Managing SCADA Network Security Risks

Transcription

1 Organized by AmericanBusinessConferences May 25-26, 2011 Holiday Inn Golden Gateway San Francisco The First And Only Dedicated SCADA Security Event Quantify Risk, Evaluate Vulnerabilities, & Discover Solutions For Managing SCADA Network Security Risks Strategies & Technical Solutions For Economically Managing Risk In A Multi-Threat Environment Megan J. Hertzler Assistant General Counsel and Director of Data Privacy XCEL ENERGY Gerald S. Frees Director, NERC CIP Compliance, Regulatory Services AMERICAN ELECTRIC POWER L C Williams Senior Program Manager, Critical Cyber Asset Infrastructure for Enterprise IT Security TENNESSEE VALLEY AUTHORITY Tim Roxey Director Risk Assessment and Technology Division NORTH AMERICAN ELECTRIC RELIABILITY CORP. Mike Firstenberg Security Operations AMERICAN WATER - SECURITY OPERATIONS Amy Beth Superintendent of Process Control DENVER WATER Luis A Suarez Program Manager, Information Security TENNESSEE VALLEY AUTHORITY Jim Brenton Director of CIP Standards Development ERCOT SCADA systems are becoming prey to increasingly sophisticated security threats due partly to the actual amount of physical connections but also to potential new vulnerabilities within the business network itself including those that could impact trade secrets, proprietary information and the functionality of the business itself. Presenting Real World Examples On Identifying Vulnerabilities & Evaluating Mitigations For Every Layer Of Your System Architecture & Business Process Multi Access Point Security Wireless Security Cyber Security Network Security Smart Grid Integration Security Physical Security Internal & Business Process Security Encryption Methods Firewall Configuration Produced Primarily For: Electricity Utilities Water Utilities Oil & Gas Industry But Also Relevant For: Oil Refineries Pipeline Operators Nuclear Power Plant Operators And Any Business Operating Advanced Automated Control Systems Managing Critical Infrastructure call: mail: info@american-business-conferences.com

2 Event Breakdown We Have An Established Reputation In Running Events For The Utility And Oil And Gas Industries Some of American Business Conferences Past Contributors Are Listed Below Attendees Will Include Utilities/ Oil and Gas Industry With The Following Job Titles: IT Security Professionals Director, IT Security & Controls IT Security Manager Vice President VP and CIO Director of Corporate Security Director, IT Enterprise Infrastructure Process Control Engineers IT Applications Manager Network Security, Information Protection Manager Industry Breakdown - Sector Industry Breakdown - Job Seniority Director Engineering IT Security Specialist Vice President IT Infrastucture Director Project Management, Smartgrid Head of SCADA Head of IT Head of Telemetry Head of Operations COO Chief Security Officer Head of Engineering Automation & Process Control Engineering System Designers & Engineers Network Engineers Head of Maintenance As connections between the business network and the internet increase, it is apparent that organizations using SCADA systems are encountering more security threats. Due to new potential vulnerabilities to the business network, and the evolving threat landscape, there is now a greater need to increase security around trade secrets, proprietary information and the functionality of the business itself. To do this it is necessary to gain more understanding on the scale of the threat to avoid spending millions of dollars on projects not addressing the key vulnerabilities. It is important to have an understanding of the infrastructure of your SCADA or DCS system to be more aware of your vulnerabilities to understand what security procedures, technologies and applications should be deployed for cost-effective security. The mission of Managing SCADA Security Risks 2011 is to dispel the myths surrounding physical and cyber security by gaining awareness of the current threat environment and evaluating the scale of the threat. This will be achieved by real world examples of how companies using industrial control systems are identifying vulnerabilities and threat professionals will discuss the reality of SCADA risks and potential implications for your business. After considering what is likely to attack in day one, the event will provide an understanding of what type of architecture and revised business process can protect against an attack. This will be achieved by evaluating cost effective technical solutions for making your SCADA networks more robust at every level. call: mail: info@american-business-conferences.com page: 2

