
BsidesLV 2024 - IATC - Tuesday

BSides Las Vegas · 9:03:14 · Published 2024-08
Transcript [en]

Super glad you are here. This is the I Am The Cavalry track, and yes, that is the appropriate response. We are very excited to provide to you, over the course of two days, 12 hours of very compelling content. We've got a really good audience. How many people here, this is your first time at BSides? We'll start with BSides. Oh, that's amazing, that is awesome, so many people first time at BSides. Okay, how many people, this is your first time in an I Am The Cavalry track? Raise your hand. Awesome, it's fabulous. We've got some pretty compelling, I would argue interesting, challenging, a little bit provoking, some would say unhappy news, but I won't say unhappy news; it's better to be prepared for that which is coming than to be surprised and not be aware.

Are we getting the voice? Huh. All systems fail. Anyone here, any IT professionals? HDMI, there's two of them, there's one and two. HDMI, oh, too fast, too far. All right, while that's going, we don't always need slides. One more. You want to hit that? That's what happened upstairs, we switched it to the other. No? Oh.

The basic conceit back then, if I get the slides working you'll see we've improved it a little bit, what I said with Nick Percoco upstairs 11 years ago, August 1st, was that our dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, economic and national security. One more time. I have another dongle too if your dongle is bad. Okay, if you want we can put your slides on. Sure, okay. That was true 11 years ago. We wanted to focus on where bits and bytes meet flesh and blood; we wanted to focus on public safety, human life. Initially, you might recall, we did the Five Star Automotive Cyber Safety Framework on our first birthday to look at how cars could be safer. We wanted to pivot from an easy thing like cars, with only 20 car makers, to a much more challenging space, medical devices, because there's 10,000 medical device makers of all sorts of flavors. And it was an audacious goal: that if we use empathy and teamwork and complementary skills, if we were a helping hand instead of a pointing finger, if we try to be part of the solution and meet people where they are, identifying with their risk, using their love language, that maybe we'd have greater results.

Now over time, as we were embraced, what we've sort of morphed into is that through our overdependence on undependable technologies we have created the conditions such that any accident or adversary can have a profound impact on public safety, economic and national security. So quiet yourself. For today we're going to kind of outline what today's going to look like and set the tone, but really ask yourself, when you look at things like Change Healthcare, which is a single common dependency across most of US healthcare: something north of 95% of hospitals had cash flow disruption for months. Most of the country's hospitals have four to six weeks of their burn rate on hand; that's about it, that's their cash reserves, and they were down for months. So, short of emergency relief, we had severe financial strains on already strained US healthcare, where you and your family need timely access to patient care when and where you need it. So, one hack. Everyone counted the dollar amount of the ransoms or the number of breached records. What you should have been paying attention to is degraded, delayed care. When we look at national critical functions across healthcare, everyone focused on HIPAA, the confidentiality of your PHI, and they forget that there's three others we're responsible for, which is maintain access to medical records, which is how we know your chemotherapy cocktail if you need it to stay alive and stay with your loved ones; it's also how you can get approved for surgeries and other things like that. More importantly than just the access to medical records is provide medical care: timely access to care when and where you need it. And as the protracted nature of financial disruption occurs, and the workflow is broken, and billing and insurance for payment is broken, this further financially stresses hospitals to the point of closure, as we described last year, where we saw St. Margaret's in Illinois close its doors forever. And it's not the first one to close its doors; it was one of over 200 rural hospitals to permanently close on the US footprint, but this was the first one to publicly admit that their ransom event had a contributing cause to their financial outcome. So when we look at these things, we're not just looking at the confidentiality of the data but the ability to have access to your medical records, to provide medical care in a timely manner, or to have a hospital close enough to you to get timely access to patient care. These are growing consequences, and that's a hack. Well, what about the CrowdStrike event we recently incurred? Malicious intent is not a prerequisite to harm; that's part of our canonical framing, reminding us that it's accidents and adversaries. So when we are overdependent on those undependable things, we expose ourselves to these disruptions.

So I want you to soul search, and tell me if you hear any lies detected across these critical infrastructure sectors, lifeline critical infrastructure sectors: we are seeing more disruptions, larger disruptions, longer disruptions, and more life-safety-affecting disruptions, and the people in our communities don't call these hacks or glitches; they just feel disrupted. It disrupts patient care, it disrupts cash flow, it disrupts workflow, it disrupts flights to your own wedding. And I feel increasingly like we are failing the public. So it's not 100% your responsibility; we have a government, we have private industry, we have the talent pool in this room and at DEF CON later this week, but I believe we have allowed the public to trust things that are untrustworthy. We made them feel like it was safe enough to connect water and wastewater facilities to the naked internet, and through this overdependence on undependable things we're in the state we're in.

And the reason we want you to really be present and simmer and allow yourself to be comfortable in your discomfort for today and tomorrow, and we're going to outline what that looks like, is that it's about to get worse. So you don't have to believe in this as a certainty, but we saw in January a few things. One is the top four cyber leadership figures for the US testified in unclassified briefings to Congress about their detection and eviction of a campaign they refer to as Volt Typhoon. Has anyone in here not heard of Volt Typhoon? You're going to hear a lot about it today and tomorrow. Okay, so the very tiny thumbnail, to not take oxygen away from some of the other presenters, is that China's national public stated policy is they have intentions towards Taiwan as early as 2027, and part of the Volt Typhoon campaign that was shared with Congress in hearings you can watch, and probably should watch, I re-watched them again yesterday, is you had the FBI Director Christopher Wray, CISA Director Jen Easterly, recently retired General Nakasone from NSA, and the Office of the National Cyber Director in the White House, Harry Coker, all telling Congress that they have found a campaign called Volt Typhoon in critical infrastructure: present malware that they had to evict, lying in wait, not to ransom, not to shut it off for a day or two, not to use as a botnet, but as what they're calling pre-positioning. It's in place as either a deterrent or on an escalatory ladder such that they could rain chaos and destruction on this infrastructure to keep the US either distracted or out of the fight.

Now, how many of you took a flight to get here? Okay, to take a little pressure off, how many of you heard the mandatory speech, "in the unlikely event of a water landing," what you should do? Okay. So maybe this is a very low probability event, and maybe it's not 2027. Some people think we can use economic sanctions or maybe diplomacy, or maybe it depends on who's in the White House on how we're going to treat something like this, or maybe if you ask Dmitri Alperovitch, I think he's saying '28, '29, so maybe you have a couple more years. But I think the thing that you should simmer with today as an exercise, think of this as a tabletop crisis simulation for the next two days: in the unlikely event of a conflict, it will be a hybrid conflict, and this isn't a theoretical scenario. We have found the presence and intent in stated policy, and whether it's China in 2027 as part of a hybrid conflict, or sooner with Russia, we have conflicts underway in Ukraine, we have conflicts underway in the Middle East in Gaza, and had the recent flare-ups with assassinations in Tehran. So any one of these times we see a conflict, it could be a hybrid conflict, and what this room knows is that we are prone, we've been prey, and we've really been lucky that we haven't had sufficient predator appetites and interests. So since we know that we have had hacks of the water we drink as early as the pandemic, the food we put on a table with things like JBS, Dole, or the talk you're going to hear later today, the oil and gas pipelines and municipalities that do last mile for power for the US, or timely access to patient care, in record levels, hundreds of attacks per year, and even when they don't hit the hospitals they can hit Change Healthcare: we have seen proof of harm in the water we drink, the food we put on our table, the power for our communities, and even the healthcare we depend upon.

So at RSA this year I did a talk in a workshop called Getting Serious, as a double entendre: that things are both getting serious and it's high time that we did. Yes, the government's doing some things; yes, they're doing some good things; many of the things they're doing are going to take years to manifest. So I pose to you: if we are two and a half years, a little under two and a half years, from a 2027 calendar, what is the art of the possible that we could do to make sure that we're as resilient and ready as possible? What can we do left of boom? What can we do right of boom? If you want to sit through this as a citizen whose family could be affected directly, think about what do I do for my household, and if you have a little bit more empathy and heroism in you, what can you do for your town or your county, and perhaps if you're feeling really heroic, maybe what can you do for your state. But we've tried the top-down federal push, and there's a lot of things happening there, and they will eventually bear fruit, but we have excluded that last mile. We've excluded the owners and operators in your communities, the municipal leadership and our neighbors, and they increasingly bear the brunt when we fail.

