
I am not going to be looking at the Discord during all of this fun stuff, but I want to try something a little different. I did a talk down in Austin, Texas on Zoom, and they told everybody to unmute themselves. So when I get rocking and rolling, if you're in a place that doesn't have screaming babies, or, well, any screaming babies or otherwise, but if you're in a place where you can have some background noise and not disrupt, just go ahead and unmute. I plan on being incredibly entertaining, and if I don't hear giggles and laughs I will get very sad and I'll quit in the middle of my presentation. It's not a threat; I just know me. I'm self-aware, and if I can't hear you people I will probably get bored.

All right, there we are. So yeah, if you unmute yourself, just give a little cough, and then I know it's happening. Oh, there it is. Look at you guys go. You will notice I do have Baby Yoda coming up on my side over here. I went way overboard on the space memes, and I feel like that's okay. You guys are my people.

"Did you run out of space for them? We're leading with the space memes already, that's fantastic."

No, no, I did not, with plenty of space here. But I will tell you that this talk is going to be out of this world. Okay, so that was a laugh line, feel free to... "Just testing the mic." That's all right. Let's do this, guys.

Okay, so this is a space talk, but it's more than just a space talk. It is a discussion of what it looks like to apply security controls to a brand new industry. And so we're going to do some case studies, we're going to look at some examples, and we're going to talk about the methodology of how you think about new industries. And I am going to have to turn off this Discord thing because it just keeps going and I can't take it. Where are you, Discord? I must kill you. All right, let's rock and roll.

Okay, so again, disclaimer: my love language is memes. I am going to be going with a lot of memes. "That's a good dog." And so let's just get a couple of them out of the way. I like memes that are a little insulting to nerds. This whole Star Wars versus Star Trek thing, I think it's great that we got Spider-Man there in the middle, but this is gonna just keep coming, and every once in a while I might get bored with what I'm talking about and we're
going to have a meme break in the middle of these conversations. So actually, this may not be a cyber security space talk; this might just be an excuse for me to share a bunch of memes. "I hear that's what social media is for."

But let's meet me. Here I am, I did some stuff. What I want you to know about is that I am one of the founders of the field of study called psychological security, where we're more interested in the gray matter between your ears than we are worried about bits and bytes. We believe that the primary security risk that we need to get better at mitigating and supporting is the human group. I'm acting chief information security officer for the nonprofit Space for Humanity. I wrote a bunch of books that even my mother hasn't bought. She bought my first one. She bought the first one, and then she's like, "The rest of them are basically you putting a new cover on the same content," and she's right. No one checks, no one reads them. I brokered the initial deal where we introduced Virgin Galactic's non-profit Galactic Unite to Space for Humanity, and that resulted in this guy, Richard Branson, doing something pretty cool, which was he gave two tickets on Virgin Galactic away to Space for Humanity. And so Hook Security here is the phishing simulation test for the non-profit Space for Humanity, and so I count that as a win. I count that as me having a company that is phishing in space, and that I'm now officially a space entrepreneur who snuck in through the cyber security supply chain. Okay, that's where we're at. Let's get into it.

So you might be wondering why I am talking about security, space and alcohol, right? And then the punch line is that we're going to cover some out-of-this-world case studies, and my co-speaker here is going to be Jean-Luc Picard, and he's going to step in in a minute on every single one of these slides
and tell you how he feels about it. So let's jump into the methodology that I typically follow when I'm trying to apply security controls to an unknown entity or unknown system, or a new industry. And it really starts with these six steps.

Understanding the big picture: if you don't understand the big picture, if you don't understand what you're trying to accomplish, then you're going to be solving problems that may not actually be solving the entire ecosystem that you're looking at, and you're going to leave a lot of security holes behind. So you gotta understand the big picture.

And then you gotta understand the flow of data and value inside of the big picture. I break data and value out into two different things. Data is the stuff that we typically are concerned about: data at rest, data in flight, data in use. But I also say value, because not all business processes are created equal, and we can experience critical failures in some part of our businesses or organizations that simply just don't matter, and then we have some that really, really matter. So it's not just data and business process, but what's the value of this that's being created inside of organizations.

Then you've got to discover logical control points and discover and set policies. This is where most of us really enjoy it. We look at the thing, find out what can possibly go wrong, come up with mitigation strategies, and begin to set policies like "thou shalt not." That's where we come up with a lot of that part.

