pa|CS3STHLM – the Stockholm international summit on Cyber Security in SCADA and- is an annual summit that gathers the most important stakeholders across critical processes and industries. CS3STHLM has been organized since 2014, and has quickly become the premier ICS Security Summit in Northern Europe! The participants at CS3STHLM are interested in securing control systems, critical infrastructure, automation and smart-grid. The summit gathers ICS/SCADA stakeholders across many different types of critical infrastructures. CS3STHLM invites an international SCADA/ICS community, and all official communication and presentations will be in English. CS3STHLM offers three days full of opportunities for increased knowledge - one day of practical tutorials followed by two days of presentations by top speakers from the ICS field. CS3STHLM is a summit that offers generous time for lectures, networking and exchange of experiences on today's challenges in regard to ICS/SCADA security, together with practical advice on how to manage them. The summit is built around a mix of presentations from two stages, practical demonstrations in the ICS lab, lightning talks and the Hallway Track for networking. The CS3STHLM summit gives you a great opportunity to experience international top-speakers and meet the most experienced experts in the field. Robert Malmgren and Erik Johansson, two leading Swedish industrial security specialists, are the organizers of CS3STHLM. Their practical experiences are fundamental for the success of this summit. 20-22 October 2020 21-24 October 2019 22-25 October 2018 23-26 October 2017 25-27 October 2016 20-22 October 2015 CS3STHLM Summit Dinner - also known as The Gala Dinner. Summit 2019 had the pleasure of having Herman Geijer talk about Zombie Survival. Andy Greenberg from Wired presented his findings in his upcoming book -. Torstein Gimnes Are from Norsk Hydro talked about the events that followed the cyberattack on Norsk Hydro earlier in 2019.
At the CS3STHLM Expo 2019, an ICS Cyber Security Expo in Stockholm, you get an overview of threats and different protection that's available on the market. Here you will meet researchers, vendors and experts who share their experiences of best practice and trends in IT security for critical parts of society. 22 October 2019 li|Speakers Expo Partners Attendees h1|CS3STHLM h2|The Premier Cyber Security Conference for ICS/SCADA and Critical Infrastructure The Summit 2020 2019 2018 2017 2016 2015 The Expo 2019 h3|Organized by Recent News Who Should Attend? What Will You Learn? Why Attend? Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Summit Dinner Andy Greenberg Torstein Gimnes Are Nalen, Stockholm h4|26-28 October 2021 Nalen in Stockholm, Sweden History Summit 2019 Gala Dinner Summit 2019 Keynote Summit 2019 Keynote Previous Expo sp|Menu 21 December 2020 news CS3STHLM Newsletter December 2020 26 November 2020 news CS3STHLM Newsletter November 2020 23 October 2020 news CS3STHLM 2020 - Thank You! 22 October 2020 press EXTRA PRESS RELEASE FROM CS3STHLM 8 9 150+ rmation pa|This page contains information which is not active and is tied to past events. At the CS3STHLM Expo 2020, an ICS Cyber Security Expo in Stockholm, you will get an overview of threats and different protection that's available on the market. Here you will meet researchers, vendors and experts who share their experiences of best practice and trends in IT security for critical parts of society. CS3STHLM Expo enables companies and organisations to network and demonstrate valuable experiences, products and services via workshops and presentations. The Expo offers a place for valuable discussions and to experience success stories from around the globe. Moreover, it's an excellent opportunity for networking among peers in the industry and for meeting security experts as well as representatives from governmental agencies and organisations.
li|Expo Wednesday & Thursday October 21-22 Time: 09-16 How can I contact the organizer with any questions? If you have any questions, contact us at: info@cs3sthlm.se h1|CS3STHLM h2|CS3STHLM Expo h3|When Faq h4|21-22 of October sp|Menu CS3STHLM 2019-2020 View rmation pa| li|News h1|CS3STHLM h2|The Newsroom CS3STHLM Newsletter December 2020 CS3STHLM Newsletter November 2020 CS3STHLM 2020 - Thank You! EXTRA PRESS RELEASE FROM CS3STHLM CS3STHLM seventh conference on Cyber Security CS3STHLM Newsletter October CS3STHLM seventh conference on Cyber Security CS3STHLM Newsletter September CS3STHLM Goes Virtual The Locked Shields Sessions Submissions to the 2020 CFP CS3STHLM Newsletter February CS3STHLM 2020 Theme Smarter! 2019 Releases of Recordings CS3STHLM Newsletter January CS3STHLM Newsletter October - Thank You CS3STHLM Newsletter September Stephen J. Hilt - Trend Micro CS3STHLM Newsletter August CS3STHLM Newsletter June CS3STHLM Newsletter February CS3STHLM Newsletter December CS3STHLM Summary of 2018 Event CS3STHLM Record Attendance CS3STHLM App and Honey Pot Competition CS3STHLM fifth conference on industrial cyber security Ola Hermansson - Technical Operations Manager Anton Shipulin - Kaspersky Lab Kai Thomsen - Senior Incident Responder CS3STHLM Newsletter September Erik Johansson - Co-founder of CS3sthlm Dr. 
Stephan Beirer - The Expert on the ISO/IEC 20719 standard Mikael Vingaard - The Expert on ICS Honeypots CS3STHLM Newsletter April CS3STHLM Newsletter December CS3STHLM Presents ICS- and IoT Lab together with Norwegian Energy CERT Advenica announces new collaboration with CS3STHLM CS3STHLM Newsletter September Malware that can knock out power grids discovered CS3STHLM Newsletter June CFP - DON'T MISS OUR DEADLINE Cyber Security Summit 4SICS Relaunches as CS3STHLM h3|2020 CS3STHLM 2019 CS3STHLM 2018 CS3STHLM 2017 CS3STHLM h4|News & Press sp|Menu 21 Dec 2020 news 26 Nov 2020 news 23 Oct 2020 news 22 Oct 2020 press 15 Oct 2020 press 12 Oct 2020 news 24 Sep 2020 press 17 Sep 2020 news 10 Jul 2020 news 23 Mar 2020 blog 05 Mar 2020 blog 20 Feb 2020 news 14 Feb 2020 blog 14 Feb 2020 blog 13 Jan 2020 news 28 Oct 2019 news 08 Oct 2019 blog 30 Sep 2019 news 24 Sep 2019 blog 30 Aug 2019 news 28 Jun 2019 news 15 Feb 2019 news 19 Dec 2018 news 25 Oct 2018 news 24 Oct 2018 news 22 Oct 2018 news 18 Oct 2018 press 15 Oct 2018 blog 15 Oct 2018 blog 26 Sep 2018 blog 19 Sep 2018 news 18 Sep 2018 blog 17 Sep 2018 blog 17 Sep 2018 blog 30 Apr 2018 news 20 Dec 2017 news 04 Oct 2017 press 14 Sep 2017 press 13 Sep 2017 news 13 Jun 2017 press 13 Jun 2017 news 08 May 2017 news 21 Apr 2017 press rmation pa|For press and other media to attend the summit a press pass is required for reporters, and a photo pass for photographers. Apply by sending an email to the address below where you present your publication, if you need more than one accreditation, and if you need a photo pass. For applications and questions regarding press logistics please contact Please note that the high profile of the summit means certain restrictions regarding photography, a photo pass does not guarantee access to the actual seminars. There will be dedicated press rooms for photo shoots and interviews, and we have staff on site that will help organize these for you. 
li|Press Cissi Thorell Press Officer press@cs3sthlm.se h1|CS3STHLM h2|Press Information EXTRA PRESS RELEASE FROM CS3STHLM CS3STHLM seventh conference on Cyber Security CS3STHLM seventh conference on Cyber Security CS3STHLM fifth conference on industrial cyber security CS3STHLM Presents ICS- and IoT Lab together with Norwegian Energy CERT Advenica announces new collaboration with CS3STHLM Malware that can knock out power grids discovered Cyber Security Summit 4SICS Relaunches as CS3STHLM h3|Please Note 2020 CS3STHLM - 2018 CS3STHLM - 2017 CS3STHLM - h4|Press & Media sp|Menu Press Announcements 22 Oct 2020 press 15 Oct 2020 press 24 Sep 2020 press Press Announcements 18 Oct 2018 press Press Announcements 04 Oct 2017 press 14 Sep 2017 press 13 Jun 2017 press 21 Apr 2017 press rmation pa|This page contains information which is not active and is tied to past events. CS3STHLM – the Stockholm international summit on Cyber Security in SCADA and- is an annual summit that gathers the most important stakeholders across critical processes and industries. CS3STHLM has been organized since 2014, and has quickly become the premier ICS Security Summit in Northern Europe! 20-22 October 2020 21-24 October 2019 22-25 October 2018 23-26 October 2017 25-27 October 2016 20-22 October 2015 22-23 October 2014 The venue of our choice, Nalen, has a long and fascinating history. Built in 1888, it has over the years seen a wide range of events ranging from athletic competitions to religious meetings. Today Nalen hosts over a hundred concerts and conferences annually in its carefully renovated premises. We will have multiple stages with the best international speakers and trainers, have excellent social activities and provide hard-to-earn knowledge, no matter if it is deeply technical matters, successful solutions or policy briefs. The Security Lab is, of course, returning to the CS3STHLM summit of 2019.
We plan to add even more ICS and ICS communication equipment to the lab, and we are working on extending the IoT security part further. li|About h1|CS3STHLM h2|ICS Conference h3|2020 2019 2018 2017 2016 2015 2014 h4|About CS3STHLM Past Events Nalen, Stockholm Speakers & Trainers Geek Lounge - The ICS Lab h5|Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Skyddsrummet, Stockholm sp|Menu CS3STHLM 2019-2020 Erwin Kooi & Rik van Hees at CS3STHLM 2018 rmation pa|This page contains information which is not active and is tied to past events. li|Agenda h1|CS3STHLM h2|Agenda 2020 h3|Tues Wednes Thurs Expo open Introduction Walk-through of the conference platform Hopin Q&A Conning Corona- on deception, scams and social engineering in a pandemic Expo open The sustainability of safety and security Break for sessions How to create a risk-based future-proof zone model Ransomware? Please Hold for The Next Available Agent Expo open Break for sessions Break for sessions Reverse Engineering Siemens PLCs: Lessons Learned for Today and Tomorrow Hacking Advanced Metering Infrastructure (AMI) – an attacker’s perspective on Distribution System Operator (in)security Expo open Break for sessions ACME Windpharms – It can’t be ‘smart’ if you lack simple security So You Want to Take Down the Electric Grid - or You Want to Defend It Pressing the big red button – on Incident Response Readiness in the Oil and Gas Sector Hidden Attack Surfaces of Modern Industrial Automation Systems Expo open Break for sessions Bug hunting in cloud connected ICS devices: Getting root from the cloud Smarter Shipping.
Hacking floating ICS for fun and profit Expo open Break for sessions Break for sessions Threat modeling and attack simulations for enterprise and ICS A Practical Way to Test OT Security Mechanisms in Real-life Scenarios Expo open Break for sessions Fake Company, Fake Factory but Real Attacks: Stories of a Realistic, High Interaction ICS Honeypot h4|Conference Overview Welcome Reception Summit Summit sp|Menu CS3STHLM 2019-2020 20th of October day - 19-20 21st of October day - 09-16 22nd of October day - 09-16:30 19:00-20:30 19:00 Erik Johansson & Robert Malmgren 19:10 Karl Emil Nikka 19:25 Erik 'Z' Johansson 19:30 Jenny Radcliffe 10:00-10:45 09:00 - keynote Ross Anderson 10:10 Accenture Session 10:35 Kristina Blomqvist Jonas Edberg 11:20 Daniel Kapellmann Zafra 12:00-13:15 12:10 Recorded Future Session 12:35 Darktrace Session 13:00 Ali Abbasi 13:50 Krzysztof Swaczynski 14:25-15:15 14:30 Waterfall Session 15:00 Colin Cassidy 15:40 Joe Slowik 09:00 Marie Moe Jan Tore Sørensen 09:50 Federico Maggi 10:40-11:25 10:50 Accenture Session 11:10 Kelly Leuschner 11:55 Andrew Tierney 12:30-13:45 12:35 Recorded Future Session 13:00 Darktrace Session 13:30 Simon Hacks Wenjun Xiong 14:00 Matan Dobrushin Idan Helzer 14:45-15:30 14:35 Waterfall Session 15:15 Stephen J. Hilt rmation pa|This page contains information which is not active and is tied to past events. The Security Lab is, of course, returning to the CS3STHLM summit of 2019. We plan to add even more ICS and ICS communication equipment to the lab, and we are working on extending the IoT security part further. Similar to one of the previous years, we plan to record and release the traffic in the ICS lab network. We encourage both newcomers as well as experts to connect to the environment to play with the available equipment. Newcomers will have help to get started by having some examples that they can test and learn from. More experienced users will be able to poke harder at the systems.
We have drafted a document that describes the "rules of engagement" for using the lab. The rules should make it easier for everyone to understand what is OK and what is not OK to do in the lab environment. It all boils down to being a "good neighbour" that does not interfere, destroy or make trouble for others. The rules of engagement are also a way to show to the general public that we bring this equipment to the conference for two purposes: one is to give people access to equipment that they normally cannot put their hands on and to allow them to learn about them. The second purpose is that if we find flaws or problems with the equipment, we will hand them over to KraftCERT, which is on site and in turn will coordinate disclosure with vendors. This is described in the document. (multiple) Siemens (S7 1200/1500/300/400), ABB AC800, ABB PM581, (multiple) Allen-Bradley Micrologix 1100, Allen-Bradley Micrologix 1400, Easy Tech Nanjing, Beckhoff (multiple) Fortinet, Hirschmann EAGLE 20, Hirschmann, Secomea, mGuard, RuggedCom Siemens, Digi, Moxa Dragos Cyberlens PwnPlug, WiFi Pineapple, Arlo Network Camera Cisco, Moxa (multiple), Westermo (multiple), Siemens (multiple), Ruggedcom (multiple), GarrettCom (multiple), Sierra Wireless ES450 (multiple) Garland TAPs MikroTik AutomationDirect, Phoenix Contact, SEL, Red Lion, Barix Barionet 100, Advantech ADAM 5500, industrial PCs In addition to this, we have all the IoT-related stuff, which is everything from Raspberry Pis and IoT development boards via Philips Hue/LIFX to lots of WiFi equipment and SOHO routers. More stuff will be added as we go along. This year's ICS and IoT security lab will be installed in the GeekLounge part of Nalen. That is in the basement, in the room called Stacken (the stack). This year there is a much larger team involved in setting up and running the lab, or with special tasks involving the lab during the conference.
The team members include Lars-Erik Smevold of KraftCERT (NO) who will be in charge of the lab, Robert Malmgren (SE) of ROMAB, Erik Hjelmvik (SE) of NETRESEC and Mikael Vingaard (DK). We would also like to thank the Norwegian National Security Authority and KraftCERT for providing new interesting equipment to the ICS Lab. li|Ics lab h1|CS3STHLM h2|The Security Lab h3|Rules of Engagement We will have equipment from I T Equipment Location at Conference Security Lab Crew Preparing the ICS Security Lab 2017 h4|ICS & IOT Security Lab PLC Firewalls Ethernet I/O Networking Monitoring Security Devices Industry Switches Networking Taps Routers Other sp|Menu CS3STHLM 2019-2020 o rmation pa|This page contains information which is not active and is tied to past events. We will have multiple stages with the best international speakers and trainers, have excellent social activities and provide hard-to-earn knowledge, no matter if it is deeply technical matters, successful solutions or policy briefs. li|Program h1|CS3STHLM h2|The Program h3|Speakers Jonas Edberg Joe Slowik Michal Paulski Colin Cassidy Presentations Application of RAMS methodologies in OT Security Detecting and Tracking RATs in the Energy Sector The sustainability of safety and security Threat modeling and attack simulations for enterprise and ICS h4|Summit Program Cyber Security Consultant Adversary Hunter OT Security Architect Senior Security Consultant sp|Menu CS3STHLM 2019-2020 Ignacio Moreno Canadas Nour Fateen Ross Anderson Simon Hacks Wenjun Xiong rmation pa|Omnisiens AB is a private limited liability company registered in Stockholm, Sweden.
556976-8244 SE556976824401 li|Contact Omnisiens AB Rörstrandsgatan 30A 113 40 STOCKHOLM Sweden h1|CS3STHLM h2|Contact Details h3|Regarding the CS3STHLM summit: CS3STHLM summit is arranged by: h4|How to get in touch Mail Address Web Mail Our organisation number is: Our EU VAT-number is: sp|Menu rmation pa|This will be our 8th summit and we are on the lookout for partners who want to take an active part in the event. Contact us for more information P.S. English is the primary language at the CS3STHLM summit. This page contains information which is not active and is tied to past events. li|Partners Examples of partnership opportunities: Tutorial/workshop on company products Hosting of welcome reception, lunch or gala dinner Private rooms for meetings/showcases Equipment demonstrations in the ICS lab h1|CS3STHLM h2|Become a Partner Partners of 2020 h3|Premium Sponsor Organizer h4|Partners for 2021 sp|Menu CS3STHLM 2019-2020 rmation pa|At the CS3STHLM Expo 2019, an ICS Cyber Security Expo in Stockholm, you will get an overview of threats and different protection that's available on the market. Here you will meet researchers, vendors and experts who share their experiences of best practice and trends in IT security for critical parts of society. CS3STHLM Expo enables companies and organisations to network and demonstrate valuable experiences, products and services via workshops and presentations. The Expo offers a place for valuable discussions and to experience success stories from around the globe. Moreover, it's an excellent opportunity for networking among peers in the industry and for meeting security experts as well as representatives from governmental agencies and organisations. At the CS3STHLM Expo 2018, an ICS Cyber Security Expo in Stockholm, you will get an overview of threats and different protection that's available on the market.
Here you will meet researchers, vendors and experts who share their experiences of best practice and trends in IT security for critical parts of society. CS3STHLM Expo enables companies and organisations to network and demonstrate valuable experiences, products and services via workshops and presentations. The Expo offers a place for valuable discussions and to experience success stories from around the globe. Moreover, it's an excellent opportunity for networking among peers in the industry and for meeting security experts as well as representatives from governmental agencies and organisations. li| h1|CS3STHLM h2|Expo Expo How to save $1.7 million over three years on industrial cybersecurity: the Results of the Forrester Total Economic (TEI) Impact study Testbed Evaluation of DoS Attacks on Continuously Controlled Processes We are all vulnerable Applying automated attack modeling to a smart grid use case Cyber Security for OT/IIoT/ICS – what we have learned 1000 installations later Attack Path Mapping Project EnergyShield - hacking the power grid as a research method Expo Kaspersky Industrial Cybersecurity approach ICS cyber security in the face of digital transformation Resilient Computing and Communication for Critical Infrastructures Control Theory for Practical Cyber-Physical Security Recorded Future - The Dark Web’s deep threat intelligence secrets Security when failure is not an option Securing Low Level Software Using Formal Methods Securing Wireless Transmissions at the Air Interface Addressing Physical to Digital Convergence in an Evolving World h3|Presentations Anton Shipulin Henrik Sandberg Magnus Lundgren Mathias Ekstedt Michael Weng Robert Bearsby Robert Lagerström Partners Presentations Anton Shipulin Dr Kevin Jones György Dán Henrik Sandberg Jannis Utz Jonas Dellenvall Mads Dam Ragnar Thobaben Rick K.
Peters Partners h4|22 October Kaspersky Lab KTH Royal Institute Recorded Future KTH Royal Institute Nozomi Networks F-Secure Consulting KTH Royal Institute 23 October Kaspersky Lab Airbus Group KTH Royal Institute KTH Royal Institute Recorded Future Advenica KTH Royal Institute KTH Royal Institute Fortinet sp|The Archive - Expo Menu 2018 2019 2019 2018 rmation pa|Here we’ve gathered all of the information from our previous events for viewing. You can view everything from past hosted trainings to selected keynotes and our beloved gala dinner. The Gala Dinner is a recurring moment at our conference after the first day of presentations. Here we enjoy a lovely full course dinner with selected dinner entertainment. li| h1|CS3STHLM h2|The Archive Keynotes The cyber-attack on Hydro Industrial Technology Trajectory: Running With Scissors Exploring the Unknown ICS Threat Landscape Stuxnet and Beyond: The Age of Digital Warfare Why Control System Cyber Security Sucks Trainings Network Forensics Training PentestingHands-on Threat Modeling for ICS-OT Network Forensics Training ICS Scada Honeypot Technical Training PentestingNetwork Forensics Training Practical SCADA/ICS Honeypots Cyber Security for Industrial Automation and Control Systems: An introduction of the IEC 62443 standard How to maximize your usage of the Shodan platform Introduction to the IEC 62443 Standard ICS Active Defence SHODAN hacking PCAP Analysis and ICS Network Forensics Introduction to ISA99/IEC 62443 Intrusions Detection System forDeveloping, procuring and running secure and reliable systems Applied Cyber Defenses forSpeakers Presentations TLS Interception and Decryption *LIVE DEMO* How we reverse-engineered multiple industrial radio remote-control systems Testbed Evaluation of DoS Attacks on Continuously Controlled Processes The good, the bad and the segmented Control Theory for Practical Cyber-Physical Security Operator Jail breakout Industroyer: biggest threat to industrial control systems since
Stuxnet Network and Information Security Directive: the road ahead Industroyer: biggest threat to industrial control systems since Stuxnet Road to Cyber Threat Intelligence in the Energy Sector Embodied Vulnerabilities - How to find, fix, and think about them Exploring the Unknown ICS Threat Landscape Simulating Attacks on infrastructure systems in Egypt Is Your Plant "Ready to Crash"? Missing the Obvious: Network Security Monitoring for ICS Experiences from introducing security network monitoring at a major ICS environment What aren't we doing right? ... or is that 'What are we doing wrong?' Conversations with your Control System Gala Dinner Zombie Survival Fake news or folklore? Adventures in social engineering - tales of a "people hack" Voyage to Space Cyber Security through the ages h3|Torstein Gimnes Are Andy Greenberg Patrick Miller Robert M. Lee Kim Zetter Stefan Lueders 2019 Erik Hjelmvik Arnaud Soullié Jasper Hooft 2018 Erik Hjelmvik Mikael Vingaard Arnaud Soullié 2017 Erik Hjelmvik Mikael Vingaard Michael Theuerzeit 2016 John Matherly Arjan Meijer Robert M. Lee 2015 John Matherly Erik Hjelmvik Arjan Meijer 2014 Anders Rodrick Fredrik Hesse Joel Langill 2019 Erik Hjelmvik Stephen Hilt Henrik Sandberg 2018 Erwin Kooi Henrik Sandberg Dieter Sarrazyn 2017 Anton Cherepanov Paraskevi Kasse Robert Lipovský 2016 Margrete Raaum Eireann Leverett Robert M.
Lee 2015 Ahmed Sherif Eldemrdash Arjan Meijer Chris Sistrunk 2014 Anders Rodrick Joel Langill John Matherly 2015 - 2019 Herman Geijer Jack Werner Jenny Radcliffe Christer Fuglesang Peter Zinn h4|Quick Select 2019 2019 2018 2016 2015 2014 Two days Two days One day Two days Two days Two days Two days One day One day One day One day One day One day One day One day One day One day One day Zombie Survival Expert Journalist Social Engineering Expert Astronaut sp|The Archive Menu 2014 2019 2019 2018 2017 2016 2015 rmation pa|20-22 October 2020 21-24 October 2019 22-25 October 2018 23-26 October 2017 25-27 October 2016 20-22 October 2015 22-23 October 2014 li|History Topics Speakers Attendees Topics Speakers Workshops Attendees Topics Speakers Workshops Attendees Topics Speakers Workshops Attendees Topics Speakers Workshops Attendees Topics Speakers Workshops Attendees Topics Speakers Workshops Attendees h1|CS3STHLM h2|Our Past Events 2020 2019 2018 2017 2016 2015 2014 h3|Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Nalen, Stockholm Skyddsrummet, Stockholm h4|2014 - 2020 sp|Menu 22 26 340+ Virtual Event Coming soon 20 47 3 250+ 22 34 6 250+ 23 21 3 180 20 26 3 220+ 14 20 6 200+ 12 16 4 120 rmation pa|Here you can view all the best international speakers and trainers attending CS3STHLM over the years. We also host a dinner entertainment slot during the Gala Dinner. li| h1|CS3STHLM h2|Videos The fall of CODESYS Automotive DoIP and forensic analysis for automotive systems curl - the world's most used software component? Security Testing for ICS Owners 2.0 The Blue side of Locked Shields TLS Interception and Decryption Introduction to Malcolm Know what's happening in the exercise Broken Rungs: A look at popular ladder logic runtime privileges Digital Forensics and ICS: Why and how? Fuzz Testing IEC 61850 Project RunAway Cyber strategic decision-making exercises What is the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)?
When will my PLC support Mirai? Nation-State Supply Chain Attacks for Dummies and You Too SCADApocalypse Now 4.0 Ultra responsible disclosure The Red Team's view from the exercise Technical setup of the Locked Shields Exercise How we reverse-engineered multiple industrial radio remote-control systems Introduction to Locked Shields exercise Memory Forensics and DMA Attacks with MemProcFS and PCILeech Hunting and Responding in ICS Attack Cars Revisited Stateful Protocol Hunting The good, the bad and the segmented Indicators vs. Anomalies vs. Behaviors: A Critical Examination for ICS Defense Recent APT Campaign targeting Energy Sector Assets Using fake BTS as a part of pentest ICS Incident Response Learning as you go is Expensive Jumping Air Gaps Unblockable Chains - Is Blockchain the ultimate malicious infrastructure Industrial Technology Trajectory: Running With Scissors Securing the ICS lab network Secure SCADA Protocol for the 21st Century (SSP21) S in IoT is for Security Configurable Code-Reuse Attacks Mitigation Industroyer: Biggest threat to industrial control systems since Stuxnet Back to the IoT Future DYI insider threat detection/prevention within ICS environments With Akriti Srivastava, Dan Demeter, & Rossella Mattioli - Moderated by Robert Malmgren With Martin Eian - Moderated by Robert Malmgren Security for Safety: Fortifying the last line of defense Strategic Network Defense in ICS Environments Pandora's Box ICS Program Development for Multi-national Corporations From Box to Backdoor ENISA Trainings for Cyber Security Specialists Protecting European transport infrastructures BE, What We Really Know About the Notorious Cyber-Attacks DYODE: Do Your Own DiodE In a grid operator's security trenches Physics-based attack detection and countermeasures in control systems Too many cooks spoil the broth? The Rise of the Machines Lightweight protocol! Serious equipment! Critical implications!
PLC-Blaster - a worm living in your PLC Embodied Vulnerabilities - How to find, fix and think about them With Anton Cherepanov, Robert Lipovský, & Robert M. Lee CRATE City...consequences of a simulated cyber attack With Simin Nadjm-Tehrani, Henrik Sandberg, & Vidar Hedtjärn Swaling Exploring the unknown ICS Threat Landscape The Ukraine Cyber Attack: One Year Later Breaking isolation using cache attributes Cybersecurity in Europe - the NIS Directive & the role of Operators of essential services The role of anomaly detection in industrial control systems Ageing of ICS - What's the deal? Simulating Attacks on infrastructure systems in Egypt Building Automation Security Is Your Plant "Ready to Crash"? Missing the Obvious: Network Security Monitoring Hacking the Power Grid: Analyzing what Hackers do when they have access to the 'Power Grid Honeypot' Catastronomics: North Reducing attack surface on ICS with Windows native solutions PhysICS - Using physics simulation engine to demonstrate impacts on industrial control attacks The dirty secrets your hardware can keep, and how we can clean up its act IT and Cyber security at Svenska kraftnät Responsible Disclosure may be Irresponsible Case Studies in Real World ICS/SCADA Incident Response and Forensics Digital Maintenance and Test Equipment and Impact on Control System Security Who controls your industrial control systems? Reversing and Deciphering the Cyber Espionage Malware Communications With Kim Zetter, Eireann Leverett, Leif Nixon, & John Matherly - Moderated by Robert M.
Lee Asset Identification and Network Security Monitoring in ICS Networks The Little Pump Gauge That Could: Attacks Against Gas Pump Monitoring Systems h3|2019 Alexander Nochvay Christopher Corbett & Kevin Gomez Buquerin Daniel Stenberg Dieter Sarrazyn Erik Biverot & Johan Nilsson Erik Hjelmvik Janek Pelzer Jarkko Huttunen Jimmy Wylie & Reid Wightman Jonathan Jogenfors Markus Mahrla Matan Dobrushin & Yoav Flint Rosenfeld Michael Widmann Michael Widmann Mike Dodson Monta Elkins Nicklas Keijser Rikard Bodforss Sandra Bardón Silver Saks Stephen Hilt Thomas Svensson Ulf Frisk 2018 Ben Miller & Mark Stacey Cheng Lei Dan Gunter & Daniel Michaud-Soucy Erwin Kooi & Rik van Hees Joe Slowik Jonathan Homer Marcin Dudek Mark Bristow Mark Stacey Monta Elkins Omer Zohar Patrick Miller William Middleton 2017 Adam Crain Akriti Srivastava Ali Abbasi Anton Cherepanov & Robert Lipovský Dan Demeter Dieter Sarrazyn Harlem Session Harlem Session Jens Wiesner Joe Slowik Lars-Erik Smevold Melissa Crawford Patrick DeSantis Rossella Mattioli Rossella Mattioli 2016 Anton Cherepanov & Robert Lipovský Ary Kokos & Arnaud Soullié Erwin Kooi Henrik Sandberg Isabel Skierka & Jan-Peter Kleinhans John Matherly Lucas Lundgren Maik Brüggemann Marie Moe & Eireann Leverett Panel Discussion Peter Andersson & Erik Westring Research Session - Q & A Robert M. Lee Robert M. Lee Roberto Guanciale Rossella Mattioli & Paraskevi Kasse Simin Nadjm-Tehrani Vidar Hedtjärn Swaling 2015 Ahmed Sherif Eldemrdash Anders Östgaard Arjan Meijer Chris Sistrunk & Rob Caldwell Dewan Chowdhury Eireann Leverett Jan Seidl Jan Seidl Joe Fitzpatrick Kristoffer Sjökvist Leif Nixon Mark Fabro Michael Toecker Mikael Vingaard Monnappa K A Panel Discussion Robert M. Lee Stephen Hilt sp|The Archive - Videos Menu 2015 2019 rmation pa|For expert advice and support, and to guarantee vivid discussions, excellent input and insight to current events within our field, we are proud to present our advisory board.
li|Advisory h1|CS3STHLM h2|Expertise all around Anne-Marie Eklund Löwinder Kristina Blomqvist Margrete Raaum h3|Chief Information Security Officer at IIS, The Internet Foundation In Sweden Group Operational Technology Security Officer at Vattenfall AB CEO of the Norwegian Energy Sector CERT at Board Member of Forum of Incident Response and Security Teams (FIRST) h4|Advisory Board sp|Menu Sweden Sweden Norway rmation pa| li| h1|CS3STHLM h2|Gallery sp|The Archive - Gallery Menu 2017 2019 2019 rmation pa|This page contains information which is not active and is tied to past events. We will have multiple stages with the best international speakers and trainers, having excellent social activities and provide hard-to-earn knowledge, no matter if it is deeply technical matters, sucessful solutions or policy briefs. Ali Abbasi is a Post-Doctoral researcher at the Chair for System Security of Ruhr-University Bochum, Germany. His research interest involves embedded systems security mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. Currently, Ali is involved in projects related to software testing for embedded systems, specially in the context of Industrial Control Systems. He received his Msc degree in Computer Science from Tsinghua University, Beijing, China. He was working there on Programmable Logic Controller (PLC) security in Network Security Lab, Microprocessor and SoC Technology R&D center with the National 863 High-tech Program grant from Ministry of Industry and Information Technology of China. Ali received his PhD degree from Eindhoven University of Technology, the Netherlands. In Eindhoven, he was working on code-reuse defences for Programable Logic Controllers (PLC) and other embedded systems. Andrew leads the hardware team at Pen Test Partners. He covers all systems that aren't general purpose computers: IoT, phones, cars, ships, planes and industrial control. 
On the offensive side, he has spent many years reverse engineering, researching and finding vulnerabilities in these systems. On the defensive side, he takes the knowledge gained from research and advises companies on how to build secure products. This ranges from the nitty-gritty of securing devices against physical attack, through to developing complete connected platforms that make use of defence-in-depth so that they can stay secure through the entire lifecycle of the product. He trains people how to attack and defend hardware, with customers ranging from medical device manufacturers through to police forensics teams.