Want to try? Yep, okay. Okay, so let's do an exercise while he's doing this, because you don't need to see for this.

Close your eyes for a moment. I want you to picture the hospital that you take your family to. What's it called? How far away from your house is it? Once you remember the last time you were there: was it to see the birth of a child, to take a wounded family member, to say goodbye to a friend? How far away is that hospital? Okay, now I want you to picture that it's unavailable to you. Where would you go instead? Is it across town? Is it in the town next to you? You know the name, which one's closer. Now what if that's also owned by the same company that's ransomed? Okay, open your eyes, please.

Last year I showed a map of the US. Back when I did a congressional task force for healthcare industry cybersecurity in 2016 and 2017, we referred to the nation's 7,000 hospitals. If you look at all the new materials from the government, we refer to the nation's 6,000 hospitals. What happened to the other thousand? Now, this isn't cyber, but US hospitals and privatized medicine, for a whole bunch of hazards, financial constraints, nursing shortages, a pandemic, lots of different reasons, private equity firm takeovers, normal mergers and acquisitions, we went from 7,000 to 6,000. I showed a map last year that was animated with over 200 rural closures. They're not just bought by somebody else; some of them are gone forever. And we know time is brain. We know for heart you have 4.4 minutes to see a measurable, quantifiable difference in mortality rates for heart conditions. We know for strokes it's one, three, four hours. Time is brain: save life, save brain, talk again, walk again. Christian will go through that later. So if you don't have a hospital within a couple hours' driving distance of where you live, you're increasingly likely to perish or suffer if you don't have a hospital. So out of those 200, we've been pushing pretty hard for the last year. As we were packing for Vegas this year, a report came out through Becker's: there are another 728 US hospitals at critical risk of immediate closure or at risk of closure, so the bottom two, you know, the most intense two risk categories, again not due to cyber, but it's based on their cash-on-hand reserves. So if they have four to six weeks cash on hand and a ransom could knock you out for 12-plus, that's a death sentence. They will not get back up from that punch. They will either be put out of business in your communities or weakened sufficiently to be part of an acquisition, strip-mined with worsened outcomes, worsened care, and worsened capacity. So I am not holding us accountable for a weakened, stressed US healthcare footprint; I am pointing out that we've had hundreds of ransoms per year, and none of those hospitals should close on our watch because of what we're doing or what we're failing to do.

So back to that point of being over-dependent on undependable things: I think it's time we try something new. There's a couple things I'm going to share. So let me start with today and tomorrow's track, without visuals. Number one, we wanted to open today to ask you to sit through a very well chosen set of talks. They're going to focus not on everything critical, not on everywhere bits and bytes meet flesh and blood, but on four key areas. You're going to see a talk from Sick Codes and friends; he's actually here this year, his flights made it, no substitute for Casey John Ellis, on Hungry Hungry Hackers, where we're going to look at some of the strategic concentration of risk in cold chain and food chain, where disruptions can have a more profound impact. So I want you to think about the food you eat; hackers like to eat. We're also going to have a talk from Dr. Christian Dameff, one of the co-founders of cybermedsummit.org, and he's going to talk about Healthcare in Intensive Care. We've been talking; we told Congress in 2017 healthcare industry cybersecurity was in critical condition. The sector leadership intends that by 2029 to go from critical condition to stable condition, and we said, guys, it's actually going the other way, it's getting much more dangerous. So we're going to hear from Christian about hospitals.

Now, these things are interdependent, so what we came to learn through some of this disaster planning for things like Volt Typhoon is what happens when the water goes out. So at this year's CyberMed Summit in DC we had an emergency physician and disaster scientist walk the audience Socratically through... is it working? Okay, we were walking the audience through when the water goes off, what breaks in the hospital and how quickly, and let me just tell you, you'll hear a little bit more from Christian, but no water means no hospital, real fast. You can go without power for a while, you can go without food for a while; no water means no surgery, no flushing of toilets, no sanitation, no scrubbing in, no cooking of meals, no hydrating of patients, and that's just what's in the hospital. Whoa, okay. So I'm going to call an audible given how little time is left, and let me get through two more of these for today. So you're going to have Hungry Hungry Hackers, you're going to have Healthcare Is in Intensive Care. Dean from the water sector is back, and he's going to help us understand, is it an inconvenience, how inconvenient and/or catastrophic is it if we lose water, and most of your communities have one and only one water and wastewater facility. So Dean's going to give the perspective from the water industry itself, and he's increasingly been part of this hacker community.

And then Emma is going to talk about Living With the Enemy: how much certified pre-owned infrastructure we have in municipal power. So this could be electricity, oil and gas, heat, you name it. So today is really going to simmer in what has happened in the last 12 months since we were here last year on water, food, power, and urgent care, emergency care, but also I've asked each of them to say how bad could it get if you saw destructive malware, not inconvenience malware but destructive malware, hit any one of these, and also which ones upstream and downstream you depend upon. And if today kind of paints the edges of what are the elevated consequences we're facing, then tomorrow has three two-hour blocks of uncomfortable conversations where we're going to look through what can we do to protect our families, our communities, both left of boom and right of boom, so that we make sure that in the face of escalating disruption we start ratcheting down how disruptable we are.

So I have a few closing remarks to do in a second, but do you want to do your garden thing? Yeah, I can do it really quick. All right, at times you may feel like this is doomsday prepper. Remember, in the unlikely event of a water landing: we hope that never happens, but there's no technical barriers to us having destructive disruption of some of these four basics. So maybe instead, so we're not talking about doomsday preparation, but we want to talk about life, we want to talk about gardens. More on this is coming tomorrow, but think of a garden, think of a victory garden. For those of you who do not have real estate upon which you can garden, next slide, think of a community garden. We're going to try to engage with you to talk about the concept of community and what it means to work with each other toward a common goal. And, next slide, when we think about gardens we should 100% think about water. So, more on this to come. There are actual tangible things that we can do today, more coming on this, to prepare for certain unpleasant situations. So it's not panic, it's not merely pick up a hobby of gardening.

Things are getting pretty serious. I talked about Maslow's hierarchy of needs a lot. There's a lot of things that we could protect and do protect, but we tend to protect the things that we can live without, and we have messed with water, with food, with oil and gas for the Eastern seaboard, with the municipals that run our towns and cities, the schools your children attend, higher ed, federal agencies charged with national security, timely access to patient care, with now proven mortal consequences. We know it's starting to affect patient care, patient human life. Initially the COVID task force that Beau and I served on published the first statistical proof of loss of life, using data science during the pandemic, from excess deaths associated with ICU strain. This inspired other publications that Christian Dameff is going to walk you through, where they saw the blast radius of an attack on UCSD, excuse me, on Scripps Institute in San Diego, had worsened outcomes in the hospitals who took their overflow. So the blast radius increased wait times, worsened outcomes, and then later he studied heart and other conditions that are time-sensitive to show that during a ransomware the death toll goes up. So he will explain that with the right language that I'm blowing. And then we saw, even if we can get the hospitals right, or the communities who take the overflow right, that the financial constraint is not being down for a six to 12 week period, it's being down forever. This is the map I referred to, where you're starting to see every single one of those dots is a permanently closed facility. And we learned in DC from the head of the Healthcare and Public Health Sector Coordinating Council, Dr. Mark Jarrett, that when a hospital leaves a region, there's a corresponding 10 to 15% drop of economic stability for that region. So what starts as a care desert becomes a desert desert, as it can't sustain protection for the people who live there, and if the people who live there are in a major hub for food production or manufacturing for our increasingly consolidated supply chains, depending on where this is in the map, this can be a worsened outcome.

