www.managing-scada-security-risks.com
Presenting Real World Examples On Identifying
Vulnerabilities & Evaluating Mitigations For Every
Layer Of Your System Architecture & Business Process
• Multi Access Point Security
• Wireless Security
• Cyber Security
• Network Security
• Smart Grid Integration Security
• Physical Security
• Internal & Business Process Security
• Encryption Methods
• Firewall Configuration
Produced Primarily For:
• Electricity Utilities
• Water Utilities
• Oil & Gas Industry
But Also Relevant For:
• Oil Refineries
• Pipeline Operators
• Nuclear Power Plant Operators
• And Any Business Operating Advanced Automated Control Systems Managing Critical Infrastructure
May 25 - 26, 2011
Holiday Inn Golden Gateway
San Francisco
Organized by American Business Conferences
The First And Only Dedicated SCADA Security Event
Quantify Risk, Evaluate Vulnerabilities, & Discover Solutions For
Managing SCADA Network Security Risks
Strategies & Technical Solutions For Economically Managing Risk In A Multi-Threat Environment
Luis A Suarez, Program Manager, Information Security, TENNESSEE VALLEY AUTHORITY
Amy Beth, Superintendent of Process Control, DENVER WATER
Mike Firstenberg, Security Operations, AMERICAN WATER - SECURITY OPERATIONS
Tim Roxey, Director – Risk Assessment and Technology Division, NORTH AMERICAN ELECTRIC RELIABILITY CORP.
L C Williams, Senior Program Manager, Critical Cyber Asset Infrastructure for Enterprise IT Security, TENNESSEE VALLEY AUTHORITY
Gerald S. Frees, Director, NERC CIP Compliance, Regulatory Services, AMERICAN ELECTRIC POWER
Megan J. Hertzler, Assistant General Counsel and Director of Data Privacy, XCEL ENERGY
Jim Brenton, Director of CIP Standards Development, ERCOT
“SCADA systems are becoming prey to increasingly sophisticated security threats due partly to the actual amount of physical connections but also to potential new vulnerabilities within the business network itself – including those that could impact trade secrets, proprietary information
Industry Breakdown - Sector
Industry Breakdown - Job Seniority
As connections between the business network and the internet increase, it is apparent that organizations using SCADA systems are encountering more security threats. Due to new potential vulnerabilities to the business network, and the evolving threat landscape, there is now a greater need to increase security around trade secrets, proprietary information and the functionality of the business itself.
To do this, it is necessary to gain a better understanding of the scale of the threat, to avoid spending millions of dollars on projects that do not address the key vulnerabilities. It is important to understand the infrastructure of your SCADA or DCS system so that you are more aware of your vulnerabilities and can determine which security procedures, technologies and applications should be deployed for cost-effective security.
The mission of Managing SCADA Security Risks 2011 is to dispel the myths surrounding physical and cyber security by gaining awareness of the current threat environment and evaluating the scale of the threat. This will be achieved through real-world examples of how companies using industrial control systems are identifying vulnerabilities, and threat professionals will discuss the reality of SCADA risks and potential implications for your business. After considering on day one who is likely to attack, the event will provide an understanding of what type of architecture and revised business process can protect against an attack. This will be achieved by evaluating cost-effective technical solutions for making your SCADA networks more robust at every level.
Attendees Will Include
Event Breakdown
We Have An Established Reputation In Running Events For The
Utility And Oil And Gas Industries
Some of American Business Conferences Past Contributors Are Listed Below
Utilities/ Oil and Gas Industry
With The Following Job Titles:
• IT Security Professionals
• Director, IT Security & Controls
• IT Security Manager
• Vice President
• VP and CIO
• Director of Corporate Security
• Director, IT Enterprise Infrastructure
• Process Control Engineers
• IT Applications Manager
• Network Security, Information Protection Manager
• Director Engineering
• IT Security Specialist
• Vice President IT Infrastructure
• Director Project Management, Smartgrid
• Head of SCADA
• Head of IT
• Head of Telemetry
• Head of Operations
• COO
• Chief Security Officer
• Head of Engineering
• Automation & Process Control Engineering
• System Designers & Engineers
• Network Engineers
Day One:
May 25, 2011
09:00 Chair’s Introductory Remarks
The chair will outline the measurable goals of the conference:
• What areas are considered to be critical?