And then we do the design and deploy of the security solutions. So it takes us till step four before we actually start doing some of our job, which is actually deploying and creating security controls and systems that mitigate the risk. But then we usually stop.

So here's my favorite part: conduct audit and governance activities to make sure that the controls are actually producing desired results.

And then establish security culture. Now some might say you should probably have a security culture at the beginning, and that's probably true, but I didn't remember to put it in until the last part, which is kind of the problem, isn't it? Sometimes we do all this other work and we don't say we should start with the security culture. And then you just typically win, right, Jean-Luc? "Sure." Jean-Luc, he's got my back.

So we're going to run through a case study of how you apply those six points, and we're going to cover something called beer access management. This is when we wrapped three million dollars' worth of security software around a kegerator. So here's how we do this. Step one, you want to understand the big picture: why are we doing this and what
do we look like? This is when you ask your executives, or you ask whoever's in charge or the stakeholders, to tell you why we are doing project ABC, or what's the big goal. So the big goal was: let's increase company morale. And the solution to do that was: we should totally install a kegerator. Great. Benefits: why are we doing this? Strategy: what do we hope to, what does it look like when we have success? Well, we have an average of two beers will get the typical cyber security nerd into flow state, drastically increasing their productivity and their quality of work. It also lowers their inhibitions, meaning that they'll actually collaborate with other human beings better.

However, there are some risks, where after two beers you get what we call a drunk nerd. And the drunk nerd is a special kind of creature where productivity and quality go way down and inhibitions go way down, and then you really begin to hear the nerd's opinions. And that's fine, we're glad they're there, but it is counterproductive to increasing company morale. So how do you mitigate that risk? Well, we thought what we need to do is mitigate the number of beers. We're going to restrict the number of beers in a period of time to the optimal beer capacity for flow state ratio. I really should have a graph. I bet it'll be a cool graph. Yeah, cheers, cheers buddy.

All right, so case study continued. Now that we understand why we're doing it, what's the flow, what's the data, how do we get... I know where the value is. Well, we got to understand the system, and then we got to understand where we're going to put a control spot. So we found the optimal control system and spot was at the line between the keg and the actual tap, and we found that we can do role-based liquid flow control based off of a solenoid. So the nerds in my company got together and they installed an electric solenoid inside of the kegerator and attached it to a Raspberry Pi that has an optical sensor, and we were going to use that optical sensor to read a QR code on your phone. So they created back-end code and a database that allows you to check QR codes in and out. As the Raspberry Pi was reading the stuff on your phone, based on the role of the user, the solenoid will be open for a particular amount of time. So if you are the typical nerd in my company, you get a 12-second pour, and we check it twice. But if you're me and you own the company, I wanted unlimited access. I wanted to pour, I wanted admin access, root access, I didn't want to be limited, because sometimes I'm entertaining and I want to be able to pour beer for whoever I wanted. So again, we wrapped three million dollars' worth of the IBM software that we were working on and used the back end for the identity and access management stuff. I'm very happy with it. That's it in practice: you type in your name, you do the thing. And so we then went through and we actually created the technology, we rolled out the solutions. But if you see here at the bottom, you shouldn't let the prisoners build the prison, right? So we were going to turn it into a beer robot and
take it to festivals. We were getting super distracted. I would like to point out in the bottom left corner that there is a plastic knife with a zip tie that's used to hold the actual optical reader. We spent a lot of money on the software, just not on the hardware.

So let's talk about what we were actually able to do. We deployed everything and theoretically life was good. But then we went into conducting audit and governance activities to make sure we were getting our desired results, and it seemed to work. But after we did pen testing and we tried social engineering, we did all your thing, we found out we failed literally everywhere. We thought we had a cool security solution, but what we did is put security theater in place and not actual real security. Social engineering happened rampant, where people would switch and hand out their IDs to each other, so that if they were limited to two: "I don't happen to drink, but you can have mine too." It's just like being at a conference where you have that one person who's always going around collecting everyone's tickets, like "Can I have your ticket?" and then they go and drink all of the IBM beer at the conference. But the real problem was me. I was the actual one, the one who was getting socially engineered, and they were going after, you know, protected... what is it, PAM? It stands for protected or privileged access management, right? So we failed there, absolutely everywhere. And the problem was that we didn't actually do a security culture, because I was the problem and I was the executive; I wasn't leading by example. And the reason why we didn't have a security culture is because my executive staff, which was me, didn't take this thing seriously. So I did the only thing I should do, and rather than fix the security problems I fired HR and removed all policies around alcohol. Yeah, take that.