Then we learned that even if you do everything right, and even if you have the financial security to make sure you're not one of those dots, that a common systemically important critical infrastructure entity like Change can knock everybody down. It's a class break. So systemically important critical infrastructure has been a longstanding policy the Cyberspace Solarium Commission has been pushing, and nobody in the government, nobody in the private sector wanted to do it. They kept putting off their homework and hitting the snooze button, and what I pointed out to CNN is: if we don't proactively identify our systemically important entities, and I'm hoping each of the four speakers today do so, help hint to us what these systemically important entities are, these weak links in the supply chain, maybe a dozen or so that if they go down everybody goes down; if we don't find them proactively, our adversaries will continue to reveal them to us while we burn.

So I hope we don't have war. Tomorrow we're going to have some talks from me and White House ONCD midday, followed by Beau Woods and Carl to talk about wartime footings and wars, rumors of wars. Maybe we won't have one, maybe we'll have some Volt Typhoon activity in 2027 or beyond this elevated threat context, but maybe we have more time. But one thing that is a deterrent for them trying is if we can get our act together on resilience. It's not just China, though; we have conflicts in Ukraine, conflicts around Israel, Gaza, so we have Iran to contend with, Russia to contend with, North Korea's got a decent capability, and if you haven't read Ghost Fleet, now is the time to do so. I think August Cole made his book free for download now. You can have a global superpower, it's really well fortified, that you'd be an idiot to invade the city, but you can also take it out with its aqueducts. So I am going to ask that people pay keen attention to water over the next two days.

And we don't have a ton of time. The government's doing a lot of the right things, but it's going to take 10 years for some of those policies to matriculate. This room helped cause and pass into law the PATCH Act last year, so we have mandatory minimum cybersecurity hygiene for all medical devices as of last spring: they have to be patchable, they have to have coordinated disclosure programs to work with hackers, they have to have SBOMs, they have to have threat models. We have done a great job, and it takes 15 years plus to rotate out all the bad stuff slowly over time. So we're doing good things, but we don't have infinite time. So think like Apollo 13: they only had a little bit of time to save those astronauts and what was on board. It's not science fiction movies with Tom Hanks, it's a real thing that really happened. Remember, Y2K was my first job. A lot of people think it was a nothing burger; a lot of us know firsthand it was a nothing burger in part because we said here's how long we have, here's the stuff that's too important to fail, how do we put our COBOL programmers on those things and our testers on those things. Many of these owners and operators are what we referred to in the past as target rich, cyber poor. They can't just do best practices, they can't just buy some products, they can't just take free products from Google or Microsoft, although that might be part of the solution. So think about getting your stuff off Shodan, think about avoiding the bad practices like end-of-life, unsupported operating systems naked on the internet, think about maybe the CISA Cyber Performance Goals. At the talk at RSA, which I hope that you watch, David and I talked about certain things that go away and smash and break. So to channel Kaminsky, who is formative to the Cavalry in the first place, and one of his best lines was: of all the things hackers break and smash, perhaps the most important are assumptions. Maybe at your leisure talk about how, if your business or your community thinks that they're insured, they're not; or that their BC/DR covers this downtime, it doesn't; or that your backups make you more resilient, make them watch the video from Idaho National Labs blowing up the diesel generator; and if you think our supply chain is resilient on paper, trust me, during the pandemic it wasn't resilient in real life. So you can watch that at a slower pace as they pivot towards the next speaker here.

So let me pivot to this. Today is going to be looking at the last 12 months of increasing disruptions and asking the question: if we saw destructive malware, like has been found and evicted already from things like Volt Typhoon, what would happen? And tomorrow is going to be getting really uncomfortable about what we can do about it as citizens, for our families, for our communities, on that hierarchy, because the government's doing stuff, it's just not going to manifest fast enough, and if you haven't noticed we're about to have a bunch of elections and change of political leadership, and we're going to lose some momentum in the last two and a half years we have to prepare. So on the food you're going to hear from Casey, on the water you're going to hear from Dean, on the municipal power you're going to hear from Emma, on the hospitals that you need for life and death you're going to hear from Christian. We have some other great talks today, but that footprint is not heading in the right direction, could get worse from financial constraint, and once again, for real this time: if it's not us, who is it? And we can't do it alone, so it's going to take some urgency and courage, and once again, you're the Cavalry.

I have an announcement to make. I hope I can do this quickly without cutting into our next speaker too much. All right, let me do the announcement here. So last year I posed: we've been doing this for a decade, it's been amazing, we've had more results than we thought we could, but what should we do for the next decade? Should we end it, transform it, combine it with other initiatives? And that's been a difficult thing to answer, especially because of some of these larger disruptions. So I have to announce today at least one opportunity for this. We're not committing the Cavalry to this without your consent, but we are hoping this strikes a chord with you. Today we have announced, I have taken the lead of a one-year pilot. Craig Newmark from Craigslist, a philanthropic donor here, has been taken by the urgency and the impact on civilians from some of the materials that we've been working on, especially in the context of a 2027 situation.

donor here has been taken by the urgency and the impact on civilians from the some of the materials that we've been working on especially in the context of a 2027 situation so I let's try to do this for memory um the why is we are over-dependent on undependable things increasingly manifesting harm for average Citizens We're increasingly failing them these these accidents and adversaries and that's mostly been accidents and financial adversaries so heading into 2027 could get worse so the what we're going to focus on the Nexus of water food emergency care and local power the when uh working backwards from a ticking clock of 2027 maybe we have extra maybe we have less the answer

becomes what is the art of the possible to to identify and buy down risk maybe it's not Shields up maybe it's connections down for these water facilities maybe it's not just do zero trust maybe it's that we work with them on tabletop crisis simulations and we find their Love Languages so the how I'm going to take a page out of disaster science When A hurricane's coming you don't wonder what the public can and can't digest there's three eyes that we're going to bring to bear here with a creative arts budget number one is in form number two is in influence number three is Inspire the more consequential a thing the more forthright we must be

you never exaggerate and this is going to be hard for this room you never discount or downplay you tell them what you know you tell them what you don't know in a way that they can understand number two you influence their behavior the ideal thing we think you could do to remove harm is XYZ failing that here's some other best Alternatives and then the Inspire is you stay in contact you encourage that if we stay updated and we innovate and we share Lessons Learned we're going to be okay so we're going to try to take a page out of these unnatural dis of natural disasters to help us with some of these unnatural disasters and then

lastly um it's not going to be technical manuals we're going to meet them where they are find their love language translate and make this accessible using for the first time a creative arts budget so these could be explainers these could be videos these could be podcasts these could be memes and World War II style po propaganda this could be Bar Rescue Kitchen Confidential type methods to do whatever works with AB testing intensely for one year where the pilot is going to be focused is initially on the Nexus between water and hospitals because no water no hospital so you are not required to participate but the working title as we work with the creative arts Sten sees and find our

ultimate language is undisrupted 27 so what is our Northstar of course we're not going to protect every water facility in every Community from every single attacker by 2027 but when you say how do I reduce a little risk you do certain things but if you ask how could I make this community undisrupted you might actually ask important things so keep in mind that Cavalry will continue on its own ideally with a focus on how to best protect you your family your community but we may also be able to create demand for some of these Central Federal resources in parallel so with that um there is also um a wired article this morning from Lily hey Newman that I'm dying to

read, and I want to make sure that, please, you suffer a small amount of discomfort for a day or two and see where it takes you in your brain, and ask what you're willing and able to do. Maybe we can try some things this year and really scale some things next year. When we were running the pandemic stuff, we didn't have three years to harden these vaccine supply chain targets or rubber glove targets or hospitals; we had about three months. And when you start to ask yourself what can I do in three months, the answer is nonzero, and sometimes it's really good. So necessity is the mother of invention; we have

some of that now. I respect and admire each of you. Look at all we've accomplished for the first 11 years. Let's really be present with our discomfort for the next two days. I look forward to it.

That was fantastic. I'd like to welcome Dr. Raymond Sheh to the front here. Dr. Raymond has an amazing background with trusted robots, autonomous systems, and the thing that everybody is always talking about all the time, and we're going to do it too: we're going to talk about AI. But we're going to talk about it in a manner that's really relevant and germane,

especially to emergency response. He has a very long bio, but it is online, so you can 100% read it. What you should do after he talks is you should definitely ask him about his experience with robotic lion cubs and his superhero alter ego efforts to avert the next AI winter. So, Dr. Raymond, over to you.

