Portland Summit Agenda Full


Summit Agenda

Day 1 - Tuesday, September 25, 2012


Rooms: Track 1 / Skybridge A&B (Policy and Compliance Track); Track 2 / Auditorium (Technical Track); General Session / Auditorium

Noon - 7:00 pm: Vendor & Guest Registration

Noon - 1:30 pm: National Electric Sector Cybersecurity Organization Advisory Board Meeting (closed session)

1:30 pm - 4:30 pm: Pre-Summit Workshops

Track 1 / Skybridge A&B - CIP 007 Deep Dive Workshop
Steve Parker, VP of Technology Research and Projects, EnergySec and NESCO - This workshop will get into the nitty gritty details of CIP-007, covering many technical aspects of security log management, account management, security testing and more. This will be specific to control environments and directly related to what needs to be implemented and managed to help meet the NERC CIP standard requirements. Steve Parker is a former NERC CIP auditor with a vast amount of practical experience in the field. Join this workshop to learn from his experiences and expertise.

Track 2 / Auditorium - Assessing and Auditing Control Systems with Nessus
Reid Wightman, DigitalBond - The default scan in Nessus Vulnerability Scanner is powerful, but not appropriate for control systems and does not take full advantage of the tool's capabilities. In this course students will learn the most effective way to use Nessus to assess and audit control systems. There are techniques to significantly lessen the impact and risk of a scan. Special configuration settings can check for default credentials in databases and other applications. Bandolier security audit templates can compare settings to an ICS vendor's recommendations and more. In this course, taught by Digital Bond, students will use their own laptop and learn how best to use Nessus as a security tool on their SCADA or DCS.

4:30 pm - 6:00 pm: EnergySec Board of Directors Meeting (closed session)

7:00 pm - 7:45 pm: Welcome Address - Patrick Miller, President and CEO of EnergySec and Principal Investigator of NESCO

8:00 pm - 10:00 pm: Hosted Welcome Reception, Skybridge A&B

10:00 pm - Midnight: Birds of a Feather Sessions (see information board at event)

Day 2 - Wednesday, September 26, 2012


7:00 am - 4:00 pm: Vendor & Guest Registration

7:00 am - 8:00 am: Hosted Breakfast (Exhibit Set Up)

8:00 am - 8:15 am: Intro and Welcome - Brandon Dunlap, VP of Marketing, EnergySec

8:15 am - 8:45 am: Opening Keynote Address
Richard Clarke, Good Harbor - Cyber risks to the electric power industry have become increasingly significant in recent years and will continue to grow with the adoption of new networked technologies. As a result, the electric industry faces increasing oversight and scrutiny from regulators, legislators, executive government agencies, insurers, and others. Because of the severe financial, legal, operational, and reputational consequences cyber risks pose, responsibility for managing these risks must reside with senior corporate executives. In his keynote, Richard Clarke will discuss how electric power executives can manage these risks through improvements in internal governance, application security development processes, vendor risk management, and crisis preparedness.

8:45 am - 9:30 am: Make Your Employees Mal-AWARE: Implementing a Scalable Behavior Modification Program
Rohyt Belani, CEO of PhishMe - Cyber crime and electronic espionage most commonly initiate with an employee clicking a link to a website hosting malware, opening a malware-laden file attached to an email, or simply giving up corporate credentials when solicited via phishing websites. Phishing has been used to hijack online brokerage accounts to aid pump n' dump stock scams, compromise government networks, sabotage defense contracts, steal proprietary information on oil contracts worth billions, and break into the world's largest technology companies to compromise their intellectual property. Technical controls presented as silver bullets provide false hope and a false sense of security to employees, promoting dangerous behaviors. This continued threat makes it more important than ever for companies to provide an effective security awareness program to users on their networks.
During this talk, I will present the techniques used by attackers to execute these attacks, and real-world cases that my team have responded to that will provide perspective on the impact. I will then discuss countermeasures that have been proven to be effective and are recommended by reputed bodies like SANS. It's about more than awareness training; it's about modifying employee perception of phishing emails and the responses to these types of attacks.

