I agreed to speak at Jeffrey Carr’s Suits and Spooks in Boston on October 18th. The theme of this edition is Offensive Tactics Against Critical Infrastructure, and my sector to attack is electric. I’ll be showing how an adversary would compromise individual and large numbers of power plants. There are not going to be any new 0-days because the plants are insecure by design, but there will be new information on how an attacker would do this and how easy it is to have a major impact. (Note – space at the event is limited to 130, and the lineup is strong with Dan Geer and others)
This is an atypical audience to present ICS security too, and it is part of a deliberate strategy. We are increasingly avoiding the usual events and focusing more on ways to reach C-level executives and those outside the ICS security echo chamber.
Over the past ten years have seen dramatic increase in cyber security of a specific DCS or SCADA system occur in two different ways:
- A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture is at a level that most in the ICS security community believes is near impossible or doesn’t exist.
- The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than equipment purchase, so with the right emphasis and diligence over years an Operations team can get there.
So one key is to convince CEO/COO or those that influence CEO/COO that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEO/COO at ICSJWG, WEIScon, SANS Summits, … or on this website.