"Cyber Security for Energy and Communications"
September 8-9, 2008
Hyatt Regency
Calgary, Alberta, Canada
Notional Agenda
Last updated: August 28, 2008
* Invited
Monday, September 8, 2008 | |
7:00 - 8:30am |
Registration |
7:30am | Trade Show opens |
8:45 - 9:00am |
OPENING REMARKS - Conference Moderator Ian Wilms, Chairman, Global Centre for Securing Cyberspace |
9:00 - 9:10am |
WELCOME REMARKS - Rob Anderson, MLA, Airdrie-Chestermere, Government of Alberta |
9:10 - 9:50am |
SESSION 1 - Opening Keynote Address Yogen Appalraju, Vice President, TELUS Security Solutions Among the sectors commonly identified as integral to Canada's Critical Infrastructure, Energy and Telecommunications are particularly important. New regulatory standards and frameworks are emerging for these sectors that reflect both this criticality, and the broader causes, vulnerabilities and fundamental weaknesses in our critical infrastructure. As recent history and events demonstrate, the need to find the optimal approach to cyber-security is urgent. In this endeavour, a close collaboration between Industry and Government is necessary, one where each recognizes and accepts its roles and responsibilities. Industry wants to know just how much security is enough, and Government must clearly define when and where its unique resources will be deployed. |
9:50 - 10:10am |
Morning Break |
10:10 - 11:10am |
SESSION 2 - Concurrent Session
Management/Executive Track - Bryan Singer, CISM, CISSP, Vice President Security Services, Wurldtech
The Next Generation of Industrial Cyber Security Risk Intelligence - Implications for Industrial Control Systems and Critical Infrastructure Protection
Technical Track - Kalvin Falconar, Senior Solution Strategist, CA Canada Co. & Denny Prvu, Principal Consultant, CA Canada Co.
Business responsive organizations are continuing to put more pressure on IT for increased accessibility for collaboration, partnerships, joint-interest transactions, eBusiness and customer engagement. How do you manage and control these new relationships? How do you enable more system activity without increased risk or exposure? How do you maintain compliance and auditability? There are growing challenges for protecting the sensitive data and applications residing on your servers. The increasing value of data, more stringent regulations, and an emerging class of corporate "insiders" compromise your information and intellectual property. This forces you to work harder to manage security policies across complex environments while your IT organization remains responsive to business requirements. What are leading organizations doing to streamline, simplify and automate protection of servers? What are leading organizations doing to manage user privileges and avoid costly exposures? One leading Canadian company, TELUS, has taken significant steps to ensure server resources are protected by employing Access Control solutions from CA. The solution operates at the system level to ensure efficient and consistent enforcement across all systems - including Windows, UNIX, Linux and virtualized environments. This provides TELUS a standard, single layer to support the auditing of each policy change and enforcement action in order to comply with global regulations. We will demonstrate how TELUS is protecting their valuable data and assets and how they’re adding value to the business by doing so. |
11:15am - 12:15pm |
SESSION 3 - Concurrent Session
Management/Executive Track - David Ruhlen, MBA, Consultant, Cyber-security Solutions Corp
Wringing Business Value from Cyber-security Standards
Technical Track - Venkat Pothamsetty, Industrial Security Architect, Cisco
Enterprise and Industrial Control Network Integration: Security and Architectural Considerations
Industrial control systems (ICS) |
12:15 - 1:30pm |
LUNCH
Keynote Speaker - Michael James Martin, MBA, GDM, SCPM, PMP, CBNT, Senior Managing Consultant, IBM
"A Business Intelligence Approach to Energy Analytics from the Field" |
1:30 - 2:30pm |
SESSION 4 - Concurrent Sessions
Management/Executive Track - Mark Zanotti, Lofty Perch Inc.
"Understanding your cyber security posture through self-assessment: Meeting security compliance with CS2SAT"
This briefing will be a concise introduction to the Department of Homeland Security's Control System Cyber Security Self Assessment Tool (CS2SAT). The briefing will be divided into two sections. The first section will provide detailed insight into the emerging standards that will have an effect on your organization. The second section will be a live demonstration of the CS2SAT and how it can assist your organization’s compliance initiatives. Attendees will have an opportunity to learn and understand how the tool works, see how the tool can be used across the entire control system domain (right down to the device level), and explore many of the features allowing users from every critical sector today to protect their industrial networks. Standards that are covered will be:
Technical Track - Vaclav Vincalek, Pacific Coast Information Systems Ltd.