Okay, good day everyone, and thank you very much for the kind introduction and for inviting me to give this presentation. So I'm talking about cybersecurity and AI risk management challenges for the next generation of public safety systems. In the introductory speech we talked about

healthcare being a massive target. What was touched on there, that we'll expand on a little bit in this talk, is that the folks who are keeping us safe are themselves very poorly resourced on cyber, but they're also being inundated with more and more people selling them things: selling them AI, selling them this, that and the other. And there is a massive, massive asymmetry in the amount of understanding between public safety folks who are keeping us safe and these people who are trying to push whatever they're trying to push, just in terms of information generally, not even in terms of risk management. How do we help with this? That's kind of going to be what I'm

going to talk about for the next half hour or so. The usual disclaimer that we all have: these are my views, they're not representative of the views of NIST, Johns Hopkins, or any organization that I am or have been affiliated with, and certain commercial products may be identified to foster understanding; they don't imply recommendation or endorsement by myself or anyone else. By the way, everyone can hear me when I'm doing this, right? Yeah, all good, perfect. Okay, so, very quick introduction: who am I? I am a doctor, not the healthcare kind of doctor; I do surgery on robots, not surgery with robots. My PhD is

in AI, robot behaviors, in that wonderful, wonderful period between the end of the last AI winter and the influx of deep learning, when mathematical rigor kind of mattered. I might be bitter. I got one chuckle from someone, okay, I might actually have a chance with this audience. By the way, first time at BSides, so thank you, and apologies if this talk is completely off from what you're used to at BSides, because I've got no idea what you're used to here at BSides. But I had a long-term interest in cybersecurity, just from a fun perspective. Who here remembers the first edition of Hacking Exposed, the book? Okay, yes, so

that was kind of my entry into this, back in the days of messing with Windows NT and all that fun stuff. Apart from playing with robots, I did things like teaching cybercrime and secure programming and industrial automation robotics and things like that. Relative to this discussion we're having here, though, and things moving slowly: last year was actually my first DEF CON. Prior to that I had a bit of a gap; my previous cybersecurity conference was SANS 2013, and it was interesting seeing all the

things that in 2013 they said would be solved in 10 years, and I came to DEF CON and they're not. But we need to deal with this, because 2027 is not that far away, and where this is particularly problematic is with these things, right? We're having a hard enough time dealing with them from a network's perspective, from a computer's perspective, from a cell phone's perspective; what do you do when it's a medical device, or when it's a robot? And as was mentioned, you cycle these things out in 15 years, right? What do you do with it when it's a car? This

wasn't the point of this car, but anyway. My background is very much on the measurement science and requirements side of the house; that's why we have a car full of QR codes, testing the ability to actually see: is this the car I'm looking for? Is this the lost hiker? Is this the person who actually needs our attention when a robot goes in, when they're doing triage, who is actually injured, and so on. How do we measure the vision? That's kind of where that's coming from. Anyway, moving on: why

am I doing this? I'm doing this because I see the big issue here is people are shouting into the ether, and the ether isn't listening. I really, really loved the way it was put earlier, that we need to speak to these people in their love language, and I hope to be able to talk to you a little bit about how to speak the love language of public safety, because these people are crying out for our expertise. They're crying out for something that's going to help them deal with this information asymmetry, where they're being sold all this stuff and they're being pressed with "hey, this will help you with your

outcomes," or, as some of them get told, "if you don't adopt this, people are going to die," and they don't know what the alternative is or what the downside is. Anyway, as may have been alluded to, again, I'm representing myself, but I did do a lot of work with NIST. I like definitions. This is the first pain point that you will find when you're talking to public safety, and actually this is probably not unfamiliar to most of you anyway: there are lots and lots of people who mess with the definitions to try and get people to

buy their thing. And the problem that public safety runs up against is that they're used to having very good definitions for things; they're not used to people playing silly buggers with the definitions like this. So I'm going to propose a few things here for this discussion. Cybersecurity: we all know what cybersecurity is, right? We're at a cybersecurity event. If you've gone and had a look at all of the various cybersecurity framework or guideline things and you compare all the definitions and see what is and isn't part of it... I like NIST SP 800-53: "prevention of damage to, protection of, and restoration of

computers," blah blah blah, all that. Make sure that the people you're talking to know what is even within scope of what you're talking about. That one's easy. This is the one that I love: what's artificial intelligence? As a devout Australian, I have a nice saying for this one: the definition for artificial intelligence is like the definition for football; we are not going to agree. I used to get very, very upset with people when they used the wrong definition of AI. Right now, everyone thinks AI is like generative stuff or deep neural networks or something. I remember a time

when everyone was getting upset that everyone thought AI was machine learning. This is actually the first one that public safety people, and actually people who have this asymmetry, get really, really wrong, and that is that AI is many, many things. Where this is important is that there are many ways of getting the result: there are many ways of doing license plate recognition, there are many ways of doing routing of your ambulance, there are many ways of figuring out where to put your next fire station to get the best response. It's not just deep learning. Helping to educate these people, saying there are alternatives that are not just "throw deep learning at the

problem" or the latest deep learning startup, and so on. On the flip side of this, on the AI side, is that there are many dangers that are posed by AI that these people don't know about, and that we as practitioners of the computer sciences need to educate them about. For example, one discussion that I had, and we'll talk about this later, was for Next Generation 911. Who here knows about swatting? Who here knows about Next Generation 911? Okay, so, the really quick version: it's 911, but it lets you also submit imagery and video,

because it helps. Rather than having some panicked caller calling 911 who can't talk coherently because they're in a panic, and the best of us get there, I've been there, and I thought I was pretty level-headed, you can just send a picture and they can know exactly what's going on. How much easier is it to swat someone when you have generative

AI? Now, that's bad, but at least the 911 folks kind of know about this. They know enough about it to say "yes, this is a problem"; they know little enough about this to say "but we'll just train another AI to detect it." There is a lot of education that we need to do out there just on these basic concepts around AI. Public safety: this is a scope question. Public safety is not just your ambulance, fire, police, whoever. This country loves its privatization; public safety also includes all of the companies that are providing contract services, who are now kind of in the worst of both

worlds, insofar as they have to be commercially competitive, they have to sell their service, so they have to be buzzword compliant, and they may not be fully regulated the same way, and they may not have the resources or the impetus. And yet these people are also part of public safety, insofar as, as was mentioned before when talking about healthcare, your hospital can do everything right, but if the insurance processor gets popped, you're still screwed. Let's see, contract supplies, okay. Risk management: we're talking about identifying and controlling risks, and a big chunk of risk management here that I think we all need to, if we're

talking with these folks, need to be very cognizant about. Well, there are a few things. The first one is: risk management is not risk minimization; it is not risk elimination; it is not risk avoidance. What do I mean by this? These are people who are authorized to drive 20-ton vehicles the wrong way down Main Street through red lights. That is not risk elimination or risk minimization from a driving perspective, but it is risk minimization from a society perspective, relative to the probability of something going really bad if they don't get to the burning building in time. But society participates in that risk management: when we hear the sirens and we see the lights, we know that we need

to do our part and get out of the way, or be more attentive, or at least be aware that something strange is about to happen and be more attentive in our risk management. Okay, very simple example. I think it was mentioned earlier: these people don't have the resources to just apply a particular risk management thing to what they do. It's worse than that: their use case may not even allow it. For example, you have a large fire, you have multiple fire departments responding, they all have their devices. Someone's going in and, for whatever reason, their communication device is broken,

offline. They come across someone from another squad that's down; their device is working. They need to be able to pick it up and use it. They don't know what the password is; they're not even necessarily on the same authentication system; their federated access control may not even be compatible. They have to get to yes on using that device. What happens if you just slapped a corporate device management policy on it? Not going to work. Okay, risk management is a really tricky sticking point for a lot of these organizations: where and how to adapt these things that we all know from corporate and normal risk management. How do we make it work for public safety, but

also for water, for food, for all of this? There are nuances that organizations don't even have the resources to be aware of. We need to be aware of them, at least when we're writing things, to at least make these call-outs. I'm sure a lot of people here write policy and things: be mindful, there may be call-outs, at least flag "hey, this is a thing." And next generation systems: what is a next generation system in this context? We're focusing on things that are moving fast enough that the risks are not obvious given what has come before. That's kind of a weird definition when we're talking about

