DEF CON 29 abstracts

Capture the Flags

All times listed in PDT

Friday, Aug. 6 | 10:00 a.m.  — Sunday, Aug. 8 | 4:00 p.m.

Hack the Planet

Help us protect our Unicorn Cupcake process line by performing a PLC security assessment!

CISA ICS CTF

Azalea Power Co. is experiencing the effects of a large-scale cyber attack and is in need of a cyber incident response team to help them investigate. You and your team of cyber incident responders have been brought in to help the internal IT team as they identify the extent of the impacts to their IT network, corporate building management system (BMS), and power distribution system.

In this challenge, participants will explore network and host artifacts from Azalea Power's IT, BMS and electric distribution networks. Throughout the exercise, participants will be exposed to real-world techniques and leverage multiple open source tools to dig into the artifacts and discover indicators of compromise (IOCs) and the techniques the attackers used to get into the environment.

Aug 6, 2021 — Friday

All times listed in PDT

10:00 am - 11:00 am
KEYNOTE: Reading the Future with Useful Fiction
P.W. Singer

10:00 am - 11:00 am
Tabletop Exercise - GRIMM and Insane Forensics

Join us in a tabletop exercise where you play the role of the expert called in to assess the unexpected shutdown of a power plant. You will be led through a series of real-world malicious activities and be asked to offer your analysis. Can you get operations going again?


11:00 am - 11:30 am
Living off the Land in an ICS/OT Penetration Test

Aaron Boyd


Many antivirus and application whitelisting solutions consist, by default, of signature-based detections that only monitor for known malicious files or tools being executed on, or loaded onto the disk of, an operating system. Knowing this, adversaries and activity groups have had to focus on living off the land tactics and techniques to target ICS/OT environments, as well as the enterprise environments used as pivot points for reaching an ICS/OT environment. Living off the Land is the term used to describe the use, for nefarious purposes, of pre-existing utilities that are already present on a victim host and network and that are known and trusted for their legitimate capabilities. Aaron Boyd, a Senior Industrial Penetration Tester with Dragos, will talk about and demonstrate one of the living off the land techniques used by Dragos when conducting penetration tests within an ICS/OT environment, along with some strategies customers can use to detect it.

11:30 am - 12:30 pm
Your Infrastructure is Encrypted: Protecting Critical Infrastructure from Ransomware

Moderator: Jamil Jaffer; Panelists: Ernie Bio; David Etue; Jennifer DeTrani


The recent attacks against Colonial Pipeline, JBS, and others have made it clear just how vulnerable U.S. Critical Infrastructure is to ransomware. While these attacks have been grabbing headlines, the path forward has not. A variety of tools and approaches will need to be tested by both the government and private sector to push back against the threat of ransomware and protect critical infrastructure from future attacks.

This panel brings together a variety of perspectives from the government, technology, and venture capital sectors to chart the path forward and detail what steps government and the private sector can take individually and together to protect critical infrastructure across the country.

12:00 pm - 1:00 pm
Tabletop Exercise - GRIMM and Insane Forensics

Join us in a tabletop exercise where you play the role of the expert called in to assess the unexpected shutdown of a power plant. You will be led through a series of real-world malicious activities and be asked to offer your analysis. Can you get operations going again?


12:30 pm - 1:00 pm
Do We Really Want to Live in the Cyberpunk World?
Mert Can Kilic

What are the possible future threats when it comes to cyber physical systems? Human augmentations, insulin pumps, and brain computer interfaces are inevitable, but how will their security and possible incidents affect our world?

1:00 pm - 1:30 pm
Beetlejuice: The Lessons We Should Have Learned For ICS Cybersecurity
Tim Yardley

In this talk I will present the top 15 quotes from *redacted* and how we can transform them to operational advice to improve ICS cyber security. Hold tight, this is going to be a wild ride.

