Reflections on the ICS-CSR 2016 Symposium

In this post, I would like to share some reflections on the ICS-CSR (Industrial Control Systems and SCADA Cyber Security) symposium that took place from 23rd – 25th August at CSIT in Belfast, UK. This is not intended to be an exhaustive account of what happened at the symposium, rather a summary of stand-out moments for me. The post will touch on digital forensics for industrial control systems, serious gaming as an awareness raising tool, security metrics, and some highlights from the papers that were presented at the symposium.

Belfast City Hall -- The Location of the Symposium Dinner

Belfast City Hall — The Location of the Symposium Dinner

The first day of ICS-CSR was dedicated to a number of hands-on sessions that focused on different aspects of Industrial Control Systems (ICS) security . For example, there were sessions on incident analysis using state-of-art software solutions (from CyberBit) and a superb session on penetration testing for ICS (from Limes Security).

In addition, a team from Airbus, lead by Dr Kevin Jones, gave a hands-on introduction to digital forensics for ICS, which was very interesting. It became evident during the session that this is a challenging topic. For example, one of the striking aspects is the range of skills that a forensics team needs in this environment. For example, skills are needed for “classical” digital forensics, such as network traffic analysis using tools, such as Wireshark, with a focus on SCADA protocols; and ICS-specific analysis skills, including examining the ladder logic that is used to control the behaviour Programmable Logic Controllers (PLCs). The latter activity needing vendor-specific knowledge. Meanwhile, these forensics activities need to be implemented in safety-critical environments, in which the availability of components and the overall system is of the utmost importance. Ouch. A major challenge for enterprises (and our educators) is training individuals and teams with the necessary skills to perform these important tasks. Also, this is clearly an area where research is needed on suitable processes and toolchains to support practitioners. Incidentally, there was a paper in the main programme of the symposium on this topic.

Finally, the first-day workshop was concluded with an excellent serious game, delivered by a team from De Montfort University. The game is nicely introduced in a paper. The major aim of the game is to raise awareness of the cybersecurity issue for critical infrastructures with the so-called C-suite — enterprise-level decision makers, such as CEOs and CFOs. This awareness raising issue, to get “buy-in” from the C-suite, is a common theme in the security field, especially for critical infrastructures where the topic is (arguably) less well-understood. Often this problem is framed as a communication issue — how do we articulate the need for (or benefit of) cybersecurity to non-technical and (quarterly) profit-driven individuals? Security is seen as an overhead. Perhaps serious games, such as that presented in the workshop, can help make inroads to support this necessary communication. Interestingly, players in the game take C-suite roles, with their bonuses affected by their capacity to respond to a major cybersecurity incident. Surely, this should speak to C-suite members’ motives. ­čÖé

The main programme of the symposium followed on the second and third day, with presentations of the papers that had been accepted to the symposium and two keynote talks. The proceedings are available online. As usual at ICS-CSR, the quality of the papers (and their presentation) was high, and questions from the audience frequent and friendly. Here are some of my personal highlights.

Eeiran Leverett from Concinnity Risks giving his keynote talk

Eeiran Leverett from Concinnity Risks giving his keynote talk

The first keynote talk by┬áEeiran Leverett (from Concinnity Risks) was very thought provoking, covering a range of topics including information asymmetry and the incomposability of security. Eeiran highlighted the importance of good security metrics — something I think we are lacking, both as an industry and scientific community. It was nice, therefore, to follow the keynote with our paper on resilience metrics. (Also, see this paper that is related to measuring risk.)┬á If you get the chance to see a keynote from Eeiran, I would recommend going along — it’s worth it for the magic tricks, alone. The second keynote talk was given by Kevin Jones from Airbus, highlighting their ambitious vision for the factory of the future; a way to reduce manufacturing times (and costs) with increased automation and horizontal integration of systems. In his talk, Kevin discussed the cybersecurity challenges in this environment, a number of the themes he highlighted in a previous talk that he gave as part of AIT’s cybersecurity lecture series.

There were a number of interesting papers, which I haven’t previously mentioned, that stood out for me. Two interesting papers examined cyber-attacks to Wide-Area Measurement Systems (WAMs) in the smart grid, which use Phasor Measurement Units (PMUs): from Sarita Paudel, on a survey of threat scenarios to WAMs and mitigation solutions, and Rafiullah Khan, on attacks that could be orchestrated using the BlackEnergy malware. Both of these could be useful if one is considering threat scenarios for your research in the smart grid. Detection of attacks featured in a number of papers that were presented — this is an important capability, with respect to the emerging (advanced persistent) cybersecurity threat to smart grids. Specifically, BooJoong Kang presented his ongoing research, in the context of the SPARKS project, on stateful analysis for intrusion detection in the smart grid (see a previous blog entry on the motivation for this work), and Justyna Chromik presented her ongoing PhD research on using grid models to detect (and mitigate) malicious behaviour in power systems.

Finally, I would like to thank the symposium general chairs — Kevin Jones, Helge Janicke, and┬áThomas Brandstetter — and the local organising team at CSIT. The symposium continues to be an excellent forum for the open exchange of industry and research challenges and solutions for industrial control systems security. This openness is undoubtedly facilitated by the conduct of the chairs and the hospitality of the local organisers. I’m looking forward to ICS-CSR 2017 — I hope to see you there!