Top 10 Things They Hate about Us: Avoiding the Security Traps in an IACS Assessment

When:  Dec 16, 2020 from 12:00 to 13:00 (MT)
Associated with  Boise Chapter

Due to unforeseeable circumstances, we unfortunately need to cancel the CPE Event scheduled for Wednesday, December 16th, 2020.  We are on target to hold our CPE event in January.

TopicTop 10 Things They Hate about Us:  Avoiding the Security Traps in an IACS Assessment

Join us for this presentation by Bri Rolston, Chief Research & Security Geek, GkJuju Security & Consulting Services

Time and Location: December 16th, via Zoom Meeting 12:00-1:00pm

Please Note:  Zoom information will be sent in the RSVP Confirmation Email.

In keeping with our annual tradition, click below to assist ISACA Boise’s Virtual support of Toys for Tots.

 ISACA Boise Toys for Tots Giving

Presentation Summary:  In 20 years of IACS security work, I have yet to meet an engineering or process control team that doesn’t have a Top 10 Hate List for the security team.  10-20 security controls repeatedly cause more damage than they prevent if not rolled out in a thoughtful, methodical way to IACS networks.  

How can cyber security risk management efforts be considered effective if they CAUSE the impact we were hoping to avoid?  Why is it so hard for engineering and control system teams to fight the obvious and get IT and cyber security groups to pay attention?    

We’ll cover the basics of Industrial and Automation Control Systems (IACS) and why they differ so greatly from corporate IT environments.  Then, we’ll discuss how to secure them appropriately and balance functional vs technical security risk.  We’ll actually walk through a common Life Cycle Management (LCM) problem and do a technical risk analysis of it.

Bri Rolston, Chief Research & Security Geek, GkJuju Security & Consulting Services.  

By day, this mild-mannered <insert sarcastic disbelief here> geek works at Idaho National Laboratory  and specializes in defensive, security engineering research and threat response. She has more than 25 years’ experience in telecommunications, Information Technology (IT), Industrial Automation & Control  Systems (IACS)/Operational Technology (OT) security research as well as a wide range of operational  security experience including incident response, threat management, risk analysis & remediation,  vulnerability management, secure code development, cloud security, and IACS security program  development. She has trained a number of IACS incident response teams including DHS CIRT in 2005,  contributed to IACS and OT security standards development for DHS, DOE, NIST, and ISA/IEC, run a  number of incident response efforts for nation-state attacks (Google Aurora 2010), and has a patent for  efficient attack path selection and risk analysis.  

By night, the geek side REALLY comes out. She spends more time than she should considering deeply geekly ideas as part of the global research community, helps organize conferences such as BSides IF,  volunteers at small community groups, and vacations at different security cons. During this time, she follows the darker path of threat research–fingerprinting attack teams, examining the halo effects in  exploit development, and identifying 2nd-payload in IACS/OT attacks. Sometimes, she even plots world  domination and may plan to take over the world using a IIoT tractor SDRs, cell-towers, drones, and  satellites . <Cue evil laugh>

Location