• Who is likely to attack?
• What type of architecture and revised business process can protect against an attack?
Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO)
09:10 – 09:35 Gaining Clarity On The Current And Evolving Multi Threat Environment And Quantifying Risk In Terms Of Financial Value
• Understanding the state of the threat and how it may affect your business to understand how you will have to adjust
• Making the business case for creating a long term strategy for mitigating and managing these threats: balancing business and cyber security risk
• Transferable lessons on evaluating vulnerabilities in relation to the components of your system
• Understanding where security measures must be focused around your specific system and determining which investment is going to have the greatest impact
• Assessing the likelihood, challenges and possible impacts of cyber warfare worldwide to prepare for potential outsider attacks on your SCADA network
• Looking at the statistics of how many different pieces of malware code various industries experience and react to on a daily basis
• Gaining an understanding of electric sector regulations and security standards in terms of how they are evolving, associated legislation and increased agency oversight
Jerry Freese, Director, NERC CIP Compliance, Regulatory Services, AMERICAN ELECTRIC POWER
Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO)
09:35 Question & Answer Session
WHAT ARE THE AREAS TO FOCUS ON?
09:45 Evaluating Vulnerabilities In Relation To The Key Interfaces Of Your System Architecture And Business Process
• Striking the balance between the level of security to provide an optimal level of protection versus being excessively intrusive
• Examining vulnerabilities of the following connections to identify what constitutes a critical situation:
1. Wireless Security
2. Hard wire/optical connection
3. Internet/cyber security
4. Network Security
5. Smart Grid Integration Security
6. Physical Security
7. Internal & Business Process Security
8. Encryption Methods
9. Firewall Configuration
10. Mobile Devices, Including USB Sticks
11. Authentication
L. C. Williams, Senior Project Manager, Critical Cyber Asset Infrastructure for Enterprise IT Security, TENNESSEE VALLEY AUTHORITY
Lisa Kaiser, Director, Strategic Planning and Policy, DEPARTMENT OF HOMELAND SECURITY
Mike Firstenberg, Security Operations, AMERICAN WATER
10:15 Question & Answer Session
10:30 Morning Refreshments To Be Served In Exhibition Showcase Area
REGULATORY FOCUS
11:00 Examining The Long Term Goals Of NERC And Smart Grid Standards To Determine How Industry Will Have To Adapt To Be Compliant
• Detailing the recent progress being made to develop the latest smart grid standards and how these may affect the NERC standards.
• Identifying what constitutes a critical situation and what your critical cyber assets are to determine what security measures must be implemented to ensure regulatory compliance
• Providing an insight into how threat profiling can be used to relate to what government agencies are seeing as a threat
• Outlining the problems associated with cyber security best practice versus regulatory compliance
• Understanding how timeliness of regulations can ensure you keep the latest preventative means in place in preparation
• Resolving how to balance compliance at both the government level and the state level and how regulations differ between utilities
• Understanding which NERC regulations could become mandatory, which of these standards apply to you and how industry is expected to comply
• Understanding the future of Critical Infrastructure Protection (CIP) requirements and how companies are expected to adhere
Tim Roxey, Director - Risk Assessment and Technology Division, NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION
Jim Brenton, Director CIP Standards Development, ERCOT
Frances Cleveland, Lead of the SGIP-CSWG Standards Subgroup
11:45 Questions & Discussion
REAL WORLD EXAMPLES OF RESPONDING TO INTRUSIONS AND BREAK INS
12:00 Deciphering The Issues Around Intrusion Events In Terms Of The Likeliness And Whether They Pose A Risk To Your Business
• Understanding how to respond to multi threats in a commercial environment
• Gaining an understanding of the cyber security response, the forensics that were done and the key implementation responses
• Evaluating how to perform forensics analysis of an industrial control system
• Understanding how to recover your system with a disaster recovery plan
Tony Dodge, Information Security Investigator and Advisor, BC HYDRO
12:30 Question & Answer Session
