CERIAS Weekly Security Seminar - Purdue University

We face an existential threat of permanent damage to critical physical components in our national infrastructure as a result of their poor resilience against cybersecurity attack. A Programmable Logic Controller (PLC) commonly provides the control system for such components, e.g., bulk power generators. Our proof-of-concept implementation dramatically mitigates threats to such cyber-physical systems (CPS) by specifically leveraging what NIST 800-160 calls "highly assured, kernel-based operating systems in Programmable Logic Controllers".We dramatically reduce the attack surface visible to potential attackers to be ~1% of the total compared to competing approaches. Our demonstration refactors the common CPS architectural approach to data and cooperating processes into hierarchically ordered security domains using the widely available OpenPLC project code base. The GEMSOS security kernel verifiably enforces traditional integrity mandatory access control (MAC) policy on all cross-domain flows. GEMSOS is designed for wide-spread delivery as a Reusable Trusted Device, providing the reference monitor for secure single-board, multi-board, and System-on-a-Chip systems.Only a processing component in the highest integrity domain can directly send/receive control signals, enforcing "safe region" operating constraints to prevent physical damage. This very small attack surface protects the critical physical components, making the overall CPS resilient to skilled adversaries' attacks, even though much larger lower integrity software running in other domains on the same Trusted Device hardware and network infrastructure may be thoroughly compromised. We make available our restructured OpenPLC source to encourage control system manufacturers to deliver verifiable PLC products to, as NIST puts it, "achieve a high degree of system integrity and availability" for control systems. UC Davis is using our demonstration on GEMSOS in their Computer Security Lab, today. About the speaker: Roger R. Schell is internationally recognized for originating several key modern security design and evaluation techniques, and was awarded patents in cryptography, authentication and trusted workstation. His experience includes 20 years in US federal program management (computers), 30 years as a computer industry security product vendor, and 5 years as a graduate cybersecurity engineering faculty member.He is President and a founder of Aesec Corporation, a start-up providing a commercial verifiably secure operating system. Previously Dr. Schell was co-founder and vice president for Gemini Computers, Inc., now an Aesec subsidiary. At Gemini he directed development of their highly secure (what NSA called "Class A1") commercial product, the Gemini Multiprocessing Secure Operating System (GEMSOS). He was also the founding Deputy Director of NSA's National Computer Security Center. He has been referred to as the "father" of the Trusted Computer System Evaluation Criteria (the "Orange Book"). Dr. Schell is a retired USAF Colonel. He received a Ph.D. in Computer Science from the MIT, an M.S.E.E. from Washington State, and a B.S.E.E. from Montana State. The NIST and NSA have recognized Dr. Schell with the National Computer System Security Award. In 2012 he was inducted into the inaugural class of the National Cyber Security Hall of Fame.

From compliance in the classroom to compliance on the street, important lessons that every cybersecurity professional should know.  We’ll cover proven approaches for compliance and risk assessment for a variety of industries, and present specific scenarios and strategies for addressing real challenges facing organizations with PCI, HITRUST, FedRAMP, CMMC and Privacy. Below are some of the examples that we will cover.   Scope creep (All) Setting deadlines and addressing missing evidence (All) Building out compensating controls (PCI) Conflict of Interest (FedRAMP) Internal Organizational Politics (Risk Assessment) Defensive Interviewees(All) Ethics and Responsible Reporting (All)