managing risk, especially for these organizations where the personnel are employed because they're great firefighters, where they're employed because they will run into a burning building. Good heavens, I'm not going to run into a burning building. These people are good at that; they're not employed because they're good at technology. That's not their job. We need to help them get ahead of this, and part of that starts with being mindful of their pain points and challenges. By the way, I'm going to sort of blast through some of the rest of this, just because I want to have lots and lots of discussion at the end. But anyway, some examples of

public safety systems. We talked about Next Generation 911. Robots and drones: who here does sort of OT-type or IoT-type stuff? Okay. Now imagine that your thing is flying in the sky over there somewhere and you've got no idea if you're going to get it back. You have all kinds of sort of fun there with your robots, and that's ignoring even all of the geopolitical overlay and the security overlay that's happening right now. You have increasingly connected systems, and this is your dispatch system

that tells you which ambulance to send where, is connected to your 911 system; your 911 system is connected to your drone system; your drone system is connected to your geographical information system; and anyone can get in anywhere. Who here is familiar with what happened to Baltimore a few years ago, Baltimore 911? Okay, a few of you. For those of you who aren't, have a look; it's actually public knowledge now, there have been case studies and all that. Baltimore's 911 system got ransomware. It took down all of the computer systems that they used to filter and screen, to actually go

through all of their 911 calls and send them out to dispatch. They kept going because all the people who would normally be in management were running pieces of paper from room to room. Guess what saved them and helped them get back? I'm sorry, by the way, guess what caused it to happen in the first place: a contractor dropped the firewall to make something work. Guess what got them back up: a fire department happened to have a backup server. That's the really, really short version; there's way more nuance to it than that, I'm oversimplifying. But these increasingly connected systems are running far, far ahead of their ability to deal with

this. Increasingly smart vehicles and routing: people don't generally think very much about the AI that's in their Google or Waze or whatever your routing system is. That can kind of be life or death if you're trying to route an ambulance. How is their data getting cleaned? What are the risks involved when they switch from one system to another? So what is some low-hanging fruit? How do we figure out low-hanging fruit? What do we think about? Because what we don't want to do is go into the local fire department and go "hey, you need to adopt," I don't know, pick your favorite

framework. At best they're going to tell you to go away; at worst they're actually going to try and do it. I didn't get that backwards; you've got to think about it. Okay, a few things to think about. Overall technical impact: is this actually going to make a difference? And actually, a lot of things, when you think about it, is this actually going to make a difference? You've got to think about it. How bad can it get? This seems to get the most attention, but that's also not the most important thing. What is the likelihood of negative impact?

This is one that people generally really don't think about. What is the likelihood of acceptance and understanding? With a fire department or an ambulance service or whatever, you're likely to get way more compliance if there's acceptance and understanding: if it's something they already know they need to be dealing with, and where the solution is of the type that they can actually incorporate into their operations. If you go to them and say "here is something that has great technical impact, it's really likely," and they go "huh?", you've got an uphill battle. I'm not saying those things aren't important, but being very aware of the likelihood of acceptance and understanding is critical. And

let's see, actionability, likelihood of real-world reduction in risk. And actually, I skimmed over my background, so where this has come from: in my previous life I was developing performance measurements for robots, for the robots that go into the building that even the firefighters won't go into and figure out if there's anyone there, or figure out if the structure is safe enough for them to go into, or that fly over the next ridge after there's been an earthquake or whatever and see what's going on over there, and things like that. The last two bullets are things that vendors don't seem to speak

to when they're talking with these people: is this actually going to make my life better? Is this actually going to improve the outcomes? Okay, so we really need to talk to these people. How do we talk to them? Again, if we just show up to the local firehouse, unless we already know them, they're probably going to go "who are you?" What's our way in? We're the Cavalry; how do we do it such that they know that we are the Cavalry? Okay, so these people love their guidance and regulations. They have procedures, they have standards for

everything. I mean, some of the earlier standards came out from issues where a whole bunch of fire departments showed up to the same disaster and they couldn't connect their fire hoses together, because none of the fire hoses would link up. These people like their standards. There are many things out there that these people look at and listen to. I'm familiar with the NIST Cybersecurity Framework and the AI Risk Management Framework; who here knows about either of those two documents? Okay. These documents are put together with public comment. We need people to write into these when they put out RFIs, when they put out their

drafts, and say "hey, sounds great, maybe there needs to be a call-out for the folks who have slightly different use cases." And by the way, everything I've talked about, I've talked about in the context of public safety; it's not just public safety, it's anyone who has a weird use case and a weird risk management profile. They need call-outs for this. How many people have seen a framework or a top 10 or something used for something that's completely inappropriate? We need to write commentary; we need to talk about how these things are applied inappropriately. Who here is

actually involved in writing policy? Okay, so when you write policy you also have guidance documents around them. Acknowledging the exceptions is a big chunk of this, because the problem is the person who is helping public safety do this guidance and regulation stuff, they're not necessarily familiar with this either. They need that prompt to tell them "hey, for my application I need to think about this." Social media and podcasts: the whole joke, how do you get a message out? This is old, but: telephone, telex, tell a firefighter. Okay, all the people who laughed, laugh quietly, because they're

showing they've been here for a bit too long. So these people talk to each other. There are plenty of social media, podcasts and things that these people listen to. They really want people like us to talk to them; they don't know who to reach out to. We need to be talking to these people. I mean, a lot of us like to talk, or at least pretend to like to talk. We need to reach out to these communities through these avenues, because here's the thing: here's who's also reaching out through these avenues, the vendors who are telling them half the

truth. Events: similarly, trade shows, conferences, conventions. Again, they're always looking for people who don't just understand the cybersecurity side of the house but understand what I was talking about before, their nuance. They don't just want someone to stand up and say "rotate your passwords, patch everything, put a firewall up, use a VPN." They want someone who can actually translate that into what is actually technically actionable in their application and is actually going to be usable for them, and they need people to talk to them about these things, because, again, guess who's at these trade shows. And the thing is, by the way, I'm not casting shade on the vendors;

their job is there to do a thing, but there is that information asymmetry that we need to help them with. Those of you who are sales representatives, okay, now I'm talking to the other side of that. Again, you have a job to do. The thing I often point out, though, and actually I did this a lot back when I was doing robot testing, and I'll talk about robots for this: the worst robot in the world is indistinguishable from the best robot in the world used for the wrong purpose. If I'm a robot vendor, I do not want to sell my robot to

someone who is going to use it for the wrong purpose and get a bad result, because remember what I said: telephone, telex, tell a firefighter. Everyone is going to know, everyone is going to be told that my product is terrible, when it's not terrible; it's just that it was sold for the wrong purpose. We have actually made inroads on that side of the house, for sales folks who are using these standards to tell people "my product is not good for this, do not use it for this, I would rather you buy someone else's product." I'm a little bit out from how

that works on the cybersecurity side of the house. I don't know how much of that is happening from this side; from the other side, I know they're getting horribly confused. But that, I think, should be something that people think about and point out: "hey, I've just realized you've got this thing, you need to think about this risk when you're talking about my product." And of course trainers and industry organizations. Again, the industry organizations for public safety are crying out for the kind of expertise that is going to sit down with them and not push a

product, not just parrot "have strong passwords, use a VPN," but who can actually put in, and I mean from our perspective as practitioners it's not actually that much additional thought, but it's thought that they need and they don't understand. Okay, so that's kind of, I guess, not even really love language as much as it is figuring out how to even get to the point where we're talking about their love language. I guess we talked a little bit about love language earlier on, but anyway. I have a 10-minute call, which is perfect, so let's have a little bit of discussion: how do we help those who keep us safe? So

I guess the first question is, and I guess we have a microphone to run around, or do I keep it? Okay. Just by show of hands, who here has actually interacted with public safety the way I've defined it? Perfect, okay. So I've come at this from a particular angle; is there anything critical here that any of you folks who have dealt with public safety think that I've missed? Please, because of course I'm an academic; I spent 20 years in academia and government research.