The Biggest Threat to Web Security
When authorized users on "secure" web applications unknowingly browse hacked sites, they can instantly infect their own system. And the web browser - the very thing that makes the Internet so useful for billions of people - is the ultimate vulnerability that helps hackers spread their malicious code across the web. Today up to 75 per cent of hacker attacks are targeted against web applications. Web security breaches are reported daily in the media. The threat is growing. In the first portion of our presentation, we will review the evolution of security as it relates to web activity. We will then cover the kinds of attacks that are commonly used by hackers to exploit web applications using the frameworks established by security organizations such as SANS Institute and WASC. Next, we will demonstrate the ease with which a hacker can take advantage of insecure web applications to conduct malicious actions. Finally, we will discuss the safeguards organizations can take to detect and safeguard against web application vulnerabilities. |
2:35 - 3:35pm |
SESSION 5 - Concurrent Sessions
Management/Executive Track - James Arlen, CISA, Senior Security Consultant, TELUS Security Solutions
A Pragmatic Approach to Integrated Compliance Management in Regulated Environments:
Technical Track - Timothy Durnford, Country Manager, ArcSight Canada
A Practical Approach to Cyber Security within Control System Environments. |
3:35 - 3:50pm |
Afternoon Break |
3:50 - 4:50pm |
SESSION 6 - Keynote Address
Dr. Stephen Flynn, Homeland Security Advisor to Senator Barack Obama, former US Coast Guard Commander and author of "The Edge of Disaster"
"Natural and manmade disasters are not a question of if but only of when and how much damage will they cause. Changes in climate are elevating the risk of natural disasters. Acts of terrorism will remain a blight on the global landscape. Communities and firms are exposed directly and indirectly to the risks associated with increasingly complex and integrated telecommunications, energy and supply chain networks, and public services that are subject to periodic failures and disruption. Yet too often companies and citizens act as though disasters will happen only to someone else. Drawing on his best-selling and critically acclaimed books, Dr. Stephen Flynn will outline why future historians may look back on the 21st Century as the Age of Catastrophes. But this era promises not just dangers but opportunities for those enterprises, communities, and countries that emphasize building a culture of resilience. The market will reward those firms and those nations that make preparedness a priority and be increasingly unforgiving of those that do not." |
Tuesday, September 9, 2008 | |
8:30 - 9:10am |
SESSION 7 - Morning Keynote Address
Brian Phillips, Director, Bell Canada
An Integrated Communications System Supporting Energy
Brian Phillips will discuss critical infrastructure protection. Using the Vancouver 2010 Olympic Games as an example, he will highlight some of the vulnerable components and threats to energy and IT infrastructures. He will also discuss the lessons and innovations that continually emerge from the planning process and their potential value for executives in your organizations. |
9:10 - 9:50am |
SESSION 8 - Keynote Address
Patrick Gray, Senior Security Strategist, Cisco and 20-year FBI veteran.