12:40 Networking Luncheon To Be Served In Exhibition Showcase Area
SHARING SCADA SYSTEMS ON BUSINESS NETWORKS
2:20 Understanding How The SCADA Network Interacts With The Corporate Network To Gain A Better Understanding Of What Measures Must Be Implemented To Effectively Separate These Networks To Improve Your Security
• Gaining an insight into how to make SCADA compliant with business network security requirements
• Understanding how SCADA can coexist in a business network environment
• Understanding the best practices of building virtual security in a business network environment
DAY 1: PRACTICAL EXAMPLES ON EVALUATING VULNERABILITIES
THROUGHOUT SCADA SYSTEMS TO DETERMINE WHICH RISKS
ARE THE MOST CRITICAL & EXPENSIVE
OPENING KEYNOTE SESSION MULTI-STAKEHOLDER PANEL
DAY 2: EVALUATING COST EFFECTIVE SOLUTIONS FOR MAKING
YOUR SCADA NETWORK MORE SECURE
• Examining the connections between SCADA and business systems and how you can put security in place without affecting your business process
• Understanding the types of firewalls available for segregating the SCADA and corporate network and where these should be placed
Mike Firstenberg, Security Operations, AMERICAN WATER
Amy Beth, Superintendent of Process Control, DENVER WATER
3:30 Questions & Discussion
SCADA RISK MANAGEMENT
3:40 Gaining An Understanding Of SCADA Risk Management From A Governmental And Industry Perspective
• Understanding SCADA risk management from a government employee involved in the RMP activities
• Gaining an insight into the perspective of the organization responsible for developing the bulk power system regulations
• Understanding SCADA risk management from the perspective of private industry as opposed to the public industry
Lisa Kaiser, Director, Strategic Planning and Policy, DEPARTMENT OF HOMELAND SECURITY
4:10 Questions & Discussion
4:20 Afternoon Refreshments
UNDERSTANDING YOUR SCADA SYSTEM
AND LOOKING AT THE INFRASTRUCTURE OF YOUR
CONTROL SYSTEM IN DEPTH
4:50 Examining Wireless Vulnerabilities To Identify What Security Measures Will Be Required And How To Move Your Business Model Forward As New Technologies Are Deployed
• Understanding the architecture of wireless connections to gain more awareness of the associated vulnerabilities that must be protected
• Gaining an insight as to whether the components of your wireless system are secure and knowing what to do if they are not secure
• Acknowledging the advantages of having a wireless network in terms of convenience and examining the latest technologies for making wireless more secure
5:20 Question & Answer Session
5:30 Chair’s Closing Remarks & End Of Day 1
5:40 - 6:30 Evening Cocktail Reception Served In Exhibition Showcase Area
Day Two:
May 26, 2011
09:00 Chair’s Opening Remarks
Megan J. Hertzler, Assistant General Counsel and Director of Data Privacy, XCEL ENERGY
EVALUATING THE BUSINESS BENEFITS OF VARIOUS
SECURITY MEASURES TO LOCK DOWN YOUR
CONNECTIONS AND GUARANTEE SYSTEM INTEGRITY
09:10 Securing The Network At The SCADA-Internet Interface & Linking Your SCADA System To Other Commercial Information Systems Without Compromising Security
• Determining innovative ways of being able to secure a public interface on any source to prevent a denial of service or intrusion
• Assessing optimal ways of hardening your network to mitigate distributed denial of service attacks
• Understanding how to access your SCADA data without compromising the network
• Providing an insight into what is the most secure way to extract vital information from SCADA systems to enable sufficient reporting
• Understanding the types of highly controlled firewalls and other protective measures for the SCADA-internet interface to prevent the internet access through your SCADA system thus enhancing security
• Gaining an understanding as to what companies are doing towards moving to a more standardized communication network such that they can tie in anybody’s SCADA system into that network for the exchange of data
• NERC CIP cyber security beyond compliance
Jim Brenton, Director CIP Standards Development, ERCOT
09:40 Questions & Discussion
FIREWALL FOCUS
09:50 Understanding Best Practices Around Firewall Configurations To Keep The Networks Separate And Secure
• Understanding how to use firewalls to keep internet traffic away from SCADA traffic and to protect this traffic
• Determining the best practices around setting up DMZs both within your system and on the peripheries
• Understanding various routing methods in terms of configuring routers to pass traffic from and to specified devices
• Elucidating best practice for firewall policies
• Detailing what would be considered a strong firewall configuration as opposed to a weaker configuration
