S4x16 Call For Presentations

s4 final on black

We have opened the S4x16 Call For Presentations on the event website. Since 2007 S4 has been the place to show your ICS Security research to an advanced audience that will get it. In recent years we have added Operations Technology (OT) and ICS Cyber Weapons sessions to the event. But again these sessions are aimed at an audience that knows the basics and doesn’t want to hear SCADASEC 101.

The new venue in South Beach will allow us to produce sessions on two big stages, so we will be hunting harder than ever for quality, fresh and entertaining content.

Here is the short version of the CFP:

  • Email your proposed idea for a S4x16 session to s4@digitalbond.com
  • Explain the session in 2 to 3 paragraphs highlighting what is new or novel about the session
  • Identify if it is a Technical Deep Dive Session or Main Stage Session
  • Identify the time requested for the session (15, 30, 45 or 60 minutes)

Also email us any ideas you may have for speakers or topics we should chase for S4x16. We evaluate submissions as they come in, so sending your session idea in early increases the odds it will be accepted. The CFP closes on September 1st.

Book Review: There Will Be Cyberwar

Screen Shot 2015-07-01 at 9.17.37 AMThere Will Be Cyberwar: How The Move To Network-Centric War Fighting Has Set The Stage For Cyberwar by Richard Stiennon

Read this book if you are looking for a summary of the attacks and cyber incidents that have occurred over the past 20 years in government, military, critical infrastructure and business. It also provides numerous concise examples of security controls that are needed to combat the attacks described in the book.

Don’t read this book if your focus is ICS. There is a bit of information on ICS incident, but not enough to justify reading for that purpose and you will find minor problems with the ICS text. Don’t read this book if you are looking primarily for a discussion and analysis of the future of “cyberwar”.

With the exception of the fictional scenario in Chapter 1 most of the book is focused on synopsis of past incidents. It does however convincingly make the case that weapons systems, communication systems and many other elements required to effectively fight a war are now connected to networks, more reliant on software and therefore subject to a cyber attack.

Given the title, There Will Be Cyberwar, and in light of Thomas Rid’s Cyberwar Will Not Take Place it is almost mandatory to see if Richard made his case and why the two authors come to diametrically opposed conclusions.

The answer is actually simple. The two authors have very different definitions for cyberwar. Thomas spent a lot of time defining war and then cyberwar in his book, and he made a convincing case why this definition of cyberwar will not be met. Read the book and listen to my podcast with Thomas to understand this point of view.

Richard has a much less stringent definition of what constitutes cyberwar.

Cyberwar is the use of computer and network attacks to further the goals of a war-fighting apparatus.

Richard has made the case clearly in his book that based on this definition cyberwar will happen and incidents have probably already occurred that would meet this definition.

I’ve heard no dispute that cyber weapons will be used in wartime, just a dispute over the term cyberwar.

A more interesting question is will we see a use of cyber weapons in war that is akin to the Battle of Britain / air warfare? I first heard this question from Jason Healey of the Atlantic Council in a panel discussion. The Battle of Britain proved that air power alone could be used to win a major battle. Will we see a major battle fought entirely in the cyber domain?

Richard also describes what would constitute a Cyber Pearl Harbor in the book.

It is not the destruction of the power grid, or the loss of communications from attacks against the Internet and telecom infrastructure, or even the collapse of the stock market that deservers Panetta’s dire warning. Only a crippling military defeat thanks to overwhelming control of the cyber domain deserves to be labeled a Cyber Pearl Harbor.

I believe the last sentence is a better definition of cyberwar, and perhaps a slightly modified version of the earlier definition is better for cyber weapons. In the end most of the disagreement is definitions, and this is less interesting or important than how cyber weapons will be created, deployed and used as well as defended against.

Note: I read the Kindle version on an iPad Mini 3 Kindle app. The formatting is wrong, but not so wrong to make the book unreadable on that device and still worth the convenience and savings over the print version for me.