The internet landscape has shifted. What used to be a playground for hackers, crackers and script kiddies is now a borderless abyss of organized crime fueled by financial gain. This presentation will explore the current threat landscape by highlighting the newest cyber criminals and examining the latest tactics employed by these predators. Gray will address how spammers, phishers, worm writers and hackers interact with this new crime element and how we can prepare our infrastructure to stave off these relentless attacks and protect our critical business assets. Additionally, the presentation will touch on how Web 2.0 is affecting the security of our networks. |
9:50 - 10:10am |
Morning Break |
10:10 - 11:10am |
SESSION 9 - Concurrent Sessions
Management/Executive Track - Mauricio Sanchez, Chief Network Security Architect, ProCurve Networking by HP
Secrets of Network Security
Technical Track - IBM - Hyman D. ("Hy") Chantz, CISSP, founding member and Certified Executive Consultant, IBM's Global Security and Privacy Practice
Radio, Wireless, and RFID in the Energy Industry: Challenges and Opportunities |
11:15am - 12:15pm |
SESSION 10 - Concurrent Sessions
Management/Executive Track - Michael Legary, Founder, Seccuris Inc. CSA, CISSP, CISM, CISA, CCSA, GCIH
Virtually Secure: Uncovering the Risks of Virtualization
Technical Track - Ganesh Devarajan, Head of Security Analyst and Digital Vaccine Team, Tipping Point
SCADA Networks: Security tools and Vulnerability assessments? |
12:15 - 1:30pm |
LUNCH - Keynote Address
Donald Meyer, Product Marketing Manager, High-End Security Systems, Juniper Networks SCADA (Supervisory Control and Data Acquisition) networks were designed and built before the age of cybercrimes with a primary focus on performance, availability and reliability - not security. As SCADA systems integrate with corporate networks and the Internet and SCADA vulnerabilities become more widely known, organizations are taking a hard look at risks in their operations and scrambling to fill the security gaps. Fortunately, a new generation of high-performance security products lets utilities defend their SCADA networks using the same technology that protects telecommunications, banking, and other critical IT infrastructure. The general principles are the same: keep outsiders out, keep insiders honest, keep an eye out for trouble, and keep communications open, clear, and fast - especially during emergencies. This is a review of some of the security technologies now available to protect SCADA, computer, and communications networks. |
1:30 - 2:30pm |
SESSION 11 - Concurrent Sessions
Management/Executive Track - Scott Montgomery, Vice President, Product Management, Secure Computing
The rise of the Internet and the rapid spread of inexpensive bandwidth have made "Security by Obscurity" a thing of the past. Critical infrastructure systems are now interconnected with IT systems, accessed by remote users via wireless devices, used by non-trusted operators to provide data mining opportunities for their corporations, and tied in to third party networks for multi-enterprise coordination. These points of interconnect mean that the security threats that have permeated IT systems for decades can now be spread into critical infrastructure systems virtually undetected, making them vulnerable to hackers, saboteurs, and cyber criminals. This session will provide some insight into the threats being posed and discuss four security requirements essential to protect the world's critical cyber infrastructure.
Technical Track - Lisa Lorenzin, Principal Solutions Architect, Juniper Networks
Network Access Control (NAC) is one of the critical challenges in securing today's enterprise. How do you accommodate a variety of users - such as guests, partners, contractors, & employees - with disparate resource access requirements, privileges, & levels of trust, in a single enterprise network? And how do you build a security framework that works with your existing infrastructure, allows integration of multiple vendors' products to ensure best-of-breed technology, and creates a solid foundation for future growth - both what we expect to come and what we can't even imagine yet? Open standards - designed to ensure multi-vendor interoperability across a wide variety of endpoints, network technologies, and policies - enable technology that helps ensure endpoint compliance with integrity policies at and after network connection.
The Trusted Computing Group (TCG), an industry standards body formed to develop, define, and promote open standards for trusted computing and security technologies, has developed an open architecture and standards for Network Access Control called Trusted Network Connect (TNC). TNC is designed to encompass a wide variety of products and technologies, and is the foundation for new NAC standards being developed in the IETF, enabling NAC solutions that will protect your network today and grow with you into the future. |
2:35 - 3:35pm |
SESSION 12 - Concurrent Sessions
Management/Executive Track - Brian Geffert, Principal, AERS, Deloitte & Touche, Washington, DC LLP, CISSP, ISSMP, CISM, MBA and David A Moore, President and CEO, AcuTech Consulting Group
CFATS: An Emerging Regulatory Challenge for Cyber Security
Technical Track - Barry Kokotailo, Systems Security Specialist, CSA/CSNA/CISSP/CEH/EnCE
Anti-Surveillance or How Not To Get Caught |
3:35 - 3:50pm |
Afternoon Break |
3:50 - 4:30pm |
SESSION 13 - Closing Keynote Address
Jason Wright, Sr. Product Marketing Manager, Fortinet
Why Security Consolidation is Critical in Defending Against Today's Blended Attacks
This presentation will give you the knowledge and tools you need to evaluate different solutions and answer critical questions: Is my network secure? Are point solutions practical? Are unified threat solutions enterprise-class technology? How can I implement multi-threat security with limited budget? How can my security systems help my organization go "green"? According to Gartner, "Ongoing convergence in technologies, market models and organizational processes offers enterprises a significant opportunity to reduce security costs, while improving security levels" (Gartner 2008). This presentation will equip IT leaders to seize the opportunities and benefits of convergence/consolidation. |
4:30pm | CLOSING REMARKS - Conference Moderator Ian Wilms, Chairman, Global Centre for Securing Cyberspace |