I have been a Senior Security Consultant at IOActive for 5 years and have performed many security audits of ICS/SCADA systems including: several assessments at two of the UK’s largest Distribution Network Operators, Energy Management Systems in Asia, Smart Meter infrastructure, shipping terminals, HVAC and baggage handling systems at one of Europe’s busiest airports, and several windfarms in Europe. I have presented at Blackhat and Defcon on Industrial Ethernet Switches, like those deployed in windfarms and other ICS environments. Prior to this I was the Security Technical Lead and core product development lead within GE for the PowerOn Fusion product, a leading Outage Management System/Distribution Management System (OMS/DMS) used throughout the world. I led the secure testing project of our product that took place at INL (Idaho National Laboratories) in 2010. I produced the secure coding guidelines now used throughout GE as the benchmark for secure coding guidelines within the business. Finally, I worked with a corporate security team to develop the processes and procedures for a GE wide PSIRT to handle reported vulnerabilities and security concerns/questions with any of GE’s product range. Graduated from the University of Glasgow with a B.Sc.
in Computing Science where I worked on the Nemesis Operating System (https://en.wikipedia.org/wiki/Nemesis_(operating_system)).

Daniel Kapellmann Zafra is a technical analysis manager for the FireEye Intelligence cyber-physical team. As a former Fulbright scholar, he holds a master’s degree in information management from the University of Washington specialized in information security. His multidisciplinary background ranges from consulting for ITU and the Competitive Intelligence Unit IT market research firm to IT planning and architecture for Puget Sound Energy. He is a frequent speaker on operational technology topics at local and international conferences including RSA, VirusBulletin, CyCON, ICSJWG, AFPM Operations & Process Technology and Hack the Capitol. In 2017, he was awarded first place at Kaspersky Academy Talent Lab's competition in Moscow for designing an application to address security beyond anti-virus.

With more than a decade of research experience in the cybersecurity field, Federico Maggi is specialized in doing threat and security analysis on virtually any system. Federico has analyzed web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Federico has experience on defensive technology and research, through building machine learning-based tools for intrusion and fraud detection. He’s applied data visualization techniques for analyzing botnets, and has gained basic malware analysis and reverse-engineering experience on Android-based platforms. Currently employed as a Senior Researcher with security giant Trend Micro, Federico was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside from his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students.
Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves in the review or organizing committees of well-known conferences.

Cyber-security researcher with military experience in a cyber security unit.

Jan Tore Sørensen wrote his master's thesis on Security in Industrial Networks in 2007 and has worked with the technical aspects of ICS security within several different industrial verticals for mnemonic since then. He has lately been involved in projects for securing critical subsystems on offshore installations in the North Sea and building a security monitoring scheme for IACS systems offshore.

Jenny Radcliffe is a world-renowned Social Engineer, hired to bypass security systems through a mixture of psychology, con-artistry, cunning and guile. A "burglar" for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organisations of all sizes in order to help secure money, data and information from malicious attacks. Jenny is a sought-after keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. A go-to guest expert on the human element of security, scams, cons and hacks, she has appeared on numerous television and radio shows, as well as online media and traditional press outlets. She is also the host of the award-winning podcast “The Human Factor”, interviewing industry leaders, bloggers, experts, fellow social engineers and con-artists about all elements of security and preventing people from becoming victims of malicious social engineering.

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available.
Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to ‘take the fight to the adversary’ by applying forward-looking, active defense measures to constantly keep threat actors off balance. When not hunting adversaries or playing with open source security projects, Joe loves playing ice hockey and building Legos.

Jonas is a cyber security consultant at Contrast Advisory, which he co-founded in 2017, with experience from a wide set of industries and companies. During the last few years Jonas has been focusing on cyber security within the energy industry. He has prior experience within GRC (Governance, Risk and Compliance), information security, external and internal audit, privacy, risk management and internal control from Transcendent Group and EY Advisory Services. Jonas holds a master’s degree in Industrial Engineering and Management from Chalmers University of Technology and is CISA, CISM, CRISC and CIPP/E certified.

Kelly Leuschner is a security researcher with Cisco Talos. Kelly spends her time looking for vulnerabilities in devices that interact with the physical world including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Internet of Things (IoT). She began her career as a contractor to the US government developing custom firmware for micro-controllers. Her fascination with learning how things work led her to shift focus to vulnerability research at Cisco Talos. Now, she works with vendors to fix problems in their products.

Kristina Blomqvist is group operational technology security officer at Vattenfall AB. She is responsible for creating, establishing and maintaining the OT Security area and for ensuring that all aspects of OT-security are aligned with relevant stakeholders within the Vattenfall group.
Moreover, she drives and coordinates OT security initiatives and monitors regulatory development. Kristina's previous engagements include being program manager for the Swedish National Program for ICS Security at MSB, the civil contingencies agency, working as an analyst and market director at FOI, the Swedish Defence Research Agency, and as an I&C subject area representative and specialist at the Swedish Nuclear Power Inspectorate, SKI. Kristina holds a master's degree in Engineering Physics from KTH, the Royal Institute of Technology. Kristina is also a long-term advisory board member for CS3Sthlm.

Krzysztof is a strategic advisor in the field of OT and IT security. He is a founder and board member of Seqred, a cyber security shop focused on testing and improving security in the ICS field. He gained his experience while working for strategic consultancy companies – EY and BCG. He advised global organizations in government, power & utilities, manufacturing, air transportation and building automation sectors, on the planning and safe implementation of IT and OT solutions as well as company-wide technology driven transformation programs. He worked with the management boards, CIOs, CISOs, whom he advised on fulfilling their potential and eliminating the risks stemming from new technologies. He expanded his managerial qualifications while participating in the Executive Education program at the MIT Sloan School of Management. In his current professional capacity Krzysztof leads a team of OT security researchers specialized in vulnerability assessments, i.e. reverse engineering, fuzzing and penetration testing. He holds the GIAC Global Industrial Cyber Security Professional (GICSP) certificate, a globally recognized industrial cybersecurity certification.

Dr. Marie Moe cares about public safety and securing systems that may impact human lives. Marie is a senior security consultant at mnemonic, and has a PhD in information security.
She is also an Associate Professor at the Norwegian University of Science and Technology, where she teaches the course “Incident Response, Ethical Hacking and Forensics”. She has experience as a team leader at NorCERT, where she did incident handling of cyber attacks against Norway’s critical infrastructure.

Cyber security researcher with military leadership experience in a cyber security unit.

Ross Anderson is Professor of Security Engineering at Cambridge University. He was one of the founders of the discipline of security economics, and is PI of the Cambridge Cybercrime Centre, which collects and analyses data about online wickedness. He has worked on key management for electricity substations; he was also a pioneer of powerline communications, prepayment metering, peer-to-peer systems, hardware tamper-resistance and API security. He is a Fellow of the Royal Society, the Royal Academy of Engineering, and the Institute of Physics, and a winner of the Lovelace Medal. He has just written the third edition of his textbook "Security Engineering – A Guide to Building Dependable Distributed Systems".

Simon is a postdoc in the Software Systems Architecture and Security group, Computer Science at KTH Royal Institute of Technology. He did his Ph.D. at RWTH Aachen University, Germany in the field of Enterprise Architecture Models. He supervised several theses related to Enterprise Architecture and supported the teaching of lectures in Software Engineering, Software Quality Assurance, Object Oriented Software Construction, and Software Project Management. He is Co-Chair of the VEnMo workshop, PC member at the TEAR workshop, and reviewer for the EMISA Journal. He received his master's degree in applied computer science from the Technical University Dortmund and his bachelor's degree in business informatics from the FOM University of Applied Sciences Essen.
Additionally, he did an apprenticeship as an IT specialist at E.ON IT in Essen and worked as a privacy consultant during his master studies at ISDSG.

Stephen Hilt is a Sr. Threat Researcher at Trend Micro. Stephen focuses on General Security Research, Threat Actors, Malware behind attacks, and Industrial Control System Security. Stephen enjoys breaking things and putting them back together with a few extra parts to spare. Stephen is a world-renowned researcher, having spoken at Blackhat US, RSA, HITB and many more. His research has gained him Dark Reading top hacks of the year twice. While working at Digital Bond, Stephen became an Nmap contributor, writing Nmap scripts for ICS and other mainstream protocols. This work led him to become an expert on ICS protocols and to co-author the book Hacking Exposed ICS and SCADA Security Secrets & Solutions.

Wenjun is a PhD student in the Software Systems Architecture and Security group, at the Division of Network and Systems Engineering, KTH Royal Institute of Technology. Her research interests include Threat Modeling, Attack Simulations, and Cyber Security. She is currently working on designing a threat modeling language - enterpriseLang, based on MITRE ATT&CK Matrix. She received her MSc degree in Communication and Information Systems in 2017, from the State Key Laboratory of Information Engineering in Surveying, Mapping and Remote Sensing, Wuhan University, China, with special focus on Information Privacy.
Speakers

World Class Content

CS3STHLM 2019-2020

Speaker | Role | Country | Session
Ali Abbasi | Post-Doctoral Researcher at Ruhr-University Bochum | Germany | Presentation
Andrew Ginter | VP Industrial Security at Waterfall Security | | Partner Session
Andrew Tierney | Security Consultant at Pen Test Partners | United Kingdom | Presentation
Andrew Tsonchev | Director of Technology at Darktrace | | Partner Session
Colin Cassidy | Senior Security Consultant at IOActive | United Kingdom | Presentation
Daniel Kapellmann Zafra | Technical Analysis Manager at FireEye | United States | Presentation
Federico Maggi | Senior Researcher at Trend Micro | Italy | Presentation
Idan Helzer | Cyber Analyst at Otorio | Israel | Presentation with Matan Dobrushin
Ignacio Moreno Canadas | OT Security Consultant at Accenture | | Partner Session
Jan Tore Sørensen | Security Expert at mnemonic | Norway | Presentation with Marie Moe
Jenny Radcliffe | Social Engineer | United Kingdom | Presentation
Joe Slowik | Adversary Hunter at Dragos | United States | Presentation
Jonas Edberg | Cyber Security Consultant at Contrast Advisory | Sweden | Presentation with Kristina Blomqvist
Kelly Leuschner | Security Researcher at Cisco Talos | United States | Presentation
Kristina Blomqvist | Group Operational Technology Security Officer at Vattenfall | Sweden | Presentation with Jonas Edberg
Krzysztof Swaczyński | Strategic Advisor & Founder at Seqred | Poland | Presentation
Marie Moe | Senior Security Consultant at mnemonic | Norway | Presentation with Jan Tore Sørensen
Matan Dobrushin | Head of OT Research at Otorio | Israel | Presentation with Idan Helzer
Michael Firstenberg | Director, Industrial Security at Waterfall Security | | Partner Session
Michal Paulski | OT Security Architect at Accenture | | Partner Session
Nour Fateen | Threat Expert at Recorded Future | | Partner Session
Ross Anderson | Professor of Security Engineering at University of Cambridge Computer Laboratory | United Kingdom | Keynote
Simon Hacks | Postdoc at KTH | Sweden | Presentation with Wenjun Xiong
Stephen Hilt | Senior Threat Researcher at Trend Micro | United States | Presentation
Wenjun Xiong | PhD Student at KTH | Sweden | Presentation with Simon Hacks
Wissam Al-Nasairi | X.0 and OT Security Lead at Accenture | | Partner Session

Kai Thomsen - Senior Incident Responder

This is a blog post with Kai Thomsen, a senior incident responder at AUDI AG.

What is your day job, where are you working and what do you do?

I am a senior Incident Responder at AUDI AG. My office is in Ingolstadt at Audi’s headquarters, but takes me wherever we have to investigate. Currently we are building up a joint Enterprise/ICS/Car cyber defense team. This means learning about and integrating three sometimes very different mindsets. Quite a challenge, but I’m convinced that we won’t be very successful without these integrated teams. I also teach for SANS in the ICS curriculum. And since we are a small team, I get to teach all over the world, which is at the same time interesting and challenging considering all the different countries and cultures I get to teach in.

For how long have you worked in the field?

Computers and hacking have been kind of my thing since I was thirteen. After university, in 2001, when I finally had to get a real job, I got started as a network admin tasked with passive security (firewalls, IDSses, etc.) and then moved on to what nowadays is called active defense, mainly Network Security Monitoring and Incident Response. When Stuxnet hit in 2010 and caused a lot of headache for us at the company I was working at back then, I started to focus more on ICS security.

You give classes as a technical trainer for ICS/SCADA security, do you see a lot of interest in these issues?

I teach the “ICS Active Defense and Incident Response” course at SANS (ICS515). And we have definitely seen interest increasing in this and other ICS courses over the last year. When I look at the current threat landscape, this was absolutely necessary. We need a lot more knowledgeable and capable active defenders to secure our critical infrastructures and industries.

Have you ever destroyed a car, or something physical, as part of what you do in your day work?

Well, yes, but keep in mind, I am an incident responder, not a researcher, so my main mantra especially in ICS/SCADA environments is to always put safety and reliability of operations first. But as probably anyone who has worked on many incidents, I have my own stories to tell about devices and thus evidence I destroyed because of a stupid mistake I made. With regard to what you are probably more interested in, do I crash vehicles with my mad cyber skills, that’s a) not how this works and b) the job of our dedicated Car/IT Security team.

What is the hype in relation to cyber security and vehicles?

In my opinion the hype is in the way current research gets reported vs. what current threats against vehicles actually are. Most organized crime around vehicles is about stealing vehicles or spare parts. Of course this is not as sexy for a story as, say, hackers taking over autonomous vehicles. If you’d like to get my full view on this, come to my talk ;-)

What are the biggest challenges to the automotive area with regards to security?

I think the biggest challenge is software developers and automotive engineers understanding each other’s development processes and constraints. And learning to understand their different culture and language. Without these basics we’ll have a very hard time coping with the paradigm shifts currently happening in the automotive industry.

Is car theft the biggest risk, or do you see other aspects as worse risks for vehicles & cyber security?

As of now I’d say yes, definitely. As cars get more functionality that can be activated via software and we see an increase of managed vehicle fleets versus privately owned cars, threats will probably diversify somewhat more. Criminals will always be where the most money can be made with the least risk, at least we can be sure of that ;-)

What are the least known aspects of cyber security in the automotive industry?

We have been at some aspects of this a lot longer than many folks in the cyber security community might think and this has to do with all the immobilizer technology put into cars over the past 10-15 years and criminals finding ways around that. Also most discussions around fixing security problems in vehicles with quick patches over the air often don’t reflect how much testing has to go into any change you make to anything safety related in a vehicle. Also, like most ICS systems, we should keep in mind that there are (and there probably should be some more) failsafes that cannot be overridden by software.

How will the creation of smart cities have an impact on smart cars, with regards to security?

Absolutely. It’s the complexity of networks and the questions of trust all over again. But on a much larger scale than the Internet and with larger time constraints on both ways. By that I mean, your car and the traffic light you’re about to be at in 5 seconds won’t have the time to establish trust via something like a CRL. But also, that traffic light will be there for more than twenty years. And your car has a lifetime of about 10-15 years. Lots of interesting questions waiting for answers when it comes to smart cities…

In general, do you think that we will ever see things like NotPetya, ransomware infecting cars?

I can certainly imagine wormable vulnerabilities in parts of vehicle infrastructure that heavily relies on software. EV charging infrastructure, I’m looking at you ;-) But I am still optimistic enough that we’ll finally start learning from mistakes in other fields and will succeed in implementing more resilient architectures in vehicles and smart traffic infrastructures.

What will be the biggest takeaway for the audience from your presentation at CS3sthlm?

That although there are some hard questions waiting to be answered, we do know the basics of how to do this right. These are not new and sexy things and they take some effort, but it’s certainly doable. Also, we are still very early on in this particular race. So there is still time to learn from other fields and do some things better.

Here you can view all the best international speakers and trainers attending CS3STHLM during the years. We also host a dinner entertainment slot during the Gala Dinner.

Back in 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses – from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark.
NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage – the largest, most devastating cyberattack the world had ever seen.

Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future infrastructure organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity. Everyone expects more OT, more IOT, and more IT - and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the industrial cybersecurity risk profile. In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.

The ICS threat landscape is mostly unknown. We have a lot of stories of attacks but most are hyped up. And from trusted sources we have metrics on incidents but they tell a very different story than intended sometimes.
In this presentation, the current ICS threat landscape will be explored, deficiencies in it will be explained, and recommendations for the community will be given to help ensure we shine a light on a dark corner in the community.

Kim Zetter is an award-winning investigative journalist and author who covers cybersecurity, cybercrime, cyber warfare, and civil liberties. She has been covering computer security and the hacking underground since 1999, first for PC World magazine, and now for Wired, where she has been reporting since 2003 and is currently a senior staff writer. She has broken numerous stories over the years about hacking, WikiLeaks, and NSA surveillance and has three times been voted one of the top 10 security reporters in the nation by her journalism peers and security industry professionals. In 2006 she broke a story for Salon.com about a secret NSA room at an AT&T facility in Missouri that was believed to be siphoning internet data from the telecom’s network operations center. In 2007 she wrote a groundbreaking three-part story for Wired on the cybercriminal underground, which exposed the world of online carding markets and the players behind them. In 2010, she and a Wired colleague broke the story about the arrest of Bradley Manning, the former Army intelligence analyst accused of leaking millions of classified U.S. government documents to WikiLeaks. In 2011, she wrote an extensive feature about Stuxnet, a sophisticated digital weapon that was launched by the U.S. and Israel to sabotage Iran’s uranium enrichment program. She recently completed a book on the topic titled Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, published by Crown/Random House in November 2014.
Keynotes

