Topic: Top 10 Things They Hate about Us: Avoiding the Security Traps in an IACS Assessment
Join us for this presentation by Bri Rolston, Chief Research & Security Geek, GkJuju Security & Consulting Services
Time and Location: December 16th, via Zoom Meeting 12:00-1:00pm
Please Note: Zoom information will be sent in the RSVP Confirmation Email.
Presentation Summary: In 20 years of IACS security work, I have yet to meet an engineering or process control team that doesn’t have a Top 10 Hate List for the security team. 10-20 security controls repeatedly cause more damage than they prevent if not rolled out in a thoughtful, methodical way to IACS networks.
How can cyber security risk management efforts be considered effective if they CAUSE the impact we were hoping to avoid? Why is it so hard for engineering and control system teams to fight the obvious and get IT and cyber security groups to pay attention?
We’ll cover the basics of Industrial Automation and Control Systems (IACS) and why they differ so greatly from corporate IT environments. Then, we’ll discuss how to secure them appropriately and balance functional vs technical security risk. We’ll actually walk through a common Life Cycle Management (LCM) problem and do a technical risk analysis of it.
Bri Rolston, Chief Research & Security Geek, GkJuju Security & Consulting Services.
By day, this mild-mannered <insert sarcastic disbelief here> geek works at Idaho National Laboratory and specializes in defensive, security engineering research and threat response. She has more than 25 years’ experience in telecommunications, Information Technology (IT), Industrial Automation & Control Systems (IACS)/Operational Technology (OT) security research as well as a wide range of operational security experience including incident response, threat management, risk analysis & remediation, vulnerability management, secure code development, cloud security, and IACS security program development. She has trained a number of IACS incident response teams including DHS CIRT in 2005, contributed to IACS and OT security standards development for DHS, DOE, NIST, and ISA/IEC, run a number of incident response efforts for nation-state attacks (Google Aurora 2010), and has a patent for efficient attack path selection and risk analysis.
By night, the geek side REALLY comes out. She spends more time than she should considering deeply geekly ideas as part of the global research community, helps organize conferences such as BSides IF, volunteers at small community groups, and vacations at different security cons. During this time, she follows the darker path of threat research–fingerprinting attack teams, examining the halo effects in exploit development, and identifying 2nd-payload in IACS/OT attacks. Sometimes, she even plots world domination and may plan to take over the world using an IIoT tractor, SDRs, cell-towers, drones, and satellites. <Cue evil laugh>