Okay, so where we're at in this whole journey is that was a case study on how we go and look at a new piece of technology, or something that is a new industry, and how you actually go through and think about it. Most of us have done something very, very similar to that. Oh, by the way, this is what we ended up creating. We ended up creating a solution where... I love that meme. So that's what we built. That, by the way, is what I like to refer to as security theater, where there's a lot of flashing lights and a lot of stuff and people are behaving in what they think is the right way, but there's actually no contact, there's no actual deterrent, and it doesn't actually work. But I also call this only doing security for compliance and not actually getting the real job done. But I digress.

So let's talk about space. We're going to apply that same methodology, the six steps that I talked about, to the overall space industry, and I'm going to dive a little bit more into where the space industry is going, what's actually happening with space. We're going to talk about a couple of high-level hacks that have already happened in space and why they're absolutely ridiculous, and then we're going to talk about what might be next. And finally I'm going to introduce you to a project I'm launching in April of
2022, where I'm going to put an automated moonshine distillery on the moon. But we'll get to that in just a minute. So here are all the steps, right? Yeah, the risk culture, I should not forget that. That's just a review, that's probably a slide. Hey, take a screenshot if you want, it's cool.

But here we go. So, the space industry. Let's understand the big picture. The goal is to allow humans and their technologies to operate in space, providing digital services, adaptive manufacturing, resource collection, energy generation and distribution, and human experiences. By the way, I'm making all of this up based off my own personal experiences and the effort I've spent in space over the last 12 months. I am going to use some stuff from the Davos conference that I attended, and I'm also going to use some stuff from the governing boards that are doing their best to create the standards, but most of this stuff is my opinion, so take it with a grain of salt.

Strategy: build a global supply chain that supports launch capability, research and development, command and control, and a platform for delivering products, services and solutions as outlined by our goals. I feel like I do business talk pretty well. Benefits: space can do a bunch of stuff, primarily a catalyst for new products and services. Risks: all this new technology is going to be happening without cyber security people involved. I was going to say show of hands, but I'm not gonna look, so just like coughing: has anyone ever been a part of a project where somebody really, really smart has created technology or wrote anything out, and then they came to cyber security to say, "Hey, maybe you guys could secure this for us," and then we ended up blowing up their entire budget, and then it began to take a whole lot of time, and we missed their timelines, and now no one wants to talk to us at the Christmas party? Anybody? No? Just me? That's cool.

So how do we mitigate that risk? Well, the thing is that we got to get involved early, and the good news is that the space industry is acting differently. We are being invited into a lot of the conversations around how technology is being done, and we really need to continue that. And by doing that we're not going to make the same mistakes we made with the internet, fingers crossed, with the new stuff that we're building. But we need to come prepared. So we also need to understand what kind of security standards and controls we're going to actually request, which means our cyber security people have to partner with the space people in order to make this happen.

And this is what most people think about space: they think about these three guys riding rockets to space. But I'm about to show you that that is not the case. Launch capability is actually so very, very, very small compared to the 366 billion dollar global economy. By the way, I think that, yeah, 2019, we're actually heading on our way to be over a trillion dollars by 2030. And it's not just launch capabilities and it's not just all of that, it's actually all of the side stuff that gets created. So the effort of going to space creates a bunch of side products and technologies, and all these things have different ways of working with the existing technologies that we have. And every time one of those guys touches base with another one of our existing technologies, we've got to find a way to secure it, and cyber security is going to have to jump into this. So as the space industry grows and innovation from the space industry happens, we're going to get a flood of new technologies that's going to require people like us to jump in there and help them figure it out. Hey, good news: there's not a shortage of cyber security professionals. And good news: we always get the budget we ask for. So this should be a complete layup. That was sarcasm, but I'm hopeful. Come on, Jean-Luc, we can do this together. We're going
to make that thing happen. So how do we go through and change the game? Well, we got to basically jump in at the very beginning, and I love my last bullet point here, if I do say so myself: we need to fundamentally disrupt the way that we create technology in the space industry to make the cyber crime that's so hard to fight right now completely obsolete. And that really starts with partnering with some folks. So one of the things we're working on is some partnerships with the Jet Propulsion Laboratory. We're partnering, and when I say we, I mean some of the stuff that I'm working on; we're attempting to build a team that is doing all this. So we've got partnerships with the Jet Propulsion Laboratory, we've got some board of advisor members who have actually put devices on asteroids, and we have a flight director for the last two Mars rover landings advising us on how to approach the space industry and apply cyber security controls to them. And I'm really talking about the gray matter stuff; this is mostly the Hook Security stuff that I'm talking about.

