the tendency to focus on layering in additional protective controls in a never-ending probability reduction exercise that will never guarantee the risk is reduced to tolerable levels. On the other hand, focusing on consequence mitigations can assuredly reduce OT risk scenarios to acceptable levels. To repeat: Focus on consequence mitigations!
S4x22 was a Wonderful Place to Rekindle Relationships and Start New Ones
Besides the presentations and technical deep dives, there was plenty of time for me to reconnect with fellow colleagues and partners. Festivities included a Craft Beer Bash, a party at the Miami Beach Botanical Gardens, and Cabana Sessions with industry colleagues around the Surfcomber pool. S4x22 proved to be the most mission-centric and welcoming cybersecurity event I’ve ever attended.