From compliance in the classroom to compliance on the street, important lessons that every cybersecurity professional should know.  We'll cover proven approaches for compliance and risk assessment for a variety of industries, and present specific scenarios and strategies for addressing real challenges facing organizations with PCI, HITRUST, FedRAMP, CMMC and Privacy. Below are some of the examples that we will cover. Scope creep (All)Setting deadlines and addressing missing evidence (All)Building out compensating controls (PCI)Conflict of Interest (FedRAMP)Internal Organizational Politics (Risk Assessment)Defensive Interviewees(All)Ethics and Responsible Reporting (All) About the speaker: Jeremiah Sahlberg is the Managing Director--Federal, Third Party Risk at Tevora and has more than 20 years of security experience.  Sahlberg is an executive security consultant and advises clients on establishing security programs and compliance management. He holds CISSP, CISM, PCI QSA and HITRUST certifications.   Previously, Sahlberg held theSenior Director of Protect Operations at NBC Universal and was the CISO for Tekmark Global Solutions.  Sahlberg has presented at Evanta(2019), NCUA-ISAO (2018), NCTA (2017), SINET (2016), New York State Cyber Security Conference (2014 & 2012), and Nevada Digital Government Summit(2010).  He guest lectures at NPower and sits on various Boards.

Cyber security data  in many ways mimics the behavior of organic systems. Individuals or groups compete for limited resources using a variety of strategies, the most effective of which are re-used and refined in later ‘generations’. Traditionally this behavior has made detection of malware very difficult because 1) recognition systems are often built on exact matching to a pattern that can only be ‘learned’ after a malicious entity reveals itself and 2) the enormous volume and variation in benign code is an overwhelming source of previously unseen entities that often confound detectors.  In addition, the enormous volume of malware artifacts is overwhelming anyone trying to categorize and characterize new additions to the many malware repositories as so much of the processing is done by hand. To turn the tables of complexity on the attackers, we have developed a method for mapping the sequence of behaviors that make up a malicious artifact to strings of text and analyze these strings using modified bioinformatics algorithms. Bioinformatics algorithms optimize the alignment between text strings even in the presence of mismatches, insertions or deletions and do not require an a priori definition of the patterns one is seeking. Nor do they require any type of exact matching. This allows the data itself to suggest meaningful patterns that are conserved between binaries. These patterns can be used to identify zero-day malware and can help to automate the curation and characterization of large quantities of suspected malware.  I will talk about our MLSTONES capabilities as an innovative and effective way of detecting and characterizing most types of malware artifacts.  I’ll also discuss how these capabilities can be used on other types of cyber security data. 

Cyber security data  in many ways mimics the behavior of organic systems. Individuals or groups compete for limited resources using a variety of strategies, the most effective of which are re-used and refined in later ‘generations'. Traditionally this behavior has made detection of malware very difficult because 1) recognition systems are often built on exact matching to a pattern that can only be ‘learned' after a malicious entity reveals itself and 2) the enormous volume and variation in benign code is an overwhelming source of previously unseen entities that often confound detectors.  In addition, the enormous volume of malware artifacts is overwhelming anyone trying to categorize and characterize new additions to the many malware repositories as so much of the processing is done by hand.To turn the tables of complexity on the attackers, we have developed a method for mapping the sequence of behaviors that make up a malicious artifact to strings of text and analyze these strings using modified bioinformatics algorithms. Bioinformatics algorithms optimize the alignment between text strings even in the presence of mismatches, insertions or deletions and do not require an a priori definition of the patterns one is seeking. Nor do they require any type of exact matching. This allows the data itself to suggest meaningful patterns that are conserved between binaries. These patterns can be used to identify zero-day malware and can help to automate the curation and characterization of large quantities of suspected malware.  I will talk about our MLSTONES capabilities as an innovative and effective way of detecting and characterizing most types of malware artifacts.  I'll also discuss how these capabilities can be used on other types of cyber security data.  About the speaker: Elena Peterson --Ms Peterson joined PNNL in 1990 after getting her BS in Computer and Information Sciences from the University of Oregon.  She is currently a Senior Cyber Security Researcher in the Computation and Analytics Division.  Ms. Peterson has led the research, development, and management of multiple cross-disciplinary, multi-laboratory projects focused in the fundamental sciences and national security sectors.  Her work has included research and development of integrated computational environments for bioinformatics, physics, computational chemistry, and cyber security.  She is currently the principal investigator for the MLSTONES and mMutant projects, which applies algorithms and tools from the biological sciences to create new and innovative solutions to relevant cyber security problems thus merging two of her main interests.