The Archive - Keynotes

Year | Speaker | Role | Keynote
2019 | Andy Greenberg | Senior Writer at Wired |
2019 | Torstein Gimnes Are | Digital Marshall & CISO at Norsk Hydro | The cyber-attack on Hydro
2018 | Patrick Miller | Managing Partner at Archer | Industrial Technology Trajectory: Running With Scissors
2016 | Robert M. Lee | Security Researcher at Dragos Inc. | Exploring the Unknown ICS Threat Landscape
2015 | Kim Zetter | Investigating Journalist at Wired | Stuxnet and Beyond: The Age of Digital Warfare
2014 | Stefan Lueders | Head of IT Security at CERN | Why Control System Cyber Security Sucks
li|Hexas Rows All Year 2019 2018 2017 2016 2015 2014 Keynote Presentation Training h1|CS3STHLM h2|Speakers h3|Adam Crain Ahmed Sherif Eldemrdash Akriti Srivastava Alexander Nochvay Ali Abbasi Anders Rodrick Andreas Erdich Andy Greenberg Anne-Marie Eklund Löwinder Anton Cherepanov Anton Shipulin Arjan Meijer Arnaud Soullié Ary Kokos Ben Miller Cdr Michael Widmann Cheng Lei Chris Sistrunk Christer Fuglesang Christian Augustat Christopher Corbett Dan Demeter Dan Gunter Daniel Michaud-Soucy Daniel Stenberg Dewan Chowdhury Didrik Ehrenborg Dieter Sarrazyn Dr Kevin Jones Eireann Leverett Erik Biverot Erik Hjelmvik Erik Westring Erik 'Z' Johansson Erik Zouave Erwin Kooi Frank Lycops Freddy DeZeure Fredrik Hesse Frode Hommedal György Dán Henrik Sandberg Herman Geijer Isabel Skierka Jack Werner Jan-Peter Kleinhans Jan Seidl Janek Pelzer Jannis Utz Jarkko Huttunen Jasper Hooft Jenny Radcliffe Jens Wiesner Jens Zerbst Jessikka Aro Jimmy Wylie Joe Fitzpatrick Joe Slowik Joel Langill Johan Nilsson John Matherly Jon Rogeberg Jonas Almroth Jonas Dellenvall Jonathan Homer Jonathan Jogenfors Justin Lowe Kai Thomsen Ken van Wyk Kevin Gomez Buquerin Khalid Ansari Kim Zetter Kristina Blomqvist Lars Erik Smevold Lars Westerdahl Leif Nixon Lucas Lundgren Mads Dam Magnus Lundgren Maik Brüggemann Marcin Dudek Margarita Jaitner Margrete Raaum Marie Moe Marina Krotofil Mark Bristow Mark Fabro Mark Stacey Markus Mahrla Martin Eian Matan Dobrushin Mathias Ekstedt Melissa Crawford Michael Theuerzeit Michael Toecker Michael Weng Mikael Vingaard Mike Dodson Mona Lange Monnappa K A Monta Elkins Nicklas Keijser Oleksii Yasynskyi Omer Zohar Paraskevi Kasse Patrick DeSantis Patrick Miller Peter Andersson Peter Zinn Ragnar Sundblad Ragnar Thobaben Reid Wightman Richard Widh Rick K. Peters Rik van Hees Rikard Bodforss Robert Bearsby Robert Caldwell Robert Guanciale Robert Lagerström Robert Lipovský Robert M. 
Lee Roman Sologub Rossella Mattioli Ruben Santamarta Samuel Linares Sandra Bardón Sarah Fluchs Sergey Gordeychic Silver Saks Simin Nadjm-Tehrani Staffan Persson Stefan Lueders Stephan Beirer Stephen Hilt Thomas Schreck Thomas Svensson Torstein Gimnes Are Ulf Frisk Vidar Hedtjärn Swaling Vyacheslav Borilin William Middleton Yoav Flint Rosenfeld h4|Layout Filter Sort Software Engineer Security Researcher Security Researcher Ph.D. Candidate Founder and Principal Consultant Hardware Engineer Senior Writer Chief Information Security Officer Senior Malware Researcher Global Presales Manager Security Consultant Cybersecurity R&D Manager Senior Consultant Director of Threat Operations Strategy Branch Chief ICS Security Researcher Astronaut Principal Engineer Junior Incident Responder Security Researcher Principal Threat Analyst Principal Threat Analyst Software Engineer Time & Sync Expert Security Expert Head of Cyber Security Architecture, Innovation and Scouting Researcher Senior Course coordinator Network Analyst Security Researcher Independent Security Consultant Analyst ICS/SCADA Architect Security Consultant & Researcher Software Security Architect Senior Incident Responder & Threat Analyst Professor in Teletraffic Systems Professor in Large-Scale Control Systems Zombie Survival Expert Researcher Journalist Project Manager IoT Independant Security Researcher Sales engineer Head of Solutions ICS Security Consultant Social Engineering Expert Dipl. Phys. 
CIO Investigative Reporter Senior Adversary Hunter Adversary Hunter Industrial Cyber Security Expert Teamlead of PM-CERT Internet Cartographer Manager System Architect CTO Chief of the Industrial Control System Group Research Manager Security Consultant Lead Incident Responder Incident Response Specialist Junior Incident Responder Automation & MES Engineer Investigating Journalist Program Manager - Program for Security in ICS Senior Security Analyst Scientist Security Expert Professor in Teleinformatics Sales Director Security Specialist IT Security Expert Analyst CEO of the Norwegian Energy Sector CERT Researcher Senior Security Engineer Director Principal Threat Analyst Security Consultant Senior Security Analyst Head of OT Research Professor Global Consultant Cyber Security Sales Engineer IT Security Consultant PhD Student Cyber Defense Team Lead Hacker-in-Chief Incident Handler/CSIRT Officer Cybersecurity Expert Independant Researcher Network and Information Security Officer Senior Security Research Engineer Managing Partner Security Researcher Time Worker Associate Professor in Communication Theory Senior Vulnerability Researcher Senior Cyber Security Expert & CEO Director, Operational Technology Global Enablement OT Security Officer CEO & Senior Partner Security Consultant Assistant Professor Associate Professor Senior Malware Researcher Security Researcher General Manager & CEO Officer in Network and Information Security Principal Security Consultant Director Technology Researcher Security Consultant Director and Scriptwriter Technology Researcher Professor Director of Information Security Head of IT Security Senior Consultant Senior Threat Researcher Principal Engineer Deputy Head of National Security Digital Marshall & CISO Pentester & Security Researcher Analyst Business Development Manager Senior Engineer Head of OT Research sp|The Archive - Speakers Menu 2014 2019 Adam Crain 2017 presentation 2017 Ahmed Sherif Eldemrdash 2015 presentation 2015 Akriti 
Srivastava 2017 presentation 2017 Alexander Nochvay 2019 presentation 2019 Ali Abbasi 2017 presentation 2017 Anders Rodrick 2014 presentation training 2014 Andreas Erdich 2019 presentation 2019 Andy Greenberg 2019 presentation keynote 2019 Anne-Marie Eklund Löwinder 2014 2015 2016 2017 2019 2014 2015 2016 2017 2019 Anton Cherepanov 2016 2017 presentation 2016 2017 Anton Shipulin 2018 2019 presentation 2018 2019 Arjan Meijer 2015 2016 presentation training 2015 2016 Arnaud Soullié 2016 2018 2019 presentation training 2016 2018 2019 Ary Kokos 2016 presentation 2016 Ben Miller 2018 presentation training 2018 Cdr Michael Widmann 2019 presentation 2019 Cheng Lei 2018 presentation 2018 Chris Sistrunk 2015 presentation training 2015 Christer Fuglesang 2016 presentation 2016 Christian Augustat 2019 presentation 2019 Christopher Corbett 2019 presentation 2019 Dan Demeter 2017 presentation 2017 Dan Gunter 2018 presentation 2018 Daniel Michaud-Soucy 2018 presentation training 2018 Daniel Stenberg 2019 presentation 2019 Dewan Chowdhury 2015 presentation 2015 Didrik Ehrenborg 2019 presentation 2019 Dieter Sarrazyn 2017 2018 2019 presentation 2017 2018 2019 Dr Kevin Jones 2018 presentation 2018 Eireann Leverett 2015 2016 presentation 2015 2016 Erik Biverot 2019 presentation 2019 Erik Hjelmvik 2014 2015 2017 2018 2019 presentation training 2014 2015 2017 2018 2019 Erik Westring 2016 presentation 2016 Erik 'Z' Johansson 2018 2018 Erik Zouave 2018 presentation 2018 Erwin Kooi 2016 2018 presentation 2016 2018 Frank Lycops 2018 presentation 2018 Freddy DeZeure 2015 presentation 2015 Fredrik Hesse 2014 training 2014 Frode Hommedal 2016 presentation 2016 György Dán 2018 presentation 2018 Henrik Sandberg 2016 2018 2019 presentation 2016 2018 2019 Herman Geijer 2019 presentation 2019 Isabel Skierka 2016 presentation 2016 Jack Werner 2018 presentation 2018 Jan-Peter Kleinhans 2016 presentation 2016 Jan Seidl 2015 presentation 2015 Janek Pelzer 2019 presentation 2019 Jannis Utz 2018 
presentation 2018 Jarkko Huttunen 2019 presentation 2019 Jasper Hooft 2019 training 2019 Jenny Radcliffe 2017 presentation 2017 Jens Wiesner 2017 2019 presentation 2017 2019 Jens Zerbst 2016 presentation 2016 Jessikka Aro 2017 presentation 2017 Jimmy Wylie 2019 presentation 2019 Joe Fitzpatrick 2015 presentation training 2015 Joe Slowik 2017 2018 presentation training 2017 2018 Joel Langill 2014 presentation training 2014 Johan Nilsson 2019 presentation 2019 John Matherly 2014 2015 2016 presentation training 2014 2015 2016 Jon Rogeberg 2017 presentation 2017 Jonas Almroth 2018 presentation 2018 Jonas Dellenvall 2018 presentation 2018 Jonathan Homer 2018 presentation 2018 Jonathan Jogenfors 2019 presentation 2019 Justin Lowe 2014 presentation 2014 Kai Thomsen 2018 presentation 2018 Ken van Wyk 2016 presentation 2016 Kevin Gomez Buquerin 2019 presentation 2019 Khalid Ansari 2019 presentation 2019 Kim Zetter 2015 presentation keynote 2015 Kristina Blomqvist 2018 presentation 2018 Lars Erik Smevold 2017 2018 presentation 2017 2018 Lars Westerdahl 2018 presentation 2018 Leif Nixon 2015 presentation 2015 Lucas Lundgren 2016 presentation 2016 Mads Dam 2018 presentation 2018 Magnus Lundgren 2019 presentation 2019 Maik Brüggemann 2016 presentation 2016 Marcin Dudek 2018 presentation 2018 Margarita Jaitner 2018 presentation 2018 Margrete Raaum 2014 2016 presentation 2014 2016 Marie Moe 2016 presentation 2016 Marina Krotofil 2019 presentation 2019 Mark Bristow 2018 presentation 2018 Mark Fabro 2015 presentation 2015 Mark Stacey 2018 presentation 2018 Markus Mahrla 2019 presentation 2019 Martin Eian 2017 presentation 2017 Matan Dobrushin 2019 presentation 2019 Mathias Ekstedt 2019 presentation 2019 Melissa Crawford 2017 presentation 2017 Michael Theuerzeit 2017 training 2017 Michael Toecker 2015 presentation 2015 Michael Weng 2019 presentation 2019 Mikael Vingaard 2015 2017 2018 presentation training 2015 2017 2018 Mike Dodson 2019 presentation 2019 Mona Lange 2019 
presentation 2019 Monnappa K A 2015 presentation training 2015 Monta Elkins 2018 2019 presentation 2018 2019 Nicklas Keijser 2019 presentation 2019 Oleksii Yasynskyi 2017 presentation 2017 Omer Zohar 2018 presentation 2018 Paraskevi Kasse 2016 2017 presentation 2016 2017 Patrick DeSantis 2017 presentation 2017 Patrick Miller 2018 presentation keynote 2018 Peter Andersson 2016 presentation 2016 Peter Zinn 2015 presentation 2015 Ragnar Sundblad 2019 presentation 2019 Ragnar Thobaben 2018 presentation 2018 Reid Wightman 2019 presentation 2019 Richard Widh 2019 presentation 2019 Rick K. Peters 2018 presentation 2018 Rik van Hees 2018 presentation 2018 Rikard Bodforss 2019 presentation 2019 Robert Bearsby 2019 presentation 2019 Robert Caldwell 2015 presentation 2015 Robert Guanciale 2016 presentation 2016 Robert Lagerström 2019 presentation 2019 Robert Lipovský 2016 2017 presentation 2016 2017 Robert M. Lee 2015 2016 presentation keynote training 2015 2016 Roman Sologub 2017 presentation 2017 Rossella Mattioli 2016 2017 presentation 2016 2017 Ruben Santamarta 2014 presentation 2014 Samuel Linares 2014 presentation 2014 Sandra Bardón 2019 presentation 2019 Sarah Fluchs 2019 presentation 2019 Sergey Gordeychic 2014 presentation 2014 Silver Saks 2019 presentation 2019 Simin Nadjm-Tehrani 2016 2019 presentation 2016 2019 Staffan Persson 2014 presentation 2014 Stefan Lueders 2014 presentation keynote 2014 Stephan Beirer 2018 presentation 2018 Stephen Hilt 2015 2019 presentation 2015 2019 Thomas Schreck 2016 presentation 2016 Thomas Svensson 2019 presentation 2019 Torstein Gimnes Are 2019 presentation keynote 2019 Ulf Frisk 2019 presentation 2019 Vidar Hedtjärn Swaling 2016 presentation 2016 Vyacheslav Borilin 2014 presentation 2014 William Middleton 2018 presentation 2018 Yoav Flint Rosenfeld 2019 presentation 2019 rmation pa|This page contains information which is not active and is tied to past events. The venue of our choice, Nalen, has a long and fascinating history. 
Built in 1888 it has over the years seen a wide range of events ranging from athletic competitions to religious meetings. Today Nalen hosts over a hundred concerts and conferences annually in its carefully renovated premises. Learn more here: Bromma Stockholm Airport is Stockholm's city-airport and is the quickest way to and from Stockholm. Arlanda is Sweden's biggest airport and acts like a central hub for the region of Stockholm and Scandinavia. Exit Olof Palmes gata, turn right on to Olof Palmes gata and take the stairs up to Malmskillnadsgatan. Continue straight along David Bagares gata. Take the first right onto Regeringsgatan, Nalen is on the left side. Exit towards Birger Jarlsgatan, turn right and follow Birger Jarlsgatan past Stureplan to Engelbrektsplan. Turn left onto David Bagares gata, up the stairs to Regeringsgatan. Turn left around the corner and you are at Nalen. Historical Elite Hotel Stockholm Plaza is located in central Stockholm near the beautiful Humlegården park and lively Stureplan. Elite Hotel Stockholm Plaza is only a 220m short walk from the venue Nalen. 
li|Practical details
li|international experts provide in-depth knowledge, analyses and recommendations related to ICS security
li|topics range from latest research to policy and best-practice with examples from real world implementations
li|a mix of excellent talks, exciting workshops and tutorials combined with extensive networking
li|200 participants from over 20 countries allow for unique possibilities to discuss tricky questions and hard-to-get security experiences
li|outstanding and extended ICS security lab with opportunity to test setups and devices hands on
li|selected partners demonstrate ICS and security solutions
Tutorial and workshop 09:00 - 17:00 Tutorials and workshop 09:00 - 17:00 CS3STHLM 2019 Expo Day 10:00 - 22:00 Welcome reception from 18:00 Summit 09:00 - 17:00 Conference dinner from 18:00 Summit 09:00 - 17:00
Nalen, Stockholm Regeringsgatan 74 111 39 Stockholm Sweden
h1|CS3STHLM h2|International Summit Nalen, Stockholm h3|Monday October 19 Tuesday October 20 Wednesday October 21 Thursday October 22 Where Exactly? Closest Airports Closest Subway Hotel of Choice h4|Quick Details Practical Details
h5|Bromma 8,9 km; Arlanda 41,5 km; Hötorgets T-bana 0,5 km; Östermalmstorgs T-bana 0,6 km; Elite Hotel Stockholm Plaza 0,2 km
pa|Trainings Between the 21st and 22nd of October, the days before the summit, we will provide different full-day tutorials and training with world-renowned experts. We have tutorials in a number of different areas such as forensics in computers and in networks, introduction to cybersecurity standards, and information gathering. The tutorials range from theoretical overviews via hands-on practicals to highly technical classes. Tutorials are available by choosing "combo tickets" for CS3STHLM, in which training is included. When registering for CS3STHLM you can select which training you are interested in participating in.
h3|Please Note
Due to the high level of interaction with trainers and the complexity of the lab environment, most training classes have a limited number of seats (15-20 seats). Each training class will be available on a first-come, first-served basis. We know that some training classes will be in high demand, so if you really want to get some specific training slot, be sure to reserve your seat as early as possible!

h4|Trainings & Tutorials

h2|Hands-on Threat Modeling for ICS-OT
h4|One Day - 22 October, Sold Out
sp|Jasper Hooft
pa|Organizations are now dedicating resources to protecting their industrial control systems (ICS) assets, which include supervisory control and data acquisition (SCADA) programs,...

h2|Network ForensICS Training
h4|Two Days - 21-22 October, Slots Open
sp|Erik Hjelmvik
pa|Our two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet...

h2|Pentesting Industrial Control Systems
h4|Two Days - 21-22 October, Sold Out
sp|Arnaud Soullié
pa|On this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the...

pa|Here you can view all the best international speakers and trainers attending CS3STHLM over the years. We also host a dinner entertainment slot during the Gala Dinner.
li| h1|CS3STHLM h2|Trainings Network Forensics Training PentestingHands-on Threat Modeling for ICS-OT Network Forensics Training ICS Scada Honeypot Technical Training PentestingICS Strategic Planning and War Gaming Introduction to Threat Hunting in ICS Introduction to Threat Hunting in ICS Network Forensics Training Practical SCADA/ICS Honeypots Cyber Security for Industrial Automation and Control Systems: An introduction of the IEC 62443 standard How to maximize your usage of the Shodan platform Introduction to the IEC 62443 Standard ICS Active Defence SHODAN hacking PCAP Analysis and ICS Network Forensics Introduction to ISA99/IEC 62443 Network Security Monitoring in ICS environments Hacking hardware in 3 easy steps Memory Forensics for Incident Responders Intrusions Detection System forDeveloping, procuring and running secure and reliable systems Applied Cyber Defenses for Industrial Control Systems h3|2019 Erik Hjelmvik Arnaud Soullié Jasper Hooft 2018 Erik Hjelmvik Mikael Vingaard Arnaud Soullié Joe Slowik Ben Miller Daniel Michaud-Soucy 2017 Erik Hjelmvik Mikael Vingaard Michael Theuerzeit 2016 John Matherly Arjan Meijer Robert M. Lee 2015 John Matherly Erik Hjelmvik Arjan Meijer Chris Sistrunk Joe Fitzpatrick Monnappa K A 2014 Anders Rodrick Fredrik Hesse Joel Langill h4|Two days Two days One day Two days Two days Two days Two days One day One day Two days One day One day One day One day One day One day One day One day One day One day One day One day One day One day sp|The Archive - Trainings Menu 2014 2019 rmation pa| li|Presentations h1|CS3STHLM h2|Expo Presentations h3|How to save $1.7 million over three years on industrial cybersecurity: the Results of the Forrester Total Economic (TEI) Impact study sp|Menu View Anton Shipulin rmation pa|This page contains information which is not active and is tied to past events. 
We will have multiple stages with the best international speakers and trainers, excellent social activities, and hard-to-earn knowledge, whether it concerns deeply technical matters, successful solutions or policy briefs.

Ali Abbasi is a Post-Doctoral researcher at the Chair for System Security of Ruhr-University Bochum, Germany. His research interest involves embedded systems security mostly related to Industrial Control Systems, Critical Infrastructure security, and Real-Time Operating Systems security. Currently, Ali is involved in projects related to software testing for embedded systems, especially in the context of Industrial Control Systems. He received his MSc degree in Computer Science from Tsinghua University, Beijing, China. He was working there on Programmable Logic Controller (PLC) security in Network Security Lab, Microprocessor and SoC Technology R&D center with the National 863 High-tech Program grant from Ministry of Industry and Information Technology of China. Ali received his PhD degree from Eindhoven University of Technology, the Netherlands. In Eindhoven, he was working on code-reuse defences for Programmable Logic Controllers (PLC) and other embedded systems.

Andrew leads the hardware team at Pen Test Partners. He covers all systems that aren't general purpose computers: IoT, phones, cars, ships, planes and industrial control. On the offensive side, he has spent many years reverse engineering, researching and finding vulnerabilities in these systems. On the defensive side, he takes the knowledge gained from research and advises companies on how to build secure products. This ranges from the nitty-gritty of securing devices against physical attack, through to developing complete connected platforms that make use of defence-in-depth so that they can stay secure through the entire lifecycle of the product.
He trains people how to attack and defend hardware, with customers ranging from medical device manufacturers through to police forensics teams.

I have been a Senior Security Consultant at IOActive for 5 years and have performed many security audits of ICS/SCADA systems including: several assessments at two of the UK's largest Distribution Network Operators, Energy Management Systems in Asia, Smart Meter infrastructure, shipping terminals, HVAC and baggage handling systems at one of Europe’s busiest airports, and several windfarms in Europe. I have presented at Blackhat and Defcon on Industrial Ethernet Switches, like those deployed in windfarms and other ICS environments. Prior to this I was the Security Technical Lead and core product development lead within GE for the PowerOn Fusion product, a leading Outage Management System/Distribution Management System (OMS/DMS) used throughout the world. I led the secure testing project of our product that took place at INL (Idaho National Laboratories) in 2010. I produced the secure coding guidelines now used throughout GE as the benchmark for secure coding guidelines within the business. Finally, I worked with a corporate security team to develop the processes and procedures for a GE-wide PSIRT to handle reported vulnerabilities and security concerns/questions with any of GE’s product range. Graduated from the University of Glasgow with a B.Sc. in Computing Science where I worked on the Nemesis Operating System (https://en.wikipedia.org/wiki/Nemesis_(operating_system)).

Daniel Kapellmann Zafra is a technical analysis manager for the FireEye Intelligence cyber-physical team. As a former Fulbright scholar, he holds a master’s degree in information management from the University of Washington, specializing in information security. His multidisciplinary background ranges from consulting for ITU and the Competitive Intelligence Unit IT market research firm to IT planning and architecture for Puget Sound Energy.
He is a frequent speaker on operational technology topics at local and international conferences including RSA, VirusBulletin, CyCON, ICSJWG, AFPM Operations & Process Technology and Hack the Capitol. In 2017, he was awarded first place at Kaspersky Academy Talent Lab's competition in Moscow for designing an application to address security beyond anti-virus.

With more than a decade of research experience in the cybersecurity field, Federico Maggi specializes in threat and security analysis on virtually any system. Federico has analyzed web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Federico has experience in defensive technology and research, through building machine learning-based tools for intrusion and fraud detection. He’s applied data visualization techniques for analyzing botnets, and has gained basic malware analysis and reverse-engineering experience on Android-based platforms. Currently employed as a Senior Researcher with security giant Trend Micro, Federico was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside from his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students. Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves in the review or organizing committees of well-known conferences.

Cyber-security researcher with military experience in a cyber security unit.

Jan Tore Sørensen wrote his master's thesis on Security in Industrial Networks in 2007 and has worked with the technical aspects of ICS security within several different industrial verticals for mnemonic since then. He has lately been involved in projects for securing critical subsystems on offshore installations in the North Sea and building a security monitoring scheme for IACS systems offshore.

Jenny Radcliffe is a world-renowned Social Engineer, hired to bypass security systems through a mixture of psychology, con-artistry, cunning and guile. A "burglar" for hire and entertaining educator, she has spent a lifetime talking her way into secure locations, protecting clients from scammers, and leading simulated criminal attacks on organisations of all sizes in order to help secure money, data and information from malicious attacks. Jenny is a sought-after keynote speaker at major conferences and corporate events and is a multiple TEDx contributor. A go-to guest expert on the human element of security, scams, cons and hacks, she has appeared on numerous television and radio shows, as well as online media and traditional press outlets. She is also the host of the award-winning podcast “The Human Factor” interviewing industry leaders, bloggers, experts, fellow social engineers and con-artists about all elements of security and preventing people from becoming victims of malicious social engineering.

Joe Slowik currently hunts ICS adversaries for Dragos, pursuing threat activity groups through their malware, their communications, and any other observables available. Prior to his time at Dragos, Joe ran the Incident Response team at Los Alamos National Laboratory, and served as an Information Warfare Officer in the US Navy. Throughout his career in network defense, Joe has consistently worked to ‘take the fight to the adversary’ by applying forward-looking, active defense measures to constantly keep threat actors off balance. When not hunting adversaries or playing with open source security projects, Joe loves playing ice hockey and building Legos.

Jonas is a cyber security consultant at Contrast Advisory, which he co-founded in 2017, with experience from a wide set of industries and companies. During the last few years Jonas has been focusing on cyber security within the energy industry.
He has prior experience within GRC (Governance, Risk and Compliance), information security, external and internal audit, privacy, risk management and internal control from Transcendent Group and EY Advisory Services. Jonas holds a master’s degree in Industrial Engineering and Management from Chalmers University of Technology and is CISA, CISM, CRISC and CIPP/E certified.

Kelly Leuschner is a security researcher with Cisco Talos. Kelly spends her time looking for vulnerabilities in devices that interact with the physical world including Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA), and Internet of Things (IoT). She began her career as a contractor to the US government developing custom firmware for micro-controllers. Her fascination with learning how things work led her to shift focus to vulnerability research at Cisco Talos. Now, she works with vendors to fix problems in their products.

Kristina Blomqvist is group operational technology security officer at Vattenfall AB. She is responsible for creating, establishing and maintaining the OT Security area and for ensuring that all aspects of OT-security are aligned with relevant stakeholders within the Vattenfall group. Moreover, she drives and coordinates OT security initiatives and monitors regulatory development. Kristina's previous engagements include being program manager for the Swedish National Program for ICS Security at MSB, the civil contingencies agency, working as an analyst and market director at FOI, the Swedish Defence Research Agency, and as an I&C subject area representative and specialist at the Swedish Nuclear Power Inspectorate, SKI. Kristina holds a master's degree in Engineering Physics from KTH, the Royal Institute of Technology. Kristina is also a long-term advisory board member for CS3Sthlm.

Krzysztof is a strategic advisor in the field of OT and IT security. He is a founder and board member of Seqred, a cyber security shop focused on testing and improving security in the ICS field.
He gained his experience while working for strategic consultancy companies – EY and BCG. He advised global organizations in government, power & utilities, manufacturing, air transportation and building automation sectors, on the planning and safe implementation of IT and OT solutions as well as company-wide technology driven transformation programs. He worked with the management boards, CIOs, CISOs, whom he advised on fulfilling their potential and eliminating the risks stemming from new technologies. He expanded his managerial qualifications while participating in the Executive Education program at the MIT Sloan School of Management. In his current professional capacity Krzysztof leads a team of OT security researchers specialized in vulnerability assessments, i.e. reverse engineering, fuzzing and penetration testing. He is a holder of the GIAC Global Industrial Cyber Security Professional (GICSP) Certificate, a globally recognized industrial cybersecurity certification.

Dr. Marie Moe cares about public safety and securing systems that may impact human lives. Marie is a senior security consultant at mnemonic, and has a PhD in information security. She is also an Associate Professor at the Norwegian University of Science and Technology, where she teaches the course “Incident Response, Ethical Hacking and Forensics”. She has experience as a team leader at NorCERT, where she did incident handling of cyber attacks against Norway’s critical infrastructure.

Cyber security researcher with military leadership experience in a cyber security unit.

Ross Anderson is Professor of Security Engineering at Cambridge University. He was one of the founders of the discipline of security economics, and is PI of the Cambridge Cybercrime Centre, which collects and analyses data about online wickedness.
He has worked on key management for electricity substations; he was also a pioneer of powerline communications, prepayment metering, peer-to-peer systems, hardware tamper-resistance and API security. He is a Fellow of the Royal Society, the Royal Academy of Engineering, and the Institute of Physics, and a winner of the Lovelace Medal. He has just written the third edition of his textbook "Security Engineering – A Guide to Building Dependable Distributed Systems".

Simon is a postdoc in the Software Systems Architecture and Security group, Computer Science at KTH Royal Institute of Technology. He did his Ph.D. at the RWTH Aachen University, Germany in the field of Enterprise Architecture Models. He supervised several theses related to Enterprise Architecture and supported the teaching of lectures in Software Engineering, Software Quality Assurance, Object Oriented Software Construction, and Software Project Management. He is Co-Chair of the VEnMo workshop, PC member at the TEAR workshop, and reviewer for the EMISA Journal. He received his master's degree in applied computer science from the Technical University Dortmund and his bachelor's degree in business informatics from the FOM University of Applied Sciences Essen. Additionally, he did an apprenticeship as IT specialist at E.ON IT in Essen and worked as a privacy consultant during his master's studies at ISDSG.