I've been barely containing myself the whole time. Perfect. So, I will say, I'm Sarah, I am

those people that you keep referring to, "these people." I started my career in 911 before we had fancy computers; we had a phone, it rang, that was what it did. So I've been in this industry a long time. Now I'm a disaster researcher, a professor, and I think one of the fundamental issues we have is this: public safety practitioners at the field level, they don't care about these things. They put the wet stuff on the red stuff; they put the bad guys in jail. The emergency managers live in that space to try and coordinate, but the decision makers don't speak the language of tech at all, and that is a fundamental issue

we have. I can't even tell you how many people have come to me and said "what's the best software for this?" I'm like, "well, what do you need it to do?" "Things and stuff." They don't speak the language, to the point that they can't even scope a problem, because it's a fundamental lack in their background, their education, their training. Part of it is government: you have to really want to be a government tech person, because there's not a lot of money in it generally, especially at the local level. But this idea of "I don't even know what's capable, so I can't tell you what

I want it to do; I just know I have a problem." And that, I think, is the sweet spot in conversation: "I can tell you what's wrong, but I don't even know the possibility of fixing it, so I can't go to a vendor and say I need this," because when you ask a vendor, every vendor has the best solution for your problem, because you don't know what your problem actually is. And one of the best cases I've seen of that, best or worst, however you want to look at it, is a police department I worked for many years ago that implemented a new fancy computer-aided dispatch and computer-aided reporting system, all this stuff. What

they didn't do was spec their internal systems and realize that none of the cops knew how to type. So they went from recording all their reports and sending them to a transcriptionist to now having to type, and people were getting written up because months down the road they're behind. They had to send a bunch of cops to typing school, because they didn't fully scope the project, because they didn't understand how. So I think that's the fundamental piece in here: they don't speak the language, and their education doesn't include any of the technology bits. It's not there.

Perfect, actually. So that's a good one, and I think it's actually one that I've

completely missed in this presentation, so thank you so much for pointing it out: they don't know what they don't know. Correct. They don't know, so they're not even here, because now they're going "huh?" for something that's actually really important. So, question. Okay, I'm told to hurry it up. Okay, yes.

Hi, I'm a CISO in light rail. One of the biggest challenges is the life cycles in which these systems exist. We cannot make changes in a cheap way, and we're now at seven- and eight-figure numbers for systems that are supposed to be in there for 15 years. And so I think the biggest challenge is, as

cybersecurity continues to evolve in terms of threats and other things on the landscape, how do you put something in today that can protect something that didn't even think about RBAC 10, 15 years ago?

Yeah, exactly. And part of the problem there is there may not be a solution at that level. Your risk management might well have to be: accept that there is a risk, and now you've got to put governance, policy, procedure around it somehow. At this point there may not be an easy answer, because there are no resources, and time is one of the resources that they may not have. Yes. How are we doing for time?

Couple more questions, okay.

In the slide before, we just said about how people can help. Maybe not for fire departments, but police departments will typically do a two-year CJIS audit, so they may already have a list of things they need to improve upon. If you want to sort of knock on the door, that could be an avenue to say "hey, I'm here to help, can I take something off your plate there?" Just as an idea for everybody in the room.

Yep, yeah. So knowing their cycles. And there are tons of audits that I think public safety, and just if you're looking for grants, you have to do anyway,

so there's probably a list of activities they know they need to improve upon. Anyone else? No? Okay, well, look, thank you so very much. Please do stay in touch, especially if anyone has any comments. I've been on the academia and government side; I'd love to get more in depth on the vendor side, on the private industry side of the house. So please do reach out to me; you can find me on LinkedIn and all that. But otherwise, please enjoy the rest of the event, and thanks once again to the

organizers for inviting me and for listening to me for the last 45 minutes. Thank you very much.

This is super. Come on up, come on up, and let's get you


and as a professional, he's going to talk at length about computers for kids, and what we really liked about this presentation was, this is a model that, as you listen, think about your community and how you can get engaged with your community and actually provide some real good. So please join me in a round of applause for Ira, and welcome him. Thank

you.

Take a picture of me with the t-shirt. Test, check. Awesome, great. I'm someone that likes to use my hands, so this is awesome. I am Ira Victor. I am one of you. I have been coming to BSides since it actually was open to the public, when it left someone's house and actually went as a public event. I have been coming, as Josh knows, to I Am The Cavalry since Josh started I Am The Cavalry. So I am literally one of you. My first DEF CON was DEF CON 10, so I have been immersed in information security for a long time. It is an honor

to be here and present to you and to answer I I didn't know about the present the the slides for this last presentation I sat through it with as much interest as all of you did and it is wonderful I'm going to credit to Josh and his people for putting me after the first presentation I don't know if it was planned but I'm going to answer a lot of those questions in that presentation uh and a full disclosure I I do work in uh digital forensics and incident response I am part of my pro bono time is not just here for you as I am the Cavalry but I am an ambassador for this Center for Internet Security

controls and as this unfolds you'll find out more about that and what this what it has to do with our talk I'm also going to give you the precursors to look for when vendors sell you what they what they tell you will answer your problems but what to look for to know that that's not what what you're buying you're buying something else so there's a tease for what's coming up here I'm this this is another crazy coincidence I did name this security trk the Next Generation uh I did not know that this past weekend was the Star Trek convention it actually ended the day before yesterday someone asked me if that was planned it wasn't but I went

with it so stard date 32 3320 55 which was 25 years ago today on star date and what we were doing as a information security Community was we were trying to educate mainstream users about information security and digital privacy and most people I've been around long enough to know gave us blank stairs what the heck are you talking about I remember that and what we wanted to do at bides Defcon black hat RSA schoon what we wanted to do was protect against cyber criminals nation state spying financial fraud um so we had attacks how many of you remember I love you some really really bad Cyber attack and then we had the early ransomware one

of them was called CryptoLocker, WannaCry, and there are many, many more. I actually went to look those up, because I was going to put Code Red in there; there were so many old attacks back then that we were trying to educate the world about. So I actually think we've made great progress. I know we have a lot to do, but Josh's announcement today was an example of the great progress that we've made: there's now going to be a publicity effort around awareness and information security. Even the fact, Josh, that you could have that conversation and not get blank stares, that's a change from when I Am The

Cavalry was started. I think that's great. So my opinion is mission accomplished, sort of. My thesis is that what we've helped train people outside of our community to see is that the threat is no longer abstract. People now realize that it is a real threat. That's good, that's a big improvement. But now the challenge is how do we persuade the mainstream users that their systems and the things that they're doing in their life need to be secured. They're aware of it, but they're not quite sure what the heck to do now. A lot of times I've been told, when I'm doing public speaking or I'm

having media appearances, "Ira, you've just scared the heck out of me." The person interviewing me on TV: "Ira, you've scared the heck out of me." And what I want to say is, okay, well, that's good, but now we need to take that fear and make it something of action. That's what I consider the people in the 21st century that have been involved in the security community; that's everybody here in the room, people watching on video, who have probably been involved in information security to some extent. In the 20th century, that's our generation, broadly speaking. So the question is what do we teach the next generation, what are

we going to do to have security for the next generation, and how do we harness this? So, a couple of challenges. Small organizations often cannot afford in-house IT, let alone information security. I want to broadly define what's small: less than 500 employees. It might be a division of a larger company with less than 500 employees and spare resources. Like a law enforcement department might be part of a large entity legally; you were in light rail, weren't you, sir? I was looking at you. In light rail, you may be part of a larger government entity, but your group would be considered small on its own,

and what your budgets are, I still count that as a smaller organization. It's challenging to afford good in-house IT. It's great that your organization, sir, has a CISO; a lot of them don't. Further, I'm going to ruffle some feathers here, but I actually believe that a cybersecurity degree may not really adequately prepare graduates to defend against real-world threats. How many of you know someone that has a degree in information security and says, "I can't get a job because they say I have no experience, and I tell them, well, I have a degree, and they go, right, you have no

experience." So we've got a lot of people with degrees, but they're not actually getting hired in their field of choice. Why? How do we fix that? Because that's someone that has that awareness; how do we harness that and fix that? I think that one of the keys that's missing, my thesis is one of the keys that's missing in this pillar, is practical real-world response. When I tell that to people that have a degree: "Well, Ira, can you hire me on one of your projects so I can get some experience? I can't get any experience, so when I apply I have no