The last 5 years have seen a marked shift inhow companies view cyber threat intelligence (CTI) as a building block of theirsecurity strategy, but there still is a lot of confusion about how to build aprogram that provides utility. At its core CTI aims to provide informationabout motivations, methods and characteristics of attackers. In today’s rapidlyevolving threat landscape having timely access to CTI can be of significantvalue to security analysts. By looking beyond your own four walls organizationscan take faster mitigation action and also reduce their attack surface. AddingCTI to enterprise security programs can be an effective strategy to go from areactive to a proactive response. But the value of CTI is constrained by theability of enterprise security operations to contextualize, manage and actionupon it. This presentation will cover some fundamental CTI concepts, real worldchallenges in operationalizing it, and some easy ways to try it out foryourself.   Takeaways for the audience: 1. Overview of CTI concepts, frameworks,standards, and how they fit in the enterprise security model. 2. Clearer understanding of CTI data modelsand how they integrate with detection, protection and incident responseprocesses. 3. Practical ways to accelerate securityoperations and heighten defenses using CTI.

The last 5 years have seen a marked shift inhow companies view cyber threat intelligence (CTI) as a building block of theirsecurity strategy, but there still is a lot of confusion about how to build aprogram that provides utility. At its core CTI aims to provide informationabout motivations, methods and characteristics of attackers. In today's rapidlyevolving threat landscape having timely access to CTI can be of significantvalue to security analysts. By looking beyond your own four walls organizationscan take faster mitigation action and also reduce their attack surface. AddingCTI to enterprise security programs can be an effective strategy to go from areactive to a proactive response. But the value of CTI is constrained by theability of enterprise security operations to contextualize, manage and actionupon it. This presentation will cover some fundamental CTI concepts, real worldchallenges in operationalizing it, and some easy ways to try it out foryourself.  Takeaways for the audience:1. Overview of CTI concepts, frameworks,standards, and how they fit in the enterprise security model.2. Clearer understanding of CTI data modelsand how they integrate with detection, protection and incident responseprocesses. 3. Practical ways to accelerate securityoperations and heighten defenses using CTI. About the speaker: Shimon Modi is a seasonedcloud cybersecurity products and people leader with 10+ years experience andproven record of launching leading edge B2B SaaS solutions. Throughout his career Dr. Modi has worked in technical and leadershiproles on a wide range of cyber security initiatives in industry, government andacademia.  Dr. Modi is currently a Principal ProductManager at Elastic focused on building security solutions. Previously he wasHead of Product at TruSTAR Technology where he led PM, Engineering and DataScience teams in building an innovative cyber intelligence management platform.He was also a member of Accenture Technology Labs  where he led cybersecurity initiativesfocused on threat intelligence and the Internet of Things. Dr. Modi has also served as a technical experton US National standards and a delegate for the US National Body for ISObiometrics standards. He has authored a book, co-authored several book chaptersand published over 15 technical journal and conference articles. He has alsobeen invited to speak as subject matter expert at IEEE conferences and hackerconferences, including Black Hat & ShmooCon.

QoSient and a DHS independent SOC have been working together on an innovative pilot program called “Elimination of Unmonitored Space” (EUS) that strives to detect and respond to internal cyber threats through pervasive network sensing and sense-making in an enterprise network.   Modeled after the NSA’s Integrated Active Cyber Defense (IACD) architecture and the US DoD CENTAUR / Acropolis programs, the effort has developed a strategy for scalable development and deployment of new predictive cyber security analytics. In this presentation, we will present our approach to developing comprehensive network sensing at the endpoint and how centralized / regionalized analytic systems can manage the data and analytics needed to develop operational site-specific predictive analytics.  We believe that the shift to remote computing will push the need for awareness and predictive analytics at the endpoint and a new approach for cyber defense.

