Key Takeaways from ICS Cybersecurity Conference

Securicon attended the 2019 ICS Cybersecurity Conference in Atlanta on October 21-24. It was a four-day whirlwind of speakers working at the cutting edge of OT security who provided a crash course on the state of the industry, and areas for improvement in 2020.

If you couldn’t make it to this incredible event, don’t worry, we’ve compiled our top four takeaways from the conference just for you.

1. OT cybersecurity can’t be automated

We all know that malware attacks against industrial control systems have been rising for the past decade. According to Mark Carrigan from PAS Global, there’s good news: security officers are taking notice, and 84% of businesses have invested in solutions to address the IT/OT convergence.

Here’s the bad news: demand for solutions has generated an influx of vendors who lull their clients into a false sense of security by making promises they can’t deliver. When it comes to threat detection, nothing beats human expertise; over-dependence on automation lets targeted attacks slip beneath the radar.

2. IoT is the next big threat for ICS

Distributed Energy Resources (DERs) are helping power companies manage the grid more effectively; unfortunately, they also create points of entry for attackers. In response, Jim McCarthy from the National Institute of Standards and Technology (NIST) spoke about ongoing efforts to develop security standards and guidance for the Industrial Internet of Things (IIoT).

Lionel Jacobs from Palo Alto Networks argued that organizations should adopt a zero-trust policy toward IoT, segmenting SCADA and ICS networks behind enforced perimeters to limit an attacker’s lateral movement. The dangers of IoT may be unavoidable, but with careful governance policies they can be managed.
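As an added illustration (not code from Jacobs’s talk or from any Palo Alto product), the model below expresses the zero-trust stance as a default-deny policy between assumed zones: every permitted path is listed explicitly, and even inside the control zone Modbus writes are accepted only from the engineering workstation. The zones, addresses and function-code rules are assumptions constructed for the example.

```python
"""Default-deny zone policy for a segmented OT network (illustrative model).

Added example, not code from the conference talk. Zones, addresses and the
Modbus rules are assumptions chosen for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

# Hypothetical zones with assumed addressing (not a real site).
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),     # corporate IT
    "ot_dmz":     ip_network("10.20.0.0/24"),     # historian, jump host
    "control":    ip_network("192.168.50.0/24"),  # HMIs, engineering workstation, PLCs
    "iot":        ip_network("192.168.60.0/24"),  # cameras, smart meters, DER gateways
}
ENGINEERING_WS = ip_address("192.168.50.10")  # the only host permitted to write to PLCs

MODBUS_READ = {1, 2, 3, 4}      # read coils / discrete inputs / registers
MODBUS_WRITE = {5, 6, 15, 16}   # write single/multiple coils and registers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    modbus_fc: Optional[int] = None  # Modbus function code when dport == 502


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def modbus_policy(flow: Flow) -> Tuple[bool, str]:
    """Reads are allowed on permitted paths; writes only from the engineering workstation."""
    if flow.modbus_fc in MODBUS_READ:
        return True, "modbus read"
    if flow.modbus_fc in MODBUS_WRITE:
        if ip_address(flow.src) == ENGINEERING_WS:
            return True, "modbus write from engineering workstation"
        return False, "modbus write from unauthorised host"
    return False, "unknown or missing modbus function code"


# Explicit allow list keyed by (src_zone, dst_zone, proto, dport). A value of
# None means allow outright; a callable is an extra per-flow check.
# Nothing else is permitted: there is no implicitly trusted zone.
Check = Optional[Callable[[Flow], Tuple[bool, str]]]
ALLOW: Dict[Tuple[str, str, str, int], Check] = {
    ("enterprise", "ot_dmz", "tcp", 443): None,          # staff read the historian web UI
    ("ot_dmz", "control", "tcp", 502): modbus_policy,    # historian polls PLCs (reads only)
    ("control", "control", "tcp", 502): modbus_policy,   # HMI / EWS to PLC within the zone
}


def evaluate(flow: Flow) -> Tuple[bool, str]:
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    if key not in ALLOW:
        return False, f"no rule for {key[0]}->{key[1]} {flow.proto}/{flow.dport} (default deny)"
    check = ALLOW[key]
    if check is None:
        return True, "explicit allow"
    return check(flow)


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.5", 443),                        # enterprise -> historian: allow
    Flow("10.10.4.7", "192.168.50.20", 502, modbus_fc=3),       # enterprise straight to PLC: deny
    Flow("10.20.0.5", "192.168.50.20", 502, modbus_fc=3),       # historian read: allow
    Flow("10.20.0.5", "192.168.50.20", 502, modbus_fc=16),      # historian write: deny
    Flow("192.168.50.10", "192.168.50.20", 502, modbus_fc=16),  # EWS write: allow
    Flow("192.168.50.11", "192.168.50.20", 502, modbus_fc=6),   # HMI write: deny
    Flow("192.168.60.9", "192.168.50.20", 502, modbus_fc=3),    # IoT gateway to PLC: deny
]


def audit(flows=SAMPLE_FLOWS):
    return [(f.src, f.dst, evaluate(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, (ok, why) in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {src:>15} -> {dst:<15} {why}")
```

The point of the model is that the IoT zone never appears as a source in the allow list, so a compromised gateway cannot reach a PLC at all, and that a historian with a legitimate read path still cannot issue a write even though it sits on the "right" side of the perimeter.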

3. Insider threats: still a problem

Conventional wisdom suggests that isolating control systems from network access is the best way to protect them. But – says Chad Lloyd from Schneider Electric – “air gaps” can produce a false sense of security, because they are still vulnerable to human failure inside organizations.

The figure cited at the conference was that 97% of attacks on critical infrastructure depend not on clever exploits or vulnerabilities but on social engineering that tricks personnel into divulging passwords and access information. More investment is clearly needed to train personnel in cyber hygiene and to prevent insider threats.

4. Threat hunting is the best way to strengthen networks

Thomas Pope from Dragos delivered an insightful presentation, showing that modern hackers increasingly rely on the same tactics, techniques and procedures (TTPs) that pen testers and threat hunters have been using for years.

For this reason, threat hunting remains one of the most powerful ways to prevent attacks before they occur. To prove the point, Illan Barda from Radiflow showed eye-opening results from red-teaming on a water treatment facility.

Adopting a Threat-Based Mindset

All our takeaways from the ICS Cybersecurity Conference emphasize one theme: OT-dependent organizations will have to adopt a threat-based mindset to fight the next generation of attacks on ICS and critical infrastructure.

With years of expertise trusted by the U.S. security community – including DoD, DHS and the U.S. Cyber Command – our people are equipped to find and eliminate modern OT threats with methodology including:

  • Vulnerability assessments and penetration tests
  • Red-team and blue-team services
  • Industrial Control System (ICS) assessments
  • Network engineering and security architecture design

Automated solutions just aren’t good enough: in 2020, partner with an organization that can see both the big picture and granular details of cybersecurity today.


Securicon’s threat management solutions are based on industry standards for safety and professionalism. With years of experience in ICS cybersecurity, we are here to protect your organization. Contact us for more information.

Always Expect the Worst: Anticipating Threats with Cyber Hunt

Once upon a time, security was about mitigating risks to an organization by following best practices and responding effectively to incidents when they arose.

This compliance and risk-based mindset is no longer enough: the past several years have seen escalating breaches and organized cyber-crime, showing that safety is now the exception and not the rule. A threat-based mindset is the only solution.

First, organizations asked themselves, “will we be attacked?” Later, “when will we be attacked?” Now the most logical question is: “when will we realize we’ve already been attacked?”

This is the philosophy behind cyber hunt: “the bad-guys are already here, and now we must find them.”

What is(n’t) Cyber Hunt?

Despite the fancy name, cyber hunt is a methodology that many organizations follow – in whole or in part – without actually calling it that. Simply put, hunting entails proactively searching for, anticipating, and eliminating threats to an organization’s security using tools, techniques and procedures designed to find and eradicate suspicious activity.  Many of these tools are the same as those used by the adversaries themselves.

Unfortunately, a lot of misconceptions surround cyber hunt, and sometimes – like the Tao – it’s easier to explain by explaining what it’s not. For instance, cyber hunt is not…

1. Incident Response

With the number of breaches that have already occurred in 2019 alone, it’s easy to understand why organizations go searching for a band-aid. But the point of cyber hunt is to eliminate threats before they have consequences.

Fixing a security breach is reactive; cyber hunt is proactive.

2. Spy vs. Spy

The term “hunt” means “track and kill,” which lends itself to the impression that cyber hunt entails “hacking the hackers”. But while this notion may occasionally apply in government contexts, it does not apply in the commercial space.


First of all, ethical hackers are bound by the same computer-misuse laws as everyone else, so unauthorized access to an attacker’s systems is off the table. Secondly, cyber hunt is about tracking and eradicating threats, which means pushing malicious actors out of a system; it doesn’t mean going after them or “hacking back”.

3. Pen Testing

It’s easy to see why pen testing gets mixed up with cyber hunt. The two practices overlap in many ways, and – as we will see – pen testing is part of the cyber hunt toolkit. But pen testing is scoped: it is useful for diagnostics and discovery of known classes of weakness, while novel threats and attack vectors generally fall outside its scope of effort. They do not fall outside the scope of cyber hunt.

How The Game is Played

At Securicon, we have refined our cyber hunt methodology for over a decade in conjunction with branches of the U.S. military and public corporations. Not every step of a full hunt is always necessary; the point is to fit an organization’s unique security needs.

1. Mission Analysis

Unlike generalized risk management, cyber hunt focuses on identifying and protecting the critical systems or assets that are essential to an organization’s success, such as financial systems, manufacturing systems and applications, or industrial control systems. With this understanding, our cyber hunt teams conduct thorough interviews to assess:

  • Mission Objective – establishes the core functions and objectives of an organization. In the private sector, this is likely the successful delivery of a product or service.
  • Key Terrain – applies to all systems critical for accomplishing the mission objective, including systems, applications, servers, firewalls, etc. Systems related to non-core functions such as company email are generally not considered key terrain.
  • Threat Profile – every industry, business and government branch will have a history of threats which can be analyzed to identify the most vulnerable areas of an organization, and the style of attacks which it is likely to face. We also work to determine who likely threat-actors may be based on known adversarial intent and ability to exploit vulnerabilities specific to the organization we are supporting.

2. Vulnerability Analysis

Searching for threats begins by checking for known vulnerabilities. This is the area where pen-testing and cyber hunt intersect, although many sources of information will be considered including:

  • Scans for anomalous network activity and other indicators of compromise
  • “Dropped” files (signs of a system intrusion)
  • Keyloggers, trojans, backdoors and other forms of malware

Some organizations will go so far as deploying a Red Team to simulate an actual attack on systems, which can take guesswork out of determining what can really be compromised.

The discovery of a vulnerability is only the first step in a longer process of aggressively seeking out threats. Items found during an initial sweep are often superficial in terms of risk factor but discovering them can lead down deeper rabbit holes, leading to the fun stage.
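The sweep described in this step, as an added example that is not Securicon’s tooling: a first pass matches constructed endpoint and DNS events against placeholder indicators (a file hash and a domain), and a second pass looks for behaviour that no indicator list can know about in advance, here DNS lookups at a suspiciously regular cadence. That is how a superficial initial hit (a known-bad domain on one HMI) leads down the rabbit hole to a second host beaconing to a domain nobody had flagged. The events, hash and domains are all constructed for the demonstration; the jitter threshold is an assumption.

```python
"""Hunt sweep over endpoint and DNS events: indicator matching plus beacon detection.

Added example, not Securicon's tooling. All events, the hash and the domains
below are constructed placeholders, not real threat intelligence.
"""
import json
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

BAD_SHA256 = {
    # Placeholder indicator (assumption), not a real malware hash.
    "9e107d9d372bb6826bd81d3542a419d6f3e0c4b2f7b9a1c1e3a9a6c2c5c7d8e1",
}
BAD_DOMAINS = {"update-cdn.example.net"}   # placeholder C2 domain (assumption)
MIN_BEACON_LOOKUPS = 4                     # fewer lookups than this is not a cadence
MAX_JITTER = 0.10                          # pstdev/mean of inter-query gaps (assumed threshold)

# Constructed JSON-lines events (file writes and DNS lookups, timestamps in seconds).
RAW_EVENTS = r"""
{"ts": 5,    "type": "file", "host": "hmi-02",    "path": "C:\\Users\\op\\AppData\\Local\\Temp\\svchosts.exe", "sha256": "9e107d9d372bb6826bd81d3542a419d6f3e0c4b2f7b9a1c1e3a9a6c2c5c7d8e1"}
{"ts": 12,   "type": "file", "host": "eng-ws-01", "path": "C:\\Projects\\pumpstation.l5x", "sha256": "0b6a2c1d8e4f9a3b7c5d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"}
{"ts": 60,   "type": "dns",  "host": "hmi-02",    "query": "update-cdn.example.net"}
{"ts": 360,  "type": "dns",  "host": "hmi-02",    "query": "update-cdn.example.net"}
{"ts": 660,  "type": "dns",  "host": "hmi-02",    "query": "update-cdn.example.net"}
{"ts": 960,  "type": "dns",  "host": "hmi-02",    "query": "update-cdn.example.net"}
{"ts": 1260, "type": "dns",  "host": "hmi-02",    "query": "update-cdn.example.net"}
{"ts": 10,   "type": "dns",  "host": "eng-ws-01", "query": "telemetry.vendor-example.com"}
{"ts": 95,   "type": "dns",  "host": "eng-ws-01", "query": "telemetry.vendor-example.com"}
{"ts": 400,  "type": "dns",  "host": "eng-ws-01", "query": "telemetry.vendor-example.com"}
{"ts": 410,  "type": "dns",  "host": "eng-ws-01", "query": "telemetry.vendor-example.com"}
{"ts": 900,  "type": "dns",  "host": "eng-ws-01", "query": "telemetry.vendor-example.com"}
{"ts": 100,  "type": "dns",  "host": "plc-gw-01", "query": "api.metrics-example.io"}
{"ts": 690,  "type": "dns",  "host": "plc-gw-01", "query": "api.metrics-example.io"}
{"ts": 1310, "type": "dns",  "host": "plc-gw-01", "query": "api.metrics-example.io"}
{"ts": 1895, "type": "dns",  "host": "plc-gw-01", "query": "api.metrics-example.io"}
{"ts": 2500, "type": "dns",  "host": "plc-gw-01", "query": "api.metrics-example.io"}
"""


def parse_events(raw: str) -> List[dict]:
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def ioc_matches(events: List[dict]) -> List[dict]:
    """Pass 1: cheap matching of known indicators (file hashes, domains)."""
    findings = []
    for ev in events:
        if ev["type"] == "file" and ev["sha256"] in BAD_SHA256:
            findings.append({"kind": "ioc_hash", "host": ev["host"], "detail": ev["path"]})
        elif ev["type"] == "dns" and ev["query"] in BAD_DOMAINS:
            findings.append({"kind": "ioc_domain", "host": ev["host"], "detail": ev["query"]})
    return findings


def beacons(events: List[dict]) -> List[dict]:
    """Pass 2: behavioural check needing no indicator: evenly spaced DNS lookups."""
    times: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for ev in events:
        if ev["type"] == "dns":
            times[(ev["host"], ev["query"])].append(ev["ts"])
    findings = []
    for (host, domain), ts in times.items():
        if len(ts) < MIN_BEACON_LOOKUPS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({"kind": "beacon", "host": host,
                             "detail": f"{domain} every ~{mean:.0f}s (jitter {jitter:.2f})"})
    return findings


def hunt(raw: str = RAW_EVENTS) -> List[dict]:
    """Run both passes and de-duplicate repeated hits on the same host/detail."""
    events = parse_events(raw)
    seen, out = set(), []
    for f in ioc_matches(events) + beacons(events):
        key = (f["kind"], f["host"], f["detail"])
        if key not in seen:
            seen.add(key)
            out.append(f)
    return out


if __name__ == "__main__":
    for f in hunt():
        print(f"{f['kind']:11} {f['host']:10} {f['detail']}")
```

Note what the indicator pass alone would have missed: eng-ws-01 talks to a vendor domain at irregular, human-looking intervals and is left alone, while plc-gw-01 resolves an unflagged domain every ten minutes with a few seconds of jitter and is surfaced for a closer look.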

3. Monitor and Remediate

After threats are discovered, they are – of course – remediated. But the work of a cyber hunt team isn’t finished: if there was a motive to strike once, there will be a motive to strike once more, and systems will continue to be monitored.

Forensic analysis may be conducted on malware, network activity and other traces of an attack to find more information about the perpetrators. This information can be used to uncover more threats and identify them more quickly in the future.

A Level Playing Field

A rise in threat-oriented mentality is a result of the rise in cyber threats, which in turn has much to do with several trends, including:

  • Political motives for cyber-terrorism
  • Thriving black markets for personally identifiable information (PII)
  • Increased availability and low cost of hacking tools and hardware
  • Rise in organized, advanced persistent threats (APTs)

Yesterday’s threat landscape consisted mainly of small-time black hats, script kiddies and the occasional nation-state actor. Today, formidable threats can arise anywhere at any time.

We hear all about the attackers: it’s time to arm the victims. By using the tools and methods that create threats to eliminate them, cyber hunt finally levels the playing field for everyone.


Dave Carpenter leads a team of skilled security and risk management professionals. He has managed several major cybersecurity initiatives enhancing the overall security posture of our clients.

Prior to Securicon, Dave supported the Information Assurance team at Spirit Aerosystems, where he developed, implemented, and coordinated a Global Risk Management Program based on RMF, and was on the Business Management team for New Programs. Additionally, he was a Security Consultant at ICF International, creating and enforcing security and privacy policies, and TSA’s Registered Traveler Program.

David served in the U.S. Air Force, both Active Duty and Reserve.  He serves in the Maryland ANG, managing, training, and equipping a Cyber Operations Force and recently led a Cyber Vulnerability and Analysis Hunt team.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!

Looking Ahead: Why 2019 Will Be the Year of Cyberwarfare

One year away from the third decade of the 21st century, technology has finally caught up with science fiction. In 2019 we’re going to hear more news about driverless cars, revolutions in artificial intelligence and commercial applications for drones. One thing is for sure: it’s an exciting time to be alive.

Unfortunately, advances in technology bring about advances in public threats; 2019 is not an exception. Last year we saw a startling number of security breaches, ransomware attacks and data leaks from Fortune 500 organizations. Hackers are getting smarter all the time, and – with increased incentive to profit from booming digital black markets – they haven’t rested yet.

It’s Getting Political

Things are going to be a little different this year. Hacking culture has always been entangled with a certain political ethos (hence the connection between Anonymous and the anarchist thriller V for Vendetta), but in recent years money has dominated as the end game in a majority of highly publicized attacks.

With rising political unrest around the world, cyber attacks are becoming more about nations, countries and governments than ever before. Take several examples:

  • In March of last year, the FBI and Department of Homeland Security (DHS) issued a joint alert disclosing that Russian government hackers had been tied to attacks on U.S. infrastructure, including the energy, water and aviation sectors. The attackers stole sensitive information for unknown purposes, spreading widespread alarm.
  • For some time, responsibility for federal information security was spread across several agencies, including the FBI, the NSA and DHS. In November 2018, Congress passed the Cybersecurity and Infrastructure Security Agency Act, creating CISA within DHS and signaling a unified, bipartisan emphasis on the threat of cyberattacks against the U.S.
  • Last December, Chinese nationals Zhu Hua and Zhang Shilong were indicted for stealing vast amounts of sensitive data related to American industries and technologies. The attackers also stole social security numbers and other personal information from over 100,000 U.S. Navy personnel, effectively ending the three-year-old 2015 U.S.-China agreement not to conduct cyber-enabled theft of intellectual property for commercial advantage.

While the threat of cyberwarfare has existed since cyberattacks became a technological possibility, it was once – for the most part – an intrigue of science fiction and futurism. Now that key government resources are increasingly digitized, the threat has become a palpable reality.

As former DHS Under Secretary Suzanne Spaulding observes, “Until recently the US did not publicly attribute various cyber incidents to specific nations, despite public pressure to do so.” The country’s attitude has finally changed: when it comes to international relationships, cyberwarfare is no longer a weird exception to the rule.

New Technology, New Threats

In addition to the heightened tensions that have raised cybersecurity stakes for world powers, 2019 will likely see the rise of new threats that experts are only just coming to terms with.

Here are a few that will pose a risk for domestic security:

  1. Attacks Fueled by IoT Botnets

In order to manage incoming traffic from visitors, websites must be hosted on servers with enough bandwidth. One common way to attack a server is to send a large amount of fake traffic from multiple computers, thus exceeding the server’s bandwidth and taking it offline.

These Distributed Denial of Service (DDoS) attacks are hardly new, but in recent years, the Internet of Things (IoT) has made them dramatically more powerful.

Here’s the basic script: an attacker quietly compromises thousands of Internet-connected devices – from phones to smart thermostats – and links them together in a “botnet”. The attacker then instructs the devices to flood a target server with traffic until it can no longer serve legitimate users.

In October 2016, the Mirai botnet’s attack on the DNS provider Dyn took large portions of the Internet offline along the U.S. East Coast. Now Symantec predicts that IoT botnets will be used to conduct much more sophisticated attacks, giving attackers unprecedented power.
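To make the “many sources, one target” signature concrete, here is an added example (not from the article or from Symantec) that buckets constructed flow records into ten-second windows per destination and distinguishes a distributed flood from a single noisy host by the number of distinct sources. The traffic and thresholds are synthetic assumptions; a flash crowd of real users can trip the same rule, so in practice the alert is a trigger for investigation (and for upstream scrubbing), not an automatic block.

```python
"""Volumetric flood detection over flow records: packets and distinct sources per window.

Added example, not from the original article or from Symantec. The flow records
are constructed synthetically and the thresholds are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

WINDOW = 10          # seconds per bucket
MIN_PKTS = 5000      # packets per window per destination before we care
MIN_SOURCES = 100    # distinct sources that make a flood "distributed"


@dataclass(frozen=True)
class Rec:
    ts: int      # seconds
    src: str
    dst: str
    dport: int
    pkts: int    # packets in this record


def synthetic_records() -> List[Rec]:
    """Constructed data: 60s of normal traffic, a 200-bot flood at t=30..39 and a
    single-host flood at t=50..54. TEST-NET ranges stand in for bot addresses."""
    recs: List[Rec] = []
    for t in range(60):                          # baseline: 20 clients at 5 pkt/s
        for i in range(20):
            recs.append(Rec(t, f"10.10.1.{i + 1}", "10.0.0.80", 443, 5))
    for t in range(30, 40):                      # botnet: 200 sources at 40 pkt/s each
        for i in range(200):
            src = f"198.51.100.{i + 1}" if i < 100 else f"203.0.113.{i - 99}"
            recs.append(Rec(t, src, "10.0.0.80", 443, 40))
    for t in range(50, 55):                      # one noisy host at 2000 pkt/s
        recs.append(Rec(t, "192.0.2.7", "10.0.0.80", 443, 2000))
    return recs


def detect(recs: List[Rec]) -> List[dict]:
    """Aggregate per (window, destination); alert on volume, classify by source spread."""
    pkts: Dict[Tuple[int, str], int] = defaultdict(int)
    srcs: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
    for r in recs:
        key = (r.ts // WINDOW * WINDOW, r.dst)
        pkts[key] += r.pkts
        srcs[key].add(r.src)
    alerts = []
    for key in sorted(pkts):
        n, s = pkts[key], len(srcs[key])
        if n < MIN_PKTS:
            continue
        alerts.append({
            "window": key[0], "dst": key[1], "pkts": n, "sources": s,
            "kind": "distributed" if s >= MIN_SOURCES else "single_source",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(synthetic_records()):
        print(f"t={a['window']:>3}s {a['dst']} {a['kind']:14} pkts={a['pkts']:>6} sources={a['sources']}")
```

The single-source case matters for response: one abusive address can be dropped at the edge, whereas 220 sources at modest per-source rates each look like an ordinary client, which is exactly why the botnet form is so hard to filter without upstream help.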

  2. Critical Infrastructure Attacks

We’ve already mentioned that in 2018 the U.S. acknowledged cyber attacks against critical infrastructure. Nor was this merely theoretical: in December 2015, attackers compromised Ukrainian distribution utilities and left roughly 230,000 customers without electricity for several hours.

While it’s not a brand-new idea, infrastructure attacks are becoming more common for a simple reason: more of it is connected to the web. This vulnerability goes to show that IoT isn’t just a tool for attackers to use; it’s a weakness for them to exploit.

As Brian NeSmith of Forbes Council points out,

“With digital technology wherever we look and the explosion of the internet of things (IoT), the possibilities of cyber-mayhem are limitless. Think of nuclear reactors, chemical plants and satellites in space — all are potentially vulnerable targets.”

The possibility that hackers could cripple the U.S. power grid concerned U.S. Senators enough that last year they proposed a bill to study replacing some of the digital control systems used by power stations with analog, non-networked alternatives.

  3. Spear Phishing and APT Groups

Most organizations are aware of phishing threats: an attacker can use false login portals, domains and forms to dupe employees into sharing sensitive information that can be used to further sabotage a business.

Phishing attacks have been common from the beginning of the Internet, but spear phishing is an entirely different animal. Also known as “targeted phishing,” spear phishers single out an organization or business and tailor the attack to ensnare a target.

Like any social engineering attack, spear phishing works because it exploits intimate knowledge of an organization or an insider. Such attacks are both more dangerous and more convincing than bulk phishing, and they present an active threat to government agencies.
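Because tailored lures lean on look-alike domains for their false portals and sender addresses, the added example below (not Securicon’s tooling) triages candidate domains against an assumed list of an organization’s legitimate domains: it decodes punycode and strips accents to catch homoglyphs, spots a legitimate name buried under someone else’s registered domain, and flags small edit distances and hyphenated brand abuse. The protected domains and candidates are constructed for the demonstration, and the naive “last two labels” split is an assumption a real deployment would replace with the Public Suffix List.

```python
"""Triage of sender and link domains against an organisation's legitimate domains.

Added example, not Securicon's tooling. LEGIT and the candidate domains are
assumptions constructed for the demonstration.
"""
import unicodedata
from typing import List, Tuple

LEGIT = ("securicon.com", "example-utility.com")  # assumed protected domains
MAX_EDITS = 2                                      # edit distance treated as a typosquat


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so homoglyphs can be compared as text."""
    if "xn--" not in domain:
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold(domain: str) -> str:
    """Strip accents and other combining marks: 'sécuricon' folds to 'securicon'."""
    nfkd = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in nfkd if not unicodedata.combining(c)).lower()


def registered(domain: str) -> str:
    # Naive eTLD+1 (last two labels); assumption for the demo, use the PSL in production.
    return ".".join(domain.split(".")[-2:])


def classify(domain: str) -> str:
    d = domain.lower().rstrip(".")
    if d in LEGIT or any(d.endswith("." + legit) for legit in LEGIT):
        return "legit"
    folded = fold(to_unicode(d))
    reg = registered(folded)
    first_label = reg.split(".")[0]
    for legit in LEGIT:
        brand = legit.split(".")[0]
        if folded != d and reg == legit:
            return "homoglyph"          # identical to a legit domain once decoded and folded
        if ("." + folded + ".").find("." + legit + ".") >= 0:
            return "subdomain_spoof"    # legit name buried under another registered domain
        if levenshtein(reg, legit) <= MAX_EDITS:
            return "typosquat"          # one or two character edits away (incl. TLD swaps)
        if brand in first_label and first_label != brand:
            return "brand_abuse"        # brand embedded in a different registered name
    return "unknown"


def triage(domains: List[str]) -> List[Tuple[str, str]]:
    return [(d, classify(d)) for d in domains]


# Constructed candidates, as if pulled from From: headers and link hrefs in a mail sample.
IDN_SAMPLE = "sécuricon.com".encode("idna").decode("ascii")  # punycode form of the accented name
CANDIDATES = [
    "mail.securicon.com",
    IDN_SAMPLE,
    "login.securicon.com.evil-host.net",
    "secur1con.com",
    "securicon.co",
    "securicon-login.com",
    "github.com",
]

if __name__ == "__main__":
    for d, verdict in triage(CANDIDATES):
        print(f"{verdict:15} {d}")
```

Digit substitutions such as “secur1con” fall out of the edit-distance check rather than the homoglyph check, which is fine for triage; the verdict is meant to route a message for human review, not to block mail on its own.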

The Chinese attackers who targeted NASA last year employed spear phishing to access sensitive information, and it’s a favorite tactic of organizations deemed Advanced Persistent Threats (APTs) by the U.S government.

In December of last year, the U.S. House of Representatives passed a bill requiring the White House to maintain an active list of APTs and the individuals who work for them. It is but one step on the long road to America’s national security in the wake of new cyber threats.