3 DAY 1: PRACTICAL EXAMPLES ON EVALUATING VULNERABILITIES THROUGHOUT SCADA SYSTEMS TO DETERMINE WHICH RISKS ARE THE MOST CRITICAL & EXPENSIVE Day One: May 25, :00 Chair s Introductory Remarks The chair will outline the measurable goals of the conference: What areas are considered to be critical? Who is likely to attack? What type of architecture and revised business process can protect against an attack? Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO) 09:10 Gaining Clarity On The Current And Evolving Multi Threat 09:35 Environment and Quantifying Risk In Terms Of Financial Value Understanding the state of the threat and how it may affect OPENING KEYNOTE SESSION your business to understand how you will have to adjust Making the business case for creating a long term strategy for mitigating and managing these threats: balancing business and cyber security risk Transferable lessons on evaluating vulnerabilities in relation to the components of your system Understanding where security measures must be focused around your specific system and determining which investment is going to have the greatest impact Assessing the likelihood, challenges and possible impacts of cyber warfare world- wide to prepare for potential outsider attacks on your SCADA network Looking at the statistics of how many different pieces of malware code various industries experience and react to on a daily basis Gaining an understanding of electric sector regulations and security standards in terms of how they are evolving, associated legislation and increased agency oversight Jerry Freese, Director, NERC CIP Compliance, Regulatory Services, AMERICAN ELECTRIC POWER Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO) 09:35 Question & Answer Session WHAT ARE THE AREAS TO FOCUS ON? 09:45 Evaluating Vulnerabilities In Relation To The Key Interfaces Of Your System Architecture And Business Process Striking the balance between the level of security to provide MULTI- an optimal level of protection versus being excessively intrusive STAKEHOLDER PANEL Examining vulnerabilities of the following connections to identify what constitutes a critical situation: 1. Wireless Security 2. Hard wire/optical connection 3. Internet/cyber security 4. Network Security 5. Smart Grid Integration Security 6. Physical Security 7. Internal & Business Process Security 8. Encryption Methods 9. Firewall Configuration 10. Mobile Devices, Including USB Sticks 11. Authentication L. C. Williams, Senior Project Manager, Critical Cyber Asset Infrastructure for Enterprise IT Security, TENNESSEE VALLEY AUTHORITY Lisa Kaiser, Director, Strategic Planning and Policy, DEPARTMENT OF HOMELAND SECURITY Mike Firstenberg, Security Operations, AMERICAN WATER 10:15 Question & Answer Session 10:30 Morning Refreshments To Be Served In Exhibition Showcase Area REGULATORY FOCUS 11:00 Examining The Long Term Goals Of NERC And Smart Grid Standards To Determine How Industry Will Have To Adapt To Be Compliant Detailing the recent progress being made to develop the latest smart grid standards and how these may affect the NERC standards. Identifying what constitutes a critical situation and what your critical cyber assets are to determine what security measures must be implemented to ensure regulatory compliance Providing an insight into how threat profiling can be used to relate to what government agencies are seeing as a threat Outlining the problems associated with cyber security best practice versus regulatory compliance Understanding how timeliness of regulations can ensure you keep the latest preventative means in place in preparation Resolving how to balance compliance at both the government level and the state level and how regulations differ between utilities Understanding which NERC regulations could become mandatory, which of these standards apply to you and how industry is expected to comply Understanding the future of Critical Infrastructure Protection (CIP) requirements and how companies are expected to adhere Tim Roxey, Director- Risk Assessment and Technology Division, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION Jim Brenton, Director CIP Standards Development, ERCOT Frances Cleveland, Lead of the SGIP-CSWG Standards Subgroup 11:45 Questions & Discussion REAL WORLD EXAMPLES OF RESPONDING TO INTRUSIONS AND BREAK INS 12:00 Deciphering The Issues Around Intrusion Events In