QoSient and a DHS independent SOC have been working together on an innovative pilot program called "Elimination of Unmonitored Space" (EUS) that strives to detect and respond to internal cyber threats through pervasive network sensing and sense-making in an enterprise network.   Modeled after the NSA's Integrated Active Cyber Defense (IACD) architecture and the US DoD CENTAUR / Acropolis programs, the effort has developed a strategy for scalable development and deployment of new predictive cyber security analytics.In this presentation, we will present our approach to developing comprehensive network sensing at the endpoint and how centralized / regionalized analytic systems can manage the data and analytics needed to develop operational site-specific predictive analytics.  We believe that the shift to remote computing will push the need for awareness and predictive analytics at the endpoint and a new approach for cyber defense. About the speaker: Carter is a recognized expert in cyber security and leader in the development of network security technology and practices for over 35 years.   His professional experience includes: 1) research and development in cyber security at US National Laboratories, Federally Funded Research and Development Centers, and the telecommunications industry, 2) managing security products and services development at leading network vendors, FORE Systems, Bay Networks and Nortel, 3) leading network security standards for the ITU, ATM Forum and IETF, and 4) providing cyber security consulting to the NSA, DHS, US DoD, NSF and the FBI. Carter is the inventor of "netflow" and is a recognized Subject Matter Expert in network cyber security, active cyber defense, situational awareness, network measurement and monitoring analytics for cyber security and security control assurance.  Carter holds a BS and MS in Pharmacology from The University of Georgia and has held Faculty Research Scientist positions at Carnegie Mellon University, and the Georgia Institute of Technology.

The adoption of advanced data technologies is one of the defining characteristics of the connected world. From ML to AI, we are getting a smarter, more personal world. The dystopic view is that not only Big Brother but many parties can monitor, control and manipulate us. What are the implications for trust? The need for privacy-enforcing technologies is now, not after the ghost is in the machine. What will you learn from attending? ·         How machine learning & AI play into conversations around trust and privacy ·         A framework to bring us into the future when it comes to privacy ·         What each of us can do now to further protect our privacy

The adoption of advanced data technologies is one of the defining characteristics of the connected world. From ML to AI, we are getting a smarter, more personal world. The dystopic view is that not only Big Brother but many parties can monitor, control and manipulate us. What are the implications for trust? The need for privacy-enforcing technologies is now, not after the ghost is in the machine.What will you learn from attending?·         How machine learning & AI play into conversations around trust and privacy·         A framework to bring us into the future when it comes to privacy·         What each of us can do now to further protect our privacy About the speaker: Sam Curry, Chief Security Officer, is an IT security visionary with over 20 years of IT security industry experience. Sam served as Chief Technology and Security Officer at Arbor Networks, where he was responsible for the development and implementation of Arbor's technology, security and innovation roadmap. Previously, he spent more than seven years at RSA (the Security Division of EMC) in a variety of senior management positions, including Chief Strategy Officer and Chief Technologist and Senior Vice President of Product Management and Product Marketing. Sam has also held senior roles at Microstrategy, Computer Associates, and McAfee. Alon Kaufman, Co-Founder and CEO of Duality Technologies, has 20 years of experience in the hi-tech arena, commercializing data-science technologies, leading industrial research and corporate innovation teams. Prior to founding Duality he served as RSA's global director of Data Science, Research and Innovation. In addition to his leadership experience, he is accomplished in the fields of artificial intelligence, machine learning and how they interplay with security and privacy, with over 30 approved US patents in these fields. He holds a PhD. in Computational Neuroscience and machine learning from the Hebrew University and an MBA from Tel Aviv University.