S4x15 Video: Attribution and Retribution Panel

S4x15 came on the heals of the attack on Sony. Everyone was discussing how cyber attack attribution can be done and the level of certainty that is possible, so we had a panel to discuss this very issue.

The second part of the panel discussed what does the victim due after they have attributed an attack to a nation or organization —retribution.

The panel included Bill Hagestad of Red Dragon Rising, Jonathan Pollet of Red Tiger, and Tim Yardley of University of Illinois.

Unsolicited Response Podcast: Eric Byres after Tofino

After a long and successful struggle to bring an industrial firewall to market, Eric Byres is leaving Belden and Tofino behind. We shouldn’t call it retirement because I expect that Eric will be contributing in a number of different ways in the next ten years.

I gave Eric a few months to clear his head and then talked with him for this episode of the Unsolicited Response Podcast.

The first 16 minutes of the episode are a retrospective of Tofino. What features were surprisingly effective, what were the biggest challenges and dark times, when will we see Tofino on a chip and more.

After that we talk about bigger questions on the ICSsec community, Eric’s home automation and what he may do next.

S4xJapan Call for Presentations

HankoWe are pleased to announce a return to Tokyo for the S4xJapan event on Friday, November 6th.

S4xJapan will be held again at Academy Hills on the 49th Floor of the Roppongi Hills Mori Building. There will be a fun and novel social event (last year was the Kaspersky KIPS game for the first time in Japanese) with food and drink after the days sessions complete. And then you will be close to the Tokyo nightlife on a Friday night to have some fun with old and new friends in the ICS security community.

The event will be a very full one-day that will cover ICS security, Operations Technology (OT), ICS cyber weapons and related topics.

We are looking for sessions in both English and Japanese (simultaneous translation will be provided).

If you have a session you would like to present or know of a speaker or topic we should chase, send us an email at S4@digitalbond.com.

We will welcome some presentations from overseas experts with new information and techniques. If this is you, please note that PACSEC JP is the following Wednesday and Thursday so you can potentially speak at two events and enjoy some time in Tokyo.

S4x15 Video: Simulating Multiple Substation Failures

This is a great session for power engineers and those involved in substations to watch. It is an extremely technical session by Dr. Chee-Wooi Ten of Michigan Technological University.

The key point is actually easy to understand. The most critical substations to secure may not be the highest voltage substations, and this session provides a set of mathematical equations to perform an impact analysis to identify the most critical substations.

Dr. Ten gets into the modeling and mathematics in significant detail in the video.

S4x15 Video: Power Fingerprinting

We generally do not allow product presentations at S4, but occasionally there is a technology that is novel or potentially important that we make an exception. For example, we had Kaspersky present on their ICS operating system at S4x15.

A second exception was made for Carlos Aguayo Gonzalez of PFP Cybersecurity to present the idea of using Power Fingerprinting to identify changes in PLC or RTU logic or firmware.

I won’t attempt to summarize the technical details; watch the video. It includes a demo of the technology.

However it is interesting that the Power Fingerprinting sensor is in fact not connected to the device it is monitoring. Hello air gap. It also is a potential tool for addressing the supply chain problem.

Unsolicited Response Podcast: Rios on WhiteScope and Medical Device Security

Billy Rios of Laconicly joined me on the Unsolicited Response Podcast to discuss two topics:

  1. WhiteScope – an online ICS/SCADA whitelist that is trying to solve the last mile supply chain problem until vendors start signing their code. The WhiteScope data repository is available to all, free of charge.
  2. Medical Device Security – an area that Billy is a pioneer on. We discuss progress, FDA involvement and how similar or different it is as compared to the classic SCADA/DCS/Process Control.

S4x16 Moves To South Beach

Save the date: S4x16 is January 12-16

S4x16 is moving to the Fillmore Miami Beach at Jackie Gleason Theater in the heart of South Beach. It’s literally 3 blocks from the beach, 1 block from Lincoln Road and right in the middle of all the SoBe restaurants, shops and night life.