Mike Firstenberg, Security Operations, AMERICAN WATER
10:20 Questions & Discussion
10:30 Morning Refreshments Served In The Exhibition Showcase Area
11:00 Gaining An Understanding Of Data Access And Privacy Issues Related To Smart Grid Technologies
• Gaining an understanding of the Department of Energy proceeding regarding input on privacy issues for customer-specific energy usage data (CEUD)
• Summarizing the recent and current federal and state proceedings addressing these privacy concerns
• Examining the outcome of the Colorado PUC rulemaking on privacy rules
• Outlining areas of growing consensus
• Identifying what utilities should be planning for in the areas of customer privacy
Megan J. Hertzler, Assistant General Counsel and Director of Data Privacy, XCEL ENERGY
11:30 Questions & Discussion
PANEL DISCUSSION
VENDOR PANEL
Effective Networking
Who you meet is just as important as what you learn. We’ve strategically integrated valuable networking time into this two-day event to ensure you maximize the business potential of each new contact you make.
Engaging Event
Our speakers and delegates come from a number of technical and strategic backgrounds with differing ideas and points of view. This leads to well-rounded and balanced conference discussion both during and after the event.
Quality Over Quantity
Our events are not anonymous tradeshows. The solutions-driven nature of this conference attracts a majority of electricity utilities as well as a carefully selected proportion of attendees from a targeted and highly relevant supplier base.
Content is Key
The agenda is the backbone of an event and for that reason we spend weeks researching our content to ensure we address only the key industry topics in comprehensive detail to satisfy industry demand.
Relevant Research
It is essential that we research with the right people as well as reach large coverage. We make sure that our research partners are experts in their field and are heavily involved in the issues that are critical to their industry.
Expert Speakers
We are extremely selective in our speaker acquisition process. We ensure that our speakers are passionate industry leaders whose expertise and company background is focused specifically on the agenda topics.
Solutions Driven
Delegates continually walk away from our events with tangible solutions because our programs are designed specifically to facilitate technical progress and commercial interactivity. Each session has a dedicated Q&A, to maximize post-presentation debate.
Event Values:
INSIDER THREAT FOCUS
11:40 Implementing User Awareness And Training Your Work Force To Mitigate Accidental Insider Threats
• Discussing training methods, procedures and security strategies to minimize accidental insider threats without limiting access completely
• Clarifying the importance of user awareness in terms of understanding how critical their SCADA environment is
• Understanding the importance of background checks on new staff and being able to internally monitor users
• Gaining an understanding of new processes available to control employees when they move or leave to control the access they have to the system thus mitigating such insider threats
Patrick C Miller, President and CEO, NATIONAL ELECTRIC SECTOR CYBERSECURITY ORGANIZATION (NESCO)
Amy Beth, Superintendent of Process Control, DENVER WATER
12:20 Questions & Discussion
12:30 Networking Luncheon To Be Served In Exhibition Showcase Area
ASSESSING THE SECURITY ISSUES AROUND PHYSICAL
SECURITY IN RELATION TO CYBER SECURITY AND HOW BOTH
PHYSICAL AND VIRTUAL SECURITY CAN BE IMPLEMENTED
TOGETHER TO MAKE THE BUSINESS MORE ROBUST
PHYSICAL SECURITY FOCUS
2:00 Benchmarking Best Practice Physical Security Measures In Conjunction With Cyber Security Implementations To Ensure Sufficient Security And Regulatory Compliance
• Clarifying the importance of taking a cross disciplinary approach to physical and cyber security
• Understanding the latest methods and technologies to protect the physical security of the SCADA system
• Determining means of accomplishing seamless security for the whole SCADA by technologies, applications and procedures
• Highlighting the importance of efficient communication between the IT professionals and the process control engineers to allow for the effective integration of security from both sides
• Understanding where your weakest links are in order to justify costs for implementing physical security measures and to mitigate the physical security risk
• Understanding the physical security parameters as dictated by NERC to ensure regulatory compliance