But we need you, right? We need you, and let me tell you why. It's because of the five percent rule. I personally believe that 95% of what's going on in the space industry is exactly what we already have everything for, and it's only five percent different, right? So if you go to automotive, do we still have the same 95% of cyber security controls we're going to have to put in place? But it's where that new technology is, it's a little bit different, what's proprietary to the actual industry, that's where the rubber hits the road. And so I believe that with the innovation coming out of space we need smart human beings, smart cyber security people, to get into the early meetings in order to have a voice inside of this five percent of the technology, and it's everywhere.

So, the Raspberry Pi. Let's talk about some hacks. I'm gonna go through about three of them. We're not gonna dive deep into them, and please don't ask me questions about these, because all I know is what's on these slides. But if you do ask me a question I will make stuff up and I will sound confident when I say it.

So a Raspberry Pi was used to steal data from the Jet Propulsion Laboratory. It was sitting on a normal network, and it was just sitting there for 10 months, just sucking stuff off the network and tossing it out through a secure channel, and no one discovered it. It's crazy. Yeah, I know, we're getting sad Picard now.

Here's my favorite. This is my absolute favorite: when the International Space Station was still running Windows XP. Yes, team, it was running Windows XP. The Russian cosmonauts had a bad habit of just plugging in random USB drives that they brought from Earth into the computers on the International Space Station, and they were carrying malware and viruses and things like that. So for a very long time we were able to put a human in space, but we still couldn't convince that human not to put an untrusted USB device into a USB drive. I shouldn't laugh, but I find that just like, wow. And I love this last part, right: it's not a frequent occurrence, but it definitely isn't the first time. This is great. Anyway, good thing lives aren't on the line.

"And the thing about nickels, was it, I got a nickel for every time it happened, which isn't a lot of nickels, but it's weird it happened more than once."

That's right, that's right. "I got a fistful of nickels." Wait, wait, why do you have a fistful? That doesn't make any sense. That's hilarious.

So, this one: GPS location hacking and spoofs. This is the thing that's happening, ghost maps being pushed down. Yeah, that's horrible. Being able to not even have to take control of the device but take control of the GPS, and the human just follows it on the consumption side. And then on the actual device side, GPS is just so vulnerable, right? This one here is not funny. There was a plane that lost connection to GPS and these pilots had to land by hand. Like, a Boeing 777 is a big bird and there's a lot of human beings on it, and you don't want eight minutes before you land, or eight, where is it, eight miles before you land, for you to all of a sudden get taken off your game. And thank goodness these pilots have the right kind of training. But if you can do this kind of stuff, I mean, we're talking serious things here. Yeah, super disappointing.

So let's jump away from these case studies and let's jump back into what I believe
the thing that we can do most in the space industry, which is help with people, processes and systems. And Jean-Luc is talking about the Force, which is fantastic.

So who's currently working on security in space, and what are the standards? So believe it or not, there's a lot of people who are actually doing this kind of stuff. There's a lot of people who are working on it, but no one really has a lead. So Space ISAC is trying very hard to organize all the chaos, but there still isn't someone who's raised their hand and had mass adoption for all of these different people who are doing the work, right? You would think that maybe the United States Space Force might step in, but I'm gonna pause for a moment and just think about what an absolutely missed opportunity to come up with a wicked cool name for a new military. I mean, it's like no one tried. It was like, "Space Force, that makes sense. Where should we get a logo? I don't know, what do people recognize?" Yeah, right, maybe don't use Starfleet Command for Space Force. I don't know, it's fine.