experience. What do I do?" I will answer that question. So what I want to impress upon you is that all of us that have been in the information security community in the 21st century, I call this the first generation, because we know this stuff, we know how bad things can be, we have an ethical obligation to equip the next generation with the tools and knowledge to complete the mission. Okay, yeah, great, sounds great, Ira, lots of platitudes, thanks a lot, bye, I'll see you later. No, I'm going to tell you how we do that, tell you how I'm doing it and how

all of you can be part of that. So I propose that we need a radical change in our attitudes to information security to complete the mission. Number one: information security is not primarily about products, it's primarily about process. Just before this talk, my phone is going off, that is so embarrassing, I can't tell you how embarrassed I am, I'm probably turning red, Ashley. There's a huge litigation that's happening right now between the airline industry and the tech companies over the massive outage that recently happened. I was reading it this morning, swear to God, one of the major airlines said, we spent billions, I'm

paraphrasing, it's a long story, we spent billions of dollars on product, it's not our fault. This is the problem: the CEO says we spent billions of dollars on products. Sir, I'm sorry to keep pointing at you, because it was so great, in light rail: we spent billions of dollars on some stuff, but it's not solving the problem. That's exactly right, because it's about process primarily, not about product. In order for us to empower the next generation we have to share our experiences, all of us. You're shaking your heads, right? We spent a quarter million dollars buying this widget, this black box, and we racked it up and that's got all the

blinky lights, it must be doing something, and we spent tens of thousands of dollars on something-as-a-service for this, and then our whole infrastructure craps out and we lose half a billion dollars. It's a particular airline I'm referencing, and they go, how can this happen? We're going to go sue everyone because we spent all this money. So first, and again I'm going to come back to you, sir, what is your first name? Andy. I hope you don't mind me using it, because your last question was so awesome. So one of the elements is we need to change our understanding, have a better understanding, and all of us in

the community have a better understanding about what open source is, practical, hands-on, what it is and what it can't do. Because, Andy, part of the answer to your question is not vendor lock-in. That's not the answer to the question about what do we do when our needs change but we're locked into some hard something-as-a-service and some blinky light box in our rack. And then the next part of this is also a public education challenge, and now I understand why Josh and his team liked my proposal today, because that was in it before I saw the last talk. All right, now here's the

big one. If there are a few things you take from this talk today and nothing else, this is one of them, right here, and this is directly from my experience being in the community. What are the telltale signs that a decision is being made to substitute true information security, which is not product, it's process, with just buying product? You look for the companies that boast to the investor community that their app is going to have a revenue hockey stick. How many have heard of the revenue hockey stick? Okay, look it up, I did not make this up. It's when the business's strategies are more geared to the investor community than the users

and the customers. What they want is to convince people: buy our blinky lights, buy our XYZ-as-a-service, and your problems will be solved. And what they're doing is they're signing up all these people so they can get this revenue hockey stick, where they start at the bottom with a few customers and then they ramp everything up. There's a certain security company that had a big outage that was a big fan of the revenue hockey stick. Now, this is all publicly available information; the investor community, to their credit, exposes what they do, they do not hide this. So you look and say, do I see the

telltale signs? Do I see them say the revenue hockey stick, that we've tripled our revenue in the last X number of months? That's the revenue hockey stick. They're focused on investors, not on users, not on security, not on process; on investors. And I'll give you another telltale sign: call. Before you make a decision to buy the blinky light, or someone's going to make the decision and you're on the team to buy the blinky light box and the service, call up, use a little social engineering skill, call up and pretend to be a customer. Can you talk to a real person? Are they really knowledgeable about information security? Are they knowledgeable about process, or are they just there to facilitate the hockey

stick? If they're just there to facilitate the hockey stick, don't walk, run, or at least advise someone that if you were in the position to make a decision, you wouldn't walk, you'd run. One of those times that I made those calls on behalf of a client, I swear to God, I got to someone knowledgeable and I said, well, why don't you do it this way? They said, well, that would be too difficult for us. It was something very simple about process. Yeah, too difficult, because they're focused on the revenue hockey stick. Look for those signs and walk away. And boy, the market works. If enough of us, it doesn't have to

be all of us, if enough of us in the information security community push back against the vendors, push back. Look at my last bullet point: when they have their meetings internally, and I've been in these meetings, by the way, when they have their meetings and someone talks about process, about that being important for the company: "Yeah, but Ira, we don't get the revenue hockey stick that way, you're not thinking big enough," and I was dismissed, not physically, psychologically dismissed, for what I was saying. Market pressure can change that. When the revenue hockey stick doesn't hockey stick, that's how that change starts to happen. So, outsourced IT. I know some of

you, I'm an outsourced digital forensics and incident response professional, my brethren in outsourced IT, there are probably some of you here or watching, I'm sorry to say, you guys and gals, you're focused too much on selling product when it comes to information security, not process. Please be I Am The Cavalry, be the Cavalry that changes that, because information security and privacy is more about process than buying products. Secondly, what goes for security awareness training is looking at antiquated attacks. It's generic and it's teaching people about attacks that don't even happen, or haven't happened for a long time. So that's another challenge that we need to conquer, and I have an answer

to that. And again, I'm going to come back to this bias against open source. Among non-technical people there is this response that I see: if it's open source, that means all my data is open. Like, no, that's not how it works. It's those of us in this community, I'm seeing the shaking heads, we have to be the Cavalry, I Am The Cavalry, and stand up in the room and say no, that's not what open source is. It's a misunderstanding; that's not the part that's open, that's not what we mean when we say open source. So I want to take a break here.

I did title my talk "Security Trek: The Next Generation", and one of the things that I found interesting about being a Star Trek fan is that when you have a security issue that you need to explain to a person, there's almost always a Star Trek episode that has the issue, and I came up with two examples. One is CrowdStrike, son of a gun: "The Schizoid Man", that's in Star Trek: The Next Generation, season two, episode six. Data; in essence, I'm summarizing a long plot, incompatible code is loaded into Data that almost causes a catastrophe on the Enterprise. Sound familiar? Great way to

explain it. Now, just as a personal sidebar, and I always want to talk about the community, but my name, Ira, is not a very common name. The protagonist in this episode is Dr. Ira Graves, it's so cool, and I remember when this episode aired, actually, because the guy's name was Ira. CDK Global: now, CDK Global has kind of been washed out of the headlines because of CrowdStrike, but it actually had a bigger impact in many ways than CrowdStrike did. Over half of the consumer and commercial vehicle business is powered by or uses CDK Global's software. This is a company that by their own

website says they're an expert in everything related to technology: marketing, CRM, sales force automation, promotion, search engine optimization, we'll run your whole IT, and we're experts at information security. In my opinion, hogwash. They were acquired by private equity, and that private equity company, in my observations of publicly available information, was obsessed with the hockey stick. And so they got hit by a really bad ransomware attack, and because a lot of dealers had all their eggs in the CDK basket, because CDK promised we'll take care of everything, they went down hard, as hard as some of the airlines did. They went down and it affected thousands and thousands of businesses across the

country. Now, there's an episode called "Gambit", parts one and two, also Star Trek: The Next Generation, season seven, episodes four and five, where Captain Picard is held for ransom, and they go over a lot of the issues and challenges of ransom. I do this, everyone; yes, it's kind of fun to do it, but also this is how we have to explain to the lay person. This is not something where we don't understand what to do; relate it to people in ways that they can understand. One other little fun thing I found, that picture with Picard and some other character: have a little fun today at BSides, look

for a person who has hair like that. I promise you there are people here at BSides that have a haircut like that somewhere. All right, so what did I do, what have we done? And actually, get ready to stand up, because I'm here with someone to help me today. What I did with a group of people about 17 years ago is we set up a Lions Club with one project. Lions Clubs are over 100-year-old service organizations; they're all across the country, all across the world, and usually each club gets involved in multiple service causes in their community. We have one cause: it's the