Stephen Hilt is a Sr. Threat Researcher at Trend Micro. Stephen focuses on General Security Research, Threat Actors, Malware behind attacks, and Industrial Control System Security. Stephen enjoys breaking things and putting them back together with a few extra parts to spare. Stephen is a world-renowned researcher, having spoken at Blackhat US, RSA, HITB and many more. His research has gained him Dark Reading top hacks of the year twice. Working at Digital Bond, Stephen became an Nmap contributor, where he wrote some Nmap scripts for ICS and other mainstream protocols.
This work took him into becoming an expert on ICS protocols and co-authored the book Hacking ExposedICS and SCADA Security Secrets & Solutions. Wenjun is a PhD student in Software Systems Architecture and Security group, at the Division of Network and Systems Engineering, KTH Royal Institute of Technology. Her research interests include Threat Modeling, Attack Simulations, and Cyber Security. She is currently working on designing a threat modeling language - enterpriseLang, based on MITRE ATT&CK Matrix. She received her MSc degree in Communication and Information Systems in 2017, from the State Key Laboratory of Information Engineering in Surveying, Mapping and Remote Sensing, Wuhan University, China, with special focus on Information Privacy. li|Speakers h1|CS3STHLM h2|World Class Content Ali Abbasi Ali Abbasi Andrew Ginter Andrew Ginter Andrew Tierney Andrew Tierney Andrew Tsonchev Andrew Tsonchev Colin Cassidy Colin Cassidy Daniel Kapellmann Zafra Daniel Kapellmann Zafra Federico Maggi Federico Maggi Idan Helzer Idan Helzer Ignacio Moreno Canadas Ignacio Moreno Canadas Jan Tore Sørensen Jan Tore Sørensen Jenny Radcliffe Jenny Radcliffe Joe Slowik Joe Slowik Jonas Edberg Jonas Edberg Kelly Leuschner Kelly Leuschner Kristina Blomqvist Kristina Blomqvist Krzysztof Swaczyński Krzysztof Swaczyński Marie Moe Marie Moe Matan Dobrushin Matan Dobrushin Michael Firstenberg Michael Firstenberg Michal Paulski Michal Paulski Nour Fateen Nour Fateen Ross Anderson Ross Anderson Simon Hacks Simon Hacks Stephen Hilt Stephen Hilt Wenjun Xiong Wenjun Xiong Wissam Al-Nasairi Wissam Al-Nasairi h3|Post-Doctoral Researcher at Ruhr-University Bochum VP Industrial Security at Waterfall Security Security Consultant at Pen Test Partners Director of Technology at Darktrace Senior Security Consultant at IOActive Technical Analysis Manager at FireEye Senior Researcher at Trend Micro Cyber Analyst at Otorio OT Security Consultant at Accenture Security Expert at mnemonic Social Engineer 
Adversary Hunter at Dragos Cyber Security Consultant at Contrast Advisory Security Researcher at Cisco Talos Group Operational Technology Security Officer at Vattenfall Strategic Advisor & Founder at Seqred Senior Security Consultant at mnemonic Head of OT Research at Otorio Director, Industrial Security at Waterfall Security OT Security Architect at Accenture Threat Expert at Recorded Future Professor of Security Engineering at University of Cambridge Computer Laboratory Postdoc at KTH Senior Threat Researcher at Trend Micro PhD Student at KTH X.0 and OT Security Lead at Accenture h4|Speakers P Post-Doctoral Researcher at Ruhr-University Bochum Biography Presentation Partner Session VP Industrial Security at Waterfall Security Presentation P Security Consultant at Pen Test Partners Biography Presentation Partner Session Director of Technology at Darktrace Presentation P Senior Security Consul... at IOActive Biography Presentation P Technical Analysis Man... at FireEye Biography Presentation P Senior Researcher at Trend Micro Biography Presentation P Cyber Analyst at Otorio Biography Presentation Partner Session OT Security Consultant at Accenture Presentation P Security Expert at mnemonic Biography Presentation P Social Engineer Biography Presentation P Adversary Hunter at Dragos Biography Presentation P Cyber Security Consultant at Contrast Advisory Biography Presentation P Security Researcher at Cisco Talos Biography Presentation P Group Operational Tech... at Vattenfall Biography Presentation P Strategic Advisor & Fo... at Seqred Biography Presentation P Senior Security Consul... at mnemonic Biography Presentation P Head of OT Research at Otorio Biography Presentation Partner Session Director, Industrial S... at Waterfall Security Presentation Partner Session OT Security Architect at Accenture Presentation Partner Session Threat Expert at Recorded Future Presentation Keynote Professor of Security ... at University of Cambridge Com... 
Biography Presentation P Postdoc at KTH Biography Presentation P Senior Threat Researcher at Trend Micro Biography Presentation P PhD Student at KTH Biography Presentation Partner Session X.0 and OT Security Lead at Accenture Presentation h5|Germany United Kingdom United Kingdom United States Italy Israel Norway United Kingdom United States Sweden United States Sweden Poland Norway Israel United Kingdom Sweden United States Sweden sp|Menu CS3STHLM 2019-2020 View resentation Presentation resentation Presentation resentation Presentation resentation Presentation resentation Presentation resentation Presentation with Matan Dobrushin resentation Presentation with Marie Moe resentation Presentation resentation Presentation resentation Presentation with Kristina Blomqvist resentation Presentation resentation Presentation with Jonas Edberg resentation Presentation resentation Presentation with Jan Tore Sørensen resentation Presentation with Idan Helzer Keynote resentation Presentation with Wenjun Xiong resentation Presentation resentation Presentation with Simon Hacks rmation pa|Stephen Hilt, Trend Micro. I work as a Sr. Threat Researcher. 2015 was my first 4SICS and I’ve attended one more in 2016 before the name change. Great conference put on on by great people. Its something that everyone depends on, every day to work. With out critical infrastructure working lots of things go wrong and its fun to work on something that every one depends on, and try to help secure it so that its there for them all the time. My presentation will be about industrial radio insecurities with a major focus on the crane research that we released earlier in the year. No live demos this time, but more stories about what we did, how we did the research and how working with the vendors to solve a unique problem. 
As a vendor I don’t think I should answer this question as it may sound salesy With malware evolving and more and more systems coming online you’ll see more cross over from Internet markets coming onto ICS networks. Case in point is who would of thought ransomware would be bringing down factories? Discussions with like minded individuals that also want to help solve some of the problems the world is facing in the age of internet security. Engage with the speakers, ask questions, get the most out of your time by making sure you have a true gasp of what they are presenting. li| h1|CS3STHLM Stephen J. Hilt - Trend Micro h4|What is your name, where do you work and what is your profession? Since you have been to CS3sthlm (4SICS) before, whats your impression? What makes this area, protection of critical infrastructure, so interesting? What can you highlight from your upcoming presentation/demo at CS3sthlm 2019? What is the current state of cybersecurity in the markets where your operating? Are the customers well aware of the threats? Do they have good protection in place? What are the biggest challenges that you see in the ICS security area,- now and in 5 years? What are you looking forward to with this year’s CS3sthlm? What would be your advice to our readers and attendees? sp|Menu rmation em|This is a blog post with Stephen J. Hilt, a senior threat researcher at Trend Micro. pa|My name is Ola Hermansson. I’m an audio engineer by trade, and work with stage craft and engineering on TV-productions, concerts and corporate events. Where I work? Everywhere… Hmmm, “As time goes by” (like Sam sung in Casablanca). This years conference is my fourth i believe. My first CS3 (then 4SICS)-experience was in 2015. My profession is a life-long love story (the cliché “I started out as a child” comes in handy…). 
Regarding me getting involved with the good people at CS3, I think it was my colleague Anders Hagström that was given the opportunity to work with the event, and asked me to join the team. I manage and run the technical operations when we’re “live” (so to speak). My main target is to keep the show running smoothly (from a technical perspective) and keeping the keynote speakers happy, giving them the best possible platform to perform on stage. I would like to think quite the opposite. The tools we use during CS3 are much the same as we use in a TV- or concert-production. Except the rock stars are PhDs and the TV-cameras are fewer. That kind of depends on your position in a production. In this particular case, I come into play when much of the “marathon-like” work is done. For me it’s more like a 100 meter race, for one intense week. Of course there’s a lot of pre-production on the technical side of things as well, but the intense part of the work takes place the last days just before a production (when we set things up) and during the show. One cool thing about working live production is that you really only get one chance to get it right. Beating people’s expectations year after year, that’s a big challenge. Hmmm, lots of goodies - but Jenny Radcliffe’s “Tales of a people Hacker” in 2017 was really intriguing. Also, for a techie like me, the GeekLounge in the basement is a really cool place as well (even though the technical level of the stuff going down there is kind of above my pay-grade :) Working at Nalen (the Venue) is always super cosy, I really like that place. This year will also feature an expo (taking place the day before the actual conference starts) - this means some new challenges for us production-wise, that I’m kind of looking forward to dealing with. It’s gonna be exciting. I don’t know. Buy a ticket. Show up. Stay geek?
h1|CS3STHLM Ola Hermansson - Technical Operations Manager
h4|What is your name, where do you work and what is your profession?
h4|For how many years have you been involved in this conference?
h4|How did you get involved in this, both with your profession and with this event?
h4|What is your role during the conference?
h4|You normally travel the world with rock stars and TV celebrities, so this must be the complete contrast, or?
h4|Is it a marathon race, a 100 meter race, or something else to do this kind of job?
h4|What are the biggest challenges that you see?
h4|What are your best memories from the previous conferences?
h4|What do you look forward to with this year’s event?
h4|Any last words of advice to our readers and the attendees?
em|This is a blog post with Ola Hermansson, one of the guys in our great crew.
pa|My name is Anton Shipulin. I work for Kaspersky Lab at the headquarters, as a global presales manager in the Kaspersky Industrial CyberSecurity (KICS) business development team. I am responsible for various things like promoting our technologies and expertise, market, technologies, and research intelligence, advising product development, building and improving presale processes and resources, heading Kaspersky ICS conference program committee, and many others. Besides that, I am a co-founder of international Russian-speaking ICS Cyber Security community and Industrial Cybersecurity Center (CCI) coordinator for Russia. All of this is because I have been a big fan of the industrial cyber security topic for about 10 years and am keen to help people to increase industrial cybersecurity posture. No! It is my first time at CS3sthlm and in Sweden! I am very excited to come this year as I’ve been following the conference for years and believe it is one of the best ICS security conferences, and doubly happy to be here with our Kaspersky ICS team as a sponsor to share our industrial cybersecurity expertise! Thank you for the long-standing quality!
What amazed me when I was studying cybersecurity at the university was how close the physical and cyber worlds had become. That by pushing a button remotely you can negatively impact the physical process. Years have passed since then and we see that those worlds have become even closer, big cyber-physical incidents have happened, and lots of research is done every year all over the world proving that despite the specifics of ICS and processes, they can be hacked with sufficient resources. It scares We will bring two demo modes to the lab: Gasoil discharge rail tank stand and Anomaly detection on the IoT stand, and our industrial cybersecurity researchers who want to look at and evaluate the security posture of the presented industrial equipment in the Lab and test possible cyber-physical attack scenarios. Gasoil discharge rail tank stand shows several targeted attack scenarios that could happen to industrial infrastructure, on the example of the oil and gas industry. The model represents a rail tank discharge rack that is used for offloading of oil into storage tanks. The sample attack scenarios (including «Process STOP», «Buffer tank overflow» and «Impacting pump operation») demonstrate how a hypothetical hacker can impact or sabotage the operation of the rail tank discharge process. At the stand (comprising an industrial programmable logic controller, physical process representation and two industrial workstations protected by Kaspersky Industrial Cybersecurity) you can see sequential stages of a cyberattack, possible outcome and counteracting reaction of protection mechanisms based on Kaspersky Industrial Cybersecurity. Anomaly detection on the IoT stand simulates attempted attacks on typical elements of IoT infrastructure, such as gateways and devices (e.g. an IP camera), which are connected to a local network.
IoT devices such as various controllers, sensors, cameras, are widely used in industrial organizations to collect and analyze data about manufacturing processes and to automate procedures. On the stand, you can see how IoT devices (an IP camera in this case) can be easily manipulated by an intruder. The intruder steals video data from the camera by creating a second video stream that is then connected to a criminal’s notebook. IoT gateways can be vulnerable to attempts to run malicious code on them and to illegitimately change the firmware. These scenarios can be stopped with the Kaspersky IoT Security solution. The solution consists of several components, including Machine Learning Anomaly Detection that reveals anomalies in device behavior; Linux Application Control (LAC), that blocks the launch of suspicious code that is not in the secure “White List”. This is accomplished via a connection to Kaspersky Lab intelligence services through the Kaspersky Security Network - ensuring a fast response. A program called Secure Boot blocks the launch of illegitimate software; and another solution, Secure Update, prevents a device from being updated with an illegitimate version of software. On the Gasoil discharge oil tank demo we show how our solution - Kaspersky Industrial Cybersecurity – reacts to the different ICS attacks. Basically, Kaspersky Industrial CyberSecurity is a portfolio of technologies and services designed to protect operational technology layers and elements of industrial enterprises – including SCADA servers, HMIs, engineering workstations, PLCs, network connections – without impacting on operational continuity and the consistency of industrial process. I would give a more detailed overview of our approach to Industrial Cybersecurity at the expo talk. It is not only an operating system. Kaspersky Lab provides three closely related technologies: KasperskyOS, Kaspersky Security System for Linux and Kaspersky Secure Hypervisor.
All these solutions have outstanding security capabilities due to a dedicated security engine - Kaspersky Security System, capable of specifying diverse security properties in a higher level way. KasperskyOS has already been successfully used in network appliances and other specialized solutions, and the major features of the upcoming release are hard real-time support and support of CODESYS PLC runtime from 3S company, thus making KasperskyOS an ideal platform for PLC, where security matters. To harden existing Linux-based PLCs, there is a Kaspersky Security System for Linux - a product based on the security engine and Linux containers technology. It allows isolating components of different trust levels and enforcing specified security properties. As an example of a solution based on this technology, there is an Embedded Security Shield from BE.Services, providing a protected version of CODESYS runtime, which was separated into two parts (communication and core), and a flexible and secure way to operate the PLC, constraining undesired behavior. As to Kaspersky Secure Hypervisor (KSH), it is a type 2 virtualization solution, which uses KasperskyOS as a host operating system and provides an extended set of security services and guarantees. KSH enables seamless integration of COTS products, like SCADA, available at the market, with the security hardening mechanisms implemented in KasperskyOS. Practical use cases include access control for HW peripherals, additional independent authentication procedures, control and authorization of guest user and SW operations in accordance with security policies, defined for the solution as a whole, secure boot, update and audit available out of the box and many others. It should be specially noted that KSH makes it possible to harden the solution with strong, state-of-the-art cryptography implemented at the level of KasperskyOS, and it does not require any modifications of guest software at all.
Along with the above, KSH provides an easy to use and transparent way to implement a Trusted Execution Environment (TEE), which is also a high-demand feature. Currently Kaspersky Lab has successful experience in combining the KSH technology both with other company products like KICS, and with third-party solutions like PcVue SCADA from ARC Informatique. Besides direct application to ICS solutions and products, KasperskyOS may be used to support ICS infrastructure in networking equipment - to secure communications, as well as Kaspersky Secure Hypervisor may be used for hardening of other ICS infrastructure components like DB servers. The plans for the nearest future include extending the set of supported usage scenarios and further integration with Kaspersky Lab services and technologies, like Kaspersky Security Network (KSN), Kaspersky Security Center (KSC) and many others. Good question. To find an answer to that, besides all of our projects at our clients’ facilities, we conduct global research, surveying people, analyzing data from our endpoints and network sensors. We publish those reports regularly. Readers can find the latest version here and here. Some highlights from them are on the pictures below. Our practice with our clients mostly proves it. Absolutely, our equipment described above will be open for exploring and researching during the conference in the Lab for the attendees, and our Kaspersky Industrial Cybersecurity security solutions will be connected to the lab network to analyse process traffic and attacks and demonstrate security capabilities. Kaspersky Lab ICS CERT is a research and awareness project launched by Kaspersky Lab at the end of 2016. The main objectives are to share KL expert knowledge on cyber threats affecting industrial organizations, to continuously identify major cybersecurity weaknesses and bottlenecks in ICS products and technologies and to coordinate community efforts to eliminate them.
Since the launch of the project, KL ICS CERT experts have found and reported more than 165 0-day Vulnerabilities in various ICS, IoT, Automotive vendors’ products, and technologies wide-spread in the industry, some affecting hundreds of products on the market. KL ICS CERT researchers keep their eye on cyberattack campaigns targeting industrial organizations in various countries all over the globe, notifying subscribers of the threats discovered. Security analysts are working with various international regulation bodies to bring Kaspersky Lab threat landscape knowledge and security expertise for the benefit of the new standards and recommendations being developed. KL ICS CERT experts provide awareness trainings for OT personnel and extensive deep dive expert-level exercises for IT security specialists as their way to share KL expertise and knowledge on how to make industrial enterprises more secure. There are lots of challenges we all know due to increasing connectivity of everything to everything and amounts of data in the industrial systems; as a result people have to process lots of information simultaneously. But people are not perfect at big (including security) data processing, they fail every time due to violations, mistakes, fatigue, losing vigilance. Therefore I see a lack of maturity and automation of cybersecurity processes as the biggest problem in ICS security. That is what we all should work on! Showcase and share our expertise, meet and discuss with world class experts, learn new stuff and get new ideas, learn how to make a great ICS security conference to use it to make our Kaspersky ICS security conference better! Never stop learning, stay open-minded, strengthen the global ICS security community with your expertise! Keep [ or start ] attending the great CS3STHLM event, and do come to meet our Kaspersky Industrial CyberSecurity team all over the conference!
h1|CS3STHLM Anton Shipulin - Kaspersky Lab
h4|What is your name, where do you work and what is your profession?
h4|Have you been to CS3sthlm (4SICS) before? Have you been to Stockholm before?
h4|This area, protection of critical infrastructure, what makes it so interesting do you think?
h4|What will you present or demo in the ICS Security Lab?
h4|Will there be any new products or services that you are rolling out?
h4|There has been some publication about the Kaspersky secure ICS operating system. What is the current status of that?
h4|What is the current state of ICS security in the markets where Kaspersky is operating? Are the customers well aware of the threats? Do they have good protection in place?
h4|Will the attendees be able to test, test drive, hack or play with any of the devices and demos that you will have on display?
h4|Kaspersky have launched an ICS CERT. How long has it existed, what are the objectives with that, and is it working on any interesting projects?
h4|What do you see as the biggest challenges in the ICS security area?
h4|What are you looking forward to with this year’s CS3sthlm?
h4|What would be your advice to our readers and attendees?
em|This is a blog post with Anton Shipulin, a global presales manager at Kaspersky Lab.
pa|Behind the scenes: Erik Johansson, CS3sthlm organizer My name is Erik Johansson and I work as an independent advisor helping organizations with assessments and procurements to increase industrial cyber security. I often see myself as a Cyber Security Evangelist. Since I have found that most often the root cause behind technical weaknesses comes down to changing organizations’ mindset by educating and training them! Well, the ideas for this conference started like a decade ago. Every winter Robert and I visited the S4 conference in Miami.
However, we were surprised about the small number of Europeans over there - despite the lack of good conferences focusing on Industrial Cyber Security in Europe. The ones that existed were too commercial and lacked the combination of technical depth and business perspective that we thought was necessary! During my research at the Royal Institute of Technology (KTH) on the security challenges when migrating from analog to digital equipment (aka programmable electronics), I found that the security could also be related to the mindset of the people. A root cause of technical weaknesses can often be traced back to the lack of understanding the security implications of the business decisions. For the last decades I have therefore preached about security awareness for organizations in order to change their fundamentally immature mindset regarding security. About twenty years ago I met Robert Malmgren – a very clever IT-security person who did not only understand the bits and bytes but could also see the business perspective - and the lack of human understanding of the complexity. Since then our roads have crossed many times in security related projects. As the co-founders, Robert Malmgren and I are involved in most parts of the planning as well as running the event. Involved in program committee, evaluating the submitted papers, selecting partners and performing the overall discussion with industry. Definitely different. It’s a strange time consuming ”hobby” – that takes a huge amount of our limited spare time. However, it’s also super exciting to get to know so many clever people from all around this planet… :) Tricky question. It’s really a mix. It’s a Marathon in the way that the planning and preparations start almost directly after the last one and are ongoing for almost a year. Sometimes it’s more like a 100 meter race - like when we get 50 great submissions that need to be evaluated.
Or when the final program and all pieces are getting in place… and yes we are all exhausted after each event. Everyone that is working in critical infrastructure, as manager or operational, and would like to learn more about current threats, incidents, vulnerabilities and experiences as well as success stories should go. Not to say the least is to participate in the networking among peers that inspire and share valuable knowledge during the event! Industry has a huge challenge, not only to continuously increase their knowledge and awareness but to get a mature security culture in place. The challenge from a conference perspective is to reach out and bridge the unfortunate gap between top-level decision-makers and technical experts as well as the gap between IT and OT departments. Hard to tell - there are so many good memories. One was when the security researcher Ruben Santamarta (IOACTIVE) did a live hacking demo on critical SATCOM equipment, turning it into a slot machine in front of our eyes. Another special memory was to listen to the only Swedish Astronaut, Mr Fuglesang, as evening speaker! :) I’m really excited for this our fifth anniversary which has been extended with an EXPO on the day before the SUMMIT! Arrive early! Participate and interact with the vendors at the EXPO. Moreover, take the opportunity to discuss the strategical challenges that follow from the ongoing regulations, and don’t forget to visit and take a look at the ICS lab and the demonstrations of valuable security solutions.
h1|CS3STHLM Erik Johansson - Co-founder of CS3sthlm
h4|What is your name, profession and where do you work?
h4|How did you get involved with this conference?
h4|How did you get involved in this field?
h4|What is your role during the conference?
h4|Running a big event like CS3sthlm is different from your day-to-day work, or?
h4|Is it a marathon race, a 100 meter race, is it cat herding or something else to do this kind of job?
h4|Why should I go?
h4|What are the biggest challenges that you see?
h4|What is your best memory from previous conferences?
h4|What do you look forward to with this year’s event?
h4|Any last words of advice to our readers and the attendees?
em|This is a blog post with PhD Erik Johansson, one of the organizers of the CS3sthlm summit. Below you find the interview we did with him as the planning and preparation of the conference and expo was in full swing!
pa|Here you can view all the best international speakers and trainers attending CS3STHLM during the years. We also host a dinner entertainment slot during the Gala Dinner. In late 2017 Herman released “Surviving Disaster - twelve ways to prepare yourself”. The book examines what we can do to increase our chances of surviving when a disaster or something completely unexpected happens. “Surviving Disaster” is a popular science book that not only deals with survival techniques and bushcraft but also focuses on how humans work and what we can do to prepare ourselves mentally and increase our chances of coping with a crisis. At the age of 22, I wrote a series of blog entries on the topic of ”The greatest mysteries of the internet” (which you can read in Swedish here), and thanks to the massive response I promptly discovered that there weren’t a lot of people in Sweden who wrote about the internet in quite the same way. I jumped between work places, including Swedish public service radio, for a couple of years before I ended up on Metro. Jenny Radcliffe – aka “The People Hacker” – is an expert in Social Engineering (the human element of security), negotiations, non-verbal communication and deception, using her skills to help clients from corporations and law enforcement, to poker players, politicians and the security industry protect themselves from malicious social engineering attacks.
h1|CS3STHLM
h2|Gala Dinner Zombie Survival Fake news or folklore?
Adventures in social engineering - tales of a "people hack" Voyage to Space Cyber Security through the ages
h3|Herman Geijer Jack Werner Jenny Radcliffe Christer Fuglesang Peter Zinn
h4|Zombie Survival Expert at Independent Journalist at Freelance Social Engineering Expert at Independent Astronaut in Space Cyber Agent
sp|The Archive - Gala Dinner 2019 Herman Geijer 2018 Jack Werner 2017 Jenny Radcliffe 2016 Christer Fuglesang 2015 Peter Zinn
pa|For the last 15 years, I have been working as Pentester, Auditor, BC-manager and IT-security “jack of all trades” like malware tracking and alerting via malware sinkholes. Four years ago I switched from IT security to OT Security and needed to learn a lot of stuff in a very short timespan. As I didn’t have a power substation or water treatment plant for my private disposal (who has that :-) I had to learn a lot on ‘arcane’ ICS protocols like Modbus, IEC104, S7comm, DNP3 in some other way, hence honeypots seemed like an interesting way forward. To sum it all up - I needed to build something to simulate these protocols. I found a low interaction honeypot and started to learn about it. After a while I put an ICS honeypot on the Internet, and it was attacked right away! I was hooked and the rest is history - today I manage one of the largest privately owned honeypot networks (120+ sensors) deployed all over the world! They can be both! During my two-day training at CS3sthlm in October we will touch both types of usage. Depending on your goals and scope, there are two different deployment approaches - they can (read should!) be used as an important layer in our “defense in depth” strategies. Internally deployed honeypots can provide an effective “close-to-zero-false-positives” warning system - with a minimal maintained profile - and should be used in most ICS networks.
My newest honeypot project Defenica works as a very, very convincing deception ICS device, built on purpose to emulate for example a PLC or HMI system. That is when I find zero-days targeting my honeypot networks! Normal reasoning would say that no real attackers would “burn” a zero-day on unsolicited ICS equipment… but sometimes they do! My latest published Moxa vulnerability (CVE-2018-10632) was built on the research found in the network traffic aimed at one of my honeypots! My 2 day workshop would provide a walk-through on that case, to enable my students to be inspired to do similar zero-day research activities. Honeypots can be either low, medium or high interaction. Low interaction honeypots are very easy to spot as a fake system if the attacker is skilled, but a high interaction honeypot, to a very large extent, has the same feel and look as the device/system that you are emulating. During my learning curve I started with typical low interaction honeypots, but today I use only medium/high interaction honeypots. During the workshop we will deploy and work with low, medium and high interaction honeypots – in combination with real ICS/SCADA equipment! When moving from low to high interaction honeypots a whole new world of enriched data emerged! Suddenly I found that I was able to detect and track various attacker groups during their campaign. Often one IP address attacks a honeypot, and they do some stuff and then seem to stop and go away. A while later a new IP address comes along and continues the work that the first IP started! Having deployed a considerable number of honeypots globally, I have been able to see patterns, as well as map various activities to a specific group of attackers, previously hidden. No! In my class I will share my hard-earned knowledge on how to setup honeypots that an attacker cannot differentiate from a real device!
Traditional IDS/IPS systems are often signature based, hence they will alert you whenever something matches a known “signature”. If the activities/signatures from the attacker are not known in advance, no alert will be triggered. As the honeypot is a fake unit, there should never be any reason to communicate with the device - so any and all traffic/alerts to or from it should be investigated by the SOC/Blue team. Yes. A typical IDS system is designed for operating in an environment with traditional IT systems, not OT/ICS equipment. Putting an IDS system to alert on ‘anomaly stuff’ e.g. old network protocols in an OT industrial network will fire lots of alerts and make the security monitor system light up like an over-charged Christmas tree - that’s not a good way to avoid the alert fatigue that so many SOC/SAC teams are currently suffering from… As highlighted earlier, a significant advantage of using honeypot technology is the (almost) zero-false positive alerts. Very good questions, Robert! I would say that a honeypot typically and primarily is a detection mechanism to alert you that something is out of order. But based on the deployment options it can actually be both! important things to think about? All this, and more, is what we will learn on the first day of the workshop! First: be really happy that it’s a honeypot and not the real equipment the attacker is trying to hack :-) Secondly: initiate your incident response (IR) process and start to observe the attacker in order to find the best possible time to kick them out of the environment. And - if done properly in the IR phase, be sure to gather knowledge of the TTPs of the attackers. My students will learn how to plan, build, deploy and manage different types of honeypots. We will deploy the honeypots on the Internet and see various probes and attacks. On the second day we will build a dedicated network with real ICS/SCADA equipment and learn how to move from low to high interaction honeypots.
Lots of fun stuff to do with this equipment! If you don’t already have honeypots in your arsenal of security tools you are missing out on a very interesting technology that can be effective, with zero false positives. If you never have worked with honeypots, please come and join the technical training! A great bonus of taking the honeypot class is that you also will get a view on the strange and ‘arcane’ protocols that live in most industrial networks!
li|To know what to achieve from the deployment
li|How to make the honeypot ’believable’
li|Not introducing new risks for the company
h1|CS3STHLM Mikael Vingaard - The Expert on ICS Honeypots
h4|What is your background, with regards to security, the energy system and honeypots?
h4|Honeypots, aren’t they just tools for researchers? Or can they be used in a real environment?
h4|What are the most interesting results or effects you have seen with your honeypots?
h4|High interaction honeypots or low interaction honeypots, what is that, and what do you think about it?
h4|During your time running honeypots, what is the most surprising thing you have encountered or seen?
h4|Can an attacker easily see the difference between a real system and a fake one, the honeypot?
h4|How would you differentiate the honeypot in comparison with an IDS or an IPS? What are the advantages?
h4|Is there anything that you can catch, or detect, or do with a honeypot that one cannot do with an IDS, IPS or firewall?
h4|Is the honeypot a protection or a detection mechanism?
h4|Having honeypots in an ICS/SCADA environment, what is the most
h4|If a honeypot actually is being attacked, what is the first thing you should do as the owner of the honeypot?
h4|What will your students learn at the training?
h4|Any last final words of advice you would like to give?
em|This is a blog post with Mikael Vingaard, the expert on ICS Honeypots who will give the 2-day training session during the CS3sthlm conference week.
Last year it was a 1 day course, but we decided to extend it so that more could be covered during class. Below you will find an interview we did with Mike as he was preparing for the class.
pa|This page contains information which is not active and is tied to past events.
li|Presentations Ken Munro will not be presenting their "Smarter Shipping. Hacking floating ICS for fun and profit". Andrew Tierney will instead present this presentation.
h1|CS3STHLM
h2|World Class
h3|Reverse Engineering Siemens PLCs: Lessons Learned for Today and Tomorrow Stop Protecting Information Smarter Shipping. Hacking floating ICS for fun and profit Operational Integrity: Safeguarding Your OT Systems With Cyber AI ACME Windpharms – It can’t be ‘smart’ if you lack simple security Ransomware? Please Hold for The Next Available Agent Hidden Attack Surfaces of Modern Industrial Automation Systems Application of RAMS methodologies in OT Security Conning Corona- on deception, scams and social engineering in a pandemic. So You Want to Take Down the Electric Grid - or You Want to Defend It Bug hunting in cloud connected ICS devices: Getting root from the cloud How to create a risk-based future-proof zone model Hacking Advanced Metering Infrastructure (AMI) – an attacker’s perspective on Distribution System Operator (in)security Pressing the big red button – on Incident Response Readiness in the Oil and Gas Sector A Practical Way to Test OT Security Mechanisms in Real-life Scenarios Future of Ransomware DevSecOps in ICS over data diode Detecting and Tracking RATs in the Energy Sector The sustainability of safety and security Threat modeling and attack simulations for enterprise and ICS Fake Company, Fake Factory but Real Attacks: Stories of a Realistic, High Interaction ICS Honeypot.
Application of RAMS methodologies in OT Security
h4|Summit Presentations Recent Changes
sp|CS3STHLM 2019-2020 21 October 2020 Ali Abbasi Andrew Ginter Andrew Tierney Andrew Tsonchev Colin Cassidy Daniel Kapellmann Zafra Federico Maggi Ignacio Moreno Canadas Jenny Radcliffe Joe Slowik Kelly Leuschner Kristina Blomqvist Jonas Edberg Krzysztof Swaczyński Marie Moe Jan Tore Sørensen Matan Dobrushin Idan Helzer Michael Firstenberg Michal Paulski Nour Fateen Ross Anderson Simon Hacks Wenjun Xiong Stephen Hilt Wissam Al-Nasairi
h1|CS3STHLM
h2|Presentations The fall of CODESYS Applying the Consequence-driven Cyber-informed Engineering method on a Facility for a Successful Attack How to save $1.7 million over three years on industrial cybersecurity: the Results of the Forrester Total Economic (TEI) Impact study What is the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE)? Tales from Industrial Plants and Responders Automotive DoIP and forensic analysis for automotive systems curl - the world's most used software component? EU STRIKE3 project Security Testing for ICS Owners 2.0 A view from the Blue side of Locked Shields TLS Interception and Decryption *LIVE DEMO* Testbed Evaluation of DoS Attacks on Continuously Controlled Processes Zombie Survival Introduction to Malcolm Presenting how we know what’s happening in the exercise and measuring Applying the Consequence-driven Cyber-informed Engineering method on a Facility for a Successful Attack Broken Rungs: A look at popular ladder logic runtime privileges A view from the Blue side of Locked Shields Digital Forensics and ICS: Why and how? Automotive DoIP and forensic analysis for automotive systems Secure your MES - the bridge between IT and OT We are all vulnerable IT vs.
OT: We are Much More Similar than We are Different. Comparing Process Control Room and SOC operations Fuzz Testing IEC 61850 Project RunAway Applying automated attack modeling to a smart grid use case Cyber Security for OT/IIoT/ICS – what we have learned 1000 installations later When will my PLC support Mirai? The security economics of large-scale attacks against ICS Tales from Industrial Plants and Responders Nation-State Supply Chain Attacks for Dummies and You Too SCADApocalypse Now 4.0? Building a distributed and robust time synchronisation service Broken Rungs: A look at popular ladder logic runtime privileges Demystifying TSCM or how to spot the witch doctor doing the raindance Ultra responsible disclosure – or how to deal with a 0-day in critical infrastructure Attack Path Mapping Project EnergyShield - hacking the power grid as a research method Red Teams view from the exercise Layered Blueprints – an ontology and method for (talking about) engineering OT Security Digging into the technical setup of the exercise How we reverse-engineered multiple industrial radio remote-control systems Introduction to Locked Shields exercise The cyber-attack on Hydro Memory Forensics and DMA Attacks with MemProcFS and PCILeech Project RunAway Kaspersky Industrial Cybersecurity approach Hunting and Responding in ICS Attacking PLCs by PLC in deep Stateful Protocol Hunting Stateful Protocol Hunting Operator Jail breakout ICS cyber security in the face of digital transformation Supply Chain Cyber Security throughout the ICS Lifecycle The good, the bad and the segmented Operator Jail breakout Resilient Computing and Communication for Critical Infrastructures Control Theory for Practical Cyber-Physical Security Fake news or folklore? Recorded Future - The Dark Web’s deep threat intelligence secrets Indicators vs. Anomalies vs. 
Behaviors: A Critical Examination for ICS Defense Designing a second generation cyber range Security when failure is not an option Recent APT Campaign targeting Energy Sector Assets Attacking Cars Revisited: On the Road Towards a More Resilient Connected Vehicle Infrastructure Introduction to MSB-session Introduction to KRAFT-CERT and some words about Nordic co-op Uncertain conflict – When critical infrastructure is affected by national conflicts. Securing Low Level Software Using Formal Methods Using fake BTS as a part of pentest of devices using SIM cards for data transmission IoT-related risks ICS Incident Response: Lessions and mitigations from the field Hunting and Responding in ICS Incident Response: Learning as you go is Expensive Jumping Air Gaps Unblockable Chains - Is Blockchain the ultimate malicious infrastructure? Industrial Technology Trajectory: Running With Scissors Securing Wireless Transmissions at the Air Interface Addressing Physical to Digital Convergence in an Evolving World The good, the bad and the segmented Securing the ICS lab network Secure SCADA Protocol for the 21st Century (SSP21) S in IoT is for Security Configurable Code-Reuse Attacks Mitigation for COTS Programmable Logic Controller Binaries Industroyer: biggest threat to industrial control systems since Stuxnet Back to the IoT Future DIY insider threat detection/prevention within ICS enviroments Adventures in social engineering - tales of a "people hack" Security for Safety: Fortifying the last line of defense Pro-Kremlin trolls, fake news and propagandists as opinion influencers - and how to counter them Strategic Network Defense in ICS Environments APT Case Study Pandora´s box APT Case Study ICS Program Development for Multi-national Corporations Cyberattacks Against Critical Infrastructure in Ukraine: Taxonomy, Consequences, Lessons Learned Network and Information Security Directive: the road ahead Threat modelling and security measures for ICS/SCADA systems in critical 
infrastructure From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices Industroyer: biggest threat to industrial control systems since Stuxnet Cyberattacks Against Critical Infrastructure in Ukraine: Taxonomy, Consequences, Lessons Learned Protecting European transport infrastructures: threat models IoT in Europe: what could possibly go wrong and how you can fix ENISA Trainings for Cyber Security Specialists BlackEnergy – What We Really Know About the Notorious Cyber-Attacks DYODE: Do Your Own DiodE DYODE: Do Your Own DiodE Voyage to Space Embodied Vulnerabilities - How to find, fix, and think about them Crate City In a grid operator's security trenches The Cyber Threat Intelligence Matrix: A simple incident response decision model Physics-based attack detection and countermeasures in control systems Too many cooks spoil the broth? Too many cooks spoil the broth? Defense-in-Depth' in a time of advanced persistent threats Building Robust Tabletop Exercises to Strengthen Your CSIRT LIGHTWEIGHT PROTOCOL! SERIOUS EQUIPMENT! CRITICAL IMPLICATIONS! PLC-Blaster - A Worm Living in Your PLC Road to Cyber Threat Intelligence in the Energy Sector Embodied Vulnerabilities - How to find, fix, and think about them Cybersecurity in Europe - the NIS Directive and the role of Operators of essential services Crate City Breaking isolation using cache attributes BlackEnergy – What We Really Know About the Notorious Cyber-Attacks Exploring the Unknown ICS Threat Landscape Cybersecurity in Europe - the NIS Directive and the role of Operators of essential services The role of anomaly detection in industrial control systems Road to Cyber Threat Intelligence in the Energy Sector Ageing of ICS - What's the deal? Simulating Attacks on infrastructure systems in Egypt Is Your Plant "Ready to Crash"? 
Missing the Obvious: Network Security Monitoring for ICS Hacking the Power Grid: Analyzing what Hackers do when they have access to the 'Power Grid Honeypot' Caststonomics: North What can the ICS sector learn from APT attack? PhysICS - Using physics simulation engine to demonstrate impacts on industrial control attacks Reducing attack surface on ICS with Windows native solutions The dirty secrets your hardware can keep, and how we can clean up its act Stuxnet and Beyond: The Age of Digital Warfare Responsible Disclosure may be Irresponisble Case Studies in Real World ICS/SCADA Incident Response and Forensics Digital Maintenance and Test Equipment and Impact on Control System Security Who controls your industrial control systems? Reversing and Deciphering the Cyber Espionage Malware Communications Cyber Security through the ages Missing the Obvious: Network Security Monitoring for ICS Asset Identification and Network Security Monitoring in ICS Network The Little Pump Gauge That Could: Attacks Against Gas Pump Monitoring Systems Experiences from introducing security network monitoring at a major ICS enviroment SCADA Network Forensics What aren't we doing right? ... or is that 'What are we doing wrong?' Conversations with your Control System A best practice framework for managing ICS risks Information Security Incident Response in the Energy Sector SATCOM Terminals: Hacking by Air, Sea and Land Beyond Public Private Partnerships: Collaboration, Coordination and Commitment as key aspects of Industrial Cybersecurity SCADA StrangeLove: The Great Train Cyber Robbery Security requirements and their implications. An interpretation of the german security requirements for smart meters for manufacturers and operators Why Control System Cyber Security Sucks Cyber Security, or Cyber Safety Culture? 
How to convert the weakest link into the force h3|2019 Alexander Nochvay Andreas Erdich Andy Greenberg Anton Shipulin Cdr Michael Widmann Christian Augustat Christopher Corbett Daniel Stenberg Didrik Ehrenborg Dieter Sarrazyn Erik Biverot Erik Hjelmvik Henrik Sandberg Herman Geijer Janek Pelzer Jarkko Huttunen Jens Wiesner Jimmy Wylie Johan Nilsson Jonathan Jogenfors Kevin Gomez Buquerin Khalid Ansari Magnus Lundgren Marina Krotofil Markus Mahrla Matan Dobrushin Mathias Ekstedt Michael Weng Mike Dodson Mona Lange Monta Elkins Nicklas Keijser Ragnar Sundblad Reid Wightman Richard Widh Rikard Bodforss Robert Bearsby Robert Lagerström Sandra Bardón Sarah Fluchs Silver Saks Stephen Hilt Thomas Svensson Torstein Gimnes Are Ulf Frisk Yoav Flint Rosenfeld 2018 Anton Shipulin Ben Miller Cheng Lei Dan Gunter Daniel Michaud-Soucy Dieter Sarrazyn Dr Kevin Jones Erik Zouave Erwin Kooi Frank Lycops György Dán Henrik Sandberg Jack Werner Jannis Utz Joe Slowik Jonas Almroth Jonas Dellenvall Jonathan Homer Kai Thomsen Kristina Blomqvist Lars Erik Smevold Lars Westerdahl Mads Dam Marcin Dudek Margarita Jaitner Mark Bristow Mark Stacey Monta Elkins Omer Zohar Patrick Miller Ragnar Thobaben Rick K. Peters Rik van Hees William Middleton 2017 Adam Crain Akriti Srivastava Ali Abbasi Anton Cherepanov Dan Demeter Dieter Sarrazyn Jenny Radcliffe Jens Wiesner Jessikka Aro Joe Slowik Jon Rogeberg Lars Erik Smevold Martin Eian Melissa Crawford Oleksii Yasynskyi Paraskevi Kasse Patrick DeSantis Robert Lipovský Roman Sologub Rossella Mattioli 2016 Anton Cherepanov Arnaud Soullié Ary Kokos Christer Fuglesang Eireann Leverett Erik Westring Erwin Kooi Frode Hommedal Henrik Sandberg Isabel Skierka Jan-Peter Kleinhans Jens Zerbst Ken van Wyk Lucas Lundgren Maik Brüggemann Margrete Raaum Marie Moe Paraskevi Kasse Peter Andersson Robert Guanciale Robert Lipovský Robert M. 
Lee Rossella Mattioli Simin Nadjm-Tehrani Thomas Schreck Vidar Hedtjärn Swaling 2015 Ahmed Sherif Eldemrdash Arjan Meijer Chris Sistrunk Dewan Chowdhury Eireann Leverett Freddy DeZeure Jan Seidl Joe Fitzpatrick Kim Zetter Leif Nixon Mark Fabro Michael Toecker Mikael Vingaard Monnappa K A Peter Zinn Robert Caldwell Robert M. Lee Stephen Hilt 2014 Anders Rodrick Erik Hjelmvik Joel Langill John Matherly Justin Lowe Margrete Raaum Ruben Santamarta Samuel Linares Sergey Gordeychic Staffan Persson Stefan Lueders Vyacheslav Borilin h4|Filter 46 Presentations 34 Presentations 20 Presentations 26 Presentations 18 Presentations 12 Presentations sp|The Archive - Presentations Menu 2014 2019 rmation pa|I am a Principal Security Consultant and the Team Manager for ICS/OT Security at GAI NetConsult, a security consulting company based in Berlin / Germany. 
