
When Incidents Get Physical: A View Of Incident Response In Critical Infrastructure - Akash Sandhu

BSides London, 16:16, 39 views, published 2026-03
Style: Talk
Transcript [en]

Good morning everyone, and thank you so much for joining me today for our first BSides talk. I'll be doing a talk about when incidents get physical in critical infrastructure. So this talk will not necessarily ... behind when we talk about incidents.

So, a bit about myself. My name is Akash. My background is mainly in ... science, and I've had a growing interest in OT and construction. Over the summer I recently completed a competition in the sector, where I gained my first experience with an OT security team. In the past couple of years I've competed in competitions such as the cyber data challenge and the cyber ... These competitions involve you acting as a government adviser during an escalating cyber scenario which is impacting the UK. My main interest is in how cyber incidents create real-world physical consequences. So, a question to the audience: if your company was hit by a cyber incident today, what's the worst ...?

>> And clients are expecting replies, so they're a bit worried, like, oh, we're not getting this done on time. That causes budget issues if there are delays and issues with ... Yeah, essentially. Thank you.

>> Thank you for that. So when it comes to a major cyber incident, most of us think in terms of its impact: downtime, data loss and sometimes ... stressful, but not something that creates immediate physical hazards. Now imagine if the power grid went down. This is where we see how OT becomes something different, because an impact in OT grows exponentially. You see something such as power loss: it normally affects not just the company itself, it affects whatever is impacted downstream, whatever relies on the grid, for example hospitals and transport. One single system has a significant impact.

So what is operational technology? Operational technology is the hardware and software which is responsible for managing the physical processes of systems. Operational technology is something which is extremely important for critical infrastructure. It's what underpins it, and it's found in the power grid, in water treatment plants and in ... An example of operational technology is industrial control systems, and these are essentially systems which are responsible for controlling machinery. An example of an industrial control system is a SCADA system. What SCADA is, essentially, is something which manages things like the grid. You've probably already interacted with it today: say, for example, if you took the Tube, the automatic tube doors, or even just the escalator to get you up and down.

So, a couple of differences between IT and OT. With IT, confidentiality is the most important. We're mostly just dealing with data, and with companies the most important thing is ensuring that data doesn't get leaked. Referring back to the CIA triad, where we have confidentiality, integrity and availability, we prioritise confidentiality first. However, when it comes to OT it's the opposite way around: availability is almost the most important, especially when it comes to safety-critical things. An example: say, for example, in a substation we might have a system which is responsible for constantly monitoring for any faults or failures. If this safety system was not available for a ..., this could potentially lead to an actual fire, as it is not able to monitor for any cause. And what we see here is something that becomes an actual physical consequence of a cyber incident. A lot of times, in our mindset, we think that this is something that's going to happen, with actual physical consequences, and that in itself puts ... in danger.

Another difference between IT and OT: IT systems are quite well documented. It's easy to find vendors for a lot of what we need, our software needs. However, OT systems can be quite legacy or poorly documented. A lot of the human machine interface devices we find probably run on operating systems such as Windows XP or Windows 7, still, 20 years old. This makes upgrading these systems extremely difficult, and also it's not the case where you could easily find, say for example, a patch online. In IT, usually components are replaceable and standardised; you have a lot of already existing standardised stuff out there, it's easy to come across, and in that scenario usually you'd be able to find something online. However, in OT a lot of the time the equipment is ... as well. For example, when we look at the grid, we have stuff that's maybe 50 or 60 years old, and the vendors who made it probably no longer exist, and the person who was behind designing or implementing the software is probably dead. This makes these systems fragile and hard to replace. Even, for example, when it comes to replacing a component, the lead time to replace it can potentially take three years.

