Takeaways from the 2024 SANS ICS Security Summit
Hitting on some personal highlights from the ICS Security Summit
I had the great opportunity to attend this year’s SANS ICS Security Summit and had an awesome time. I decided to put some notes together that hopefully a few people find interesting.
Note 1: Some entries have additional context, while some don’t.
Note 2: All opinions are my own and are not related to my current employer.
A few quick hits:
What was the Summit about and what is ICS
From the SANS site:
The annual ICS Security Summit brings together the industry's top practitioners and leading experts from around the globe to share actionable ideas, methods, and techniques for safeguarding critical infrastructure.
ICS = Industrial Control Systems. These systems fall under the broader term Operational Technology (OT). IT and OT differ in many ways when it comes to cybersecurity (I'll be writing another blog post covering the basics). The key thing to note is that OT/ICS usually support Critical Infrastructure (think Electric, Gas Pipelines, Water/Wastewater systems, etc.). As such, the safety and availability of these systems are critical.
Location
First off, the location was awesome - it was held on June 17th-18th at the Disney Contemporary Resort in Orlando, Florida. Attendees were able to get group rates for rooms as well as for Disney World tickets. Definitely a plus.
Structure
This year’s Summit was split into 4 parts.
Day 0 was an “ICS/OT Foundations Workshop” with Tim Conway & Robert M. Lee. I didn’t attend this, but learning from those two guys would be a great time.
Day 1 was something different this year: a full day of SANS instructor-led talks, demos, and technical labs.
Day 2 was a full day of Summit keynote and talks.
Following Day 2, they also offered in-person training courses for their SANS ICS Security related training.
Key Takeaways
“Defensible Architecture and Remote Access” Jason Dely & Stephen Mathezer
Jason Dely presented a Defensible Architecture Life-Cycle consisting of the following four stages: Scoping Phase, Design Phase, Implementation, and Maintain.
When it comes to designing and deploying a Defensible Architecture, many people won’t put in the initial work required to fully understand the environment they are trying to secure.
In the Scoping Phase, Jason emphasized the importance of identifying every Asset and interviewing every “User”, including vendors, to document their needs and determine exactly how the Assets are used. He noted that this could indeed turn into a lengthy stage, but the output will be well worth the effort.
“Emerging Regulations and Their Impact on Critical Infrastructure” Jason Christopher
Most Critical Infrastructure sectors have regulations that dictate minimum levels of cybersecurity (NERC CIP for Electric, TSA Security Directives for Pipelines, etc.).
There was a spike in new regulations of this type in 2022, and more frequent updates are possible going forward.
Additionally, there are multiple frameworks that organizations can use to structure and assess their programs. Jason recommended that everyone perform a mapping exercise (for example, mapping C2M2 against the NIST CSF), as it is useful for determining gaps.
“Current ICS Trends” Robert M. Lee , Tim Conway, & Jason Christopher
The three presenters discussed topics of ICS Network Visibility Monitoring, Cloud, and AI.
Regarding Network Visibility and Security Monitoring, Rob shared the statistic that less than 5% of Critical Infrastructure is currently monitored. For those new to the ICS space, this may seem alarming - and frankly it is. I’ve seen expansion of this capability over the last few years and with the potential of this becoming a NERC requirement (read about it here), the number should continue to grow.
However, I’ve seen firsthand that it can be difficult to get these projects off the ground: the current tools can be expensive to deploy and maintain (solutions designed for IT Enterprises won’t do), many companies have hundreds or thousands of geographically dispersed sites (many in the middle of nowhere), and it takes expertise that is hard to find (understanding of ICS protocols, ICS networking, and common attacks).
Rob mentioned that most companies should focus on monitoring somewhere between 25% and 75% of their systems. I personally agree with this line of thinking: focus first on critical systems and then expand coverage after that as needed.
Regarding Cloud and AI, the main point was that Cloud and AI for ICS is coming whether we like it or not - instead of taking a hard opposing stance, it would be more worthwhile to research and understand how to provide security around these technologies.
“ICS Incident Response” Dean Parsons
Dean spoke at length on his experiences performing IR in ICS environments. This workshop was great and I wish it was even longer. Here are a few points I managed to capture:
Companies in this space often get carried away with Attribution. Dean recommends lowering this on the priority list, as Attribution can introduce bias into the IR process.
Containment, Eradication, and Recovery need to be treated differently in ICS environments. Moving too fast to contain can introduce more problems and even jeopardize safety (e.g. disconnecting a critical system from the ICS network). Some malware can be half-contained (block the ports/IPs it uses) and left until the next scheduled downtime for removal.
Engineers won’t respect you if you only use IT scenarios and terminology (e.g. “don’t click on bad links”); you need to be able to understand and communicate actual ICS malware and the TTPs it uses.
The four most targeted types of ICS-related systems: Data Historian, HMI, Engineering Workstation, PLCs/RTUs.
Memory acquisition and PCAP analysis are incredibly useful in these environments - sometimes that’s all you can get.
Tabletop Exercises are highly recommended: a Ransomware exercise brings the most internal political value (bringing teams together), while a Living off the Land exercise brings the most real-world value.
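To make the PCAP-analysis point (and the "Living off the Land" angle) concrete, here is an added example that is not from the post or from the Summit. It assumes Modbus/TCP as the protocol (the post does not name one) and constructs a handful of sample frames between hypothetical hosts: an engineering workstation, a historian, a PLC and an unknown host. The parser decodes the MBAP header and function code; the detector flags write function codes (5, 6, 15, 16) issued by any source not on an allowlist, which is exactly the "legitimate protocol from the wrong host" pattern a living-off-the-land exercise would rehearse. Host addresses, the allowlist and the frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state. Everything else is treated as
# read/diagnostic traffic for this example.
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function_code: int
    payload: bytes  # PDU data following the function code


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU) from a TCP payload."""
    if len(data) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", data[:7])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after the first 6.
    if length != len(data) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    return ModbusFrame(src, dst, tid, unit_id, data[7], data[8:])


def build_frame(tid: int, unit_id: int, function_code: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP ADU. Used here only to construct sample traffic."""
    pdu = bytes([function_code]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def describe_write(frame: ModbusFrame) -> str:
    """Human-readable summary of a write request (address/value or address/count)."""
    fc = frame.function_code
    name = WRITE_FUNCTION_CODES[fc]
    if fc in (5, 6) and len(frame.payload) >= 4:
        addr, value = struct.unpack(">HH", frame.payload[:4])
        return f"{name} addr={addr} value=0x{value:04x}"
    if fc in (15, 16) and len(frame.payload) >= 4:
        addr, qty = struct.unpack(">HH", frame.payload[:4])
        return f"{name} addr={addr} count={qty}"
    return name


def detect_unauthorized_writes(packets, allowed_writers):
    """
    packets: iterable of (src_ip, dst_ip, tcp_payload) taken from TCP/502 traffic.
    allowed_writers: set of source IPs permitted to write to PLCs (e.g. the EWS).
    Returns one alert dict per write issued by a host outside the allowlist.
    Malformed frames are skipped here; on a real capture they deserve their own alert.
    """
    alerts = []
    for src, dst, data in packets:
        try:
            frame = parse_modbus_tcp(src, dst, data)
        except ValueError:
            continue
        if frame.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append({"src": src, "dst": dst, "unit": frame.unit_id,
                           "detail": describe_write(frame)})
    return alerts


# Constructed sample traffic between hypothetical hosts; not captured from any real network.
EWS, HISTORIAN, PLC, UNKNOWN = "10.1.1.20", "10.1.1.77", "10.1.1.50", "10.1.1.99"

SAMPLE_PACKETS = [
    (EWS, PLC, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),        # EWS reads 10 holding registers
    (EWS, PLC, build_frame(2, 1, 6, b"\x00\x10\x00\x64")),        # EWS writes register 16 = 100 (expected)
    (HISTORIAN, PLC, build_frame(3, 1, 3, b"\x00\x00\x00\x64")),  # historian polls registers (expected)
    (HISTORIAN, PLC, build_frame(4, 1, 16, b"\x00\x10\x00\x02\x04\x00\x01\x00\x02")),  # historian WRITES
    (UNKNOWN, PLC, build_frame(5, 1, 5, b"\x00\x01\xff\x00")),    # unknown host forces coil 1 ON
    (UNKNOWN, PLC, b"\x00\x06\x00\x01\x00\x02\x01\x03"),          # protocol id 1: not Modbus, skipped
]


def run_sample():
    """Only the EWS is allowed to write; the historian and the unknown host should be flagged."""
    return detect_unauthorized_writes(SAMPLE_PACKETS, allowed_writers={EWS})


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it yields two alerts: the historian writing two registers starting at address 16, and the unknown host forcing coil 1 on. The historian case is the interesting one for a tabletop: the host is expected on the network and polls the PLC all day, so only the direction of the operation (a write where reads are the norm) gives it away, which is why a baseline of which hosts write to which PLCs is worth building before an incident.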
Conclusion
Hopefully you find these notes helpful/useful. To anyone considering going to a future Summit, I’d recommend it. Thanks for reading!