1:30 pm - 2:00 pm
Scripts and Tools to Help Your ICS InfoSec Journey
Don C. Weber

Conducting security assessments and gathering information from control environments are obviously different from doing the same tasks in a corporate environment. But where do you start? Don will outline some of the tools used to conduct research, perform assessments, and gather information. He will review some of the scripts the Cutaway Security team has developed to make this easier for administrators, information security professionals, and operational technology teams.

2:00 pm - 3:00 pm
Consider the (Data) Source
Dan Gunter

Protecting industrial control systems involves a variety of challenges, from low tolerance of downtime to requiring a very deliberate combination of approaches and tools to ensure the integrity and availability of the environment. These environmental challenges can often stovepipe our thoughts around how we can respond to threats to control systems in making us think that one source of data is the only option. In this talk, we will consider the strengths and weaknesses of different data sources to include network and host sources. Using data from MITRE Engenuity's recent ICS ATT&CK evaluation, we will talk about known attacker TTPs, how to detect TTPs, and how to improve the chance of adversary detection by diversifying data sources. As collecting and processing more data is both a technical and staffing challenge, we will discuss how analysis can scale without requiring a significant resource increase.

3:00 pm - 4:00 pm
Tabletop Exercise - GRIMM and Insane Forensics

Join us in a tabletop exercise where you play the role of the expert called in to assess the unexpected shutdown of a power plant. You will be led through a series of real-world malicious activities and be asked to offer your analysis. Can you get operations going again?


3:00 pm - 3:30 pm
Approaches to Attract, Develop, and Retain an Industrial Cybersecurity Workforce
John Ellis; Julia Atkinson

Gaps in the industrial cybersecurity workforce leave critical infrastructure assets vulnerable to attack. In a 2020 (ISC)² report, 64% of companies reported a significant or slight shortage of cybersecurity professionals. At the same time, 56% of companies reported that their organization is extremely or moderately at risk due to the cyber workforce shortage. A National Initiative for Cybersecurity Education (NICE) report found that industry-wide there was only one qualified worker to fill every 10 cybersecurity jobs in 2020. To protect the cyber-physical systems that form the lifeblood of the economy, something needs to be done to develop the ICS/OT cybersecurity workforce pipeline. This session will present models to attract, develop, and retain talent in industrial cybersecurity.

3:30 pm - 4:00 pm
It Takes a Village (and a generous grant): Students Performing ICS Security Assessments
Dennis Skarr; Christopher Von Reybyton; Alexander Vigovskiy

Everett Community College (EvCC) recently launched a 5 credit class titled “Assessing and Securing Control Systems” utilizing custom-developed ICS trainers by GRIMM. Performing a mock assessment on the nation’s first 10 foot ICS wall at a community college, students completed their capstone exercise for the EvCC’s first class dedicated to ICS security. This presentation has multiple students sharing their experiences related to why they chose this class, what they gained, and their career goals after the competition.

Aug 7, 2021 — Saturday

All times listed in PDT

10:00 am - 12:00 pm
CybatiWorks Powered by IntelliGenesis Mission Station Workshop
Matthew Luallen

This workshop introduces, demonstrates and provides an interactive overview of the CybatiWorks exploratory cyber-physical mission station. Participants' mission station exercises cover an introduction to the cyber-physical topics of logic, sensors and actuators, OT system architecture, communication protocols and data analysis. Participant mission station access is provided on a first-come, first-served (FIFO) basis.

#CybatiWorks #IntelliGenesis

10:00 am - 11:30 am
Network Traffic Analysis with Malcolm
Seth Grover

11:30 am - 12:00 pm
Highlighting the Importance of Detection Context using the ATT&CK Evaluations for ICS Results
Otis Alexander

12:00 pm - 1:00 pm
A Fireside Chat with August Cole
August Cole

Fiction writer and futures consultant August Cole will talk about how thinking the thinkable is one of the most important ways to prepare for what’s ahead during the next 20 years - particularly when it comes to how autonomy and AI are poised to usher in a tumultuous era for American society, domestic security, and culture.  

