I frequently pound CISA for not having metrics. What are they trying to do and how will we know if it’s working or not? So, #walkthetalk. We have goals and associated metrics to measure the success of S4. For example, one goal and metric related to our Create The Future tag line is:

Goal: The new ideas presented at S4 events lead to actual, serious attempts to put the ideas in practice.

Metric: Capture five ideas generated at each S4 event and count how many of these top five are attempted in the subsequent 12 months.

The S4x20 Projects we picked:

  1. What to patch when in ICS … ICS-Patch. Status: Document issued but received minimal traction. Fail
  2. ICS4ICS – Incident Command System For ICS. Status: Megan Samford and ISAGCA ran with this and have created a program with lots of momentum. Success
  3. Top 20 Secure PLC Security Coding Practices. Status: Sarah Fluchs got this off the ground and was joined by Vivek Ponnada and a very active team. Document, training, videos and other resources available. Status: Huge success and growing
  4. Pwn2Own Miami to get top researchers to focus on key ICS cyber assets. Status: Pwn20wn came back to S4x22 and did some important work on OPC UA and DNP3 stacks. Many of the other targets revealed less useful information. Status: Partial Success.
  5. Expand the community by having over 1,000 individuals complete the OnRamp and Highway full training course. Status: Fail. Originally we ran this as a free course that was videos, exercises and comment board. We had thousands of registrants, but the completion rate was less than 10%. Videos moved to the S4xEvents YouTube channel.

Two success, one partial success, and two fails in terms of results. A close reading of the metric would say all were successes since they were attempted. We may tweak this metric.

It’s important to note that in most of these efforts we are only cheerleaders and help a bit with the early organization and marketing. The two that I played the biggest role in where the two fails. All this is prelude to:

DFIR For PLCs (and OT embedded devices)

This is one of our S4x22 selected projects. The team from Mandiant gave a session on the methodology and some tools they were working on. They then released a tool at Blackhat. There are some other tools out there as well. The ball is rolling.

The simple thing would be to put together a page with a link to all the DFIR tools. This is of value and Tim Yardley and a few others do this. What we found in the Top 20 Secure PLC Coding Practices is a list doesn’t drive the program. To do that you need documentation, presentations that team members can give, videos, training, vendor participation and more. The project can identify what is needed and encourage resources to create and share these tools.

I’ve talked to a handful of people who have expertise in this area and want to participate. The reason for this article is to throw a wider net, beyond the usual suspects.

Every week I’ll get a message from someone new to the field asking how they should grow their career in OT security. Providing meaningful help to a project like this is the best answer I have. Being one of the main contributors and leaders is one of the best ways to meet the people that will help you in your career and build your personal brand. My introduction into the OT security community was largely helped by being the IDS signatures for ICS protocols person back in the 2004-2006 timeframe.

A project like this needs both technical experts and people with good organizational, people and marketing skills. Even if you aren’t a digital forensics expert or software engineer you could play a major role.

Next Steps

Again, I’m only a cheerleader here. The next step is to get people who see the benefit in devoting some serious time on this identified and talking. What we saw in the Top 20 project was two leaders and what eventually became an active core of ~10. That’s one way, but not necessarily the way.

If you are interested in participating with some serious time, DM me or send an email to s4@digitalbond.com.

If you are interested and contribute in a smaller way or use the results. Hang loose. In 6 – 12 months there, hopefully, would be something for you to look at.