Hinne Hettema
[Ports of Auckland]
Hinne Hettema is the tactical security operations leader at Ports of Auckland.

His strengths are in SOC enablement, intelligence and incident response, as well as intelligence driven security operations and security architecture.

In a previous role, he led the security operations at the University of Auckland and has also worked as security architect. He has experience working in security operations in both ICT and ICS environments, setting and driving strategy and incident response. He studied Theoretical Chemistry (PhD 1993) and Philosophy (PhD 2012). As a theoretical chemist, he played with the supercomputers of the time. His first computer was hacked in 1991, after which he developed an enduring interest in cyber security. He is a blogger for APNIC, and maintains a security blog on his LinkedIn page.

Tutorial: Responding to incidents in industrial environments

Technical Level (3 being the highest score): 2

A course focused on incident response for industrial control systems and operational technology. These systems are invisible to most people, including IT people, and are often poorly understood. The course uses insights developed from OT characteristics, architecture and kill chains to develop a defence and incident response approach for operational technology.

From the perspective of someone working in IT incident response, there are several factors that set OT incident response aside: a substantially different risk profile and different incident response priorities, the presence of old technology, and the presence of technology unknown to traditional IT incident responders.

With an increasing amount of ‘convergence’ between IT and OT, it is important that incident responders train the relevant toolkits and learn to work to the required priorities.

Topics include:

1. OT Introduction

2. OT typical architecture
a. OT Assets and asset types
b. OT specific cyber risk profile
c. OT kill chains

3. Preparing for OT incidents
a. Physical access control
b. Detection tooling
c. Network tooling
d. Memory dump collection
e. PLC Collection
f. USB toolset
g. Jump bags and response tooling

4. Analysing incidents
a. Memory forensics on workstations
b. AD health checks
c. Logging approach
d. PCAPs and network traffic
e. PLC code blocks

5. Reporting and sharing

Secure your place now!