1:00 pm - 1:30 pm
Toward a Collaborative Cyber Defense and Enhanced Threat Intelligence Structure
Lauren Zabierek

The recent ransomware and cyber espionage campaigns prove that a fundamental redesign of our domestic cyber defensive posture is both necessary and urgent to protect against future cyber threats. As such, we believe the time is now to develop an integrated, networked approach to collaborative defense and intelligence analysis and sharing between the federal government, state and local governments, and the private sector. My team of student researchers and I conducted several interviews with stakeholders in both the state and federal governments and the private sector and pored over existing literature. We've created a roadmap toward this vision, answering how a 21st century threat can be tackled by the tools available in its own time. We don't purport to have all the answers, but we would be interested in feedback from the community on the feasibility and desirability of these ideas.

1:30 pm - 2:00 pm
Fortifying ICS - Hardening and Testing
Dieter Sarrazyn

Every ICS environment will sooner or later have to deal with updates, upgrades or additions to the control system environment. Nowadays it is important to include cybersecurity within such projects, although that is still sometimes forgotten (sad but true). One of the ways to include security is to set security requirements but also perform hardening and cybersecurity testing within FAT and SAT cycles.

This talk will explain important elements of hardening as well as things to keep in mind when performing cybersecurity testing during FAT/SAT phases after performing said hardening.

2:00 pm - 2:30 pm
Crippling the Grid: Examination of Dependencies and Cyber Vulnerabilities
Joe Slowik

Typical views of cyber-focused attacks on electric utilities emphasize direct impacts to generation, transmission, or distribution assets. While some examples of this activity exist, most notably in Ukraine, such actions are relatively difficult given technical and access requirements to properly execute. Less explored, but far more dangerous, are critical dependencies in electric utility operations which are often more exposed to IT networks and require less specialized knowledge to subvert. This presentation will examine some of these dependencies and their implications to show how ICS-centric defense must include relevant IT links and functional requirements.

2:30 pm - 3:00 pm
Leveraging SBOMs to Enhance ICS Security
Thomas Pace

In this talk Tom Pace will discuss how SBOMs (Software Bills of Materials) can be leveraged to enhance ICS security. The recent executive order and guidance from the NTIA have reignited the SBOM discussion and its importance, especially for critical assets such as ICS devices. Tom will explain what an SBOM is, how SBOMs can be generated and consumed, and the value of the data once an SBOM has been generated. This will include, but not be limited to, use cases such as known vulnerabilities, integrity verification, provenance and license compliance. Tom will further explain the value an SBOM can have for various stakeholders, from ICS device manufacturers to end users of the devices themselves. Tom will highlight how significant time savings can be realized once SBOMs are in place, while at the same time providing commentary on the challenges of generating an SBOM, especially for devices deemed "legacy" or out of support.

3:00 pm - 3:30 pm
Smart Meters: I'm Hacking Infrastructure and So Should You
Hash Salehi

Why Smart Meters? This is a question Hash is often asked. There's no bitcoin or credit card numbers hiding inside, so he must want to steal power, right? Openly analyzing the technology running our critical infrastructure and publishing the findings is something Hash is passionate about. In the wake of the great Texas freeze of 2021, we can no longer "hope" those in power will make decisions that are in the people's best interest. This talk will present research on the Landis+Gyr GridStream series of smart meters used by Oncor, the largest energy provider in Texas.

Aug 8, 2021 — Sunday

All times listed in PDT

10:00 am - 10:30 am
Bottom-Up and Top-Down: Exploiting Vulnerabilities In the OT Cloud Era
Sharon Brizinov; Uri Katz

We researched the exploitability of cloud-based management platforms responsible for monitoring industrial control systems (ICS), and developed techniques to exploit vulnerabilities in automation vendor CODESYS’ Automation Server and vulnerabilities in the WAGO PLC platform. Our research mimics the top-down and bottom-up paths an attacker would take to either control a Level 1 device in order to eventually compromise the cloud-based management console, or the reverse, commandeer the cloud in order to manipulate all networked field devices.