9:30 am - 10:00 am: Hosted Networking Break (Exhibitor Hall Open)

10:00 am - 10:45 am

Regulation, CIP Is Only The Beginning
Prudence Parks, Director of Government Affairs and Legislative Counsel for UTC

Doubt, Deceit, Deficiency and Decency - A Decade of Disillusionment
James Arlen, Push the Stack Consulting - "It's been nine years since the oft quoted Blackout of 2003." "It's been nine years since Urgent Action Standard 1200." "It's been eleven years since I began seriously working in the utility space." "I cannot escape the feeling that I have wasted a decade of my life." "Can I prove myself wrong?" Through a mixture of news stories, teachable moments, hard-won experience and perhaps an interpretive dance - you will be taken on a journey of maturity and self-discovery -- an examination and ultimately a determination on one information security professional's decade of trying to make a difference. (NOTE: Due to union regulations there shall be no interpretive dance.)

10:45 am - 11:30 am

NERC CIP Access Monitoring: What Constitutes a Shared Account?
Spencer Wilcox, Exelon - NERC CIP standards 003-007 define access and shared accounts. What constitutes a shared account? Does your IAM account for all personnel with access to your UNIX and Windows systems? This presentation will explore the intricacies of access, and help you to better document your access and account management evidence leading up to your next audit.

Detecting Malware Without AntiVirus
Jeff Bryner, P0wn Labs - When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures. If a company thinks they may be compromised but there is no AV signature, then what? What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew. What if we could integrate these together into a system for centrally issuing indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Let's find out...

11:30 am - 1:00 pm: Hosted Lunch Break

1:00 pm - 1:45 pm

ES-C2M2 Case Study
U.S. Dept of Energy

Substation Remote Access - Entergy Style
Chris Sistrunk, Entergy - Increasing cyber threats and changing NERC/CIP standards have caused Entergy to design and implement a new system for substation remote access. This system provides the access that engineers and technicians need, utilizes security best practices, leverages existing equipment, and is poised for future expansion and technologies.

1:45 pm - 2:30 pm

CIP Auditors Panel
Josh Axelrod, Ernst & Young (Moderator); Matt Stryker, SERC; Brent Castegnetto, WECC; Darren Nielsen, WECC

Identifying and Managing Network Zones in CIP 005
Edmond Rogers, Information Trust Institute, University of Illinois Urbana Champaign - Identifying and managing network zones for CIP compliance can require long hours of effort in review of Visio diagrams. The presentation will provide an overview of the issues that administrators face when providing documentation that is flexible and meets both operational and compliance needs for identifying and managing network zones within a critical infrastructure network. The presentation will close with an overview of the Network Access Policy Tool (NetAPT). NetAPT is designed to provide automated documentation of network trust zones.

2:30 pm - 3:00 pm: Hosted Networking Break

3:00 pm - 3:45 pm

Compliance Forums Panel
Lisa Carrington (Moderator); Karl Perman, NATF; Matt Jastram, WICF; NAGF; MCCF

Keys to a More Successful Security Program
Joachim Gloschat, ICCT - An effective security program is a living thing. It is comprised of a myriad of equipment, actions, policies, and procedures, all of which interconnect and rely on each other in order to provide a comprehensive and effective program. The collection of documents, together forming the security program, must be, by design and intent, focused on three primary missions: remedial measures, preventative measures, and, overlapping both of these, education. The security plan must accurately describe situations both present and future; capture potential scenarios and consequences; detail the organization's actions both during and following specific events; and educate the organization on the specific roles specific groups play. Joachim Gloschat's presentation will address all this and more as he explores what makes a successful physical security program.

3:45 pm - 4:30 pm

All My Exes Panel - Ex Industry Discuss Why They Left
Brandon Dunlap (Moderator); Dave Lewis, AMD; James Arlen, Taos; Lisa Tawfall, Bechtel; Don MacVittie, F5 Networks

Best Practices on Managing Ports and Services
Jacob Kitchel, Industrial Defender - Copy and paste netstat into an Excel spreadsheet - DONE! Save nmap output into a spreadsheet - DONE! Copy a vendor's ports list into a spreadsheet - DONE! Our industry's fascination with managing compliance data by taking default tool output and throwing it into Excel spreadsheets is widely known. This presentation on managing ports and services will finally provide you with the desire to pry those spreadsheets from your hands in exchange for a more robust, accurate, and sustainable solution. We will cover methods to support security and compliance while at the same time increasing accuracy, reliability, and insight into ports and services through the use of automation, change control, and visibility.