Terms Of The Likeliness And Whether They Pose A Risk To Your Business Understanding how to respond to multi threats in a commercial environment Gaining an understanding of the cyber security response, the forensics that were done and the key implementation responses Evaluating how to perform forensics analysis of an industrial control system Understanding how to recover your system with a disaster recovery plan Tony Dodge, Information Security Investigator and Advisor, BC HYDRO 12:30 Question & Answer Session 12:40 Networking Luncheon To Be Served In Exhibition Showcase Area SHARING SCADA SYSTEMS ON BUSINESS NETWORKS 2:20 Understanding How The SCADA Network Interacts With The Corporate Network To Gain A Better Understanding Of What Measures Must Be Implemented To Effectively Separate These Networks To Improve Your Security Gaining an insight into how to make SCADA compliant with business network security requirements Understanding how SCADA can coexist in a business network environment Understanding the best practices of building virtual security in a business network environment call: mail: info@american-business-conferences.com page: 3

4 DAY 2: EVALUATING COST EFFECTIVE SOLUTIONS FOR MAKING YOUR SCADA NETWORK MORE SECURE Examining the connections between SCADA and business systems and how you can put security in place without affecting your business process Understanding the types of firewalls available for segregating the SCADA and corporate network and where these should be placed Mike Firstenberg, Security Operations, AMERICAN WATER Amy Beth, Superintendent of Process Control, DENVER WATER 3:30 Questions & Discussion SCADA RISK MANAGEMENT 3:40 Gaining An Understanding Of SCADA Risk Management From A Governmental And Industry Perspective Understanding SCADA risk management from a government PANEL DISCUSSION employee involved in the RMP activities Gaining an insight in the perspective of the organization responsible for developing the bulk power system regulations Understanding SCADA risk management from the perspective of private industry as opposed to the public industry Lisa Kaiser, Director, Strategic Planning and Policy, DEPARTMENT OF HOMELAND SECURITY 4:10 Questions & Discussion 4:20 Afternoon Refreshments UNDERSTANDING YOUR SCADA SYSTEM AND LOOKING AT THE INFRASTRUCTURE OF YOUR CONTROL SYSTEM IN DEPTH 4:50 Examining Wireless Vulnerabilities To Identify What Security Measures Will Be Required And How To Move Your Business Model Forward As New Technologies Are Deployed Understanding the architecture of wireless connections to gain more awareness of the associated vulnerabilities that must be protected Gaining an insight as to whether the components of your wireless system are secure and knowing what to do if they are not secure Acknowledging the advantages of having a wireless network in terms of convenience and examining the latest technologies for making wireless more secure 5:20 Question & Answer Session 5:30 Chair s Closing Remarks & End Of Day 1 5:40 Evening Cocktail Reception Served In Exhibition Showcase Area - 6:30 Day Two: May 26, :00 Chair s Opening remarks Megan. J. Hertzler, Assistant General Counsel and Director of Data Privacy, XCEL ENERGY EVALUATING THE BUSINESS BENEFITS OF VARIOUS SECURITY MEASURES TO LOCK DOWN YOUR CONNECTIONS AND GUARANTEE SYSTEM INTEGRITY 09:10 Securing The Network At The SCADA-Internet Interface & Linking Your SCADA System To Other Commercial Information Systems Without Compromising Security Determining innovative ways of being able to secure a public interface on any source to prevent a denial of service or intrusion Assessing optimal ways of hardening your network to mitigate distributed denial of service attacks Understanding how to access your SCADA data without compromising the network Providing an insight into what is the most secure way to extract vital information from SCADA systems to enable sufficient reporting Understanding the types of highly controlled firewalls and other protective measures for the SCADA-internet interface to prevent the internet access through your SCADA system thus enhancing security Gaining an understanding as to what companies are doing towards moving to a more standardized communication network such that they can tie in anybody s SCADA system into that network for the exchange of data NERC CIP cyber security beyond compliance Jim Brenton, Director CIP Standards Development, ERCOT 09:40 Questions & Discussion FIREWALL FOCUS 09:50 Understanding Best Practices