Cybersecuring Your Building Control Systems and Property

    Monday, June 27, 2016: 2:15 PM - 3:15 PM

    Speaker(s)

    Michael Chipley PhD, PMP, LEED AP
    President
    PMC Group LLC

    Elevator Speech:
    Hacking building control systems is easy; defending them is hard. This session will get you started by providing an overview of control system basics and protocols, explaining how to use the NIST information assurance risk management framework, and describing the plans, tools and methods to inventory, diagram, identify, attack, exploit, contain and eradicate a cyber-event. It will also include live demonstrations.


    Description

    The nation’s buildings increasingly rely on building control systems (otherwise known as operational technology) that are Internet-enabled. These systems provide critical services that allow a building to meet the functional and operational needs of its occupants, but they can also be easy targets for hackers and people with malicious intent. Attackers can exploit these systems to gain unauthorized access to facilities; cause physical destruction of building equipment; use them as an entry point to the traditional information technology (IT) systems and data; and expose an organization to significant financial obligations to contain and eradicate malware or recover from a cyber-event.

    This session will provide an overview of control system basics and protocols, explain how to use the NIST information assurance risk management framework, and describe the plans, tools and methods to inventory, diagram, identify, attack, exploit, contain and eradicate a cyber-event. It will also include live demonstrations of Shodan to illustrate how easily and quickly an attacker can drill down into an organization’s control systems, most often through an unprotected direct internet connection and a direct login to the operator’s console.



    Learning Objectives

    1. Learn the 5 essential plans every organization needs to cyber secure building control systems and corporate IT systems (SSP, POAM, ITCP, IRP, SAP).

    2. Discover how to make sure your building control systems are in a DMZ, segmented from the IT systems, and do not have a direct internet connection.

    3. Learn which cyber tools to specify and use in contracting language and service level agreements (CSET, Shodan, Kali, Exploit DB).

    4. Acquire the knowledge and tools you need to put your new plan into action.


    Sponsored by:

    Genea