Last week I attended the S4x18 Conference in Miami Beach. S4 is one of the premier conferences in the industrial control systems (ICS) security space, and is attended by many of the security researchers in our space, as well as by many asset owners of critical infrastructure.
This was our first year attending the S4 Conference, and I got lots of ideas for how to improve our security processes while there. While most of the content is intended for asset owners, not software vendors, there was still quite a bit of relevant information.
Here are some of my thoughts from the conference:
Lean OT Security: How Usability Can Shape Security
I was interested to hear Ralph Langner (of Stuxnet fame) talk about “Lean OT Security.” Of course, the idea of “lean” is something we are very familiar with here at IA, but I’d never heard the concept applied to security before, which usually has a more formal approach.
I think he made some very good points about why usability should be a primary consideration for security measures, because without considering usability, humans will find ways to work around the security measures.
Since I’m always thinking about product design, this approach made a lot of sense to me. I think we can also do better at building the security model within Ignition to be more user-friendly, and by doing so, encourage more users to build more secure systems.
EPRI Technical Assessment Methodology
A team from OSIsoft gave a good talk about the EPRI (Electric Power Research Institute) Cyber Security Technical Assessment Methodology, and their experience going through that process.
The outcome of this assessment methodology is a standardized document called a Cyber Security Data Sheet (CSDS), which is kind of like a Material Safety Data Sheet for software. I think this will become a valuable tool by providing a common language and rubric to discuss the security of a software product.
The ICS Community Rewards Transparency
There was a lot of discussion and detail at S4 surrounding the Triton/Trisis/HatMan attack on Triconex safety systems.
While the technical details of these attacks were very interesting in and of themselves, I was also interested in how the community reacted to Schneider Electric’s response to the issue. The fact that Schneider had experts on stage at S4 divulging details of the attack was very warmly received by this crowd.
Apparently in this community, vendor transparency has not been the norm in the past, and Schneider’s transparency was rewarded with multiple rounds of applause. Great to see this kind of transparency becoming more common in the security space.
You can watch the session here:
#s4x18 Awesome transparency from @SchneiderElec on the TRISIS-TRITON malware. They have set the bar high for other vendors to follow. Kudos to my good friend Paul Forney for continuing to lead the way in ICS security.— Marty Edwards (@ics_Marty) January 18, 2018
Don’t Forget the Obvious When It Comes to Security
Much of the S4 Conference is focused around highly technical discussions of both exploits as well as high-tech prevention and intrusion detection systems.
While the technical depth of these topics is considerable (the talk on private key-sharing using quantum photon entanglement blew my mind), it is still amusing to see that in most real-world attacks, even attacks with very high-tech components, the genesis of what makes the attack possible is usually a very low-tech social engineering attack or an exploit of a physical security flaw.
In so many systems, people are still the weakest link. Makes me glad that here at IA we have started focusing so strongly on training our staff, especially training and testing people on spotting phishing emails, which are so often the attack vector.
A Parallel to Our Own Ignition Community Conference
One of the most interesting things to me personally about the S4 Conference wasn’t necessarily the content itself, but the community and the conference format.
In many ways, S4 is extremely similar to our own ICC: The attendee count was nearly identical, both are held in performing-arts centers and spread onto three stages, and both are attended by enthusiastic communities of experts who are excited to be sharing with their peers.
The big difference is that while I am certainly an “insider” at ICC, I was a complete outsider in this community; none of the familiar faces I’m used to seeing were present. It was interesting to observe such a similar but separate community conference, and gave me some perspective on what it must be like for newcomers attending ICC.
Of course, there is so much more to the conference than what I touched upon. If you are interested to learn more about the S4 Conference, visit https://s4x18.com/. Also, if you want to watch some of the keynote presentation and session highlights, visit the S4 YouTube Channel.