Once again the RSA Conference is upon us, and we have a wealth of opportunities to learn, network, promote what we do, or just take a break from our normal rat race. For many of us, attending, though, next week will be a marathon of meetings, demonstrations, sessions, vendor parties, and shuttling in between. It’s an exhausting but usually beneficial endeavor. But there is a lot going on. For those focused on critical infrastructure cybersecurity, there are a variety of sessions that range from the high-level policy discussion to the more technical how-to. While critical infrastructure frequently pops up in all kinds of topics, I thought I would highlight twelve sessions that seem to best fit the topic. To make things easier, I’ll group them into logical areas.
Probably one of the first industries we think of when critical infrastructure is mentioned is electric power. There are four that specifically target this industry.
Smart Grid Security: A Look to the Future (Wednesday, February 26, 10:40 a.m. – 11 a.m. | West | Room 2016): In a shameless plug, I encourage everyone to attend my session on smart grid security. Unlike many smart grid sessions focusing on smart meter hacking or on the broad outlines of smart grid, this session will focus on technologies that are still evolving. We’ll discuss plug-in electric vehicles and their implications when they eventually serve as a power source for the grid. The session will also highlight security concerns such as microgrids, distributed generation, and evolving markets. Even if you don’t work for a utility, this session will offer perspectives that you may not have considered for both the power industry and the larger world of the Internet of Things.
Utilities and Cybersecurity – Myth and Realty (Friday, February 28, 9 a.m. – 10 a.m. | West | Room: 2016): This session offers insights from cybersecurity leaders at some of our nation’s most innovative utilities. We hear about threats and the possibility that the grid is already compromised. The panelists will set the record straight on how utilities actually operate and dispel the myths that seem to constantly propagate. Before you panic after hearing a briefing from a vulnerability researcher, listen to these folks.
A Hacker’s Perspective: How I Took Over Your City’s Power Grid (Friday, February 28 | 11:40 a.m. – 12 p.m. | West | Room: 3002): Speaking of panic, be sure to stop by Andrew Whitaker’s presentation on how his group of pen testers were able to compromise physical and cybersecurity measures to hack into a utility’s supervisory control and data acquisition (SCADA) systems. But don’t forget the lessons learned in the earlier panel. Some utilities have better security than others, but even the best of them need the kind of refresher Andrew offers on areas that may fall through the cracks.
Operation Olympic Games Is the Tom Clancy Spy Story that Changed Everything (Friday, February 28 | 9 a.m. – 10 a.m. | West | Room: 3002): For something a little scarier, I encourage everyone to attend Richard Howard’s retrospective on the development and deployment of Stuxnet, the exploit that changed the way all of us look at critical infrastructure security. While the story is interesting, the implications for future attacks are even more compelling as nation states, terrorists, and cyber criminals build upon Stuxnet’s “innovations” to develop and deploy even more insidious cyber weapons.
Internet of Things
Technologies like smart grid are often considered a subset of the much larger universe of the Internet of Things that has gotten lots of attention lately. Because our critical infrastructure sectors are the heaviest users of network-connected embedded devices, it makes sense for those entrusted with these key assets to stay on stop of developments in this area, as many innovations will find their way into systems responsible for keeping us safe, such as medical devices, vehicle assistance systems, flight control systems, traffic management systems, and energy management systems.
Make Way for the Internet of Things (Thursday, February 27| 9:20 a.m. – 10:20 a.m. | West | Room: 2016): Benjamin Jun, chief technology officer with Rambus’ Cryptography Research division, has had a front row seat for the innovations taking place with the Internet of Things through the work his company has done with embedded devices. His discussion of the growth of this important technology and the security risks is bound to be fascinating.
Internet of Things... Promising but Let's Not Forget Security Please! (Monday, February 24 | 2:25 p.m. – 2:45 p.m. | West | Room: 3012): Eric Vyncke from Cisco, who has fully committed to the Internet of Things evolution, provides his take on the security challenges we face with this amazing technology.
Turning Medical Device Hacks into Tools for Defenders (Thursday, February 27, 2014 | 10:40 a.m. – 11:40 a.m. | West | Room: 3006): Accuvant’s Jamie Gamble and Tim West introduce us to one of those Internet of Things technologies, medical devices, and highlight the risks we face as they become more prevalent and interconnected.
The Current State of Automotive Security (Friday, February 28 | 9 a.m. – 10 a.m. | West | Room: 3018): While interconnectivity is at a very early stage for the automobile, the prevalence of embedded devices is nothing new. However, we’ve only scratched the surface on the kinds of cybersecurity risks we’re likely to face in the future. Chris Valasek from IOActive, the famous hardware hacking firm, walks us through these dangers.
Big Data's Potential in Helping to Secure the Internet of Things (Wednesday, February 26, 2014 | 9:20 a.m. – 10:20 a.m. | West | Room: 3022): While I’m sure most of you will have your fill of all things “Big Data” at this conference, I encourage you to check out Jim Kobielus’ talk on how Big Data can help to secure the vast and unwieldy Internet of Things. It certainly makes sense that with a large number of devices come a lot of data to be managed, and Big Data is here to make sense of it all.
Beyond Information Warfare: The History of the Future of Security (Wednesday, February 26| 11:20 a.m. – 11:40 a.m. | West | Room: 2016): Winn Schwartau’s talk should give us all pause to think about just what we plan to use technology for and the potential unintended consequences. The Internet of Things is likely to revolutionize how we live our lives, but it also presents risks based on who controls the technology and for what purposes. The robots may never really take over, but at some point, it may feel like they have. This talk should give us some ideas of what we may be up against.
Broader Critical Infrastructure Challenges
While critical infrastructure is a somewhat amorphous concept, we nonetheless recognize the importance it plays in our lives. That means government and industry must not only address challenges to individual components, they must also deal with the commonalities such as our supply chains, regulatory functions, and control system components used in multiple industries. These talks address these broader concerns.
Effects-based Targeting for Critical Infrastructure (Tuesday, February 25 | 4 p.m. – 5 p.m. | West | Room: 3002): Sean McBride draws from the lessons learned from Stuxnet to offer insights on what future attacks on U.S. critical infrastructure might look like.
Facts vs. Fear: Foreign Technology Risks in Critical Industry Sectors (Tuesday, February 25, 2014 | 2:40 p.m. – 3:40 p.m. | West | Room: 2009): This expert panel dives into the challenges posed by our vast and international supply chain to critical infrastructure sectors. They will highlight the legitimate concerns and dispel misconception while offering concrete steps to address vulnerabilities and manage risk.