S4 Update
The 2008 Edition of the SCADA Security Scientific Symposium (S4) is January 23-24 in beautiful Miami Beach, Florida.
Remember the Call for Papers deadline is September 15th.
We are searching the world for the best research on control system security, and we want your help. Do you know a researcher doing important work? Send me his or her contact info.
We are chasing a great paper on anomaly detection in control systems. Seems like a natural given the more predictable nature of communications in these systems, and DHS HSARPA even funded a couple of efforts. We are also chasing papers performing security analysis on non-Windows operating systems used in control system devices, such as VxWorks and QNX, although embedded XP would be interesting as well. What don’t we know about that we should be chasing?
Last year we found groundbreaking analysis on OPC vulnerabilities in Hamburg and Barcelona. We found a grad student at University of Milan taking an innovative SCADA cryptography approach. (FYI – that student’s skills, with a little help from S4 publicity, landed him at the University of Illinois/TCIP for PhD studies.) We found approaches to calculating risk and controller test methodologies in Canada. And of course some of the traditional research institutions, Sandia, Mitre and SRI, presented great work on current research at the event.
Some of you may be aware that SANS recently announced they will be holding another SCADA Security Summit in New Orleans the week prior to S4. Although both events address control system security, they are targeted at very different audiences. Per the SANS email, they focus on things like “best practices … overviews … education and awareness aimed at the CEO and executive level … procurement guide …”. These events, whether they be Joe Weiss’s event, SANS, PCSF, or ISA Expo, are all highly useful for the broad community learning about SCADA security.
S4 is different. Executives, marketing and those that are non-technical should not attend. It is for the person who has been to those other events and said “where’s the beef?” It is detailed code analysis, vulnerability testing methodologies, mathematics and statistics, protocol generation and analysis, crypto, hardware and software performance, … We give our speakers an hour because the level of detail required cannot be presented in twenty minutes. Speakers provide a technical paper that is published in the proceedings book. Very importantly, we ensure the papers and presentations do not go over basic material the attendees have heard multiple times, such as the differences between control systems and IT systems or what a PLC is.
Look at the abstracts from last year’s proceedings or, even better, buy the book at our site or at Amazon.
Author: Dale Peterson
Posted: August 21st, 2007 under S4.