ICS Industry Pioneer and Expert Eric Byres of ICS-Secure reports on the RSA Conference last week.

I just returned from the RSA Conference 2017 in San Francisco, after a five year hiatus. If you are not familiar with the RSA Conferences, they are one of the largest cyber security events in the world, with a reported 40,000 attendees last year.

The last time I was at the RSA Conference, I didn’t think anyone there was taking ICS security seriously, so I decided to stop attending the event. This time I was hoping that with the interest in the Industrial Internet of Things (IIoT) and all the news of proven cyber impacts on critical infrastructures (like those in the Ukraine), things would be different.

Sadly nothing has changed.  The RSA Conference (RSAC) is still pretty much a waste of time for anyone concerned with either IIoT or ICS security.

RSAC 2017 looked promising at the start. Mike Assante was on the annual keynote panel “The Seven Most Dangerous New Attack Techniques, and What’s Coming Next”. You can see video of the talk here: https://youtu.be/45_ciRquXBE

But it went down hill after that with only one mainstream talk on ICS security. No tracks, no panels, no sessions… And while I didn’t attend that one talk*, the description told me enough:

IoT and SCADA: Lessons Learned and Case Studies    

Law | Mobile & IoT Security | Technology Infrastructure & Operations | Peer2Peer

This session will review key lessons learned about SCADA and IoT breaches and attacks such as Stuxnet and Mirai. We will look at the consequences of SCADA breaches and potential legal fallout, analyze two case studies, and discuss best legal and security practices. Case studies will feature two different potential attackers: a hostile nation state and aggrieved employees.

Facilitator: Lawrence Dietz, General Counsel and Managing Director of Information Security, TAL Global Corporation

Stuxnet?? Haven’t we heard enough of that old worm? Has nothing else happened since 2010? And why is this talk in a law session run by a lawyer? I’m sure that Mr. Dietz is a fine lawyer, but if he is the only ICS expert that RSAC can find, what are they saying? Maybe the message is “Time to lawyer up boys, ‘cause there’s nothing else we can do to secure ICS”.

In fairness there were four decent ICS sessions in the RSA Sandbox, all presented by familiar faces like Clint Bodungen, Andrey Nikishin and Tom VanNorman. Unfortunately the RSA SandBox is advertised as “Full of hands-on interactive experiences to test your infosec skills…This year the Sandbox opens with RSAC’s third annual craft beer tasting event, CyBEER Ops”.

Perhaps RSAC should add; “Hey all you ICS kids… come play in the sand box where you can’t hurt yourself. Just remember don’t run and don’t throw sand at each other”. I’m sorry, but the term “sandbox” and the setup of the sandbox area just did not instill any feeling that RSAC managment team thinks ICS security is important.

On the show floor the situation was equally sad. Out of the several hundred booths I visited, I only found four with staff that could talk intelligently about ICS or IIoT issues. Now I’m sure I missed a few booths, but RSAC didn’t make it easy to find ICS security vendors. On the RSA 2017 web site there are over 100 possible search keywords and 20 core topics, covering everything from ”Access Control” and “Anti-Spam” to “Zero Day Vulnerability”. Everything that is except the terms ICS, SCADA, or IIoT security. Those terms were conspicuously absent from the 120 search choices RSAC offered.

So would I recommend the RSA Conference to the ICS security community? Maybe if you want to meet up with colleagues – I had many productive face-to-face meetings with clients, potential partners and old friends. But if you want to see new ICS security technologies or listen to talks on the state of the art in IIoT security, go somewhere else. Dale Peterson’s S4 events  the SANS ICS Summit,  the ICSJWG meetings and the ARC Forum are far better ways to spend your time and money. And you can still meet your friends there too.

Will I be back in 2018? Maybe, but only for the face-to-face meetings. Instead I will be heading to the SANS ICS Summit in Orlando, March 19-21. Hope to see you there.

*In the interests of full disclosure, I didn’t buy a full conference pass, so there might have been things I missed – but I doubt it. And I didn’t manage to visit every booth in the show.  With over 650 exhibitors this year, I doubt anyone did. But I did struggle through every line of the exhibitors list and didn’t see any ICS-related vendors, except arguably my old friends at Belden. Unfortunately they were advertised only as TripWire, with no mention of ICS security in their show description.