10:30 am - 11:00 am
Detecting Attackers Using Your Own Sensors with State Estimation
Stefan Stephenson-Moe

As OT technologies like PLCs and RTUs become smarter and more capable of running standard operating systems, the concern of malware infecting OT technologies has become more of a realistic threat. In cases like Stuxnet, where the attacker wishes to cause damage to a system while keeping the user unaware, it must do so by modifying the sensor data that would alert the user to a change in the system. State estimation is a technique used in the power industry to detect when sensors are providing garbage data. In this talk I plan to explain how state estimation works and how it can be applied as a technique for detecting an attacker attempting to manipulate sensor data for nefarious purposes.

11:00 am - 12:00 pm
Top 20 Secure PLC Coding Practices
Vivek Ponnada; Sarah Fluchs

This presentation is the outcome of a community-driven project called "Top 20 Secure PLC Coding Practices". Document version 1.0 is to be released on plc-security.com on June 15th, 2021, for download free of charge, with no restrictions on distribution and use.

12:00 pm - 1:00 pm
ICS Cyber Threat Intelligence (CTI) Information Sharing Between Brazil and the United States
Moderator: Paul de Souza; Panelists: Helio Sant'ana; Max Campos; Tom VanNorman; John Felker

The panelists will touch on topics such as the annual critical infrastructure themed exercise Cyber Guardian run by the Brazilian Cyber Command and the opportunities for industrial control systems (ICS) professionals in the US to become more involved. Topics such as national Malware Information Sharing Platform (MISP) implementation in Brazil focusing on information sharing, particularly in the ICS world, will be discussed. The ICS Village and the Cyber Security Forum Initiative will engage in conversation with the Brazilian government during this session.

1:00 pm - 1:30 pm
ICS Intrusion KillChain explained with real simulation
Javier Perez; Juan Escobar

Cyber attacks on Industrial Control Systems (ICS) differ in scope and impact based on a number of factors, including the adversary's intent, sophistication and capabilities, and familiarity with ICS and automated industrial processes. In order to understand, identify and address the specific points at which an attack can be prevented or stopped, a systematic model known as the "Cyber Kill Chain" is detailed, a term that comes from the military environment and is trademarked by Lockheed Martin. While most are familiar with the terms and theoretical diagrams of how security should be implemented, in this talk we want to present live how an attack chain occurs from scratch to compromise industrial devices, the full kill chain, based on our experiences. The goal is to ground these threats in the real world without the need to carry out these attacks with a nation-state budget.

1:30 pm - 2:00 pm
Building an ICS Firing Range (in our kitchen): Sharing Our Journey & Lessons Learned (so you don’t have to)
Nico Leidecker; Moritz Thomas

Aiming to improve our own expertise in ICS security, we set out to build our own ICS firing range for internal and external trainings and hacking demos. It covers multiple technical aspects of IT infrastructure, PLC configuration and programming, ICS protocols and specific methodologies for red and blue teaming. Beginning with a bridge operation scenario, we planned our approach to implementing the ICS Firing Range, addressing all levels of the Purdue Model, from enterprise to physical processes. We were faced with a variety of practical challenges, as well as challenges specific to the ICS context and prototyping: we learned how to implement ladder logic, how CAD modelling works, how to print 3D models with a 3D printer and how to combine all ICS and bridge components into a single, confined and mobile lab environment. Lastly, we designed a series of kill chains for our firing range that we use for trainings for a variety of professions, such as digital forensics and incident response.

2:00 pm - 3:00 pm
ICS Jeopardy
Moderator: Mary Brooks; Panelists: Maggie Morganti; Tatyana Bolton; Chris Sistrunk

This. Is. Jeopardy. ICS-style. Join our intrepid contestants in a full round of the iconic game show Jeopardy as they test their knowledge of the various categories every good cybersecurity expert should know—including historical ICS incidents, nerdy fiction and random trivia—all the while performing on-the-spot asset identification (aka: figuring out the remote buzzer system because we're still in a pandemic.) Tune in to watch Maggie Morganti of Schneider Electric, Chris Sistrunk of Mandiant, and Tatyana Bolton of the R Street Institute battle it out to win one of three, appropriately mediocre, prizes.