5 Interesting Takeaways from the S4x18 ICS Security Conference

S4x18 ICS Security Conference - Miami Beach, Florida


Last week I attended the S4x18 Conference in Miami Beach. S4 is one of the premier conferences in the industrial control systems (ICS) security space, and is attended by many of the security researchers in our space, as well as by many asset owners of critical infrastructure.

This was our first year attending the S4 Conference, and I got lots of ideas for how to improve our security processes while there. While most of the content is intended for asset owners, not software vendors, there was still quite a bit of relevant information.

Here are some of my thoughts from the conference:


Lean OT Security: How Usability Can Shape Security

I was interested to hear Ralph Langner (of Stuxnet fame) talk about “Lean OT Security.” Of course, the idea of “lean” is something we are very familiar with here at IA, but I’d never heard the concept applied to security before, which usually has a more formal approach.

I think he made some very good points about why usability should be a primary consideration for security measures, because without considering usability, humans will find ways to work around the security measures.

Since I’m always thinking about product design, this approach made a lot of sense to me. I think we can also do better at building the security model within Ignition to be more user-friendly, and by doing so, encourage more users to build more secure systems.

 

 

EPRI Technical Assessment Methodology

A team from OSIsoft gave a good talk about the EPRI (Electric Power Research Institute) Cyber Security Technical Assessment Methodology, and their experience going through that process.

The outcome of this assessment methodology is a standardized document called a Cyber Security Data Sheet (CSDS), which is kind of like a Material Safety Data Sheet for software. I think this will become a valuable tool by providing a common language and rubric to discuss the security of a software product.


The ICS Community Rewards Transparency

There was a lot of discussion and detail at S4 surrounding the Triton/Trisis/HatMan attack on Triconex safety systems.

While the technical details of these attacks were very interesting in and of themselves, I was also interested in how the community reacted to Schneider Electric’s response to the issue. The fact that Schneider had experts on stage at S4 divulging details of the attack was very warmly received by this crowd.

Apparently in this community, vendor transparency has not been the norm in the past, and Schneider’s transparency was rewarded with multiple rounds of applause. Great to see this kind of transparency becoming more common in the security space.

You can watch the session here:


 

 

Don’t Forget the Obvious When It Comes to Security

Much of the S4 Conference is focused around highly technical discussions of both exploits as well as high-tech prevention and intrusion detection systems.

While the technical depth of these topics is considerable (the talk on private key-sharing using quantum photon entanglement blew my mind), it is still amusing to see that in most real-world attacks, even attacks with very high-tech components, the genesis of what makes the attack possible is usually a very low-tech social engineering attack or an exploit of a physical security flaw.

In so many systems, people are still the weakest link. Makes me glad that here at IA we have started focusing so strongly on training our staff, especially training and testing people on spotting phishing emails, which are so often the attack vector.

 

 

A Parallel to Our Own Ignition Community Conference

One of the most interesting things to me personally about the S4 Conference wasn’t necessarily the content itself, but the community and the conference format.

In many ways, S4 is extremely similar to our own ICC: The attendee count was nearly identical, both are held in performing-arts centers and spread onto three stages, and both are attended by enthusiastic communities of experts who are excited to be sharing with their peers.

The big difference is that while I am certainly an “insider” at ICC, I was a complete outsider in this community; none of the familiar faces I’m used to seeing were present. It was interesting to observe such a similar but separate community conference, and gave me some perspective on what it must be like for newcomers attending ICC.


More Resources

Of course, there is so much more to the conference than what I touched upon. If you are interested to learn more about the S4 Conference, visit https://s4x18.com/. Also, if you want to watch some of the keynote presentation and session highlights, visit the S4 YouTube Channel.


Tags /

Security
AUTHOR
Carl Gould
Chief Technology Officer / Inductive Automation
Carl Gould is Chief Technology Officer at Inductive Automation. As CTO, Carl is responsible for the overall technical strategy and roadmap for the company and its products. Carl has been with the company from the ground up as one of the original creators of Ignition. His work over the years in leadership roles, including Director of Software Engineering, has been instrumental to the development of Ignition and to the company's rapid growth. Today, Carl continues to innovate new ways to elevate the software, the company, and the manufacturing automation industry as a whole.
Table of contents