But the good news is that a lot of these folks are actually trying to work together, and the reason why that's good news is that anybody, including anybody on this call, anybody who's interested, can actually get to work. They can jump into the middle of these conversations. Their arms are wide open for anyone who's willing to spend some time on it. There is a huge shortage of cyber security professionals who can think big thoughts in these conversations, and so if you've ever had a desire to work in the space industry, I'm telling you, you're in a great time. You're in a great time.

So where do you fit in, right? Well, I think that we are best suited to discover the logical control points inside of systems and set policies, meaning that a lot of what we have done in the past is this admin work, database work; like, we're all really good at a lot of different parts of how infrastructure connects together, which means that we have a gift at being able to see these different control points that most people might not see, and the way our minds work allows us to go through and advise on how we set policies. So this means we get to dig into the weeds on how every different part of the supply chain, production and consumption chains work. By the way, this is a lot, this is a whole lot of work, right? You can't just look at the space industry, because every company is different, every process is different, and we're going to need thousands if not tens of thousands of people putting in, you know, hundreds and hundreds of hours to actually make this thing work. And that's why we need everybody to jump in. Like, there's lots of really cool people doing case studies on hacking satellites, but satellites are actually my least interesting; they are actually the least thing that is interesting to me, and I'll tell you why in just a moment. So yeah, start thinking space security thoughts, and on potential security controls, by learning more about how all the different parts work. How do satellites talk to command and control? How do we verify, you know, how do we make sure that the rockets we're launching have the right temperature and heat variants and things like this? Technology everywhere inside of space.

But here's what I wanted you to see. So this is just looking at the satellite industry, okay? So 237 billion, and you would think that manufacturing and launch would be great, but if you look, that's, you know, 4 billion in manufacturing, 1.3 billion in launch. Where's the real money? The real money is in all of the services that support everything else. By factors of math it is bigger, right? That is 217 billion in services supporting operations, launch and manufacturing. That's all the boring stuff, that's the supply chain stuff, that's email, that's all the things, right? And the thing is, that's where that 95% is. We can step in immediately and start supporting the space industry by approaching this huge services deficit that they're having, and supporting that over there. And that's basically the launchpad. The launchpad, see how I said launchpad with the launch? Anyway, it was a pretty good pun, you guys missed it.

And this is how we're going to do it. So here's a tool for you guys. This is a fancy spreadsheet I put together. You don't need to use a fancy spreadsheet; what you need to do is, if you're enterprise, there's plenty of data analytic tools out there, but what I want you to be able to do is look at a particular process, which is, you know, how do we do ABC, and then be
able to rank it inside of a spreadsheet, get a heat map, and be able to show an executive who has budget a heat map or one picture that enacts change in policy or deploys budget for controls. So I'm going to show you what I mean by that. Does that make sense, by the way? Yeah, I'm gonna assume it does.

Okay, so let's talk about my moonshot moonshine project. And I am 100% serious on trying to put an automated moonshine distillery on the moon that will send me moonshine back from the moon. It's going to be awesome. All right, here's why we're doing it. I was really getting excited about talking about space manufacturing and the ability to get power and things like that, but as soon as I start talking about the engineering and the science behind what it takes to do adaptive manufacturing, product creation in space, most human beings just gave me a glazed look. So I had to come up with a catchy marketing ploy, which was putting a moonshine distillery on the moon. But while we're doing that, I want to demonstrate our ability to manufacture products on celestial bodies inside of our solar system, leveraging locally found resources for energy and for the manufacturing of those products. And I want to do that all from the point of view of a cyber security professional, where at the very beginning of this we are demonstrating the kind of security that you need to have to do commerce in space.

So rather than me spending the money to do that, I came up with the idea to crowdfund a prize, like an X Prize or something like that, and have a governing body that has this cash prize, and get engineering schools all over the world to participate in this. And while we're doing it, that governing board would actually hack the crap out of those teams throughout the entire way. We would do non-stop red team activities at these teams to make them learn from the beginning to lock down their stuff. So success is measured by a team being able to launch a bottle of moonshine back to Earth, where it is consumed by me on a fancy yacht. It's not enough to bring it back to Earth if I don't drink it on a yacht. So by doing a prize, that'll create a sufficient marketing buzz around the project, and we can educate the world on what the benefits are for off-site manufacturing. And I have this thing where, man, if I can get the space engineers of the future scared and aware and, you know, with cyber security in their blood, then I can change the next 20 years of space, because they'll remember that one time back in college where they were about to win this thing but then they got hacked, and really solidify these memories and put a security culture in from the beginning.