Around Firewall Configurations To Keep The Networks Separate And Secure Understanding how to use firewalls to keep internet traffic away from SCADA traffic and to protect this traffic Determining the best practices around setting up DMZs both within your system and on the peripheries Understanding various routing methods in terms of configuring routers to pass traffic from and to specified devices Elucidating best practice for firewall policies Detailing what would be considered a strong firewall configuration as opposed to a weaker configuration Mike Firstenberg, Security Operations, AMERICAN WATER 10:20 Questions & Discussion 10:30 Morning Refreshments Served In The Exhibition Showcase Area 11:00 Gaining An Understanding To Data Access And Privacy Issues Related To Smart Grid Technologies Gaining an understanding of the Department of Energy proceeding regarding input on privacy issues for customerspecific energy usage data (CEUD) Summarizing the recent and current federal and state proceedings addressing these privacy concerns Examining the outcome of the Colorado PUC rulemaking on privacy rules Outlining areas of growing consensus Identifying what utilities should be planning for in the areas of customer privacy Megan. J. Hertzler, Assistant General Counsel and Director of Data Privacy, XCEL ENERGY 11:30 Questions & Discussion call: mail: info@american-business-conferences.com page: 4

5 DAY 2: EVALUATING COST EFFECTIVE SOLUTIONS FOR MAKING YOUR SCADA NETWORK MORE SECURE INSIDER THREAT FOCUS 11:40 Implementing User Awareness And Training Your Work Force To Mitigate Accidental Insider Threats Discussing training methods, procedures and security strategies to minimize accidental insider threats without limiting access completely Clarifying the importance of user awareness in terms of understanding how critical their SCADA environment is Understanding the importance of background checks on new staff and being able to internally monitor users Gaining an understanding of new processes available to control employees when they move or leave to control the access they have to the system thus mitigating such insider threats Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO) Amy Beth, Superintendent of Process Control, DENVER WATER 12:20 Questions & Discussion 12:30 Networking Luncheon To Be Served In Exhibition Showcase Area ASSESSING THE SECURITY ISSUES AROUND PHYSICAL SECURITY IN RELATION TO CYBER SECURITY AND HOW BOTH PHYSICAL AND VIRTUAL SECURITY CAN BE IMPLEMENTED TOGETHER TO MAKE THE BUSINESS MORE ROBUST PHYSICAL SECURITY FOCUS 2:00 Benchmarking Best Practice Physical Security Measures In Conjunction With Cyber Security Implementations To Ensure Sufficient Security And Regulatory Compliance Clarifying the importance of taking a cross disciplinary approach to physical and cyber security Understanding the latest methods and technologies to protect the physical security of the SCADA system Determining means of accomplishing seamless security for the whole SCADA by technologies, applications and procedures Highlighting the importance of efficient communication between the IT professionals and the process control engineers to allow for the effective integration of security from both sides Understanding where your weakest links are in order to justify costs for implementing physical security measures and to mitigate the physical security risk Understanding the physical security parameters as dictated by NERC to ensure regulatory compliance VENDOR PANEL Understanding how to achieve security on the machines themselves by implementing, enabling and disabling ports Tony Dodge, Information Security Investigator and Advisor, BC HYDRO 2:30 Questions & Discussion 2:40 Examining The New Technologies That Are Coming Out On The Market For Encryption & Smart Grid Security & Evaluating The Maturity Of Vendor s Control System Devices Examining the latest technologies for control system security and smart grid security First hand experiences on implementation Making the business case for specific technical solutions and breaking down the costs of competing solutions 3:20 Extended Questions & Discussion 3:40 Afternoon Refreshments 4:10 Comparing Solutions For Making Wireless Networks More Secure Examining innovative methodologies and technologies for setting up SCADA networks in an ultra secure way to maximize cost savings Cost benefit analysis of the latest technical solutions for making wireless networks more secure Examining testing procedures for wireless