GAI NetConsult has been working in the ICS/OT domain for more than 15 years. Together with my colleagues we do consulting and technical or organizational auditing in the OT and ICS domain, mostly for operators and asset owners from energy industry, industrial manufacturing and for critical infrastructure projects. During my studies and my PhD, I worked as a freelance security consultant. In 2006, I joined GAI NetConsult; I have been working in the ICS / OT domain since then. Since 2010, I am involved in security standardization for ICS and OT systems. First in the security working group of the German utility organization BDEW, then also in the national standardization institutions DIN and DKE, the German mirror organisation to IEC. Since 2011, I have been working on the international level within ISO and IEC. In the working group responsible for information security management at ISO/IEC, I am the Editor of ISO/IEC 27019 and an expert for ICS and Smart Grid. ISO/IEC 27019 started as a German national project in 2010. It was initiated by several large and medium sized energy utilities and BDEW, the German utility association. The utilities felt that it was hard to integrate the OT / ICS domain within their security management organization, which was based on ISO/IEC 27001 within most companies. They decided to publish a standard to fill this gap and in 2013, the German version was translated and published as an international ISO/IEC document. The aim of 27019 is to extend the contents of ISO/IEC 27002 to the domain of process control systems and automation technology, thus allowing energy utilities to implement a standardized and specific information security management system (ISMS) that extends from the business to the process control level. I was the project leader and editor for the German version at DIN and DKE from 2010 to 2012 and was then delegated from the German National Body to ISO/IEC to be the Editor of the International Standard. 
The latest version from 2017 is now completely aligned with the current version of ISO/IEC 27001 and 27002, so it can be seamlessly used within an ISMS based on ISO/IEC 27001. Additionally we aligned with 27001 in such a way that it is possible to have certifications based on ISO/IEC 27019 together with 27001. Furthermore, the scope of the standard has been extended to include the oil sector. We completely revised the technical content of all security controls and twelve new topics are covered now which were not included in the first revision from 2013, e.g. with regard to mobile devices, vulnerability management or technical reviews. It is now possible to have a certification for ISO/IEC 27019. This automatically includes the ISO/IEC 27001 requirements, which 27019 refers to. In Germany, already all gas and electricity grid providers have to be certified against ISO/IEC 27001 together with ISO/IEC 27002 and 27019 since January, very likely a similar regulation will come into force for large generation and gas storage plants. Absolutely not. After an introduction to the energy supply and the ICS systems used in the different energy domains, I will give an overview about the ISO/IEC 27000 series and the important content of ISO/IEC 27001, which is necessary to understand the application of 27019. Then we will concentrate on the 27019 controls for the various security management domains. The Whitepaper „Requirements for Secure Control and Telecommunication Systems” is a best practice guideline, which defines security requirements for control systems used in the energy domain. It was developed by the German and Austrian utility associations BDEW and Oesterreichs Energie - therefore it is also called BDEW/OE-Whitepaper. The first version was published already in 2008 and it has become the de-facto standard in the German speaking regions, i.e. Germany, Austria and Switzerland for security requirement definitions for control systems in the energy domain. 
In May 2018 a fully revised version 2.0 has been published, the English translation is available here: https://www.bdew.de/service/anwendungshilfen/whitepaper-anforderungen-sichere-steuerungs-telekommunikationssysteme/ While ISO/IEC 27019 defines requirements and best-practice controls related to the security management in the utility organization, the BDEW/OE-Whitepaper covers the requirements for the technology used in the ICS/OT domain. It is focusing on security specification and requirement definition in procurement projects. Together, ISO/IEC 27019 and the BDEW/OE-Whitepaper are the basis for secure operation within an energy utility. With BDEW and Oesterreichs Energie, I have been the editor of the Whitepaper both for the initial version in 2008 and for the revision in 2018. I have used the Whitepaper very often over the last 10 years, especially in procurement and audit projects for grid control systems, substation automation and protection systems as well as for power and gas storage plant automation and virtual power plants and supporting OT systems. Oddly enough, sometimes I still have to discuss the same problematic topics with suppliers and integrators as ten years ago. We will have exercises to learn how to apply the lecture content with regard to the ISO/IEC 27019 controls and the BDEW/OE-Whitepaper requirements. I will give as many first hand experiences from my projects with 27019 and the Whitepaper as possible. Our field is rapidly changing, thus it is very important to have a regular exchange within the community. CS3STHLM is a perfect event for this. I am happy that I have been invited to give a lecture at CS3STHLM. I am looking forward to meet IRL some old friends from the ICS security community and to make a lot of new ones in Stockholm! I heard rumours there might be a gathering of the European Chapter of BEER-ISAC also… li| h1|CS3STHLM Dr. 
Stephan Beirer - The Expert on the ISO/IEC 27019 standard h4|What is your day job, where are you working and what do you do? For how long have you worked in the field? Are you involved in the standardization process? What areas are you working with? In your class, you will cover the ISO/IEC 27019 standard, which is somewhat unknown to many. What is the background for this standard? Were you involved early on with the development of the ISO/IEC 27019 standard? There is a relatively new edition of the standard. Does the new version differ much in comparison with older ones? Will utility companies start certification processes against the 27019 standard, or is it still against the 27001 only? Is there any requirement on prerequisites and prior deep knowledge of ISO/IEC 27000 before taking the class? You will also talk about an interesting German and Austrian Whitepaper. What is the background of this document? How does the BDEW/OE-Whitepaper relate to ISO/IEC 27019? How long have you been working with the BDEW/OE-Whitepaper? Is your class only theoretical, or will the participants also have any practical exercises? As an expert in the field of IT/information/cyber security, any advice you would like to share? Any last thoughts you would like to share with the readers? sp|Menu rmation em|This is a blog post interview with Dr. Stephan Beirer, the expert on the ISO/IEC 27019 standard. He will give a training session during the CS3sthlm conference week. Below you will find an interview we did with him as he was preparing for the class. You will probably find several things in the interview that you didn't already know about the standard! pa|This is an open pledge to all that want to spread their knowledge in the cybersecurity world! We have opened our "Call for Participation" which is our name for the process of asking you to submit proposals for talks, workshops, training, demos, etc. Please see the PDF file for instructions on what and how to submit the information. 
We will accept submissions until 15th of March 2020. If you have any questions, comments or want to reach out and verify something, just send us an email at "cfp@cs3sthlm.se". li| h1|CS3STHLM h2|Call for Participation h3|We are now looking for content to the CS3STHLM summit of 2021! h4|Speakers & Trainers sp|Menu rmation
pa|Hands-on Threat Modeling for ICS-OT Organizations are now dedicating resources to protecting their Industrial control systems (ICS) assets, which include supervisory control and data acquisition (SCADA) programs, against intentional or accidental security threats. ICS security has plenty of challenges. Several of them owe their existence to the ongoing convergence of information technology (IT) and operational technology (OT). People and technology must work together to develop security controls that they can implement, build upon, enforce, modify and improve. From experience we see that threat modeling as a discipline fits really well in ICS and OT environments, to design and secure connected systems in a way that is aligned with typical operational technology challenges. In order to minimize that gap we have developed a 1 day course with practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Students will be challenged in groups of 3 to 4 people to perform the different stages of threat modeling on the following: After each hands-on workshop, the results are discussed, and students receive a documented solution. Based on our successful trainings in the last years, we released this advanced threat modeling training at Black Hat USA 2018. 
Some feedback from our Black Hat training attendees: Staff involved in securing control systems, critical infrastructure, automation and smart-grid. Structured method to do risk assessments in an ICS environment The course students receive the following package as part of the course: As highly skilled professionals with years of experience under our belts we know that there is a gap between academic knowledge of threat modeling and the real world. In order to minimize that gap we have developed practical Use Cases, based on real life projects. Each use case includes a description of the environment, together with questions and templates to build a threat model. Using this methodology for the hands on workshops we provide our students with a robust training experience and the templates to incorporate threat modeling best practices in their daily work. The students will be challenged to perform the threat modeling in groups of 3 to 4 people performing the different stages of threat modeling on: After each hands-on workshop, the results are discussed, and the students receive a documented solution. li|Jasper Hooft Diagramming remote support applications, sharing the same REST backend STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service Threat mitigations in a pharmaceutical manufacturing facility Modeling attack trees against a nuclear facility “Toreon delivered! One of the best workshop instructors I’ve ever had.” “Very nice training course, one of the best I ever attended.” “I feel that this course is one of the most important courses to be taken by a security professional.” “The group hands-on practical exercises truly helped.” A solid foundation to apply threat modeling in the field of ICS and OT Hands-on exercises take up at least 50% of the training in interactive challenges covering real cases. Threat modeling in ICS and OT What is threat modeling? Why perform threat modeling? 
Threat modeling stages Different threat modeling methodologies Communicate a threat model Understanding context Doomsday scenarios Data flow diagrams Trust boundaries STRIDE introduction Spoofing threats Tampering threats Repudiation threats Information disclosure threats Denial of service threats Elevation of privilege threats ICS and OT Attack libraries Mitigation patterns Authentication: mitigating spoofing Integrity: mitigating tampering Non-repudiation: mitigating repudiation Confidentiality: mitigating information disclosure Availability: mitigating denial of service Authorization: mitigating elevation of privilege ICS and OT mitigations Typical steps and variations Validation threat models Effective threat model workshops Communicating threat models Updating threat models Open-Source tools Commercial tools Threat modeling resources Hand-outs of the presentations Work sheets of the use cases, Detailed solution descriptions of the use cases Template to document a threat model Template to calculate risk levels of identified threats Receive certificate: Following a successful exam (passing grade defined at 70%) the student will receive certification for successful completion of course Diagramming remote support applications, sharing the same REST backend STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service Threat mitigations in a pharmaceutical manufacturing facility Modeling attack trees against a nuclear facility st|Hands-on: Diagram remote support applications, sharing the same REST backend Hands-on: STRIDE analysis of an Internet of Things (IoT) deployment with an on premise gateway and a cloud based update service Hands-on: Threat mitigations in a pharmaceutical manufacturing facility Threat models examples: automotive, industrial control systems, IoT and Cloud Hands-on: Modeling attack trees against a nuclear facility h1|CS3STHLM Hands-on Threat Modeling for ICS-OT h2|Course Outline 
h3|Student package: Threat Modeling – Real Life Use Cases h4|Taught by Role Company Status Date Audience: Audience should expect for the training: Key Takeaway: Threat modeling introduction Diagrams – what are you building? Identifying threats – what can go wrong? Addressing each threat ICS-OT threat modeling Threat modeling resources sp|Menu 2019 Archive Jasper Hooft ICS Security Consultant Toreon Sold Out 22 October rmation em|The students should bring their own laptop or tablet to read and use the training handouts and exercise descriptions. pa|Digitalisation and the interconnectivity of operational technology (OT) drastically increases cybersecurity risk in the oil and gas industry. The security challenges, requirements and potential consequences in industrial environments significantly differ from those in a traditional office IT environment. While the impact of a security breach in office environments is often limited to financial losses, attacks on industrial systems have the potential to stop production, cause physical damage, harm the environment and even put people’s lives at risk. The oil and gas industry is increasingly reliant on digital systems, and companies have ambitious plans for increased use of digital technology. Established operational patterns are changing, allowing more onshore operation on offshore installations. This trend provides great benefits in areas of efficiency, cost savings and competitiveness, however it also leads to new challenges related to cybersecurity. The industry must therefore actively follow-up changes in the risk landscape, and their increased exposure to continuously evolving cyber threats. A key component in this is incident response readiness planning. The first part of this talk presents the results of an empirical study of cyber incident response readiness in the Norwegian oil and gas industry, performed by SINTEF on behalf of the Norwegian Petroleum Safety Authority. 
The study addresses the CERT capacity among various actors in the industry and their ability to handle critical cybersecurity incidents in industrial control and safety systems. The study focuses on OT systems, information sharing, and the operationalisation of CERT alerts and warnings. The study shows that informants are relatively satisfied with their own cyber incident preparedness today, but they acknowledge that it can be improved in the areas of visibility and real-time monitoring of cybersecurity in OT systems. Furthermore, the study shows that not all oil and gas companies or drilling rig operators distinguish between cybersecurity incidents in IT and OT systems, and views vary widely concerning who is responsible for security in and between IT and OT systems. mnemonic has, for several years, delivered security monitoring services to different customers within these industrial verticals and helped them build cybersecurity mechanisms for protecting their industrial automation and control systems. In the second part of this talk, we will present a recent use-case where mnemonic designed a solution for securing remote access into SAAS and protecting IACS subsystems offshore from cyber threats. Here we implemented a system allowing the control room offshore to dynamically grant access and isolate critical subsystems offshore by pressing a “big red button”. If there is an incident, the “big red button” can be used without impacting the protected production process. The key takeaways from this talk will be an insight into the unique challenges of the petroleum industry when it comes to incident response readiness, including a real-world example of how to design secure remote access with a built-in practical emergency network segmentation solution. 
li|Marie jan h1|CS3STHLM Pressing the big red button – on Incident Response Readiness in the Oil and Gas Sector h4|Author Role Work Author Role Work Previous Presentation Next Presentation sp|Menu Marie Moe Senior Security Consultant mnemonic Jan Tore Sørensen Security Expert mnemonic Krzysztof Swaczyński Matan Dobrushin Idan Helzer rmation pa|Network ForensICS Training Our two-day Network Forensics class consists of a mix of theory and hands-on labs, where students will learn to analyze Full Packet Capture (FPC) files. The scenarios in the labs are primarily focused on network forensics for incident response, but are also relevant for law enforcement/internal security etc. where the network traffic of a suspect or insider is being monitored. The scenario used in the class involves a new progressive Bank, which provides exchange services for Bitcoin and Litecoin. We’ve set up clients and a server for this bank using REAL physical machines and a REAL internet connection. All traffic on the network is captured to PCAP files by a SecurityOnion sensor. In the scenario this bank gets into lots of trouble with hackers and malware, such as: Class attendees will learn to analyze captured network traffic from these events in order to: Each attendee will be provided with a free personal single user license of NetworkMiner Professional and CapLoader. These licenses will be valid for six months from the first training day. Q: Who should attend? A: Anyone who wants to improve their skills at finding evil stuff in full content packet captures. Q: Who should NOT attend? A: Those who are afraid of using Linux command line tools. Attendees will need to bring a laptop that fits the following specs: A VirtualBox VM will be provided on USB flash drives at the beginning of the training. Please note that having a 64-bit CPU and a 64-bit OS is not always enough to support 64-bit virtualization. 
You might need to enable features such as “AMD-V”, “VT-x” or “Hyper-V” in BIOS in order to run virtual machines in 64-bit mode. You might also need to turn off “Intel Trusted Execution” in BIOS. One way to verify that your laptop supports 64-bit virtualization is to download the SecurityOnion ISO and see if it boots up in VirtualBox.
li|Theory: Ethernet signaling
li|Hardware: Network TAPs and Monitor ports / SPAN ports
li|Sniffers: Recommendations for high-performance packet interception
li|Analyze Modbus TCP traffic
li|Forensics of IEC 60870-5-104 network traffic
li|Investigate telnet sessions
li|PCAP analysis: Extracting evidence and indicators of compromise using open source tools
li|Defeating Big Data: Techniques for working with large data sets
li|Whitelists: Learn how to detect 0-day exploit attacks without using IDS signatures
li|Challenge Day 1: Find the needle in our haystack and win an honorable prize!
li|NetworkMiner Professional: Learning to leverage the features available in the Pro version
li|Port Independent Protocol Identification (PIPI)
li|DNS Whitelisting
li|NetworkMinerCLI: Automating content extraction with our command line tool
li|CapLoader: Searching, sorting and drilling through large PCAP data sets
li|Super fast flow transcript (aka Follow TCP/UDP stream)
li|Filter PCAP files and export frames to other tools
li|Keyword search
li|Create inventory of ICS devices from PCAP
li|Challenge Day 2
li|Defacement of the Bank’s web server (see zone-h mirror)
li|Backdoor infection through trojanized software
li|Spear phishing
li|Use of a popular RAT (njRAT) to access the victim’s machine and exfiltrate the wallet.dat files for Bitcoin and Litecoin
li|Infection with real malware (Nemucod, Miuref / Boaxxe and more)
li|Investigate web server compromises and defacements
li|Identify covert backdoors
li|Reassemble incoming emails and attachments
li|Detect and decode RAT/backdoor traffic
li|Detect malicious traffic without having to rely on blacklists, AV or third-party detection services
li|A PC running any 64 bit Windows OS (can be a
Virtual Machine)
li|At least 4GB RAM
li|At least 40 GB free disk space
li|VirtualBox (64 bit) installed (VMWare will not be supported in the training)
h1|CS3STHLM Network ForensICS Training
h3|Target Audience
h3|Training Preparations
h4|Day 1 - Theory and Practice using Open Source Tools
h4|Day 2 - Advanced Network Forensics using Netresec Tools
h4|The Scenario
h4|Professional software included FREE of charge
h4|Laptop Required
sp|Taught by: Erik Hjelmvik. Role: Network Analyst. Company: NETRESEC. Status: Slots Open. Date: 21-22 October.
pa|Locked Shields is the largest global cyber exercise. It is hosted by the NATO CCDCOE center in Tallinn, Estonia, is run once a year, and involves 1000s of people from many countries around the world. It is very technical: a number of blue teams need to defend the society from highly sophisticated cyber attacks from a very large and advanced red team. The red team attacks telecom infrastructure, power utilities, water treatment plants, advanced cloud and virtualisation solutions, and the rest of the information infrastructure that makes up a modern society. Earlier this month, people around the world received word that the world’s largest red/blue team cybersecurity exercise, Locked Shields, will be cancelled in 2020 due to the current situation with Covid-19 all over the world. This is a very unfortunate situation for all involved - the people who have spent 1000s of hours preparing the exercise, all the teams eagerly awaiting startex, and people wanting to evaluate the exercise. In this situation there are at least some nuggets to be found - we are releasing 7 videos on Locked Shields that were recorded at CS3 2019 at our special coverage of cyber exercise & Locked Shields.
At that session all different aspects of running a global, multi-team, highly technical cyber exercise were covered: More detailed information on these presentations and videos can be found at the archived CS3sthlm site for 2019, please check out the Wednesday track
li|Introduction and overview of the whole exercise
li|What is the NATO CCDCOE
li|How the green team builds the large infrastructure that hosts all teams and all activities
li|How red teams plan and perform their attacks
li|How blue teams work when they are under large scale attacks from competent adversaries
li|The yellow team: how some experts can be the magic glue and isolation between the blue and the white teams for factual and critical information
li|How the white team is keeping track of what is happening and keeping the scores
li|How the strategic decision making track was created and handled
h1|CS3STHLM The Locked Shields Sessions
pa|With the deadline of the 2020 CFP submission getting closer we have started to get some great submissions, but we are always looking for more content to get a good mix. We welcome presenters from around the globe, and so far we have had people presenting from most continents, except Australia and both poles! We want to have a good balance of policy and technical presentations since we want to have a mixed audience that needs to be exposed to all parts of the protection of critical infrastructure. We can always see some interesting examples of IIoT, incident response, successful deployment of new technology, new security research, low-level attacks, new models and methods to discover attacks. A full list of various areas and special topics of interest is included in the info PDF (see below). For several years we have had authors presenting - such as Kim Zetter, Andy Greenberg, Rob M Lee etc - and have had their books distributed to participants as part of their talks.
If you are an author in this field, please consider contacting us to present and we will discuss possibilities for book signing, book distributions, etc. You can find the general information page on CFP here: and you find the PDF describing the CFP here: and the submission page here: Remember that the deadline is the 15th of March, and the e-mail address for submissions is cfp@cs3sthlm.se
h1|CS3STHLM Submissions to the 2020 CFP
em|- CS3STHLM Crew
pa|There are many reasons for this selection: “Smart” is used to describe many current things in the cyber industry – such as “SmartGrid”, “Smart Meters”, “Smart Cities” and “smart vehicles”. Smarter is also what the adversaries have become, finding more exotic vulnerabilities, and launching attacks built with increasing domain knowledge and sophistication. We, as people working in this profession, must be smarter, and we must design and implement smarter methods, tactics and solutions to be able to detect and protect against these attacks. At the same time, we cannot forget that we live in a complicated world where “stupid” still is a highly viable option: “Admin/admin” is still used as a login combination! End-of-life firewalls are still in use! Old bugs are forever days as updates are not done! And separation of sensitive infrastructure from the rest of the business is still not done! We anticipate submissions from speaker candidates that will be describing new and smart solutions. We also expect presentations that analyze or describe different attacks on the stupid, on the broken, or even the smart. No matter the mix of “smarter” or “stupid” in presentations, trainings and hallway tracks, we know that all participants will be leaving CS3STHLM 2020 Smarter!
h1|CS3STHLM CS3STHLM 2020 Theme Smarter!
h2|We have chosen Smarter! as the theme for the 2020 conference.
pa|We are working on releasing recordings from the 2019 conference.
They are added to the YouTube channel as they get finished (edited, mixed), and after we receive the OK from the presenter. Videos are available at the following URL. We have gotten some questions about the keynotes: Andy Greenberg and the Norsk Hydro Ransomware attack. The Hydro Ransomware attack was presented with the condition that it would not be recorded and published. So if you attended the conference you got an exclusive briefing which others will miss. We agreed with Andy Greenberg to delay his Sandworm keynote, since he is currently on a book tour. The recording of the Sandworm keynote will be released later this year. We will also add a movie archive at the cs3sthlm home page, from where one can reach all recordings from previous cs3sthlm conferences. We will announce it via another blog post when that work is finished!
h1|CS3STHLM 2019 Releases of Recordings
pa|Reverse Engineering is the process of identifying software or hardware logic by investigating the software binary code or hardware behavior. Programmable Logic Controllers are one of the most (if not the most) critical embedded devices in the industry. PLCs can control almost all the crucial elements of an industrial process and are considered the ’brain of modern industrial control systems’. With recent advances in Industry 4.0, the concept of PLCs operating in an air gapped network became a myth. Thus, with the growing accessibility of these devices, vendors that historically did not have to worry about their product security try to find shortcuts while working on improving the security of their product. In this talk, we will take a look into how some of these shortcuts might affect the vendors’ product security. We finally talk about a few other PLC vendors which have similar functionality but are less critical. We end by taking a look at overall roadblocks on reverse engineering the PLCs to identify security issues or similar special access functionalities.
h1|CS3STHLM Reverse Engineering Siemens PLCs: Lessons Learned for Today and Tomorrow
sp|Author: Ali Abbasi. Role: Post-Doctoral Researcher. Work: Ruhr-University Bochum.
pa|Media hype concerning attacks on “the grid” abounds - but just what would be necessary to achieve an at-scale disruption of electric utility operations in Europe or North America? This presentation will explore this issue focusing first on events that actually brought grid operations to their knees: the 2003 Italian/Swiss, US/Canada, and Denmark/Sweden blackouts; and the 2006 European blackout event. Based on these events (which were not cyber in origin), we will explore grid resiliency and how interconnections, inter-dependencies, and N-1 (sometimes also phrased as N+1) resiliency come into play for maintaining power operations. Based on this discussion, we will then explore how a sufficiently patient, motivated, and resourceful attacker could either produce or take advantage of conditions to actually create large-scale outage events. The focus here is not on relatively short, geographically limited disruptions in service (such as 2015 and 2016 Ukraine), but rather on potentially long-term or physically disruptive (or destructive) events across large regions. To explore this, we will discuss chaining cyber impacts with environmental or operational variability, and how potential attackers could utilize manufactured grid-level disturbances to produce negative outcomes. Specifically, this discussion will look at two frequency deviation events (one in Europe, one in the United States) in 2019 as actual examples of conditions that could be leveraged to achieve wider disruption. Finally, this presentation will conclude with what actions asset owners, operators, and defenders can take to either detect or mitigate such events.
First and foremost - greater visibility into operations and communications is necessary to identify both potential attackers as they move toward their objectives and what operational changes or alterations might take place when attackers initiate effects. However, this comes with an important caveat: in systems such as electric utility operations, no provider - from the municipal distribution authority through the multinational utility operator - is isolated and alone. Thus, truly identifying grid-scale attack attempts requires greater, faster communication and coordination among all stakeholders involved in an operational area. While truly grid-scale events induced via cyber remain theoretical at this time, adversaries are investing in the capabilities necessary to make such effects possible. Defenders will only be able to counter such moves through a combination of enhanced visibility, improved reaction time, and sharing information as quickly as possible with partner organizations.
h1|CS3STHLM So You Want to Take Down the Electric Grid - or You Want to Defend It
sp|Author: Joe Slowik. Role: Adversary Hunter. Work: Dragos.
pa|IT/OT Convergence is a major challenge for industrial organizations on the path to digitalization. The volume and variety of security products, as well as the standards for OT networks, are growing at a fast pace. As a result, the need for deep expertise, required to sort through and select the right systems for specific industry needs, grows even faster. In our session we will present a promising new initiative designed to simplify digitalization processes and test the efficiency and relevance of OT security tools before they are placed in the network. We’ll present the results of our latest research which studied the unique Tactics, Techniques and Procedures (TTPs) of OT attacks and devised a method to test them in a simulated lab environment.
The research included the implementation of tens of new techniques and OT use cases on MITRE’s Caldera platform, an open-source adversary emulation platform. The research was further expanded by implementing the recently published “ATT&CK for ICS” model, and will also point out some improvements to the existing model.
h1|CS3STHLM A Practical Way to Test OT Security Mechanisms in Real-life Scenarios
sp|Author: Matan Dobrushin. Role: Head of OT Research. Work: Otorio.
sp|Author: Idan Helzer. Role: Cyber Analyst. Work: Otorio.
pa|Pentesting. In this intense 2-day training, you will learn everything you need to start pentesting Industrial Control Networks. We will cover the basics to help you understand what the most common ICS vulnerabilities are. We will then spend some time learning and exploiting Windows & Active Directory weaknesses, as most ICS are controlled by Windows systems. We will cover the most common ICS protocols (Modbus, S7, Profinet, Ethernet/IP, DNP3, OPC…), analyze packet captures and learn how to use these protocols to talk to Programmable Logic Controllers (PLCs). You will learn how to program a PLC, to better understand how to exploit them. The training will end with an afternoon dedicated to a challenging hands-on exercise: The first CTF in which you capture a real flag! Using your newly acquired skills, you will try to compromise a Windows Active Directory, pivot to an ICS setup to take control of a model train and robotic arms. For starters, I will introduce the concept of ICS. The topics will include: I will also introduce attendees to the most common vulnerabilities in ICS, and describe some of the public attacks: This module will introduce the concept of penetration test. I do not intend to spend too much time on the theoretical stuff (how to make a report, etc.) since that is not what attendees are looking for.
However, I think a module is required to ensure that everyone shares at least the basic concepts of penetration testing, in order to understand the rest of the training. The module will include: Toolz used: nmap, Nessus, Metasploit. Lab setup: Windows Servers and workstations, Metasploitable, Kali Linux. Any ICS now includes, at least in some areas, Windows systems. So I think that some time must be spent on Windows basics. This module will introduce the following topics: A selection of hacking techniques will be applied on lab machines. This module will introduce the most common ICS protocols: Modbus/TCP, S7, Profinet, DNP3, Ethernet/IP…. Attendees will analyze network captures and be introduced to software libraries/clients to use these protocols to talk to PLC simulators. In order to have a better understanding of how a PLC works, students will use dedicated software to program a PLC in ladder logic (using trial versions of TIA portal and/or SoMachine Basic). Students will then deploy the code to real PLCs. Toolz used: SoMachine Basic. Lab: Windows virtual machine. This module will be mostly lab sessions, in order to apply the knowledge learned so far: Network capture analysis & replaying packets; Talking industrial protocols: Modbus, S7; Additional PLC features: web server, ftp, snmp and how to exploit them. Toolz used: nmap, Nessus, Metasploit. Lab: Windows Servers and workstations, Kali Linux, Siemens and Schneider PLCs. I strongly believe that a good training must include “real-life” examples and labs. I will dedicate the last half-day of the training to a Capture The Flag event. To do so, I will have a specific setup where attendees will be able to use their newly-acquired knowledge on a simulation of a “real-life” system. This will include compromise of a Windows host, pivoting to the ICS, understanding the industrial process, and finally capturing a real flag with a robot hand!
This will be an expanded version of the CTF I usually organize during the ICS workshops at conferences. This training is aimed at OT professionals willing to understand what the security issues within ICS are, and how to technically assess the security level of an ICS. It will also be beneficial for IT security professionals wanting to understand the technical specificities of ICS. The attendees will learn what the common ICS vulnerabilities are, the tools and techniques to assess an ICS (both Windows systems and PLCs), and will practice these techniques during a hands-on Capture The Flag on real hardware.
li|Introduction to ICS & common vulnerabilities
li|Pentesting Basics & tools [Hands-on]
li|Windows basics and pentesting Windows [Hands-on]
li|Focus on ICS protocols
li|Programming PLCs [Hands-on]
li|Pentesting ICS [Hands-on]
li|Capture The Flag [Hands-on]
li|Vocabulary
li|Classic architectures
li|ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles
li|OT vs IT
li|Lack of network segmentation / Exposure
li|Lack of hardening
li|ICS protocols insecurity
li|OSINT for ICS: Where to look to find information
li|Reconnaissance: how to portscan & nessus
li|Exploitation: Metasploit basics
li|Windows Active Directory
li|How to find credentials on Windows systems
li|Exploiting and pivoting to gain Domain Admin privileges
h1|CS3STHLM Pentesting Industrial Control Systems
h2|Detailed content:
h4|Module 1: Introduction to ICS & common vulnerabilities
h4|Module 2: Pentesting Basics & tools
h4|Module 3: Windows basics and pentesting Windows
h4|Module 4: Focus on ICS protocols
h4|Module 5: Programming PLCs
h4|Module 6: Pentesting ICS
h4|Module 8: Capture The Flag
h4|Target audience:
h4|Key takeaways:
h5|The detailed outline of the training will be the following:
sp|Taught by: Arnaud Soullié. Role: Cybersecurity R&D Manager. Company: pentesting-ics.com. Status: Sold Out. Date: 21-22 October.
em|This module is not hands-on
em|This module is not hands-on
h1|CS3STHLM Detecting
and Tracking RATs in the Energy Sector
sp|Author: Nour Fateen. Role: Threat Expert. Work: Recorded Future.
pa|This presentation will show results from the commissioned Forrester Consulting Total Economic Impact™ study, highlighting the costs and benefits of using a dedicated industrial cybersecurity solution, Kaspersky Industrial CyberSecurity (KICS) for Nodes, and the improved experience this brings to customers. Additionally, the study provides readers with a framework to evaluate the potential financial impact of KICS on their organizations.
h1|CS3STHLM How to save $1.7 million over three years on industrial cybersecurity: the Results of the Forrester Total Economic (TEI) Impact study
sp|Author: Anton Shipulin. Role: Global Presales Manager. Work: Kaspersky.
pa|This work concentrates on the cyber security of enterprise and(ICS). Enterprise systems are growing in complexity, and the adoption of cloud and mobile services has greatly increased attack surfaces. This all has led to fragmentation on the security front. To improve the security of enterprise systems, threat modeling can be applied to proactively deal with security issues from a holistic point of view, and can also be combined with attack simulations to provide quantitative security measurements, which have not been commonly used although they have been shown to be efficient in some disciplines. Hitherto, we have proposed the use of attack simulations based on system architecture models. Our approaches facilitate a model of the system and simulate cyber-attacks in order to identify the greatest weaknesses. This can be imagined as the execution of a great number of parallel virtual penetration tests. Such an attack simulation tool enables the security assessor to focus on the collection of the information about the system required for the simulations.
As the previous approaches rely on a static implementation, we propose the use of the Meta Attack Language (MAL). This framework is built for creating domain-specific languages (DSLs) that define which information about a system is required and specify the generic attack logic. Since MAL is a meta language (i.e. the set of rules that should be used to create a new DSL), no particular domain of interest is represented, but it can be used to create languages targeting certain domains like enterprise systems and ICS. This work first introduces enterpriseLang - a threat modeling language for enterprise security based on the MITRE ATT&CK Matrix, which can assess the cyber security of enterprise systems from a holistic point of view. This compilable language can automatically visualize possible attack paths an adversary may choose, show the most vulnerable asset, and provide possible mitigations for each attack step intended to counter cyber-attacks. The attack steps representing adversary techniques are captured within the ATT&CK Matrix based on real-world observations. These adversary techniques are categorized by tactics, and are organized with security metrics, e.g. platform, permissions required, and mitigations that provide information for threat modeling. Moreover, this core IT related threat modeling language is complemented by our IcsLang, which allows the creation and simulation of OT specific environments. Similar to enterpriseLang, this language is based on the ICS MITRE ATT&CK Matrix and enriched by real-world observations collected from industry partners in an EU project (EnergyShield). Based on the characteristics of MAL, we will motivate why certain types of attacks are included in our artifact and others are not. Mainly, this is based on assumptions made in the design of MAL, which create a trade-off between level of detail and usability.
To demonstrate the applicability and the integration between the two languages, we present an energy domain architecture and simulate well-known attacks, e.g. the Ukraine power grid attack scenario, to test the languages. These languages can also be re-used by people with less security expertise to automatically assess the security of their specific enterprise or ICS.
h1|CS3STHLM Threat modeling and attack simulations for enterprise and ICS
sp|Author: Simon Hacks. Role: Postdoc. Work: KTH.
sp|Author: Wenjun Xiong. Role: PhD Student. Work: KTH.
pa|Deploying honeypots or other deception technology to attract attackers is the go-to approach to discover unknown threats or simply to assess the threat level against a specific target. Over the years, however, attackers have grown accustomed to the presence of honeypots and learned how to get around them. We decided to make one of the most realistic ones created to date; it was so real that it was mistakenly identified as a real production environment by other security researchers! In this talk we will see how, over the course of a few months, we designed, set up, and built a factory honeypot that was so real that we could have started making products with it. We went as far as creating a fake company including online presence, with a website featuring employee profiles and pictures, phone numbers with auto-responding prompts with extension numbers, postal addresses, etc. Also, we went beyond recording network and host attack traces: We wanted to be able to see the attacker actions as they were happening on the screen, so we created a system to record screencasts on demand, when activity is detected on the host. By attending this talk, you will learn what kind of attacks we’ve recorded, ranging from the initial reconnaissance scans and interactions to frauds and ransomware infection.
Finally, the session will wrap up with some recommendations based on the findings from building and running this honeypot.
h1|CS3STHLM Fake Company, Fake Factory but Real Attacks: Stories of a Realistic, High Interaction ICS Honeypot.
sp|Author: Stephen Hilt. Role: Senior Threat Researcher. Work: Trend Micro.
h1|CS3STHLM The sustainability of safety and security
sp|Author: Ross Anderson. Role: Professor of Security Engineering. Work: University of Cambridge Computer Laboratory.
pa|The talk will cover the basics of windfarms and their operations. I’ll briefly discuss prior research in this area, noting that those findings are still valid today. Then the core of this talk will focus on identified security threats and their mitigations based on real life assessments, and on the impact these threats can have both in terms of windfarm operation and the physical damage that can be caused. I will show how physical and remote access to the windfarm can be gained, and by investigating the vulnerabilities found, I will show that there is an over-reliance on security boxes and buzzword solutions that has left general, basic, security hygiene lacking. So much so that in some cases, not only have systems not been patched, but they were installed insecurely in the first place. I will then discuss the recent 2019 UK outage and the part played by windfarms in that, from the initial outage to their impact on restoration as a result of how micro generation is modelled within control systems. There will be two key takeaways from this talk. Firstly, I will be busting the myth that ‘cutting off the supply’ is the most interesting attack that can be performed. It is the most likely, and one of the simplest attacks, but it is not the most interesting.
Secondly, I will cover a point often glossed over in other talks. When an attacker ‘takes control’ it is often simply left at that, as if taking control was the ‘win condition’. This talk will cover some of the more interesting cyber physical attacks that can be performed on a wind farm and look at some of the ways that actual physical damage could be caused.
h1|CS3STHLM ACME Windpharms – It can’t be ‘smart’ if you lack simple security
sp|Author: Colin Cassidy. Role: Senior Security Consultant. Work: IOActive.
h1|CS3STHLM Stop Protecting Information
sp|Author: Andrew Ginter. Role: VP Industrial Security. Work: Waterfall Security.
pa|The presentation will cover a walk-through of how we have combined best practices for securing OT and IT environments, general and sector specific standards and guidance as well as the much-debated Purdue model into a future-oriented flexible and scalable zone model for a multinational and multisite company. The presentation will give a practical example of how you can go about combining high security solutions with current industry trends related to connectivity in a common zone model that spans both IT and OT. The concepts described will provide a basis for organizations with high security requirements to develop their zone models in order to be better suited for managing increased digitalization, something that ought to be on the agenda of every company that has adopted digitalization in their strategy. Everyone interested in an example of how to be able to utilize the latest industry trends within digitalization while operating environments with both sensitive information and security sensitive operations under regulation.
li|Why the tools and traditional zone models are outgrown
li|What a zone model for today and the future must be able to handle
li|The concepts we use to bridge the gap between flexibility and security
li|What the zone model covers, and how it relates to other security areas and the total security posture
li|How we look at implementation of the zone model for both present installations and when designing new solutions
li|Lessons learned – so far!
h1|CS3STHLM How to create a risk-based future-proof zone model
h4|The presentation will cover:
h4|Takeaways/what you will learn:
h4|Target audience:
sp|Author: Kristina Blomqvist. Role: Group Operational Technology Security Officer. Work: Vattenfall.
sp|Author: Jonas Edberg. Role: Cyber Security Consultant. Work: Contrast Advisory.
pa|Last year we performed a security analysis on a testbed smart manufacturing system using a variety of “unconventional” attack vectors. Striving to think very much outside the box, we wanted to understand which overlooked conditions and attacker capabilities make certain attacks possible, and their consequences. Through concrete PoCs, we’ll describe what unconventional attack vectors and very creative attackers can achieve, as well as how they can be stopped by current security solutions. We’ll first show how a remote attacker can indirectly compromise an engineering workstation to backdoor the automation logic of an industrial robot. Then, we’ll reveal how the attack has been carried out via a malicious software extension that targets the simulation and offline programming (OLP) platform. The attendees will learn that such malicious extensions have full capabilities on the target system, but we’ll explain what they are and how they can be stopped. Our second entry point is an industry-grade embedded device.
These devices, often dubbed “IIoT devices”, offer great programming flexibility—compared to, say, PLCs—at the price of more responsibility for the programmers. The proliferation of customizable IIoT devices along with the many 3rd-party development libraries are the perfect target for software supply-chain attacks. We’ll show how we trojanized a simple temperature-measurement library to implement an ARP-based DoS attack, along with inaccurate temperature data-points, which can cause cascade effects down the data-processing pipeline. We’ll argue that detecting violations in the software supply-chain is hard in large, distributed enterprises, but their effects can be mitigated with proper network partitioning. The last step of our security analysis focused on lateral movements to complex, programmable machines such as industrial robots. We observe that, movement-instructions aside, industrial robot programming languages have statements, loops, conditions, network sockets, serial communication, etc. With access to low-level system resources like files, network, memory, and peripherals, task programs are a powerful, overlooked payload. Not only do we show that task programs are susceptible to input-validation vulnerabilities, we also show that they’re rich enough to implement malware-like functionalities, given that the runtime environment provides no resource isolation. As a result, task programs have unmediated access to the entire system. We’ll share cases of vulnerable and malicious task programs, and how to discover such patterns, including some vulnerabilities we found in real-world code. We conclude by discussing the remediation steps that can be adopted by developers and vendors to mitigate our findings in the medium and long term.
li|Federico maggi
Learn that programming environments for industrial automation are extensible with plug-in systems (like many other software applications), which could be the weak entry point that can be exploited by using plug-ins as an attack vector.
Learn that the proliferation of customizable IIoT is creating the demand for faster (and more accessible) firmware development, which in turn makes 3rd-party development libraries an attractive target.
Learn that the languages used to program industrial robots, and possibly other machines, include features that can allow writing and hiding malicious or vulnerable code.
Understand why it’s essential to always contextualize attack vectors and vulnerabilities within the entire system: there are so many protection layers and humans in the loop that could easily prevent a concrete attack from happening, without the need for complex defense solutions.
h1|CS3STHLM Hidden Attack Surfaces of Modern Industrial Automation Systems
h3|Takeaways:
h4|Author Role Work Co-authors
sp|Federico Maggi, Senior Researcher, Trend Micro; Marcello Pogliani, Security Engineer, Secure Network Srl; Davide Quarta, Postdoc Researcher, EURECOM; Stefano Zanero, Associate Professor, Politecnico di Milano; Marco Balduzzi, Senior Researcher Scientist, Trend Micro Research