• Understanding how to achieve security on the machines themselves by implementing, enabling and disabling ports
Tony Dodge, Information Security Investigator and Advisor, BC HYDRO
2:30 Questions & Discussion
2:40 Examining The New Technologies That Are Coming Out On The Market For Encryption & Smart Grid Security & Evaluating The Maturity Of Vendor’s Control System Devices
• Examining the latest technologies for control system security and smart grid security
• First hand experiences on implementation
• Making the business case for specific technical solutions and breaking down the costs of competing solutions
3:20 Extended Questions & Discussion
3:40 Afternoon Refreshments
4:10 Comparing Solutions For Making Wireless Networks More Secure
• Examining innovative methodologies and technologies for setting up SCADA networks in an ultra secure way to maximize cost savings
• Cost benefit analysis of the latest technical solutions for making wireless networks more secure
• Examining testing procedures for wireless radiation and the ability to interfere with data and obtaining information
4:50 Questions & Discussion
5:00 Determining Best Practices On Patch Management To Understand How Such Security Measures Can Be Implemented Into Your Own System
• Determining innovative methodologies other people across industry are applying for patch management
• Making sure there is a proper air gap in place to prevent infection on a system running continually
• Gaining an insight into the test environment for patch management and understanding to what extent you can test such security measures before these are deployed to a production system
• Understanding novel ways of discovering what patches you require without having to connect to the outside world
Luis A Suarez, Program Manager, Information Security, TENNESSEE VALLEY AUTHORITY
5:50 Chair’s Closing Remarks & End Of Day 2
[Floor plan diagram: Registration, Conference Hall, Exhibition Area with Stands 1 to 16, Tea and Coffee station]
Why Sponsor or Exhibit
Understand The Market & Identify Opportunities
This event is essential for companies who want to keep up to date with the industry's latest requirements and ensure products are competitively appropriate to the market. At Managing SCADA Security Risks 2011 you can utilize your market knowledge to more effectively direct your products and services to the most relevant customers.
Make New Connections
Meet industry leaders in person, and forge meaningful business relationships. Take the opportunity to network with the industry, understand clients’ needs and build your future business within elite industry circles.
Maximize your Brand & Showcase Your Products
Elevate your organization and products in front of senior decision makers from your specific target audience. Network and have meaningful discussions with professionals that are actively looking for new solutions.
Establish Your Organization
Place your company at the forefront of the leading industry initiative. Publicly display your in-depth involvement in driving forward Managing SCADA Security Risks.
Exhibition Floor Plan
The exhibition showcase will provide the opportunity for vendors to demonstrate their solutions in an informal setting. Unlike a traditional large exhibition or trade show you will gain access to the strategic decision makers at a time when the attendees are relaxed yet focused on discussing the solutions to their key business issues.
Organizations wishing to exhibit or sponsor a break, lunch or evening reception should email info@american-business-conferences.co.uk or call 1-800-721-3915
REGISTRATION FORM
Managing SCADA Security Risks 2011
2 DAY CONFERENCE May 25 - 26, 2011
Holiday Inn Golden Gateway, San Francisco
Register Online at www.managing-scada-security-risks.com
YES I would like to register the delegate(s) below for the 2 day conference Managing Scada Security Risks 2011
DETAILS: PLEASE USE CAPITALS. PLEASE PHOTOCOPY FOR MULTIPLE DELEGATES
Delegate 1. Miss/Ms/Mrs/Mr/Dr/Other:
Position:
Delegate 2. Miss/Ms/Mrs/Mr/Dr/Other:
Position:
Organization name:
Address:
Country:
ZIP/Postal Code:
Telephone:
Fax:
E-mail:
Signature:
Date:
DELEGATE RATES - WE HAVE TEAM DISCOUNTS SO YOU CAN INVOLVE YOUR WHOLE ORGANISATION OR TEAMS. CALL (1) 800 721 3915
VENUE INFORMATION
ACCOMMODATION
Holiday Inn Golden Gateway
1500 Van Ness, San Francisco, CA 94109
Reservations: (888) 465-4329
Front Desk: (415) 441-4000
Online: www.goldengatewayhotel.com
Location & Directions: www.goldengatewayhotel.com/map.asp
PAYMENT: PLEASE TICK APPROPRIATE BOXES AND COMPLETE DETAILS
Payment must be received in full prior to the event.