Q & A: https://www.cerias.purdue.edu/site/blog/post/summary_of_july_15th_2020_purdue_seminar_on_control_system_cyber_security/Critical infrastructures such as electric power, oil/gas, water/wastewater,pipelines, transportation, and manufacturing utilize process control and safetysystems to monitor, control, and assure safe operating conditions. Controlsystems consist of Internet protocol (IP) networks and HMIs to provide operatorinput and big data analytics. These systems have been designed with cybersecurity and authentication. However, what makes control systems unique are thecontrol system devices such process sensors, actuators, drives, power supplies,etc. that have no cyber security or authentication and are a direct threat topersonnel and equipment safety. Control system cyber security impacts are real.There have been more than 1,250 actual control system cyber incidents with morethan 1,500 deaths and more than $70Billion in direct damage. There is a need toget the computer scientists/network engineers that understand networks and thedomain engineers that understand the physical processes to work together orthere is no hope in securing the critical infrastructures. About the speaker: Joseph Weiss is an industry expert on controlsystems and electronic security of control systems, with more than 40 years ofexperience in the energy industry. Mr. Weiss spent more than 14 years at theElectric Power Research Institute (EPRI), the first 5 years managing theNuclear Instrumentation and Diagnostics Program. He was responsible fordeveloping many utility industry security primers and implementationguidelines. He was also the EPRI Exploratory Research lead on instrumentation,controls, and communications. Mr. Weiss serves as a member of numerousorganizations related to control system security. He served as the Task ForceLead for review of information security impacts on IEEE standards. He is also aDirector on ISA's Standards and Practices Board. He has provided oral andwritten testimony to three House subcommittees, one Senate Committee, and aformal statement for the record to another House Committee. He has alsoresponded to numerous Government Accountability Office (GAO) information requestson cyber security and Smart Grid issues. He is also an invited speaker at manyindustry and vendor user group security conferences, has chaired numerous panelsessions on control system security, and is often quoted throughout theindustry. He has published over 80 papers on instrumentation, controls, anddiagnostics including chapters on cyber security for Electric PowerSubstations Engineering and Securing Water and Wastewater Systems.He coauthored Cyber Security Policy Guidebook and authored ProtectingIndustrial Control Systems from Electronic Threats. In February 2016, Mr.Weiss gave the keynote to the National Academy of Science, Engineering, andMedicine on control system cyber security. Mr. Weiss has conducted SCADA,substation, nuclear and fossil plant control system, and water systemsvulnerability and risk assessments and conducted short courses on controlsystem security. He has amassed a database of more than 1,100 actual controlsystem cyber incidents. He was a member of Transportation Safety Board Committeeon Cyber Security for Mass Transit. He was a subject matter expert to theInternational Atomic Energy Agency on nuclear plant control system cybersecurity. He started the annual Industrial Control System (ICS) Cyber Security Conferencein 2002. Mr. Weiss has received numerous industry awards, including the EPRIPresidents Award (2002) and is an ISA Fellow, Managing Director of ISA FossilPlant Standards, ISA Nuclear Plant Standards, ISA Industrial Automation andControl System Security (ISA99), a Ponemon Institute Fellow, and an IEEE SeniorMember. He has been identified as a Smart Grid Pioneer by Smart Grid Today. Heis a Voting Member of the TC65 TAG and a US Expert to TC65 WG10,Security for industrial process measurement and control – network and systemsecurity and IEC TC45A Nuclear Plant Cyber Security. Mr. Weiss was featured inRichard Clarke and RP Eddy's book- Warning – Finding Cassandras to StopCatastrophes. He has patents on instrumentation, control systems,and OT networks. He is a registered professional engineer in the State ofCalifornia, a Certified Information Security Manager (CISM) and Certified inRisk and Information Systems Control (CRISC). Website: www.controlglobal.com/unfetteredBook: Protecting Industrial Control Systemsfrom Electronic Threats

Q & A: https://www.cerias.purdue.edu/site/blog/post/summary_of_july_15th_2020_purdue_seminar_on_control_system_cyber_security/ Critical infrastructures such as electric power, oil/gas, water/wastewater,pipelines, transportation, and manufacturing utilize process control and safetysystems to monitor, control, and assure safe operating conditions. Controlsystems consist of Internet protocol (IP) networks and HMIs to provide operatorinput and big data analytics. These systems have been designed with cybersecurity and authentication. However, what makes control systems unique are thecontrol system devices such process sensors, actuators, drives, power supplies,etc. that have no cyber security or authentication and are a direct threat topersonnel and equipment safety. Control system cyber security impacts are real.There have been more than 1,250 actual control system cyber incidents with morethan 1,500 deaths and more than $70Billion in direct damage. There is a need toget the computer scientists/network engineers that understand networks and thedomain engineers that understand the physical processes to work together orthere is no hope in securing the critical infrastructures.