pa|Regardless of the type and scale of the vessels that we test in our security assessments, there are a set of common security issues that always seem to be present. Whether it’s a Moss Maritime CS55 deep water exploration drilling rig, a Neo-Panamax container ship, a re-supply vessel, a seabed survey vessel, or a brand-new cruise ship on its shakedown voyage, some things just keep cropping up. We’ll talk about the distinct lack of understanding and interaction between IT and OT installers/engineers on board and in the yard.
The issue here is that OT systems are often accessible from the IT systems and vice versa, often through deliberate bypass of security features by those on board, or through poor design / poor password management / weak patch management.
li|Andrew tierney
h1|CS3STHLM Smarter Shipping. Hacking floating ICS for fun and profit
h4|Author Role Work
sp|Andrew Tierney, Security Consultant, Pen Test Partners

li|Michal paulski
h1|CS3STHLM DevSecOps in ICS over data diode
h4|Author Role Work
sp|Michal Paulski, OT Security Architect, Accenture

pa|As more and more devices are becoming cloud connected, it is important to understand how this attack surface is different from traditional socket based server applications. There is no open port listening with a cloud connected application, so there is additional work required in order to just get the application to accept attacker controlled data. This talk will walk through the initial steps necessary to even begin vulnerability research of the application. Cloud based control of physical devices has some security benefits compared to traditional socket programming but, at the end of the day, there is an application running on a device that acts on messages from the cloud. This means that there is opportunity for bugs and vulnerabilities in the software responsible for handling cloud messages. This talk will describe changes in research methodology that are necessary for performing vulnerability research on a cloud connected application. Zero-day vulnerabilities found in a cloud connected application on a popular industrial controller will be covered in depth. These vulnerabilities will be demonstrated live by impersonating the industrial vendor cloud application, resulting in getting root from the cloud.
Familiarity with programming and common bug classes.
Detailed description of vulnerability research methodology relating to cloud connected ICS devices. Description of an attack chain combining multiple zero day vulnerabilities to gain root access to a cloud connected controller.
Cloud connectivity provides many benefits to Industrial automation, but it also provides additional attack surface. Vendors should be mindful of untrusted data even if it comes from a cloud application.
li|Kelly leuschner
Introduction
Software stack, traditional vs. cloud connected
Additional security benefits of cloud applications
Libraries provided which include:
Authentication enabled by default (most times)
Encryption enabled by default (most times)
Where are vulnerabilities most likely to be found?
In the actual handling of the message data, and the actions taken as a result
Vendor code
Challenges for Vulnerability research
Researcher doesn’t have access to application running in the cloud at least not source access
Authentication and encryption makes it difficult to MITM to observe traffic for research
Pre-work is necessary to even begin learning about the data format
Which is what we will go into next
Azure IoT Hub client
MQTT based protocol
JSON data format
We will need to learn the exact format through research
Azure IoT Hub
Running the industrial vendor cloud application
MQTT Overview
Publish / Subscribe protocol
Client
Broker
Cloud Application
MQTT Topics
Format
Examples
Wildcards
Changes to Research Approach
Can’t connect to a port and start sending data
If you’re lucky you might have access to both applications and could capture data between them
Options
Configure the device to connect to a real cloud instance that you control
Stand up a “local” server pretending to be the cloud
Test Setup - Real cloud instance
In this scenario the researcher must have access to configure connection properties with the cloud
Test Setup - Local MQTT broker
In this scenario the researcher must have the ability to add a root certificate to the device. (will probably require root)
Supported messages
Discuss device specific messages
Discuss vulnerable message structure
Outline of vulnerable process
Discuss steps involved
Vulnerability explanations
Discuss specific vulnerabilities
DEMO (live)
Code Execution from the cloud
Mitigations / Lessons Learned
Discuss mistakes to avoid when developing a cloud application
Discuss ways to mitigate with existing industrial control devices
Review - Research Pre-work
Impersonating the cloud application
Local vs. Real Cloud instance
Learning the topic format
For both publish and subscribe
Learning the data format
Finding the data parsing code
From there it’s business as usual for vulnerability research
h1|CS3STHLM Bug hunting in cloud connected ICS devices: Getting root from the cloud
h2|Outline
h3|Moving to the cloud Intro to the industrial controller Protocol Overview Research Methodology Industrial controller vulnerabilities Conclusion Target audience Audience expectations Audience takeaway
h4|Author Role Work
sp|Kelly Leuschner, Security Researcher, Cisco Talos

li|Andrew tsonchev
h1|CS3STHLM Operational Integrity: Safeguarding Your OT Systems With Cyber AI
h4|Author Role Work
sp|Andrew Tsonchev, Director of Technology, Darktrace

li|Jenny radcliffe
h1|CS3STHLM Conning Corona- on deception, scams and social engineering in a pandemic.
h4|Author Role
sp|Jenny Radcliffe, Social Engineer

