I missed a number of presentations due to a midday arrival on Wednesday and missed a few others to field a few intermittent phone calls, but got to hear most of them (my apologies to speakers not covered below).
First off, Patrick Miller and Steve Parker, EnergySec Presidents past and present, were both outstanding ringmasters and herders of wandering speakers.
Great to see Jack @sintixerr, @SharlaArtz, @LisaNCW Carrington and nearly see @Slad3G Griffin. And the amazing Tweetwall (center screen in picture above) facilitated audience participation, both in the room and globally, scrolling thoughtful 140 character contributions and snarky, succinct broadsides on the unsuspecting speakers! Hashtag for a replay of sorts is #ESS13.
Here's a summary of the talks I caught:
- Andrew Plato (Anitian) on his Rapid Risk Assessment approach, with special and humorous emphasis urging native security speakers to learn and use business language (maybe RosettaStone or Duolingo can help them with this)
- Julie Soutuyo (Tennessee Valley Authority) shared her experiences helping make TVA, faced with an onslaught of real-world cyber threats while having to address both FISMA and NERC CIP compliance regs, a more resilient organization
- Russell Thomas (George Mason University) aka @MrMeritology took us through a Texas Heat Wave movie plot of his own creation to illustrate how a balanced scorecard risk management framework could save the day. Look for it in theaters in 2015!
- Michael Toecker (Digital Bond) aka @mtoecker provoked the crowd with a great talk on bridging the divide between control systems operators and cyber security pros, and had us ready to see his concepts on a mock-up of an actual operator display. Sadly, he said that will have to wait until next time. Meanwhile, as SpongeBob would say, you're free to use your IMAGINATION
- Chris Sistrunk (Entergy) aka @chrissistrunk, an unabashed squirrel lover, showcased his extraordinary SCADA test lab, described how he built it and the many benefits it confers upon his coworkers at Entergy, and gave practical advice on how folks in the audience could jumpstart their own lab projects
- Jacob Kitchel (Industrial Defender) walked us through a DevOps approach to improving IT operations in control systems environments. He listed many helpful tools along the way, and made mention of ID's tools near the end. Not entirely security related ... and like Chris's before it, the audience seemed to eat it up.
- Gib Sorebo (SAIC) gave by far the most business oriented talk, focusing on what security practitioners in the audience need to know to better communicate security risks and requirements to their senior leadership, board members, and shareholders. He also described mature governance structures and business-risk based cybersecurity strategies
- Nadya Bartol (Utility Telecom Council) walked us through an exploration of the mesmerizing complexities of ICS supply chain security and shed some light on an emerging tool that may help utilities get a handle on this challenge: IEC 62443 2-4
- Spencer McIntyre (SecureState) - two key terms in this one for me: Zigbee, the low power networking standard used in AMI smart meters, and its evil twin: KillerBee, a "practice Zigbee exploitation framework". Good discussion on the current state and some of the continuing security issues with smart meters
Lastly, following University of Houston professor, Dr. Art Conklin's energetic opening, I moderated a Town Hall-style discussion on "Workforce Development in the ICS Workplace." We hit a lot of different notes over the course of several hours, and jointly investigated questions on how to build a robust pipeline of skilled operational security (OT) Security practitioners for utilities. I'll leave you with this image from my preso, which attempts to depict the current cultural and language divide one finds in many utilities. Just so you know, some of us are working hard to finish these bridges!
Got to go now ... Next year's in Austin!