[Launchpad] Securing OT/ICS: Implementing CISA’s Secure by Demand Principles

This session explores CISA’s Secure by Demand guidance, highlighting 12 critical security elements that should seamlessly integrate into OT/ICS products for a defense-in-depth strategy, mitigating vulnerabilities and prioritizing Secure by Design principles.

The 12 Critical Security Elements:

1. Configuration Management: Securely track modifications to configurations and logic.
2. Logging in the Baseline Product: Standardized logs for security and incident response.
3. Open Standards: Interoperable standards ensure secure functionality and flexibility.
4. Ownership: Operator autonomy over maintenance and updates.
5. Protection of Data: Integrity and confidentiality of operational data at all times.
6. Secure by Default: Security features enabled out of the box to reduce attack surfaces.
7. Secure Communications: Authenticated encrypted communication with simplified certificate management.
8. Secure Controls: Resilience against malicious commands, ensuring system availability.
9. Strong Authentication: Phishing-resistant multifactor authentication; no shared role-based passwords.
10. Threat Modeling: Up-to-date threat model detailing security risks and mitigation.
11. Vulnerability Management: Rigorous testing and timely remediation of vulnerabilities.
12. Upgrade and Patch Tooling: Owner-controlled security updates with a streamlined process.
Attendees gain actionable insights for protecting OT/ICS environments against evolving threats. By embedding security into design and procurement, organizations foster a resilient industrial cybersecurity ecosystem that proactively defends against cyber risks.

This session will explore strategic approaches for integrating Secure by Demand principles and fortifying OT/ICS defenses.

Secure by Default: Hardening Industrial Automation Systems

In this session, we will demonstrate practical approaches to implementing secure-by-default principles in Industrial Automation control systems.
Key topics include:
• PLC Hardening: Using Rockwell Automation’s ControlLogix platform—which represents approximately 70% of the PLC market share in North America—to showcase best practices for securing programmable logic controllers.
• Role-Based Access Control (RBAC): How RBAC, combined with identity providers such as Entra ID, Okta, or on-prem Active Directory, can deliver a seamless Single Sign-On (SSO) experience. We’ll illustrate how this unified RBAC model can be extended across PLCs, HMIs, and Engineering Workstations (EWS).
• Zero Trust Foundations: Leveraging ODVA’s CIP Security to enable device-to-device authentication and authorization, ensure data integrity, and optionally provide confidentiality.
By the end of this session, you’ll gain actionable insights into securing industrial environments through layered security strategies aligned with modern cybersecurity principles.

Zero Trust: Thwarting Man-in-the-Middle Attacks on PLCs

This session explores common attack vectors targeting Operational Technology (OT) and Industrial Control Systems (ICS) and demonstrates how Zero Trust principles can strengthen security. We will examine ODVA’s CIP Security components, including:
• Authorization & Authentication: Certificate-based validation to ensure only authorized communication occurs.
• Device Integrity: Mechanisms that prevent or detect unauthorized alterations to communication.
• Confidentiality: Encryption to protect data in transit.
You’ll learn how CIP Security enables micro-segmentation through software-defined Zones and Conduits, aligning with IEC 62443 standards, and how OPC UA clients and servers can be integrated for secure interoperability.
Finally, we will showcase a live demonstration of a Man-in-the-Middle (MiTM) attack on a control system—where traffic between two PLCs is intercepted and manipulated—and reveal how CIP Security mitigates this threat to safeguard industrial environments.

Requires 2nd project for the Kali Attack box and table for Physical PLC Demo that is being attacked.

Patch Management for OT

Struggling to wrap your arms around deploying a patch management strategy in OT and don’t know where to start. Attend this session to learn how about tools that are available to assist in your efforts, discover automated tools for inventory to vulnerability correlation and review patch management prioritization methodologies based upon industry standards and Guidelines.

You Too Can Secure OT

Are you tired of hearing how ICS is “insecure by default”, but if you just buy this widget all your problems will go away? This session will enable traditional IT security people to get started securing their OT systems. This session briefly highlight the differences between OT and IT systems and then dive into a structured approach for managing OT security risk.

This session was delivered at RSA 2023 this year. Here is a more detailed abstract. Many IT security leadership roles have expanded their scope to secure OT systems. Despite the popular opinion that ICS is “insecure by design”, this has not been true for over a decade. Security misconfiguration of OT systems remains an issue. In this session, we will discuss how to get started securing your OT environment and what security capabilities exist in OT technology today.
To secure the ICS/OT space we must first understand the installed base. The extended lifecycle of most ICS, proprietary networks, and islands of automation make it challenging for OT automated inventory tools alone to provide an accurate installed base, down to the firmware version and rev of various controllers; thus, requiring a combination of OT automated inventory and a manual installed based evaluation.
With this updated installed base, an automatic correlation to the latest vulnerability and lifecycle status of the asset must be performed. This in combination with a high-level risk assessment (one of the first stages of an IEC 62443 risk assessment), should be used to drive the decision making for risk mitigation controls.
After a ICS/OT risk assessment has been performed, then controls can be selected using a Defense in Depth Strategy that includes but not limited to OT/IT segmentation via an iDMZ, logical segmentation with smaller subnets and VLAN’s, monitoring with an OT specific Network Intrusion Detection Systems (IDS) with direct connections to Intrusion Prevention Systems (IPS’s), Role Based Access Control (RBAC), 802.1x for Network Access Control (NAC), vendor agnostic “in motion“ secure protocols (CIP Security, IPsec, OPC-UA), ICS/OT device hardening, common time base with millisecond accurate time synchronization, elimination of traditional compute resources through zero-clients and endpoint protection.
The next phase in protection is preparation for incident response. OT specific business continuity and disaster recovery plays a key role in incident response; being able to quickly recover with the latest SCADA program, PLC program and VM. Ensuring time ICS synchronization and log immutability is also required for facilitating an accurate forensic response. Secure remote access for internal and external resources is a necessity for standard business operations and disaster recovery support.
In this session we will go through these phases and get into the details of how these controls can be used in conjunction to secure Industrial Control Systems.