The risk is, we're going to be creating the risk, because we're going to be disrupting and attacking them, and so they have to incorporate cyber security defense measures. But the problem is that no one knows how to do this. So this is when you go into a new industry or a new kind of organization: we don't have all the processes and procedures documented, you have to discover them all. So one of the things you do is you start looking at near-industry examples. And so here is how we explore to find water. By the way, rocket propellant, that's moonshine, baby, that is moonshine. So the exact same process that we're going to follow to do some of this stuff, we can just as easily create moonshine. And by the way, that's how we're getting around some of the alcohol distribution laws on the planet Earth: we're not sending moonshine back from the moon, we're sending rocket fuel back from the moon. So what else are we going to look at? So like I said, we ought to look at something that's similar. So there's already a lot of work done for asteroid mining, and there's already a lot of work done for moonshine distillery. So looking at those two different things, we are able to then find all the
different processes that we need to look at to combine, so we have a really good idea of what kind of value chain and data chain we're going to be looking at for the security controls. And I'm going to ask a bunch of questions, right? I'm going to say, give me a list of all the business systems, give me a list of the processes inside of those systems, the business subsystems, et cetera, et cetera, et cetera. So if I go back, it is this spreadsheet right here where I'm going to be asking for all of this information so I can do a business continuity heat map and show risk. And that's the boring stuff, guys. This is weeks and weeks and weeks and weeks of work just to get a beginning of the data that we need, and so it's a really, really heavy look. I just thought, so I'm a bit dyslexic, and I saw in the bottom right corner "list of key stakeholders," and for a split second I thought I wrote "list of key skateboards," and I was like, that wasn't right. Oh, Picard, you and your funny jokes. He loves this stuff.

All right, so then you go into what we already all know how to do, which is running your very straightforward cyber security assessment using one of your favorite frameworks. I don't care which one you use, they're all great. I'd rather you be having the conversation with the space people than actually not. And so what I would be doing is attaching some of these frameworks to the development processes of the competition, meaning that these folks, while they're reporting out their progress back to us, are also going to have to go through security assessments and all the best practices that we wish everyone would do.

So I'm going to be wrapping up here. The real point of all this was to try to get you excited about space, to get excited about the fact that you have a unique skill set in understanding how everything works together, and that the best thing that you can possibly do is jump in where you see fit and help guide them through this. And what you need to know before you can help, because sometimes trying to help will hurt people: before you can help you have to understand the big picture, you have to understand the flow of the data and the value, discover logical points in the system and set policies, design and deploy security solutions, conduct audit and governance, and establish the security culture. And then again, Picard thinks you can do it. So we're done, team. That was my talk. I'm happy to take some questions. I see that there's some chat going on here, but I'm going to
close that up because it wasn't funny. Does anybody have any... you can take yourself off mute, by the way. Go ahead and jump in and say words, because, yeah, hold on.

"If nobody has any questions, I have a question."

Yeah, let's do it.

"For a student, no experience, no nothing, still in college, the idea of working with space from a cyber security aspect is extremely appealing."

I know, right? That is, it's seriously really, really cool.

"I've never thought about it. Where would someone, when you have your entire career in front of you, where do you start if that is appealing to you?"

You test the waters there. The cyber, I'm sorry, the space startup field is booming, it's huge. The first thing you do is you volunteer. Like, if you're still in school and you're still going, and you probably can say "I've only got 10 hours a week or 10 hours a month that I can help," offer your services to space non-profits, to space startups, to all those kinds of things, and build a bit of a book of business and resume, so you can say, "Yeah, I am in the space industry, I've helped space companies, I understand space culture, let me..." And by the time you're out of school, there you go, you have a start, because it is about who you know and it's about making those connections. So step up, serve. But there's also a rabid amount of cyber security jobs out there inside of the space startup field. Typically, though, these companies are... I don't know enough about that particular field to advise you on that, but what worked for me and how I got into the space industry is I went and I volunteered for a space nonprofit, and that's worked real well for me.

"Okay, thank you."

Anybody else? All right, well, I had fun. I hope you had fun too.