Remember the discussion on SCADA from Y2K?
It doesn't look like the lack of security has gone away, just someone else is taking advantage of it.
SANS Process Control and SCADA Summit 2009
Sunday, February 1
4:00 pm - 5:00 pm
Special SCADA Overview - Matt Luallen, Encari
5:00 pm - 8:00 pm
Welcome: Registration and Super Bowl Reception
Monday February 2
7:00 am - 8:30 am
Breakfast - Sponsored by Mu Dynamics & Byres Security
8:30 am - 9:10 am
Keynote: The Future of the Smart Grid
Garry Brown, Chair, New York Public Service Commission
9:10 am - 9:50 am
Keynote Discussion: Security Risks and Other Problems with the Smart Grid and AMI.
Asset Owners and security researchers discuss security and cost issues surrounding the smart grid and Automated Metering Systems
Matt Carpenter, InGuardians; Wesley McGrew; INL speaker, Tom Flowers; Jonathan Pollet, Industrial Defender
9:50 am - 10:10 am
10:10 am - 11:20 am
Control System Cyber Incident Handling: A Law Enforcement Perspective Panel.
Police and law enforcement cyber crime units have to prepare for incidents on SCADA and control systems. This panel focuses on issues such as incident response, forensics, public collaboration, as well as challenges and successes regarding how law enforcement is dealing with these very important issues.
Moderator: Mark Fabro, President & Chief Security Scientist, Lofty Perch. Panelists: Jeff Morgan, Process Control Systems Analyst, Cyber Division, Federal Bureau of Investigation
What's Really Going On Out there in CyberAttacks, and What's Coming Next? - A Conversation with Jason Larsen.
Jason's deep understanding of the attack space, his wide and varied contacts among black and white hats, and his engaging style make this one of the audience's favorite sessions year after year at the SCADA Security Summits. His predictions about future attacks are often eerily accurate.
Jason Larsen, IOActive
11:20 am - 12:30 pm
What Works in Security Control Systems: Panel One. Asset Owners Share Lessons from the Trenches
Tom Flowers, Centerpoint: Security in a Disaster: How to Allow Third Party Access While Protecting Your Systems; Mark Heard, Eastman Chemical, Segmenting Networks for Effective Security; Troy Embree, P & G
Dale Peterson Brings You the Best of S4 2009 (SCADA Security Scientific Symposium). Highlights from the January 2009 gathering of the top SCADA security researchers. You get the most important elements of two days of presentations summarized in this one-hour session at the Summit.
Dale Peterson, Digital Bond
Wireless Threats with Matt Carpenter and Wesley McGrew
12:30 pm - 1:40 pm
1:40 pm - 2:40 pm
The Most Critical Vulnerabilities in Control Systems: Findings from the National SCADA Test Bed and the Control Systems Security Project.
Extensive testing of control systems from more than a dozen vendors has uncovered significant numbers of vulnerabilities. In this session, INL's Rita Wells and Gary Finco will each show you the most important vulnerabilities and tell you which ones could lead to the most damage if exploited and are hardest to correct. They'll also show you what can be done about each of them.
Rita Wells and Gary Finco, Idaho National Labs
The Software Patching and Updating Trade Offs for Critical Systems.
Some asset owners report that they have found a way to keep their systems patched without impacting reliability. Vendors are promoting significant improvements. In this panel you'll hear about progress along that front and be able to answer questions.
Kevin Staggs, Honeywell; Kevin Sullivan, Microsoft; Asset Owner (to be named)
2:40 pm - 3:40 pm
Public Utility Commissioners Meet the Security Challenge.
This session uses a simulated rate hearing to help asset owners and utility commissioners identify the most productive (and unproductive) means of discussing control system security challenges and helping regulators understand the investments needed to protect the reliability of the critical infrastructure.
Garry Brown, Chair, NY Public Utility Commission; Mike Assante, NERC; Seth Bromberger, Pacific Gas & Electric
The Most Promising Results from the COE Roadmap to Secure Control Systems in the Energy Sector.
Chaired by Tom Flowers, this session highlights Dale Peterson of Digital Bond describing the Bandolier project (which worked with vendors on finding all security-related parameters and created verification and auditing tools for continuous monitoring of all security parameters) and Bryan Richardson of Sandia National Labs describing the Ant Farm Project (a passive network mapping application that displays a 'picture' of your network).