Digital Transformation has fundamentally affected the conduct of elections since 2000. This webinar shares the perspective of a former senior Federal official who worked to help secure US elections against foreign interference during a 30+ year career in the US Government and who now works as a Chief Information Security Officer for a leading global cyber and network security company. This presentation will provide both background knowledge applicable to a general audience as well as advice and recommendations for government officials and their partners who are charged with carrying out elections. Topics covered in this webinar include: ·      Identifying key challenges in electoral integrity, especially the importance of public perception and voter confidence.Explore why and how securing elections differs from classic’ information security in its complexity and solutions. ·      Describing the “perfect storm” of colliding factors in the 2020 elections. We faceCOVID-19 related challenges ranging from public health concerns to added complexity and cost—and a pivot to mass mail-in voting is likely to both require process and technology changes and put stress on some of the most fragile parts of the existing election infrastructure. The expected surge of mail-in paper ballots in 2020 doesn’t make cybersecurity irrelevant;if anything, it heightens its importance. Dealing with these challenges is a risk management problem; so the webinar will provide recommendations on ‘doing with less’ – ranging from which parts of the problem to address first to how to harness the power of IT and leverage partnerships.

Digital Transformation has fundamentally affected the conduct of elections since 2000. This webinar shares the perspective of a former senior Federal official who worked to help secure US elections against foreign interference during a 30+ year career in the US Government and who now works as a Chief Information Security Officer for a leading global cyber and network security company. This presentation will provide both background knowledge applicable to a general audience as well as advice and recommendations for government officials and their partners who are charged with carrying out elections. Topics covered in this webinar include:·      Identifying key challenges in electoral integrity, especially the importance of public perception and voter confidence.Explore why and how securing elections differs from classic' information security in its complexity and solutions.·      Describing the "perfect storm" of colliding factors in the 2020 elections. We faceCOVID-19 related challenges ranging from public health concerns to added complexity and cost—and a pivot to mass mail-in voting is likely to both require process and technology changes and put stress on some of the most fragile parts of the existing election infrastructure. The expected surge of mail-in paper ballots in 2020 doesn't make cybersecurity irrelevant;if anything, it heightens its importance.Dealing with these challenges is a risk management problem; so the webinar will provide recommendations on ‘doing with less' – ranging from which parts of the problem to address first to how to harness the power of IT and leverage partnerships. About the speaker: Jim Richberg's role as a Fortinet CISO leverages his 30+ years' experience leading and driving innovation in cybersecurity, threat intelligence, and cyber strategy & policy for the US Government and international partners.Prior to joining Fortinet, he served as the National Intelligence Manager for Cyber, the senior Federal Executive focused on cyber intelligence within the $80B+/100,000employee US Intelligence Community (IC). He led creation and implementation of cyber strategy for the 17 departments and agencies of the IC, set integrated priorities on cyber threat, and served as Senior Advisor to the Director of National Intelligence (DNI) on cyber issues. He brings a broad enterprise-level approach to cybersecurity honed as a member of the Executive team which created and oversaw implementation of the multi-billion dollar whole-of-government Comprehensive National Cybersecurity Initiative(CNCI) that generated new Government cyber capability and enhanced cybersecurity in the private sector and critical infrastructure.Mr. Richberg's broad operational experience –including his 20 years at CIA-- gives him practical insight into difficult cyber problems ranging from advanced threat capabilities to supply chain integrity and election security. He has extensive experience engaging with audiences ranging from Heads of State and CEO's to analysts and IT staff. He brings a strong focus on strategic problem solving (identify and solve the key problem vs. the most visible one) and on framing complex problems in comprehensible terms that facilitate analysis and formulation of solutions.