pa|The CS3STHLM of 2020 is over, and a reflection is that the virtual event went even better than we could hope for. The basis of CS3STHLM is the content, and we are familiar with that part – but everything else in the event production was new to us!
From the organizing side of CS3STHLM, we would like to express our warmest gratitude to everyone involved in making this year's Summit, Expo and Sessions such a success! We would like to give a big shoutout to all content providers and speakers, trainers - without you the event would not have been possible, and it was an honour to work with you! Special thanks goes out to our partners: Accenture Security, Darktrace, Kaspersky, Recorded Future, Sectra, sysctl, Trend Micro, Waterfall Security Solutions and also to the crews at Dynamic Duo, WeareBryssel, Scenteknik, Nikka systems, and all staff at Nalen. As a content provider - we have already opened the for submissions to the 2021 event! If you have criticism, comments or ideas for enhancements we would like to hear from you. Everything that can make CS3STHLM even better we would like to know! Mail us at If you have ideas for topics, presenters, content, areas of special interest, things that earn a deep dive, please reach out to us at . Your input is important to us. And once again – thank you!
h1|CS3STHLM CS3STHLM 2020 - Thank You!
h2|Thank You!
h4|Published Post Attachments Written By More news
sp|23 Oct 2020, CS3STHLM Crew
CS3STHLM Newsletter December 2020, 21 December 2020
CS3STHLM Newsletter November 2020, 26 November 2020
CS3STHLM 2020 - Thank You!, 23 October 2020
CS3STHLM Newsletter October, 12 October 2020
CS3STHLM Newsletter September, 17 September 2020

li|Wissam al nasairi
h1|CS3STHLM Application of RAMS methodologies in OT Security
h4|Author Role Work
sp|Wissam Al-Nasairi, X.0 and OT Security Lead, Accenture

pa|NORTHERN EUROPE’S LEADING CONFERENCE ON CYBER SECURITY AND ICS/SCADA, CS3STHLM, ANNOUNCES: Andy Greenberg, author of ”Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers” will appear live on link to comment on the fact that Sandworm is yet again making headlines thanks to the unsealing of Department of Justice/FBI indictment. In the aftermath of the dramatic events this week Andy Greenberg has agreed to partake live on link in CS3STHLM on this specific subject. Robert Malmgren, co founder of ”-We are so grateful that Andy has made time for us in his extremely busy schedule, it’s invaluable to get a direct comment from a world leading authority!”
CS3STHLM is arranged by Omnisiens AB, owned by Swedish Cyber Security Experts Robert Malmgren; voted number one IT security specialist in Sweden in trade magazine Computer Sweden and Erik Johansson, PhD; Security Researcher, Advisor, and Contractor working at the intersection of Information Technology (IT) and Operational Technology (OT)
li|Cissi Thorell Press Officer press@cs3sthlm.se
h1|CS3STHLM EXTRA PRESS RELEASE FROM CS3STHLM
h4|Published Post Attachments Written By For more info contact FACTS CS3STHLM
sp|22 Oct 2020, Cissi Thorell

pa|The COVID situation is problematic for all.
For a long time we waited to see if it would be possible to run CS3 in Nalen as we have done for the last 5 years. We have now, after many meetings and discussions, decided to go fully virtual for 2020. The traditional courses, presentations and social events will exist, but go online. We will add new formats and ideas, such as meetups, to the 2020 edition. More details will be posted in the near future. The CS3sthlm team
h1|CS3STHLM CS3STHLM Goes Virtual
h4|Published Post Attachments Written By
sp|10 Jul 2020, CS3STHLM Crew

li|Michael firstenberg
h1|CS3STHLM Future of Ransomware
h4|Author Role Work
sp|Michael Firstenberg, Director, Industrial Security, Waterfall Security

pa|The presentation will guide the audience through a complete ICS attack vector aimed at compromising smart meters and advanced metering infrastructure. It will show how, in a recent case study, a team of security researchers identified zero days in smart devices and vulnerabilities in other components of AMI architecture and leveraged those to simulate a comprehensive attack scenario. The talk will show an overview of challenges of smart metering solutions cybersecurity in Europe.
Critical Infrastructure managing organizations, i.e. Power & utilities representatives, especially: executive managers (CISOs, CSOs, CIOs and CTOs), OT/ICS engineers and cybersecurity experts and managers responsible for or involved in smart grid and smart metering initiatives. No specific prerequisites are needed.
Audience should expect a comprehensive analysis covering general concepts as well as more technical details that will be supported and illustrated by specific and practical examples.
Target audience will build awareness of cybersecurity challenges and typical vulnerabilities found in smart metering solutions.
li|Krzysztof swaczynski
Smart meters design, architecture and role of firmware
Approach to reverse engineering smart meters firmware
Results of DLMS/COSEM protocol implementation reversing – examples of identified key vulnerabilities
Examples of common misconfigurations of 3G modems, PLC concentrators and serial port gateways
Exploitation of identified vulnerabilities in simulated attack on DSO (Energy Distribution System Operator) and end customer
h1|CS3STHLM Hacking Advanced Metering Infrastructure (AMI) – an attacker’s perspective on Distribution System Operator (in)security
h3|Overview Agenda Target audience Key takeaways for the audience
h4|Author Role Work
sp|Krzysztof Swaczyński, Strategic Advisor & Founder, Seqred

pa|This year's Summit on Cyber Security in and Critical Infrastructure takes place on October 21-22 – but in cyberspace. CS3STHLM 2020 is looking forward to a successful meeting for leading cyber security experts from around the world. This year the event will be virtual due to the pandemic situation. We are really excited to get the outstanding Ross Anderson, Professor of Security Engineering at University of Cambridge as our keynote speaker this year. He is a true pioneer in the Cyber Security field, and has just written the third edition of his textbook bible ”Security Engineering – A Guide to Building Dependable Distributed Systems” which will be released in November, says Robert Malmgren, founder of CS3STHLM. CS3STHLM also says welcome back to Jenny Radcliffe – the People Hacker, nominated for the UK Godmother of Cyber Security award this year!
She will, during the Tuesday evening Welcome Reception, present ”Cunning Corona – on deception, scams and social engineering in a pandemic”. Notable for this year is that the purchase of a ticket to the CS3STHLM 2020 Summit also gives you the possibility to watch the whole program by VoD, Video on Demand. At first, directly from the event platform during the time that the CS3 Summit is live, and later from our web site. The presentations will not be available on YouTube as they usually are. The CS3STHLM Partner Expo, usually arranged the day before the CS3STHLM Summit, is now integrated into the two days of the Summit, and the conference participants can visit exhibitors in the platform's Expo section, or take part in partner sessions. The CS3STHLM Expo is not only a great opportunity to network and discuss the market field for interested parties, but will also consist of exciting demonstrations and presentations from researchers and vendors, says Erik Johansson from Omnisiens.
CS3STHLM is arranged by Omnisiens AB, owned by Swedish Cyber Security Experts Robert Malmgren; voted number one IT security specialist in Sweden in trade magazine Computer Sweden and Erik Johansson, PhD; Security Researcher, Advisor, and Contractor working at the intersection of Information Technology (IT) and Operational Technology (OT)
li|Cissi Thorell Press Officer press@cs3sthlm.se
st|Ross Anderson; Jenny Radcliffe; VoD, Video on Demand
h1|CS3STHLM CS3STHLM seventh conference on Cyber Security
h4|Published Post Attachments Written By For more info contact FACTS CS3STHLM
sp|15 Oct 2020, Cissi Thorell

pa|Finally some news about the 6th CS3STHLM summit!
Our website is starting to be updated with information on the upcoming conference. A lot of new information has been published, and a lot more will be posted in the near future. Please check it out at this link.
For the Call For Participation, we got more than 65 very good submissions from all over the planet. We have selected some submissions to start with in this year’s program. Please check out the first batch of topics and presenters listed here and here. We will add presenters to the lists over time, as we also have a few slots reserved for invited speakers.
At this moment we have two trainings to choose from, but we hope to have even more very soon. The trainings that are set by today are ICS/SCADA Penetration Testing with Arnauld Souille and ICS Network ForensICS with Erik Hjelmvik. Information on available trainings at . If you already have bought a ticket to the CS3STHLM Summit, or if you just wish to participate in the training part, please contact us at if you would like to add any training.
Last year we had a success with our CS3STHLM Expo day held the day before the actual summit. The Expo day is free of charge and gave the attendees a chance to get useful knowledge through our partners and to participate in different activities. For the persons that like the hands-on approach to Cyber Security this is a good day to try out our ICS lab that will be filled with old and new ICS gadgets, many of them otherwise unavailable for testing.
Also – all video filmed presentations from CS3STHLM 2018 and earlier are now available on our YouTube channel: Please subscribe!
st|ICS/SCADA Penetration Testing; ICS Network ForensICS; Discount 10% for COMBO tickets training + summit until end of July!
h1|CS3STHLM CS3STHLM Newsletter June
h4|Published Post Attachments Written By
sp|28 Jun 2019, CS3STHLM Crew

em|Best wishes from the CS3STHLM crew
pa|Outline of this short newsletter
We want to share some info about the recent development. We will carry on the tradition from when we were called 4SICS - to be a leading international conference on SCADA, ICS and critical infrastructure cyber security! We will have multiple stages with the best international speakers and trainers, having excellent social activities and provide hard-to-earn knowledge, no matter if it is deeply technical matters, successful solutions or policy briefs.
In the program committee, we are working with the submissions that we have received as the CFP closed. We have a lot more submissions than available speaker slots! And still not all slots are for submitted proposals, but we have reserved some slots for invited speakers as well. Thus it is really hard to make the selection this year.
We have announced a couple of speakers already, especially since they are related to investigations into the recently unveiled Industroyer/CRASHOVERRIDE malware:
We will have a special panel on the Ukraine 2016 event with detailed discussion, where both the ESET and Dragos specialists will attend. We plan to add more experts to this discussion. More speakers will be announced in the weeks to come, including keynote speakers!
We will have a number of technical trainings related to network forensics, honeypots, hacking, etc. Thus, with the addition of 2 day training classes, the pre-conference activity will start already on the 23rd of October!
We will have a welcome reception on the evening of the 24th and a conference dinner on the 25th.
A reminder - the early bird prices are until 30 of June! You will find the ticket site here: or from the main CS3STHLM web page.
As per the last 2 years, we will be in wonderful Nalen, in the heart of Stockholm.
You will find information and directions at
We have a special arrangement with Elite Palace Hotel located just ~200 meters away from the venue. Use this link to get our special discount when booking –
Until the next news letter, Best wishes from the whole CS3STHLM team
li|CFP work
Announced speakers
Technical Trainings
Social events
Early Bird tickets
Venue
Conference Hotel
Joe Slowik of Dragos Inc (US), who will speak on “Strategic Network Defense in ICS Environments”
The ESET team (SK) who have a presentation on “Industroyer: biggest threat to industrial control systems since Stuxnet”
Erik Hjelmvik of Netresec (SE) will have a 2 day Network Forensic class
Mikael Vingaard (DK) will have a 1 day Honeypot class
h1|CS3STHLM CS3STHLM Newsletter June
h3|Announced speakers Technical trainings Early Bird Venue Conference hotel
h4|Published Written By Social Events
sp|13 Jun 2017, Robert Malmgren

li|Ignacio moreno canadas
h1|CS3STHLM Application of RAMS methodologies in OT Security
h4|Author Role Work
sp|Ignacio Moreno Canadas, OT Security Consultant, Accenture

pa|We are opening up the gates for the 5th CS3STHLM summit! In this newsletter we present the keynote speakers, our first presentation and a record number of training sessions!
Many of you might already be aware of the new data privacy regulations (GDPR) that will be applied in Europe on May 25th. This regulation makes all of our old registers for mail information null and void by the end of May. If you would like to keep receiving our Newsletters with information about the CS3STHLM activities – PLEASE CLICK ON AND SEND US THE RESULTING MAIL.
We are sorry for this inconvenience, but we feel it is important to respect the privacy of all persons.
Spring cleaning has been done to our website. We have updated the web with information on the upcoming conference. A lot of new information has been published, and a lot more will be posted in the near future.
We are thrilled and honoured to announce our two keynote speakers for the 2018 CS3Sthlm conference: Marty Edwards and Patrick C. Miller. Both keynote speakers have a long history in ICS security, one working within DHS and the ICS-CERT, the other being the grandfather of the NERC CIP. Both are also very experienced and well-respected speakers at conferences worldwide.
For the Call For Participation, we got more than 50 very good submissions from all over the planet. We have selected 16 top submissions to start with in this year’s agenda. Please check out the first batch of topics and presenters listed here and here. We will add presenters to the lists over time, as we also have a few slots reserved for invited speakers.
We will have a record number of training sessions to select from this year. It is the largest selection found at any ICS/SCADA conference, which allows you to select deep dives into the topic most interesting for you: ICS/SCADA Penetration Testing, ICS Threat Hunting, ICS Network Defense, ICS Network ForensICS, ISO 27019, ICS Honeypots. Information on trainings available at .
Our strong lineup, with keynotes/presenters/trainings and with yet a number of unannounced speakers and events, is stronger than any of the previous years! Please take advantage of the MEDIUM BIRD DISCOUNT of 10% that is still valid until May 31st on all tickets! Please visit the to claim your discounted ticket.
Last, and on the lighter side – we have had some questions regarding the meaning of CS3STHLM.
“CS3” stands for Cyber Security, Critical Structures and Control Systems, “STHLM” is short for Stockholm where the summit is held annually, and had to be added not to confuse our name with other brands. The correct pronunciation is: /siː ɛs θriː stɒkhoʊlm/; Or better yet, grab one of the organizers when you are at the conference and ask them why we need such a strange name for this thing….
Best wishes from the CS3STHLM crew
h1|CS3STHLM CS3STHLM Newsletter April
h4|Published Post Attachments Written By Important notice!
sp|30 Apr 2018, CS3STHLM Crew

pa|Since at least 2017, we have observed an increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. This trend results from increasingly skilled threat actors moving from indiscriminate ransomware propagation to deliberate deployment of post-compromise malware. This increases the likelihood of substantial financial rewards, especially when targeted organizations have high-availability requirements and/or lack backup processes. Despite this scenario, it is not uncommon for ICS/OT security professionals to consider ransomware as an out-of-scope threat. Although it is true that this type of malware typically only propagates across IT systems, OT asset owners are often the most affected by its impacts. We find three main reasons to share responsibility to address this threat: The main objective of ICS/OT is to facilitate and scale the production of specific goods or services to satisfy a certain demand.
Ransomware at different levels of the enterprise architecture may directly or indirectly result in delayed, disrupted, or stopped production. The growth of post-compromise approaches to ransomware situates the attacker at a privileged position where they can explore target networks and identify critical systems before deploying the payload. The techniques, tactics, and procedures (TTPs) used for post-compromise ransomware resemble those employed by high-skilled actors across the lifecycle of past OT security incidents. Identification at earlier stages is only possible with collaboration between OT and IT security teams.
In this talk, we highlight why ransomware is a relevant challenge for ICS/OT security practitioners, describe some of the main TTPs used by attackers for post-compromise ransomware, and share ideas for actionable ways to address this problem. We invite the audience to learn how to collaborate across the organization so the next time they need to talk about ransomware, they are not forced to delegate the task to the next available agent.
No pre-requisites, should be interesting for the general audience as we have seen a variety of customers inquiring about this topic. We believe this topic would work well both for experienced security professionals looking for a deep dive, but also for other positions that seek to understand what the challenge is and what to do about it from an organizational level.
The audience should expect to learn about the impacts of ransomware in industrial/critical infrastructure organizations, learn about past relevant cases, and take a deep dive into the TTPs that we have observed actors leveraging for post-compromise incidents. One of the main strengths of the talk is that it will leverage knowledge from our organization responding to and understanding ransomware incidents, but it will also place the information in the context of ICS/OT.
It will also challenge some of the conceptions we currently have about the degree of collaboration between IT and ICS/OT security teams. Highlighting what ICS/OT security teams can do to address this challenge, mainly when it happens at different levels of the organization.
Addressing the challenge of ransomware in industrial/critical infrastructure organizations must be a shared responsibility. Even though there is no impact in the controllers, ransomware infections oftentimes result in direct or indirect delays and disruptions to production.
li|Daniel kapellmann zafra
h1|CS3STHLM Ransomware? Please Hold for The Next Available Agent
h3|Type or target audience What audience should expect from the presentation Key takeaway
h4|Author Role Work
sp|Daniel Kapellmann Zafra, Technical Analysis Manager, FireEye

pa|On Tuesday Oct 22, on the day before the CS3sthlm Summit starts, we will have a free of charge (but registration required) Expo day at our venue Nalen where our partners will display the latest cyber security solutions and services. We will have a full lineup of speakers during the Expo day. Free registration here:
This will be the subject on Wednesday Oct 23rd when our annual CS3sthlm Gala Dinner speaker enters the stage! We are very proud to announce Herman Geijer, author and zombie survival expert, who will talk about surviving catastrophes using a zombie scenario!
There are only limited amounts of seats left on our three different trainings that will take place before the CS3sthlm Summit, so if you are thinking about attending them, do reserve your spot soon:
Sorry, not yet. We have an impressive line-up of speakers already but we are still waiting for a couple more answers, and that logistics are set. You can see our line-up of speakers here - and presentations here -
Even bigger and better this year!
And a completely new feature is that the CS3sthlm ICS lab will be open already on Monday Oct 21st! From 9AM to 8PM you are welcome to try out all new and old gadgets, many of them otherwise unavailable for testing. You will also be able to try out our challenges and meet other ICS security pros!
If you have not yet booked your stay in Stockholm, please check the portal that hotel Elite Stockholm Plaza have made for our attendees. The hotel is situated only 200 meters from our venue, Nalen, and the fixed prices that they are offering are valid until Sept 23rd.
Best wishes from the CS3STHLM crew
h1|CS3STHLM CS3STHLM Newsletter August
h2|Lots of interesting news on our upcoming event!
h3|CS3sthlm Expo on 22nd October! Zombie Survival! Training time Summit agenda? ICS lab news Hotel discount
h4|Published Post Attachments Written By
sp|30 Aug 2019, CS3STHLM Crew