Check
I enclose a check in US Dollars payable to American Business Conferences Limited for $
Payment by WIRE TRANSFER
A copy of the bank transfer document should be attached to your registration form so appropriate allocation of funds can be made to your registration.
Barclays Bank: SWIFT/BIC Code: BARCGB22 IBAN: GB16BARC20301942331166 EIN. no: 98-0514924
Credit Card
Please debit my: Access, Visa, American Express, Mastercard, Switch/Maestro for Amount $
Card Number:
Start Date:
Name on card:
Expiry Date:
Signature of card holder:
Date:
Early Booking Discount
Book and pay before March 18, 2011 and claim our Super Early Booking Discount*.
Book and pay before April 15, 2011 and claim our Early Booking Discount*. Check box to claim.
DELEGATE FEES (Guests are responsible for their own travel and accommodation arrangements)
I’m claiming an Early Bird Discount – please check box
Full 2 Day Conference:
Super Early Bird Discount* (before March 18, 2011): $1,299
Early Bird Discount* (before April 15, 2011): $1,499
Standard Rate (after April 15, 2011): $1,699
I am interested in sponsorship and exhibition opportunities at the Managing Scada Security Risks 2011
I cannot attend the conference but would like to order the presentations on CD only:
CD, including audio files: $499
HOW TO REGISTER
From the US and Canada:
Call Toll Free on (1) 800 721 3915
Fax Toll Free on (1) 800 714 1359
By email:
info@american-business-conferences.com
Online:
Register online on our website at www.american-business-conferences.com or
www.managing-scada-security-risks.com
Address:
American Business Conferences 2300 M Street, NW
Suite 800
Washington, DC 20037 USA
Terms and Conditions
The conference is being organized by American Business Conferences, a division of London Business Conferences Ltd, a limited liability company formed under English company law and registered in the UK no. 5090859.
Cancellations received one calendar month (or the previous working day whichever is the earliest) before the event will be eligible for a refund less $150 administration fee. Cancellations must be made in writing. After that point no refund can be made. If you are unable to attend, no refund can be given but you may nominate a colleague to take your place. American Business Conferences reserves the right to alter or cancel the speakers or program.
Receipt of this booking form, inclusive or exclusive of payment constitutes formal agreement to attend and acceptance of the terms and conditions stated. *If you are claiming the early booking discount this may not be used in conjunction with other discounts advertised elsewhere.
We would like to keep you informed of other American Business Conferences products and services. This will be carried out in accordance with the Data Protection Act. Please write to the Head of Marketing, American Business Conferences at the address below if you specifically do not want to receive this information.
American Business Conferences.
2300 M Street, NW. Suite 800. Washington, DC 20037. USA
American Business Conferences will not accept liability for any individual transport delays and in such circumstances the normal cancellation restrictions apply. American Business Conferences is a Division of London Business Conferences Limited,
Registered in England No. 5090859 EIN. no: 98-0514924
Sponsorship and Exhibition
A limited number of sponsorship and exhibition opportunities are available at this event. For further information please call 1-800-721-3915
Team Discounts Available. Call 1-800-721-3915
Holiday Inn Golden Gateway has some of the most breathtaking views of San Francisco and the Bay Area. The 26 story high-rise hotel offers 499 comfortable, spacious, and refined rooms and suites in town.
Guests will enjoy a fine list of standard lodging amenities and close proximity to the downtown financial district, making us the ideal San Francisco Bay Hotel.