Here is my short, 13-minute introduction to S4x15. After going into a brief review of S4x12, x13 and x14, it covers the theme of S4x15 and where ICS security research is heading.

Assume an attacker has gained a presence on the ICS, such as gaining control of a computer or finding a way to connect to the ICS network.

  • What could and would an attacker do?
  • What can a defender do?

This moves the discussion from a “hacking” focus to engineering and automation. The “hacking” continues to be the easiest part of an ICS attack. What an adversary does after gaining control of a cyber asset is a much more difficult project than the common “I can take down …” bravado that is often read.

Engineering and automation also offers great opportunities on the defensive side, particularly on reducing the consequences of a cyber attack.

Admittedly this moves the ICSsec research community further out front of the ICS community, and there is a concern that we may be outrunning our supply lines. However, if we keep doing “research” on known and solved issues we will lose the best researchers and not be ready when the ICS community comes to the realization this is a problem that can be and needs to be solved.

One final thought that I’ll write more about later. While the ICS security researchers and thought leaders need to press forward, there is a huge and growing need for the typical ICS security conferences and training programs that the S4 attendee has little interest in. The ICSsec 101 needs to be taught to large numbers of people, and scaling these learning activities up is likely to be a major problem.