4:30 pm - 5:00 pm

Smart Grid Privacy Panel
Lisa Carrington (Moderator); Gal Shpantzer, EnergySec; Chris Shepherd, ICCT; Sarah Cortes; Lee Tien

Presentation TBD

5:00 pm - 7:00 pm: Hosted Reception (Skybridge Terrace)

7:00 pm - 10:00 pm: Birds of a Feather Sessions (see information board at event)

Day 3 - Thursday, September 27, 2012


7:00 am - 11:30 am: Vendor & Guest Registration

7:00 am - 8:00 am: Hosted Breakfast

8:00 am - 8:15 am: Welcome

8:15 am - 8:45 am: Can You Regulate Attitude?
Steve Parker, VP Technical Research, EnergySec and NESCO - Winston Churchill once said, "Attitude is a little thing that makes a big difference." Indeed, when it comes to security, fostering the right attitude is essential. But can attitude be mandated? Or must it be carefully cultivated and encouraged? This presentation will discuss the limitations of regulatory approaches to security, and explore what is really needed to secure our critical energy infrastructure.

8:45 am - 9:30 am: The Power of Community
Deb Bryant, Deb Bryant and Associates

9:30 am - 10:00 am: Hosted Networking Break (Exhibitor Hall Open)

10:00 am - 10:45 am

State Regulators Panel
Miles Keogh (invited); John Savage; Thom Pearce

The Stories We Could Tell
Slade Griffin, Enernex - As two-way communications become more widespread in control systems, the old begins to blend with the new in security research, vulnerability assessments, and penetration tests. Slade's presentation will be a brief recap, and interactive discussion, of the past two years testing industrial control systems, smart grid equipment, and emerging technologies. This will include real-life examples of vulnerabilities discovered, compliance gaps, and mitigations applied as utilities and vendors work together to apply security best practices in their environments. "I belong to the warrior in whom the old ways have joined the new."

10:45 am - 11:30 am: Presentation - Sean McGurk

11:30 am - 1:00 pm: Hosted Lunch Break

1:00 pm - 5:00 pm: National Electric Sector Cybersecurity Organization Town Hall Meeting

Keynote Presentation: Pat Hoffman, U.S. Dept of Energy

Security Legislation: Building the Bridge Between the Possible and the Practical
"Why don't they just do the right thing?" - Comment by a staffer of the House Homeland Security Committee during a 2009 hearing on the vulnerability of the electric system to cyber incidents
Cybersecurity of the nation as a whole, or of the electric grid in particular, has been the subject of dozens of Congressional hearings and close to 1500 bills since 2009. Yet we seem no closer to defining what the right thing is and what the respective responsibilities of government and the private sector are to achieve a more secure grid. Meanwhile, as the grid undergoes a massive modernization transformation, the migration to IP-enabled devices, and away from proprietary, islanded control systems, is required to achieve greater efficiency and interoperability. And dependence on ICS grows daily. Despite a hard court press by the Administration, the National Security Agency, military generals, and former Homeland Security officials, the Senate failed to pass cloture before recessing for the month of August on their latest iteration of the right thing, the Lieberman/Collins bill, which would have enhanced public/private information sharing and devised a best practices federally-run framework. Earlier in the year, the House passed a bill limited to better information sharing. Demands for federal legislation are based in part on particular examples of grid vulnerability, namely Aurora, email spearphishing exploits, and Stuxnet. But are these examples based on reality in terms of actual practices and controls that electricity system owners and operators already have in place?
The first was a laboratory experiment (and has been memorialized by an exhibit in the National Spy Museum), the second the subject of Senate demonstrations, and the third effectuated by actions of unsuspecting third parties. Legislation based on fear rarely makes good law. So how do we spur asset owners'/operators' self-interest in keeping the lights on to achieve a more secure system? The NERC CIP standards regime provides the sticks: fines and audits to ensure compliance with standards. That's the practical solution to address vulnerabilities as we understand them today and set baseline operational and personnel standards. What's needed are the carrots to incentivize staying ahead of the curve of the possible, such as better information sharing and collaboration, education and training, and workforce development. Should other policies be examined as well, especially those concerning issues outside our sphere of influence, such as supply chain integrity? Or does the continuously changing nature of cybersecurity mean that doing the right thing is like trying to nail jello to the wall?

Summit Concludes

5:30 pm - Midnight: Post-Event Spirit Mountain Casino Night (Registration Required)

Day 4 - Friday, September 28, 2012


8:00 am - 9:00 am: Summit Advisory Board Breakfast

9:00 am - 5:00 pm: CISO Forum (invitation only)