radiation and the ability to interfere with data and obtaining information 4:50 Questions & Discussion 5:00 Determining Best Practices On Patch Management To Understand How Such Security Measures Can Be Implemented Into Your Own System Determining innovative methodologies other people across industry are applying for patch management Making sure there is a proper air gap in place to prevent infection on a system running continually Gaining an insight into the test environment for patch management and understanding to what extent you can test such security measures before these are deployed to a production system Understanding novel ways of discovering what patches you require without having to connect to the outside world Luis A Suarez, Program Manager, Information Security, TENNESSEE VALLEY AUTHORITY 5:50 Chair s Closing Remarks & End Of Day 2 Event Values: Content is Key The agenda is the backbone of an event and for that reason we spend weeks researching our content to ensure we address only the key industry topics in comprehensive detail to satisfy industry demand. Effective Networking Who you meet is just as important as what you learn. We ve strategically integrated valuable networking time into this two-day event to ensure you maximize the business potential of each new contact you make. Relevant Research It is essential that we research with the right people as well as reach large coverage. We make sure that our research partners are experts in their field and are heavily involved in the issues that are critical to their industry. Quality Over Quantity Our events are not anonymous tradeshows.the solutions-driven nature of this conference attracts a majority of electricity utilities as well as carefully selected proportion of attendees from a targeted and highly relevant supplier base. Expert Speakers We are extremely selective in our speaker acquisition process. We ensure that our speakers are passionate industry leaders whose expertise and company background is focused specifically on the agenda topics. Engaging Event Our speakers and delegates come from a number of technical and strategic backgrounds with differing ideas and points of view. This leads to well-rounded and balanced conference discussion both during and after the event. Solutions Driven Delegates continually walk away from our events with tangible solutions because our programs are designed specifically to facilitate technical progress and commercial interactivity. Each session has a dedicated Q&A, to maximize post-presentation debate. call: mail: info@american-business-conferences.com page: 5

6 SPONSORSHIP AND EXHIBITION OPPORTUNITIES Exhibition Floor Plan The exhibition showcase will provide the opportunity for vendors to demonstrate their solutions in an informal setting. Unlike a traditional large exhibition or trade show you will gain access to the strategic decision makers at a time when the attendees are relaxed yet focused on discussing the solutions to their key business issues. Organizations wishing to exhibit or sponsor a break, lunch or evening reception should info@american-business-conferences.co.uk or call Conference Hall Exhibition Area Stand 3 Stand 4 Stand 5 Stand 6 Stand 7 REGISTRATION Stand 1 Stand 2 Tea and Coffee station Stand 8 Stand 9 Stand 10 Stand 11 Stand 16 Stand 15 Stand 14 Stand 13 Stand 12 Why Sponsor or Exhibit Understand The Market & Identify Opportunities This event is essential for companies who want to keep up to date with the industry's latest requirements and ensure products are competitively appropriate to the market. At Managing SCADA Security Risks 2011 you can utilize your market knowledge to more effectively direct your products and services to the most relevant customers. Make New Connections Meet industry leaders in person, and forge meaningful business relationships. Take the opportunity to network with the industry, understand clients needs and build your future business within elite industry circles. Maximize your Brand & Showcase Your Products Elevate your organization and products in front of senior decision makers from your specific target audience. Network and have meaningful discussions with professionals that are actively looking for new solutions. Establish Your Organization Place your company at the forefront of the leading industry initiative. Publicly display your in-depth involvement in driving forward Managing SCADA Security Risks. call: mail: info@american-business-conferences.com page: 7

