The Cyber-Physical System Security Forum explores cybersecurity challenges in critical infrastructure and industrial control systems, covering industry applications, defense strategies, and risk management to enhance resilience and operational security.
As industrial control systems (ICS) and critical infrastructure rapidly undergo digital transformation, cybersecurity risks are escalating. For asset owners, effectively mitigating site-specific cybersecurity risks has become a critical challenge. This session will introduce the ISASecure ACSSA (Automation Control System Security Assurance) international certification program and explore how it integrates with ISA/IEC 62443 standards to provide a comprehensive security assessment and validation solution for industrial environments, helping asset owners identify and reduce cybersecurity risks across their operational sites.
The speaker has been actively involved in the design and implementation strategy of ISASecure ACSSA, which aligns with key ISA/IEC 62443 standards, including 62443-2-1, 62443-2-4, 62443-3-2, and 62443-3-3. These standards collectively enable tailored security measures for industries such as oil & gas, power grids, water utilities, and building automation, ensuring sector-specific cybersecurity protection.
This session will provide an in-depth analysis of the ISASecure ACSSA program, guiding enterprises and asset owners in conducting comprehensive cybersecurity risk assessments and enhancing their security resilience based on industry-specific needs. By adopting these methodologies, organizations can effectively address evolving cybersecurity threats, ensuring the security and stable operation of critical infrastructure.
Picture Archiving and Communication System (PACS) servers are crucial for managing patient imaging data in medical institutions. This presentation explores the essential functions of PACS servers and the structure of DICOM (Digital Imaging and Communications in Medicine) files, emphasizing the importance of unique identifiers.
We discuss the processing and transmission of DICOM files using various protocols and uncover significant privacy and security risks associated with exposed PACS servers and DICOM files on the internet.
Our research has identified multiple vulnerabilities in PACS servers, including use-after-free, stack-based buffer overflow, and path traversal, which could disrupt medical operations or result in the deletion of patient data.
The goal of this presentation is to raise security awareness and provide practical mitigation strategies for medical staff and server developers to protect sensitive medical data.
This presentation will delve into how to select the appropriate security level based on the IEC 62443 standard to meet site-specific needs, helping the audience strike the best balance between cybersecurity protection and investment effectiveness. The speaker will draw on years of practical experience to analyze the challenges industrial control systems face when applying the IEC 62443-3-3 standard, including technical limitations, organizational culture, and resource allocation issues, and will share real-life examples of how to overcome these obstacles. The presentation will cover risk assessment methods, security level selection strategies, and how to effectively implement standard requirements across different industries.
In recent decades, the oil and gas industry, whether upstream, midstream, or downstream, has widely adopted new automation technologies and new communication protocols to improve productivity and monitoring. This adoption has also created new cybersecurity problems, including device vulnerabilities, insecure OT protocols and communications, and OT industries that are prone to attack. The oil and gas industry has little tolerance for such problems, because a single spark can start a prairie fire. Although Taiwan is not a major player in the oil and gas industry, this is still an issue because we rely on it deeply. In this presentation, we will go through the pros and cons of cybersecurity for the oil and gas industry and provide resolutions and mitigations for related problems.
The integration of Enterprise Risk Management (ERM) with Information and Communication Technology (ICT) risk is crucial for modern organizations. With the rapid advancement of technology and digital transformation, ICT risk has become one of the primary challenges faced by enterprises. NIST SP 800-221 emphasizes the necessity of incorporating ICT risk management into the enterprise risk portfolio and provides detailed guidelines to help organizations effectively manage these risks. By combining ICT risk with the ERM framework, organizations can better identify, analyze, and respond to potential risks, thereby enhancing organizational resilience and strategic decision-making capabilities. This integration not only helps protect the security and integrity of information systems but also ensures that risk management measures are aligned with the organization's mission and business objectives.
The new EU legislation under the Radio Equipment Directive 2014/53/EU, 3.3 (d), (e), and (f), has activated mandatory cybersecurity regulations.
As a formal mandatory regulation, coupled with three new standards totaling over 600 pages, it presents a challenging compliance issue for many manufacturers hoping to export IoT products with wireless capabilities to the EU. Achieving compliance raises a series of difficult questions: the initial selection of the product and the corresponding standard, the clarification of specific terminology defined within the standards, whether EU type certification is mandatory, and how to confirm whether a product can achieve compliance through self-assessment.
These questions will be answered in this seminar.
"Attacks on rail systems have increased by 220%." Last August, a retired official from the U.S. National Security Agency (NSA) pointed out that threats to railways have become the spark that ignites warfare in regional conflicts. In recent years, incidents such as train hijackings, railway paralysis, and the cutting off of supply lines have emerged as new national security concerns worldwide. In response, the U.S. National Institute of Standards and Technology (NIST) and the Transportation Security Administration (TSA) jointly issued more stringent rail safety standards in October 2022 to counter these threats and protect critical transportation systems like subways, railways, and train networks.
However, due to the early development of railway and train control systems, many insecure train signaling systems have been widely adopted around the world and have become the mainstream choice for both public transportation and freight operations.
To fully explore the scope of these threats, this session will consolidate and review the six major systems used in global railways and public transportation (e.g., CBTC, ATP, ATC, and PZB) and examine their underlying track signaling control systems. We will begin with research presented at CODE BLUE 2024 on ATS (Automatic Train Stop), a classic system that has been extensively deployed in Japan and Europe. Its signaling design is intended to automatically stop a train in the event of an emergency, without requiring human intervention. However, once attackers gain sufficient understanding, they can exploit this mechanism to control train operations; even the modern ATC (Automatic Train Control) systems used in North American railways carry similar risks.
The session will cover topics including braking devices, automated signal-based braking, and the communication design and security risks associated with HOTT (Head of Train Telemetry) and EOTT (End of Train Telemetry), along with real-world replay signal attacks. It will conclude with recommendations for preventive measures, aimed at guiding the future development and planning of rail cybersecurity systems to safeguard critical rail infrastructure.