Bryan Owen

Security trends and highlights from S4x19

Blog Post created by Bryan Owen on Jan 20, 2019

S4 may well be the ‘Davos’ for those who strive to improve modern society by addressing digital hazards affecting industrial automation systems. Technology professionals and industrial security thought leaders from around the globe converge annually at S4 to report lessons learned, exchange ideas, welcome newcomers and create our future.


Unofficially, the follow up story on Triton (malware targeting industrial safety systems) created the most buzz at S4. Gregory Hale’s report “S4: Warning Signs Before Triton Attack” at ISS Source fills in missing details from last year. Findings on what else was compromised seems like a nightmare scenario. No wonder the details took so long to emerge – especially with victim and vendor shaming that is all too common with cyber incidents. What if an incident response team recommends a full compromise assessment for your entire organization? Recommendation: Use the PI System Security Audit Tools to check your PI System especially if it spans your DMZ.


Lessons learned from the Liberty Eclipse Phase II live range grid black start simulation was another S4 highlight. Michael Toecker and OSIsoft/INL alum Gary Seifert told a riveting story. The importance of having a plan and knowing who is calling the shots proved to be a key finding. To me, Liberty Eclipse is exemplary of DOE/DARPA research that is ideal for public-private collaboration. For more information see E&E news reporter Blake Soback’s story about the test is published “Grid Planners put ‘black start’ technology to the test”.


Innovation on defense stands out at S4 this year. While S4 never fails to disappoint with offense research like your garage door opener is more secure than industrial cranes or hijacking PLCs, it seems critical infrastructure sectors have turned the corner with a focus on mission assurance and formal engineering based approaches. Highlights include Cyber Process Hazard Analysis and Consequence-driven, Cyber-informed engineering. ‘I can deal with disruption, but I can’t deal with destruction’ is a message from executives reported by interview with INL’s Andy Bochman. Extra info: OSIsoft uses cyber bow tie analysis methodology specifically to consider both prevention and consequence barriers.


Related engineering approaches described at S4 include. GE Digital Ghost, EPRI Threat Assessment Methodology, Layered Blueprints – A Method for Engineering OT Security, IEEE Making Power System Cybersecurity Part of the Engineering Process, and Threat Modeling Belgian Energy Producers. Bottom line: engineering approaches, more than information security compliance catalogs are necessary to secure industrial systems.


With so many thought leaders in one place ‘Create the Future’ was an appropriate S4 theme. Important topics in this category focus on risk management aspects having a global effect. These include my contributions to initiatives for securing the software supply chain as well as a new common vulnerability scoring system for industrial control systems. I look forward to reporting success as these initiatives mature and drive efficiency for everyone. In the meantime, check out the coverage by Sean Lyngaas of Cyberscoop “New code-validation project tries to spot the next industrial supply chain attack”.


S4 is infamous for technical challenges. The S4x19 ICS detection challenge for ICS network monitoring solutions was based on over 300GB of packet captures from a real facility. The data set was then anonymized and tainted with malicious traffic including Stuxnet and Havex for analysis by contestants. Results demonstrated by Dragos and Kaspersky are worth review especially for those interested in ICS traffic monitoring solutions with an overall summary from Dragos founder Rob Lee.


Participation at S4 is also a catalyst for OSIsoft security champions. Activities at S4x19 include 3 speaking sessions and sponsor host for over a dozen popular ‘capture the flag’ CTF challenges focused on the PI System. Challenge flags are designed to engage security researchers on the latest PI System technology and with our champions at S4 this year: Harry Paul's Blog James Dryden Kevin Geneva Lubos Mlcoch Mark McCoy

Our congratulations and S4x19 Capture the Flag honors go to Team Claroty with appreciation extended to all teams!