7 REGISTRATION FORM Managing Sada Security Risks DAY CONFERENCE May 25-26, 2011 Holiiday Inn Golden Gateway, San Francisco Register Online at YES I would like to register the delegate(s) below for the 2 day conference Managing Scada Security Risks 2011 DETAILS PLEASE USE CAPITALS PLEASE PHOTOCOPY FOR MULTIPLE DELEGATES Delegate 1. Miss/Ms/Mrs/Mr/Dr/Other: Position Delegate 2. Miss/Ms/Mrs/Mr/Dr/Other: Position Organization name Address HOW TO REGISTER From the US and Canada: Call Toll Free on (1) Fax Toll Free on (1) By info@american-business-conferences.com Online: Register online on our website at or Country Telephone Fax ZIP/Postal Code Address: American Business Conferences 2300 M Street, NW Suite 800 Washington, DC USA Signature DELEGATE RATES - WE HAVE TEAM DISCOUNTS SO YOU CAN INVOLVE YOUR WHOLE ORGANISATION OR TEAMS. CALL (1) Early Booking Discount VENUE INFORMATION Holiday Inn Golden Gateway 1500 Van Ness San Francisco, CA Reservations: (888) Front Desk: (415) Online: Location & Directions: PAYMENT PLEASE TICK APPROPRIATE BOXES AND COMPLETE DETAILS Payment must be received in full prior to the event. Date ACCOMMODATION Check I enclose a check in US Dollars payable to American Business Conferences Limited for $ Payment by WIRE TRANSFER A copy of the bank transfer document should be attached to your registration form so appropriate allocation of funds can be made to your registration. Barclays Bank: SWIFT/BIC Code: BARCGB22 IBAN: GB16BARC EIN. no: Credit Card Please debit my Access Visa American Express Mastercard Switch/Maestro for Amount $ Card Number Name on card Book and pay before March 18, 2011 and claim our Super Early Booking Discount*. Book and pay before April 15, 2011 and claim our Early Booking Discount*. Check box to claim. DELEGATE FEES (Guests are responsible for their own travel and accommodation arrangements) I m claiming an Early Bird Discount please check box Super Early Bird Discount* Early Bird Discount* Standard Rate before March 18, 2011 before April 15, 2011 after April 15, 2011 Full 2 Day Conference: $1,299 $1,499 $1,699 I am interested in sponsorship and exhibition opportunities at the Managing Scada Security Risks 2011 I cannot attend the conference but would like to order the presentations on CD only: CD, including audio files $499 Holiday Inn Golden Gateway has some of the most breathtaking views of San Francisco and the Bay Area. The 26 story high-rise hotel offers 499 comfortable, spacious, and refined rooms and suites in town. Guests will enjoy a fine list of standard lodging amenities and close proximity to the downtown financial district, making us the ideal San Francisco Bay Hotel. Start Date Expiry Date Team Discounts Available. Call Terms and Conditions The conference is being organized by American Business Conferences, a division of London Business Conferences Ltd, a limited liability company formed under English company law and registered in the UK no Cancellations received one calendar month (or the previous working day whichever is the earliest) before the event will be eligible for a refund less $150 administration fee. Cancellations must be made in writing. After that point no refund can be made. If you are unable to attend, no refund can be given but you may nominate a colleague to take your place. American Business Conferences reserves the right to alter or cancel the speakers or program. Receipt of this booking form, inclusive or exclusive of payment constitutes formal agreement to attend and acceptance of the terms and conditions stated. *If you are claiming the early booking discount this may not be used in conjunction with other discounts advertised elsewhere. We would like to keep you informed of other American Business Conferences products and services. This will be carried out in accordance with the Data Protection Act. Please write to the Head of Marketing, American Business Conferences at the address below if you specifically do not want to receive this information. American Business Conferences M Street, NW. Suite 800. Washington, DC USA American Business Conferences will not accept liability for any individual transport delays and in such circumstances the normal cancellation restrictions apply. American Business Conferences is a Division of London Business Conferences Limited, Registered in England No EIN. no: Sponsorship and Exhibition A limited number of sponsorship and exhibition opportunities are available at this event. For further information please call Signature of card holder Date Security Code