This is a classic art deco venue where The Dick Clark Show, The Ed Sullivan Show and the Miss USA and Miss Universe Pageants were often filmed in the auditorium. In 1964, Jackie Gleason even moved his hugely popular tv show there, hence the name.

In 2007, the Jackie Gleason Theater underwent a major renovation and now has state of the art lighting, sound, video and just about any staging option we can think of — all without losing that cool art deco feel that is South Beach. In fact, the planning team is feeling the challenge of coming up with unique content, formats and staging worthy of this non-traditional ICSsec conference facility.

You often hear this security professional or that automation engineer is a “rock star”. At S4x16 we will see who the real rock stars are on a real stage that today is a major concert venue. Speakers will literally be in the spotlight on the big stage.


In addition to the main theater, the venue has so many interesting rooms for us to use. For example, the ICS Village will be held in the Red Star Lounge, a VIP lounge for concerts with coffee and cocktails and comfortable couches and tables to better get to know your fellow S4 attendees. Much like the staging, taking full advantage of all the rooms is a fun, creative challenge.

The Kimpton Surfcomber will again be an official S4x16 hotel, and it is only a 3 block walk to the Fillmore Miami Beach at Jackie Gleason Theater. Attendees raved about this hotel last year … except for the bus ride to Kovens. No buses for S4x16!


Note: We want to publicly thank the Kovens Conference Center that has been the home of S4 since the inaugural event back in 2007. They did a fantastic job for us each and every year. Unfortunately we outgrew the ballroom there and wanted to move somewhere that buses were not required. We highly recommend Kovens if you need a South Florida venue for an event.

iSight Partners Acquires Critical Intelligence

meBelden buys Tofino, GE buys Wurldtech, Lockheed Martin buys Industrial Defender and now iSight Partners acquires Critical Intelligence. The trend continues of larger organizations buying ICS security expertise.

Bob Huber and Sean McBride left Idaho National Labs (INL), after being involved in setting up what became ICS-CERT, to form Critical Intelligence. Critical Intelligence in many ways competed, or augmented if you want to play nice, the information ICS-CERT provided. However, the depth and breadth of the Critical Intelligence product far exceeded what ICS-CERT provided. Whether this was due to the talent disparity, fewer restrictions on what could be written, or both is not known.

I spoke with Bob and Steve Ward of iSight yesterday to understand the motivation for partnering and what future ICS services, products and events will look like. It is too early to answer the later question, but the motivation was clear.

iSight is looking to improve their threat intelligence in the ICS area, basic and easily understood reason. From a Critical Intelligence standpoint it’s more interesting. iSight has 200+ analysts that speak 16 different languages.

  • A lot of the important ICS threat info is written in Chinese, Russian and Arabic, not to mention the videos and podcasts that require the ability to understand the spoken language.
  • A fair amount of the technical analysis of malware and other attack code is not ICS specific. Look at the work that Kyle Wilhoit is doing over at Trend Micro on Havex and Black Energy for an example.
  • iSight has a methodology that will add rigor to the analysis and reporting process.

What iSight was missing was an understanding of what matters in an ICS, who are the players, important protocols and products, and the ability to task all those resources in a smart way that would lead to useful product. If the two companies can integrate the capabilities well the result should be more than the sum of the parts.

The biggest question then will be are the asset owners able to take in and act on this better threat intel?

Admittedly I’m a big fan of Critical Intelligence’s work. They helped with content on our site for a couple of years, were guests on the podcast, speakers at S4 and one of the people I talked to when I was trying to figure out who was doing what to whom.

Another thing this latest acquisition has in common with the other ICSsec acquisition is the price and terms were not disclosed.

Congratulations to Bob and Sean and the rest of the team at Critical Intelligence.