pa|After the first conference day founders Robert Malmgren and Erik Johansson are pleased to state that the year’s conference is the most successful so far, both in attendance and format. The new expo day added a welcome meeting arena for businesses, legislators and other stakeholders. The second day of the summit will open with Key Note Patrick Miller (US) and his presentation
Innovative and disruptive technologies are enhancing and invading our traditional industrial business model. Future infrastructure organizations will need more data to operate efficiently and succeed in the brave new interconnected world. The diversity of new technologies and data will fuel more diversity in business opportunity.
Everyone expects more OT, more IoT, and more IT - and all of it is supposed to be highly reliable and secure. These factors (and more) lead to a landscape shift for the industrial cybersecurity risk profile. In this session, hear ways to recognize the problems and gain some clarity on possible solutions through historic lessons, made up words, and practical front-line experience.
h1|CS3STHLM Record Attendance
h3|FIFTH EDITION OF ACCLAIMED CYBER SECURITY SUMMIT SEES RECORD ATTENDANCE
h4|Industrial Technology Trajectory: Running With Scissors
sp|Published: 24 Oct 2018. Written by: CS3STHLM Crew
pa|CS3STHLM FIFTH CONFERENCE ON INDUSTRIAL CYBER SECURITY ADDRESSING THREATS AND POSSIBILITIES IN A GROWING DIGITAL ENVIRONMENT With tickets almost sold out, organizer Omnisiens is looking forward to a successful meeting for leading cyber security experts from around the world. CS3STHLM takes place in Nalen, Stockholm, October 22-25. Regrettably, first day keynote speaker Marty Edwards (US) has had to cancel due to personal reasons. Organizer Robert Malmgren from Omnisiens: ”- It’s unfortunate that Marty Edwards had to cancel at such short notice, but we feel confident that our replacement will complement our diverse agenda.” New keynote speaker for the first day will be Mark Bristow (US). The fifth edition of the acclaimed conference includes a formidable list of renowned speakers, and in addition to seminars and workshops there will be a complementary expo day on Tuesday the 23rd for companies and organisations within this field. The Expo day is free of charge but entrance requires registration.
Erik Johansson from Omnisiens: ”- The Expo is not only a great opportunity to network and discuss the market field for interested parties, but will also consist of exciting demonstrations and presentations from researchers and vendors.” Highlights from the program:
li|Recent APT Campaign targeting Energy Sector Assets, John Homer (US)
li|Hunting and Responding in ICS, Ben Miller & Mark Stacey (US)
li|Unblockable Chains - Is Blockchain the ultimate malicious infrastructure?, Omer Zohar (IL)
li|ICS Incident Response: Lessons and mitigations from the field, Mark Bristow (US)
li|Attacking Cars Revisited: On the Road Towards a More Resilient Connected Vehicle Infrastructure, Kai Thomsen (DE)
li|Supply Chain Cyber Security throughout the ICS Lifecycle, Erik Zouave (S)
h4|FACTS CS3STHLM
pa|CS3STHLM is arranged by Omnisiens AB, owned by Swedish cyber security experts Robert Malmgren, voted number one IT security specialist in Sweden in trade magazine Computer Sweden, and Erik Johansson, PhD, security researcher, advisor, and contractor working at the intersection of Information Technology (IT) and Operational Technology (OT).
h4|For more info contact
li|Cissi Thorell, Press Officer, press@cs3sthlm.se
h1|CS3STHLM fifth conference on industrial cyber security
sp|Published: 18 Oct 2018. Written by: Maria Engstrom Ostby
pa|To show how seriously we take all parts of the CS3STHLM summit, we have sent one team member to Carrara, Italy, in order to actually carve the prize for Best Presenter in white marble. If it turns out nicely you will be able to see, and maybe accept, the piece at the CS3STHLM summit in October. If it fails you won’t.
h1|CS3STHLM CFP - DON'T MISS OUR DEADLINE
h3|WE WANT YOUR SUBMISSION FOR PRESENTATION OR WORKSHOP BY MAY 31
sp|Published: 8 May 2017. Written by: Robert Malmgren
pa|More news on our upcoming event! This year's keynote speaker is none other than the outstanding Ross Anderson from the University of Cambridge Computer Laboratory, UK. He is the author of the now classic book ”Security Engineering”, first published in 2001, and is now revising the third edition. Do not miss the Welcome Reception in the evening before the start of the Summit. There will be useful walk-throughs of our conference platform Hopin and our interactive tool Mentimeter, an interactive quiz and more. We are also really proud to welcome back one of our favorite speakers, Jenny Radcliffe – The People Hacker! Notable for this year is that the purchase of a ticket to the CS3STHLM 2020 Summit also gives you the possibility to watch the whole program by VoD. At first, directly from the Hopin platform during the time that the CS3 Summit is live, and later from our web site www.cs3sthlm.se. The presentations will not be available on YouTube as they usually are. You can find the ticket here - The ticket price is EUR 299 (including VAT 25%) and is not refundable. When buying tickets, you will have to register name and email on the Hopin platform. Then you will first receive a simple transaction receipt via Hopin, but you will also receive a detailed receipt via email from CS3STHLM within 24 hours. Best wishes from the CS3STHLM crew
h1|CS3STHLM Newsletter October
h2|Keynote by world famous author Professor Ross Anderson! Welcome Reception on Tuesday evening Oct 20th!
CS3STHLM 2020 Video on Demand!
h3|Tickets are for sale!
sp|Published: 12 Oct 2020. Written by: CS3STHLM Crew
pa|Some of the CS3STHLM crew went to 36C3 in Leipzig at the end of December, and we learned the German phrase ”Guten Rutsch!”, to wish everyone a good start of the New Year! That event was also a good start-up for the work with the upcoming CS3STHLM of 2020; lots of interesting talks and new ideas. We are now starting to publish all captured presentations from CS3STHLM 2019 on our YouTube channel: Please subscribe! First video out is of Erik Hjelmvik, NETRESEC, who gave a technical talk, including demonstrations, of PolarProxy and TLS stripping at the Harlem stage. Erik has synchronized the release of his presentation with a blog article describing in detail the techniques and his tool for stripping away TLS encryption shown in the recorded presentation. We are also releasing a recording of the presentation by Monta Elkins of FoxGuard Solutions, entitled “Nation-State Supply Chain Attacks for Dummies and You Too”. This presentation really made an impression both with the audience and with media, since it was the most noticed talk in press. Do not forget - Early Bird discount 20% for summit tickets until end of March 2020! These Summit-only tickets can later be combined with tickets for trainings and workshops. Within a month we will start the official CFP for CS3STHLM 2020, but you are most welcome to submit your abstracts or ideas already to cfp@cs3sthlm.se! Best wishes from the CS3STHLM crew
h1|CS3STHLM Newsletter January
sp|Published: 13 Jan 2020. Written by: CS3STHLM Crew
pa|From the organizing side of CS3sthlm, we would like to express our warmest gratitude to everyone involved in making this year's Summit, Expo, lab, trainings, and last but certainly not least the CTF such a success! We would like to give a big shoutout to all content providers, speakers, trainers - without you the event would not have been possible, and it was an honour to work with you! Special thanks go out to our partners: Accenture Security, Bedriftsystemer AS, CyberX, Kaspersky, Nozomi Networks, Otorio, Recorded Future and sysctl, and also to the crews at Dynamic Duo, WeAreBryssel, Hell Production, Nikka systems, and all staff at Nalen. We have already started the long and winding road towards CS3sthlm 2020. The dates are - mark that in your calendars. As alumni attendees, we hope that you know that it will be a high quality conference and that you can already book tickets for maximum discount until Dec 31. You can find the ticket here: As a content provider - we have already for submissions. And if you have criticism, comments or ideas for enhancements we would like to hear from you. Everything that can make CS3sthlm even better, we would like to know! Mail us at If you have ideas for topics, presenters, content, areas of special interest, things that earn a deep dive, please reach out to us at . Your input is important to us. And once again – thank you!
st|October 19-22 opened the
h1|CS3STHLM Newsletter October - Thank You
h2|Thank you!
sp|Published: 28 Oct 2019. Written by: CS3STHLM Crew
pa|Hohoho! When you read this Stockholm has passed the winter solstice (Mo 21 Dec 11.02 local time) and is finally going in the right direction! At least regarding daylight time, which with Sweden’s zero hours of visible sun should not be too hard to achieve. We are also near the holidays, which we would like to celebrate by giving you all a gift! The keynote presentation from CS3STHLM 2020 has been uploaded to our YouTube channel. The keynote was given by the inspirational Ross J Anderson, Professor of Security Engineering at the Department of Computer Science and Technology, at the University of Cambridge. So we wish you all a Happy Hogmanay with this link to the presentation: https://www.youtube.com/watch?v=jX2CoZkz8J4 Many of you might have heard of the ongoing SUNBURST/SOLORIGATE incident. This is a major incident and the impact grows while the investigations uncover more and more TTPs, victims and other info. Many CS3sthlm alumni have been active in covering this, doing in-depth analysis or helping to create tools for post mortem analysis. Here are some of them:
li|Joe Slowik has a great text at the DomainTools blog
li|Kim Zetter has covered several things including early signs
li|Erik Hjelmvik has a tool to reassemble victim data
li|Rob M. Lee of Dragos has been interviewed multiple times, for example for CBS News
pa|The ticket price is EUR 299 (including Swedish VAT 25%) and it gives you access to all presentations from the October event to watch whenever it suits you the best.
Furthermore, when buying the CS3STHLM 2020 VoD service you will be granted the purchase amount as a discount on next year’s Summit, be it physical or digital – or both! This link will get you to the registration page: The CS3STHLM 2020 presentations will not be available on YouTube as they usually are. Except for Ross Anderson, as said above! Best wishes from the CS3STHLM crew
st|SUNBURST/SOLORIGATE
h1|CS3STHLM Newsletter December 2020
h3|CS3STHLM 2020 Video on Demand tickets are for sale!
h4|Ross Anderson’s presentation on the CS3STHLM YouTube channel!
sp|Published: 21 Dec 2020. Written by: CS3STHLM Crew
pa|This year's Summit on Cyber Security in and Critical Infrastructure takes place on October 21-22 – but in cyberspace. CS3STHLM 2020 is looking forward to a successful meeting for leading cyber security experts from around the world. This year the event will be virtual due to the pandemic situation. We had to adapt to the situation, and it took us a long time to find a way to move our event to a virtual platform without losing quality or content. Now we are proud and happy to once again announce an impressive line-up of speakers, covering a broad spectrum of knowledge in the Cyber Security sphere. We have also brought with us the same production professionals that we usually work together with, to ensure quality and to try to transfer some of the CS3STHLM feeling onto the virtual stage. A new feature for CS3STHLM is that all material will later be available as VoD, Video on Demand, for all ticket holders. This is to make the content easily accessible at all times, compensating for the time zone differences around the globe.
The CS3STHLM Partner Expo, usually arranged the day before the CS3STHLM Summit, is now integrated into the two days of the Summit, and the conference participants can visit exhibitors in the platform's Expo section, or take part in partner sessions. The CS3STHLM Expo is not only a great opportunity to network and discuss the market field for interested parties, but will also consist of exciting demonstrations and presentations from researchers and vendors, says Erik Johansson from Omnisiens.
h4|FACTS CS3STHLM
pa|CS3STHLM is arranged by Omnisiens AB, owned by Swedish cyber security experts Robert Malmgren, voted number one IT security specialist in Sweden in trade magazine Computer Sweden, and Erik Johansson, PhD, security researcher, advisor, and contractor working at the intersection of Information Technology (IT) and Operational Technology (OT).
h4|For more info contact
li|Cissi Thorell, Press Officer, press@cs3sthlm.se
h1|CS3STHLM seventh conference on Cyber Security
h3|Robert Malmgren from Omnisiens:
sp|Published: 24 Sep 2020. Written by: Cissi Thorell
pa|We are announcing the CS3STHLM 2020 Call For Presentations, which of course also includes suggestions for Trainings and Workshops! Submission deadline is set on March 15, and notifications will start a month later. See the submission details at Please do take a moment to read our all-embracing Code of Conduct, it is formed as a vision test for reasons! You can find it on our web page under Practical Details. We are closely watching the outbreak of the Coronavirus (COVID-19) but it is at this point too soon to see how this will affect the situation in October.
More news to come on this issue, but we have started to form a plan B. And a plan C. The CS3STHLM 2020 Theme is Smarter! because our aim is that we all get smarter as a result of the event! Have you found our YouTube channel: yet? All videos from CS3STHLM 2019 will be published there, apart from the opt-out ones, of course. Please subscribe! Do not forget - Early Bird discount 20% for summit tickets until end of March 2020! These Summit-only tickets can later be combined with tickets for trainings and workshops. Best wishes from the CS3STHLM crew
h1|CS3STHLM Newsletter February
sp|Published: 20 Feb 2020. Written by: CS3STHLM Crew
pa|The first newsletter of the new year - and it is a short one! Cordial greetings from the CS3STHLM crew!
li|The CFP for CS3STHLM 2019 is now open. Please give us your presentations/topics for trainings or workshops before March 29. Also, if you have any suggestions for who you would like to see at the CS3STHLM 2019 summit - send us a mail to cfp@cs3sthlm.se
li|You can buy tickets with Early Bird 20% discount until March 31. The ticket can later be combined with a ticket for training/workshop.
li|More material from CS3STHLM 2018 is now published on our
h1|CS3STHLM Newsletter February
sp|Published: 15 Feb 2019. Written by: CS3STHLM Crew
pa|The CS3STHLM 2018 summit had several top speaker presentations from different angles of Cybersecurity, SCADA and Industrial Control Systems. As a holiday gift for you, we are now starting to publish presentations on our YouTube channel: Next year we will be back for the sixth edition of CS3STHLM and the dates are October 21st-24th – mark your calendars! CS3STHLM 2019 Trainings will be Monday – Tuesday 21-22. CS3STHLM 2019 Expo day Tuesday October 22. CS3STHLM 2019 Summit starts Wednesday Oct 23 and ends Thursday October 24. Another holiday gift is that we already have opened the ticket sale for 2019 with a special Earliest Bird discount of 30 % on the two-day conference ticket. Link: and the discounted ticket is available until January 31st. You can add training sessions to this ’summit only’ ticket at a later point. A very happy holiday season - from all of us, to all of you! Per request we have also added a number of vouchers, each valid for SEK 5.000kr, that later can be used for any CS3STHLM 2019 related cost like training, Expo or summit. If you still have budget to spend, that is!
h1|CS3STHLM Newsletter December
sp|Published: 19 Dec 2018. Written by: CS3STHLM Crew
pa|2017 was indeed a remarkable year, and some of the cyber security related things that happened will surely be remembered. Among them was the WannaCry malware outbreak that blindly struck against hospitals, industrial companies and other important infrastructure. Things that also hit the front pages were the analysis of Industroyer/CRASHOVERRIDE (ICS malware attacking Ukraine grid operator) and recently the TRITON/TRISIS/Hatman (attack tool against safety system). In Sweden, IT security incidents led to the resignation of two ministers from the government, and a journalist's use of Shodan led one of Sweden's largest newsrooms to run a series of reports on what is Internet accessible, when they found heating/hydropower/windpower/elevators and more, sitting on the Internet for anyone to access. The CS3STHLM 2017 summit (previously known as 4SICS) had several presentations related to all these issues. As a holiday gift for you, we have now published a number of presentations on our YouTube channel: Next year we will be back for the fifth time and the dates are October 22nd-25th. We are already on the lookout for summit content, so do let us know what you think we should present in order to make next year's workshops and conference as useful and rewarding as possible. Another holiday gift is that we already have opened the ticket sale for 2018 with a special Earliest Bird discount of 30 % on the two-day conference ticket. Link: and the discounted ticket is available until January 12th. A very happy holiday season - from all of us, to all of you! The CS3STHLM crew
h1|CS3STHLM Newsletter December
sp|Published: 20 Dec 2017. Written by: Robert Malmgren
pa|Greetings from a Stockholm that this time of year can easily be summarized with the color grey. We bring you good news on how to handle early winter and Corona restrictions!
The ticket price is EUR 299 (including Swedish VAT 25%) and it gives you access to all presentations from the October event to watch whenever it suits you the best. Furthermore, when buying the CS3STHLM 2020 VoD service you will be granted the purchase amount as a discount on next year’s Summit, be it physical or digital – or both! The CS3STHLM 2020 presentations will not be available on YouTube as they usually are. Sadly, during the CS3STHLM event this year we did not manage to arrange any trainings or workshops. We have now been discussing starting an “ICS Gym” activity as early as the coming spring, and we would love to have some input from you on that issue. What type of training would you need to expand your knowledge? Are you experienced in something that others might need to learn? Every type of subject within the Cyber Security range, and in length from 20 minutes to 2 days, is of interest to us. Please give us your thoughts on the whats and hows of knowledge sharing to . Best wishes from the CS3STHLM crew
h1|CS3STHLM Newsletter November 2020
h3|CS3STHLM 2020 Video on Demand tickets are for sale! Training!
sp|Published: 26 Nov 2020. Written by: CS3STHLM Crew
pa|In Sweden it is still September for a couple of hours! This year we will have presentations at multiple stages, so you have to cherry pick your favorites, or bring a colleague if you need to cover things in parallel! And as you can see below, it is really good to go to Stockholm already on Monday, even if the conference as such begins Wednesday! Download the CS3sthlm app from Appstore or Google Play to keep up to date with info before and during the CS3sthlm week. Torstein Gimnes Are, Digital Marshall & CISO in Norsk Hydro, will deliver the Wednesday keynote and describe how his team in their international corporation battled a major ransomware attack earlier this year. This presentation will give unique opportunities to listen and learn about global incident and crisis management at an organisation where ICS is the lifeblood of the operation. The Thursday keynote will be given by Andy Greenberg, award-winning senior writer for Wired magazine, where he covers security, privacy, information freedom, and hacker culture. His presentation is based on his upcoming book SANDWORM, about a mysterious series of cyberattacks and the team behind it. Targeting utility companies, NATO, and electric grids in Eastern Europe, and others, there is a lot to learn from Mr Greenberg's story. All CS3 Summit attendees will get a copy of the book, and have possibilities to get it signed, two weeks before the official global release. The DHS Cybersecurity and Infrastructure Agency will be hosting a technical ICS-focused Capture the Flag challenge. The ICS CTF will be open daytime Monday and Tuesday. This CTF is designed to expose analysts to hunting across ICS networks for malicious behavior. With puzzles appropriate for both the beginner and the experienced analyst, all are invited to participate. Challenges include artifacts generated from IT/OT host forensic data, network data (from both bro logs and pcap), and OT equipment actively being exploited by a threat actor. Mail us at and announce your participation! During Monday evening, starting around 4 pm, our partner Kaspersky will host a KIPS game where all our conference attendees can join. Enroll here: Daytime Tuesday there will be the CS3sthlm Expo, with both exhibition and speakers. Speakers include our partners and academic researchers from KTH and Linköping presenting the latest in their ICS related research. Enroll here: There are still a few seats open at 2 of the 3 trainings: 1 day Hands-on threat modeling for ICS-OT and 2 day Network ForensICS. More info here: At CS3 this year we will have multiple content going on at multiple stages. During Wednesday afternoon at one stage we will have a large number of speakers presenting on cyber ranges, cyber exercise and training. A lot of examples will be based on the world's largest red/blue team exercise LockedShields. Best wishes from a busy CS3STHLM crew!
h1|CS3STHLM Newsletter September
h4|News and highlights
sp|Published: 30 Sep 2019. Written by: CS3STHLM Crew
pa|On the 23rd, we will have an Expo at our venue Nalen. Partners will display the latest cyber security solutions and services. We will have a full lineup of speakers during the Expo day on the Harlem stage. Get the agenda for the day here Free registration here: Info on Expo partners and new CS3sthlm partners, shown further down! This year we will offer six different trainings, to have something for all our participants. Some are technical deep dives, some are more theoretical or policy oriented. Here is some short info on the trainings: See all trainings here: We are more or less ready with the lineup for this year with close to 30 presenters. We have experts from all over the world, giving presentations in areas as diverse as cyber attacks against cars, lessons from incidents and attacks, writing a adding malware into blockchain solutions. See all speakers here We will continue the success with the ICS security lab from previous years.
Attendees will have opportunities to try out various ICS equipment, cyber security protection mechanisms, and to see demonstrations of attacks. More info on the lab here Please take note - hotel Elite Stockholm Plaza will only hold the reserved block of rooms for CS3sthlm until the 21st of September. If you have not already booked your hotel room, now is the time! Use this link
li|should be part of your toolbox to detect anomalies in your ICS network by taking Mikael Vingaard's ICS honeypot class. This is a very hands-on class. Read an interview with Mike here:
li|class is given for the 3rd time. Always sold out. Packed with network level examinations and protocol analysis, and you need to bring your computer.
li|training can be very useful for those interested in policy level work for the oil/gas industry or electrical utility industry. Read an interview with Dr Beirer here
li|is a hands-on class where you will learn to find errors and vulnerabilities in an ICS system. To add a little something extra, the class also includes a capture-the-flag competition between the attendees.
li|is given by Joe Slowik of Dragos Inc to help you become better at defending your ICS systems.
li|from Dragos will get you started with threat hunting in your ICS environment
h1|CS3STHLM Newsletter September
h4|CS3sthlm Expo on 23rd Oct; Technical Training; More Speakers; ICS Security Lab; Hotel Discount; New Partners
sp|Published: 19 Sep 2018. Written by: CS3STHLM Crew
pa|The CS3STHLM summit is just a bit over a month away. Today we have speakers from many corners of the earth, and we already have attendees from most continents!
We will be at the beautiful venue Nalen in central Stockholm again. We will have presentations on various topics, including: As always we will have a mix of attack and defence stances, between technology and policy level, between theory and real-dirt-under-your-nails practice. We will continue the tradition from 4SICS to use multiple stages, and presentations will be done in different formats – a main stage, a TV studio setup for more intimate atmosphere and dialogues, and an impromptu stage in GeekLounge for improvised presentations (lightning talks, work in progress presentations, etc). View speaker info here - View info on presentations here - We are fortunate to have three excellent pre-conference trainings/tutorials: Tickets for all different workshops are available now. Please remember that one workshop is 2 days and the others are 1 day. If you select the 2 day workshop, make sure that you arrive and can start Monday morning! This year we will have a larger and more professional ICS security lab in place. Besides the amount of equipment available, we will also help interested attendees to better play with it at their level of knowledge. Beginners will find help to do basic probing and poking at exotic devices. Intermediates will be able to do more advanced experiments with bugs. Experts will be able to participate in winning prizes if they submit newly found vulnerabilities to the CERT representatives at the conference. This year we will also introduce an IoT security lab where people can play around with SOHO equipment, lightbulbs with IP addresses, embedded devices, etc. We still have rooms left in the block with discounts that we negotiated with the hotel closest to the venue. We want to inform you that rooms are going quickly and the cut-off date for when the discount is no longer available is less than two weeks away. Don't miss out on having this!
Info on venue, dates, airports, subways, hotels, etc can be found at the info web here: To get a taste of what the summit is, you can find old presentations from 2015 and 2016 on
li|How security impacts safety
li|How to successfully roll out cyber security policies at multinational corporations
li|Security (or the lack thereof) in IoT
li|First hand accounts of the ongoing Ukraine cyber attacks
li|New, secure, protocols for SCADA/ICS
li|Lessons learned from handling an enormous APT at a critical infrastructure provider
li|Learn about tricks and defense in Social Engineering
h1|CS3STHLM Newsletter September
h4|Speakers and presentations; Workshops; Security lab: ICS and IoT; Practical things; Historic presentations
sp|Published: 13 Sep 2017. Written by: Robert Malmgren
pa|News on our upcoming event! The traditional CS3 Summit content, presentations, partner exhibitions and social events will be happening online on the . Instead of travelling to Stockholm, you can now participate in the CS3STHLM event from wherever you want. And to counter time zone differences and offer the best accessibility, you can, as a ticket holder, either participate in the live event (CET Stockholm time zone Oct 21-22), or watch it later as VOD, Video on Demand. You can find the ticket here - The ticket price is EUR 299 (including VAT 25%) and is not refundable. When buying tickets, you will have to register name and email on the Hopin platform. Then you will first receive a simple transaction receipt via Hopin, but you will also receive a detailed receipt via email from CS3STHLM within 24 hours. Sorry, but we could not manage to move the trainings into our virtual platform this year.
Yes, the Expo will be running in parallel on the platform during the CS3sthlm Summit Oct 21-22. Do visit our partners and check out their virtual exhibitions and sessions.
You can see the Summit agenda here - . Do also check out our impressive line-up of speakers here - and you can find the presentations here -
Best wishes from the CS3STHLM crew
h1|CS3STHLM Newsletter September
h2|CS3sthlm Virtual Summit of 2020!
h2|Tickets are for sale!
h2|No trainings ☹
h2|CS3sthlm Expo!
h2|CS3sthlm Summit agenda!
sp|Published 17 Sep 2020. Written by CS3STHLM Crew.
pa|This year's edition of CS3STHLM presented an Expo Day as well as an extended interaction between participants and panelists. 10 students from Norway and Sweden were invited to take part in a challenge which resulted in two students from Norway and Sweden winning a reward. Spot The Honey Pot was a challenge initiated by Mikael Vingaard (DK) for participants to find Honey Pots within the ICS networks, won by Matan Dobrushin from Otorio.
Key Note Speaker on Thursday, Patrick Miller (US), praised the summit for not just high quality content, but also great production, great atmosphere and great venue. The founders of CS3STHLM, Robert Malmgren and Erik Johansson, thanked the 200 some participants, speakers, panelists and crew and rounded up the 2018 summit with a poll for Speaker of The Year, and this year's winners are Erwin Kooi and Rick van Hees with their presentation “The good, the bad and the segmented”.
CS3STHLM 2019 will take place at Nalen in Stockholm October 21-24
h1|CS3STHLM Summary of 2018 Event
h3|APPRECIATED EXPANSION OF ACCLAIMED CYBER SECURITY CONFERENCE
sp|Published 25 Oct 2018. Written by CS3STHLM Crew.
pa|At the upcoming CS3sthlm Summit (23-24 Oct 2019) in Stockholm, Sweden, attendees can listen to a keynote presentation by Wired senior writer Andy Greenberg. In his not yet released book, Sandworm, which will be distributed to the CS3 attendees, he tells a chilling story about identifying and tracking an elite team of agents bent on digital sabotage.
Back in 2014, the world witnessed the start of a mysterious series of cyberattacks. Targeting American utility companies, NATO, and electric grids in Eastern Europe, the strikes grew ever more brazen. They culminated in the summer of 2017, when the malware known as NotPetya was unleashed, penetrating, disrupting, and paralyzing some of the world’s largest businesses – from drug manufacturers to software developers to shipping companies. At the attack’s epicenter in Ukraine, ATMs froze. The railway and postal systems shut down. Hospitals went dark. NotPetya spread around the world, inflicting an unprecedented ten billion dollars in damage – the largest, most devastating cyberattack the world had ever seen. The hackers behind these attacks are quickly gaining a reputation as the most dangerous team of cyberwarriors in history: a group known as Sandworm.
According to many different sources they are working in the service of Russia’s military intelligence agency, and they represent a persistent, highly skilled force, one whose talents are matched by their willingness to launch broad, unrestrained attacks on the most critical infrastructure of their adversaries. They target government and private sector, military and civilians alike.
In his keynote at CS3sthlm on Thursday morning Oct 24th 2019, Andy Greenberg will highlight the main lessons from the Ukrainian Cyberwar and beyond, inspired by experiences from his upcoming book “Sandworm - A new era of cyberwar and the hunt for the Kremlin’s most dangerous hackers”. Joseph Cox, Motherboard, who has read a preview copy of the book, commented on Twitter: “God damn it’s gripping”. Others comment that it’s a chilling, globe-spanning detective story, which considers the danger this type of cyberwarrior poses to national security and stability. In the book, foreign government manipulations come into focus, which exposes the realities of today’s global digital offensive, and the era where warfare ceases to be waged on the battlefield. It reveals how the line between digital and physical conflict, between wartime and peacetime, has begun to blur – with world-shaking implications. Attendees at the CS3sthlm Summit in Stockholm will receive a copy of the upcoming book Sandworm, before its release in November.
CS3sthlm is the premier annual international industrial cybersecurity event in Northern Europe. The sixth edition of the CS3sthlm Summit takes place on October 23-24 at Nalen in Stockholm, Sweden. The objectives of CS3sthlm are not only to present the latest developments and trends from international experts and researchers, but also to establish a platform where people and organizations can share experience and knowledge among peers in order to better protect our civilization against cyberattacks.
st|Sandworm
h2|Keynote at CS3sthlm on Thursday Oct 24th
h2|CS3sthlm - an event for increased cybersecurity in critical infrastructure
em|A detailed description of the book, made by the publisher, describes it as follows:
pa|Researchers from the Slovakian antivirus company ESET have publicized information on malware especially targeted at automation in power grids. The malware is tied to an attack in Ukraine in 2016. ESET has worked alongside researchers from another company, Dragos, to analyze the code. Investigators from ESET and Dragos will come to the Cyber Security Summit CS3STHLM in Stockholm in October to present and discuss their findings.
Robert Lipovsky, one of the researchers at ESET, states in the Washington Post: “The potential impact of malware like this is huge. It’s not restricted to Ukraine. The industrial hardware that the malware communicates with is used in critical infrastructure worldwide.” This malware is called the most dangerous code since Stuxnet, malware discovered in 2010 aimed specifically at Iran’s nuclear program.
Robert Malmgren, owner and co-founder of CS3STHLM: “The fact that this malware can be used and re-used in critical infrastructure everywhere makes it an enormous threat to non-protected Industrial Control Systems.” CS3STHLM takes place at Nalen in Stockholm October 24-26.
www.cs3sthlm.se
For more information regarding the malware, please contact Robert Malmgren. Phone: +46 708 33 03 78
CS3STHLM is arranged by Omnisiens AB, owned by Swedish Cyber Security Experts Robert Malmgren, voted number one IT security specialist in Sweden in trade magazine Computer Sweden, and Erik Johansson, PhD, Security Researcher, Advisor, and Contractor working at the intersection of Information Technology (IT) and Operational Technology (OT).
li|Cissi Thorell Press Officer press@cs3sthlm.se
h1|Malware that can knock out power grids discovered
sp|Published 13 Jun 2017. Written by Maria Engstrom Ostby.
pa|When the conference opens for the 5th consecutive year, participants can download an app with the agenda, presentations of speakers, and the possibility of partaking in polls and giving direct responses to seminars, lectures and questions asked from stage. This also means a channel for newsflashes, changes in the program and messages from conference management. You can find the app in the usual app stores.
Mikael Vingaard (DK) invites all participants to a competition to find Honey Pots: Can you spot the honey-pot(s) @ the ICS Lab? - challenge yourself and find the honey-pot(s) hidden - submit your findings and win a prize! The competition starts 24.oct Wednesday at 10.00 am and ends Thursday at 14.30. The winner will be announced during the closing session, and needs to be in the audience during the closing session.
Use whatever tools (e.g. telnet, nmap, PLCscan etc) to find the honeypot(s) we have placed @ the ICS Lab industrial networks!
Be a good ICS neighbor, don’t try to change the configuration on anything, DDoS or otherwise break stuff on purpose - or in any way make the competition harder for your fellow contestants. You may work together as a team, but only one prize is awarded. To keep things interesting, we will change the Honeypot environment during the whole CS3sthlm conference. There might be many honey-pots hidden - and not only on one single ICS network - so do remember to look at ICS_Lab network 1 to 4. In case several contestants give the same (correct) reply, there will be a drawing to find the winner.
To participate, do send an email with the following to stockholm@defenica.com before Thursday 14.30:
a) Your name
b) Time of your research - aka. the date + hour, as we will dynamically change the honeypot(s) during CS3.
c) IPs of the honeypots you have spotted - do remember to write on what ICS_LAB network each was found, e.g. IP x.x.x.x on ICS network 4 + IP z.y.y.y on ICS network 2
GDPR stuff: the information collected during “Spot the Honeypot” will only be used for this competition. May the best honey-pot spotter win :-)
h1|CS3STHLM App and Honey Pot Competition
h3|CS3STHLM LAUNCHES CONFERENCE APP
h3|HONEY POT CHASE COMPETITION
h4|“Spot the Honey-pot” - The rules of engagement;
sp|Published 22 Oct 2018. Written by CS3STHLM Crew.
pa|The 4th edition of the top international summit on SCADA/ICS and critical infrastructure includes a seminar called “Effective threat mitigation strategies” hosted by Advenica. The company is providing new ways in cyber security, protecting critical infrastructures with innovative solutions.
One of the founders of CS3STHLM, Robert Malmgren, expresses excitement over the collaboration: “This fits perfectly with our profile and we are looking forward to learning about Advenica’s new security solutions.”
Advenica elaborates: “Last years have presented an increasing number of bumps in the road for cyber security defenders. The vast number of different attack vectors and the explosion in number of malware variants has made yesterday’s cyber defense strategies obsolete. The goal of cyber security is to ensure robust operation of the defended system – not to find as many pieces of malware as possible. Yesterday’s strategy is efficient at finding malware – but fails in ensuring robust operation”.
CS3STHLM is an international summit that focuses entirely on cyber security protection of SCADA/ICS and critical infrastructure. CS3STHLM attracts about 250-300 people from around the world to meet, network and gain knowledge. CS3STHLM takes place October 23-26 at the venue Nalen in central Stockholm.
h1|Advenica announces new collaboration with CS3STHLM
sp|Published 14 Sep 2017. Written by Maria Engstrom Ostby.
pa|Due to a conflict of interest regarding the name SICS between the summit 4SICS and the Swedish Institute of Computer Science, Omnisiens announces that the fourth summit will be arranged under the new name CS3 STHLM. The three CS stand for Cyber Security, Control Systems and Critical Structures, and STHLM is an official acronym for Stockholm. CS3 STHLM takes place in Stockholm this October 24-26. Top level cyber security experts from all over the world will gather again in the old concert venue Nalen in Stockholm for the internationally acclaimed summit.
Owners of arranging company Omnisiens, Swedish cyber security experts Erik Johansson and Robert Malmgren, state: “We changed the name because we had to, but we are convinced our target group will find us, and that it won’t be such a big deal. Ticket sales are up and running, and we look forward to presenting yet another exciting mix of speakers and topics.”
Interest in the summit is expected to escalate while awareness of hacker attacks and vulnerabilities in IoT (Internet of Things) rises. Tickets are on sale with an early bird price until June 30.
CS3STHLM is hosted by Omnisiens, owned by Swedish Cyber Security Experts Robert Malmgren, voted number one IT security specialist in Sweden in trade magazine Computer Sweden, and Erik Johansson, PhD, Security Researcher, Advisor, and Contractor working at the intersection of Information Technology (IT) and Operational Technology (OT).
Key note speakers previous years:
Selected topics from previous years, among ca 12-20 per year:
In depth analysis of the attacks against Ukraine with Robert M Lee from Dragos and Anton Cherepanov together with Robert Lipovsky from anti virus company ESET, who presented a thorough walk through of what is known about the virus “Black Energy”, which was used against power companies in Ukraine.
Internet of Things: John Matherly, creator of Shodan, called the world’s most dangerous search engine, leads a discussion of the escalation of IoT with a number of the world’s leading experts on the subject.
Hackable pacemakers discussed by scientists Marie Moe and Eireann Leverett, who present weaknesses and possible threats against Moe’s own pacemaker. A kind of threat that led Dick Cheney, previous Vice President of the US, to disconnect his pacemaker from the Internet to avoid being targeted by hackers.
The summit’s moderator has since the start been Anne Marie Eklund Löwinder, AMEL, Head of Security at IIS, The Internet Foundation in Sweden, and one of seven crypto officers in the world with a key to the Internet root zone.
li|2014 Stefan Lüders, Head of Computer Security at CERN
li|2015 Kim Zetter, editor at Wired Magazine and author of the book Countdown to Zero Day
li|2016 Robert M Lee, SCADA expert who was one of the investigators of the attack on Ukraine
h1|Cyber Security Summit 4SICS Relaunches as CS3STHLM
sp|Published 21 Apr 2017. Written by Maria Engstrom Ostby.
pa|In the light of growing vulnerabilities, this year’s top summit on Cyber Security in and Critical Infrastructure will give delegates possibilities to partake in real-time simulations and challenges in an updated and bigger ICS lab. The lab is hosted by ROMAB and Norwegian Energy CERT, with equipment provided by the Norwegian National Security Authority, NSM. The summit takes place in Stockholm October 24-26.
This year the lab is declared to be bigger, better and more interesting than ever before, with added ICS and ICS communication equipment. New equipment has resulted in a simulation of communication in industrial control systems with some ICS specific protocols, including OPC communication, being in progress. It is also extended with a part that is for IoT security. The Internet of things (IoT) is the network of physical devices, vehicles, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data.
Margrete Raaum from Norwegian Energy CERT: “Nothing gives as valuable cyber security learning as real hands-on work. Teaming up with ROMAB to create a dynamic and realistic learning environment is exciting, and we hope this will benefit ICS security engineers all over Scandinavia and beyond”
This year there is a much larger team involved in setting up and running the lab, or having special tasks involving the lab during the conference. The team members include Lars-Erik Smevold of KraftCERT (NO) who will be in charge of the lab, Nicklas Keijser (SE), who is an expert on SCADA/ICS development, Robert Malmgren (SE) of ROMAB, Erik Hjelmvik (SE) of NETRESEC and Mikael Vingaard (DK).
Robert Malmgren, founder of CS3STHLM and owner of ROMAB, elaborates: “We are honored to have the Norwegian energy sector CERT KraftCERT, as cooperators to ROMAB in setting up this year hosting the ICS and IoT security lab! This is a truly great partnership over the border with our Scandinavian friends in an effort to build competence and relationships for all that strive to secure the society and its critical infrastructure by starting with its fundamentals - the very systems that run our basic functions, like the electrical grid. Thank you to the Norwegian National Security Authority (NSM) for lending out equipment to the lab”
h1|CS3STHLM Presents ICS- and IoT Lab together with Norwegian Energy CERT
sp|Published 4 Oct 2017. Written by Maria Engstrom Ostby.