So how do IT and OT incidents differ? In IT, a lot of times isolation can be straightforward: pull the plug and essentially stop the traffic. However, in OT that's not necessarily the case. Isolation can disrupt physical processes and can cause significant cascading harm. So when it comes to OT, it's not necessarily the case where you can isolate and hope ... In IT the impact, as you say, stays within the organisation; rarely do you see a ... However, in OT the impact isn't just something that affects the organisation. As we see in the example with the grid, it's not only the grid that gets affected, it's whoever is reliant on it, say for example hospitals and schools. Spillover is something that's much more ... In IT systems, behaviour is usually ... SOC teams are well versed when it comes to a ... that already exists, well versed in what we have already seen, and it's something that can be managed, not easily, but essentially something not too difficult. However, when it comes to OT, due to the nature of legacy systems and how uncertain these systems are, we can't necessarily just stop it, because we're unsure what it will affect or how; for example, it could stop this component here.

So what is the impact like today in OT? Most of these are devices which are found connected to OT systems, and not necessarily something that's embedded. A lot of it is due to weak credentials, which still remain a big issue, and as of now we don't see too many devices connected to the internet. However, due to the convergence going on between IT and OT, a lot of these systems will actually have access. As of now we've not actually seen any threat actors that have displayed capabilities of actually disrupting ... This could be due to the fact that the air gaps which existed still remain, and the case where the threat actors themselves don't actually know what to do whenever they access one.

So now on to a scenario, a common OT scenario which shows the consequences and the physical impact that could potentially occur. Obviously this is a worst case scenario and not something that's commonplace. So say, for example, a water treatment plant was affected by a cyber incident. The potential first-order impact would be chemical dosing becoming incorrect, valves failing or behaving unpredictably, and this leading to the loss of the output of clean water. The second-order effect is the loss of clean drinking water, which could potentially lead to things like hospitals, homes, reserves ... or even the closure of schools and public services. What we see here is something that's not only affecting the water treatment plant; it's something which will have to involve the local government, emergency services and those who are affected. And finally this could also cascade into a third-order impact, where it could lead to public panic buying of water and the eventual financial impact of ...

Somewhat relevant to bring up: black swans. Black swans are rare, unpredictable events with an extreme impact. They're rare in that they're considered once in a lifetime. In OT, because of its nature, the likelihood of them occurring increases, because systems are highly coupled together, and it's just the ripple effect of one thing leading to another, which can have a major impact.

So, key takeaways. As we've seen with the water treatment example, if ... Not only are the actual operations of the water treatment plant stopped or impacted, you have the worst case scenario of ... getting into the water, released to the public, causing physical harm to the general public. Coordination is essential. These incidents don't only require the security team; a lot of times when it comes to OT we have to rely on and work with the engineers who know more about the system itself. And cascading effects make early action critical. As we see here, if things start from the start, it could lead to cascading into something ...

Thank you for joining the talk today. I hope you enjoyed it. I'd love to connect and hope to answer any questions you might have.

>> I could guess that you see a lot of incidents ...

>> Oh, coming up. So thank you, thank you for the question. So as of now, the incidents that mainly occur are due to stuff which is loosely connected to OT devices. So there might be an IT device which has a loose connection to something, some kind of power ... It might be something which is connected, like IoT, which has its network open, and through that someone could actually have access to power, but due to the nature of what exists, what we call the air gap, whenever, say for example, they connect, there's the case where they might have access to the device but they can't move ... I see.

>> ... adoption of security. Do you feel that there's still a reliance on access control and best practice, or do you feel there's more of an adoption now of, sort of, okay, change default passwords, change those default credentials from the get-go?

>> Yeah, so thank you for the question. So with what I've seen, obviously in particular, a lot of times, because of some of these ... and even the related, especially when it comes to when you're trying to communicate: do you understand, okay, what device, are you aware, what are the default credentials doing, do they change. That's one, from actually from the Sunday to the exercise.

So, based on research, there's definitely lots of opportunity, and a lot of times this as well can cause a big, big cost regarding nation state actors ... what their capabilities are actually ... systems. So, one more quick one.

Thank you for the question. So the example I've not actually seen, but actually seen, like, if there's actually ... shut it down. Let's get a round of applause.