Tom Flowers; Dale Peterson, Digital Bond; Bryan Richardson, Sandia National Labs
3:40 pm - 4:00 pm
4:00 pm - 5:15 pm
The Updated Procurement Standards: Buying Security Baked into Control Systems.
Remote Access (Dial-up Modems; Dedicated Line and Dial-up Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communications Security); Physical Security (Physical Access; Physical Perimeter Access; Manual Override Control; Intra-perimeter Communications); Network Partitioning (Network Devices; Network Architecture); and Wireless Technologies (Bluetooth; Microwave and Satellite; 802.11; ZigBee). They'll also discuss advances in worldwide adoption - especially in Europe and directions that the standards will go in the future.
Will Pelgrin, New York State Office of Cybersecurity and Critical Infrastructure; Rita Wells, Idaho National Laboratory; Robert McComber, Telvent; Larry Spoonemore, Southern Co.
S4 with Dale Peterson
5:30 pm - 6:30 pm
Cocktail Panel with the leading Control Systems Vendors
An opportunity to hear about the latest advances in cyber security from control systems and security vendors.
Tuesday, February 3
7:00 am - 8:30 am
8:30 am - 9:40 am
Keynote Panel: Penetration Testing; How the Attackers Get Through Your Defenses.
In 2008, executives in critical infrastructure industries (especially electric utilities) have demanded independent assessments on how well their systems and networks can withstand cyber attacks. This panel features the people most often called in to test those systems to determine whether they can be penetrated and how. These expert penetration testers will help you see exactly where the holes are and how they can bypass your defenses.
Top Penetration Testers from Idaho National Laboratory; Jason Larsen, IOActive, and others to be named
9:40 am - 10:00 am
10:00 am - 11:10 am
The Real Vulnerabilities and Risks in Serial Communication. Serial Communications Yesterday, Today and Tomorrow; Newly released research results that prove the vulnerabilities in Serial Communications; With the World Focused on TCP/IP Does Serial Become THE Target; Serial Vulnerability Mitigations - Promising Practices. Plus a bonus discussion of the critical vulnerabilities being exploited through USB worms.
Perry Pederson, Wurldtech; Eric Byres; To Be Named
The Three Most Important Things You can Do to Secure Your Control Systems.
Multiple perspectives on the most cost effective actions asset owners can take to improve security on control systems.
Eric Byres; Craig Dupler, Boeing
Red Team with Pen Testing Experts
11:10 am - 12:20 pm
Major Changes Coming in the NERC CIP Standards and Auditing
NERC has made enormous progress during the past few months in helping the electric sector to become leaders in understanding the threat and in mitigating the risks. But much more needs to be done and the CIP standards will be modified to help utilities do what is necessary. In this session, you'll hear from the people most responsible for making the needed changes and ensuring they are implemented fully and effectively and how they will be measured.
Mike Assante, NERC [plus others to be named by NERC]
Combination Session: The Three Faces of Cyber Crime and What Works in Security Information Sharing in Cyber Security.
A very fast-paced session that first introduces you to the attackers who are developing, using and enhancing the cyber attack tools, discussing what they are after, how they make their money, and what we can expect from them in the future. This is followed by a fascinating discussion of how and why companies in the UK actually share their attacks, vulnerabilities and mitigations.
Alan Paller, SANS; Sheridan, CPNI
Conversations with your Utility with Garry Brown
12:20 pm - 1:30 pm
1:30 pm - 2:40 pm
What Works in Security Control Systems.
Seth Bromberger, Pacific Gas & Electric; Stacy Bresler, Pacificorp; Mike Firstenberg, American Water; Joel Garmon, Florida Power & Light
CIP Standards with Mike Assante
2:40 pm - 3:50 pm
How to Upgrade the Security of the Control Systems You Already Own.
Three of the control system vendors who are doing the best job of baking security in. In this session leading vendors show you how you can use tools and techniques available today to implement the security improvements detailed in the SCADA procurement standards. They'll share the innovations they have added to their product lines and services and answer questions about what is and is not possible today.
Markus Braendle, ABB Power Systems
3:50 pm - 4:50 pm
Research Panel: What are the most promising research projects underway to improve security in cyber systems?
Ulf Lindqvist and representatives from the top control systems research organizations.
4:50 pm - 5:00 pm
5:00 pm - 6:00 pm
R & D Reception - This is a unique opportunity to discuss Process Control Research Initiatives. Please join us to find out what's new, what's being worked on and how you can benefit from it.