Computers for Kids club. What we do is we recruit volunteers to help run the club; it's 100% volunteer. We serve kids in the community that have no computers at home, and we educate them about open source, privacy, and security. Everyone, we have educated in the last 17 years 15,000 students and their parents about open source, information security, and privacy. 15,000, 100% volunteer. We are people in our community that care about this, and in the I Am The Cavalry spirit, we are the Cavalry, we did it. We serve K-12 students. We require the students to take training for this, and we require them to come with their parents, so their parents learn about

security and privacy and the children learn about security and privacy. Ashley, stand up. Ashley is the president of our chapter. Thank you, Ashley; she helped me so much today with logistics and things, so she's awesome. But Ashley's an example of not only that we're helping kids, we're bringing people in. Ashley was not in the information security community, but she wanted to be. So we bring in adults, young adults, but also people that are going through career changes that have the problem of "I can't get hired to do infosec because I have no experience." By going through our

program as an adult, our members get real-world experience in information security and privacy that is then directly applicable to the job market. I am proud to say that our current vice president, Jenna is her name, was working at Walmart driving a forklift when she joined our club. She has left the employment of Walmart and now she works for a high-tech company doing work in our field, and one of the elements was what she did in our Computers for Kids club, because it gave her experience so she could jump out of that forklift job. We have a multi-step approach to training that covers hardware and software, and we're doing it in

Reno, but because we're part of Lions Club we can scale this to anywhere any of you are in the world, and I'll tell you about that in a moment. But I also have a big announcement, right here in this room, all of you that are watching this: this is the worldwide announcement of the first desktop operating system that is compliant with the Center for Internet Security controls for security and privacy. Free, open-source software. It is going to be launched at the end of this year. Our Computers for Kids club partnered with the Center for Internet Security so that we are the test bed, and for people that want to get

involved in this, there's an opportunity, if you're already in information security, to burnish your resume, or if you know people that want experience, to get involved in this program to be part of the launch of this desktop operating system. Free, open source, everyone. Unlike Windows and Mac, where out of the box, in my opinion, what Microsoft and Apple have done is deployed millions upon millions of promiscuous devices and put them in the hands of consumers and small businesses. Shame on them, because those devices out of the box, in my experience, are engineered to be compromised, and I'll give you just one example. I don't have time here to go through a

catalog of all the examples, I'll just give you one. When you pull those devices out of the box and you go to start them up, to set them up, not on an Active Directory domain but stand-alone, they all run as local admin, and no instructions, like, oh, don't do this; if you want to do this your hair is going to fall out; if that's what you really want to do, are you sure you really want to do this? You know, when you want to delete Microsoft software that's what they say, your hair is going to fall out if you delete it. But they don't say, and Apple too is guilty of this, they don't say, hey, our devices are

promiscuous and are going to be compromised in moments if you run them as local admin. By the way, that's one of the CIS controls: do not run as local admin. But yet millions of these devices are deployed every day that are running in that state. So this is going to be an operating system that is designed for security and privacy out of the box, and free open source. We've been deploying our own sort of home brew for greater security and privacy for the Computers for Kids club, and we're going to be transitioning by the end of the year to the CIS version. It's going to be available,

I'll give you the link in a moment, for CIS. You don't need to be part of the Lions Club Computers for Kids club to get that, but you can work with us to burnish your resume, or if you know people that want to get involved in information security. So we view this, and I'll tell you how you can get involved, we view this as the hands-on experience on security process. None of it has to do with a revenue hockey stick. There's no XYZ-as-a-service, there's no "oh, buy our proprietary box" and then it's arbitrarily end-of-life after 36 months because the revenue hockey stick requires you to buy another one of the

stupid boxes. None of that. This is about a culture of security and privacy process, and that will allow us to finish the mission we've started. We've done so well in getting people aware, but now we need to finish that mission, and it's up to all of us, up to you, to do it. So let me give you some examples here, and I'll give you some contact info; I'm going to put that up so you can take it. Now, I have Ashley right here, our president, so at the end of the talk you can come to see me, you can come to see Ashley as the president of the chapter, you can also email or

send us a text, and we'll send you information. Here's what we will offer to anyone that does not live in Northern Nevada: there are so many elements of what we do that are about process that don't require you to be in Northern Nevada where we live. As a matter of fact, we were doing remote meetings before any Lions Clubs in the world; we've been doing hybrid meetings. We do an organization meeting every week, it's always been hybrid, and we do not use Zoom. That's the second thing to walk away from this, if nothing else, this is the second one: do not use Zoom. It is

promiscuous by design. There is free open-source video conferencing, Jitsi, and I have no connection to Jitsi, J-I-T-S-I, Jitsi Meet. It is free like open source free, what a concept. You can actually download Jitsi and locally host your own little Jitsi server; you can put it on a little small-form-factor box and run your own Jitsi server, but there's also cloud Jitsi. So we meet on Jitsi once a week for an organization meeting, one hour once a week, and by joining our club, which means attending the meetings and then whatever you want to do, we have many things that need to be done, and many of them can be done

remotely. We've spent 17 years ironing out the kinks of how to give out 15,000 computers just with volunteers. Just a couple of hints: the computers are all donated to us. So there are millions of insecure, compromised, promiscuous-by-design desktop computer systems, I'll stick to North America but it's the world, and by design they're obsoleted by the tech companies that are concerned about their revenue hockey stick, not about the security or privacy of their customers, in my opinion. We take those. Organizations have to pay to have them hauled away; they find out about us: wait, you guys will come pick them up? What are you going to charge me? Nothing. Well,

nothing, like, no, nothing. What do you do with them, you just dump them somewhere, in a river? No, no, no, we refurbish them and we teach kids about privacy and security with open source. Wow, can you pick up three pallets next week? I kid you not, we get pallets of donated equipment, and we take that equipment and refurbish it, so it's free, and we put our free open-source software on it and we teach the kids. This is how we do it, all with volunteers, and obviously with any process like this there are lots of little steps. We know all those little steps. So if you want

to go into your community and read about what we do, talk with us, and do something on your own in your community, please do it. There are millions of these crappy insecure systems that are being dumped in garbage dumps or sent overseas to third-world countries where little kids go through the motherboards and get heavy metals through their skin. We can divert those; you can divert those. And if you want to do some version of this, please go do it. You can download the CIS Linux and go do it. If you want to be fostered by people that have been doing this for 17 years, come join us remotely, and then if you say, great, I learned this

stuff, Ira, now I want to do it in my community, awesome, we'll connect you with the Lions Club there. Wherever you are in the country there's a Lions Club nearby. That's one of the reasons that we affiliate with Lions Club: they have a structure, so we can focus on what we do; we don't have to create a whole legal structure, we do that through Lions Club International. We are recognized by Lions Club International for our innovation; we're one of the fastest growing Lions Clubs in this part of the country because of the innovation of what we do. So yes, we'd love you to get involved that way, but any way

you want to do it, we're free open-source people, we're not going to stop you from doing something on your own, whatever works for you. But to start, my recommendation is to start by participating with us, as much or as little as you want, and you can learn from that and then decide what you want to do. I also want, it would be terrible if I didn't give you the Center for Internet Security, so cisecurity.org. You will see information on their website by the end of the year about it. It's actually a version of Linux Mint, and I'll tell everyone, for everyone's benefit, why we chose Linux Mint. Linux Mint is, my phone is

still ringing, son of a gun, two people, I thought I shut it off, God, and it's a spam call, there's some significance in that, isn't there? We chose Linux Mint for the CIS-compliant version of Linux, and technically it's what we call a benchmark. So we took Linux Mint and then we added a different process for its configuration to make the CIS version of Linux. So it's Linux Mint, it's the Cinnamon desktop, and we chose that for a couple of reasons. One is, this is so awesome, everyone, take this, this is like the third really important thing: many end users, small organizations, end users, home end users,

other types of people that are end users, when they get that automatic update to Windows 11: what the hell happened to my computer? Where's the Start menu on the lower left? I'm seeing all shaking heads, right? So the first thing we tell people is Linux Mint is more like Windows 10 by a mile than Windows 11 is. They're all of a sudden listening; we've got their attention. The parents are like, really? Where's the Start button? We'll show you where the Start button is. So that's why we chose that. Also, Linux Mint Cinnamon has a really big user base, so, with both our group, the Computers for Kids club, and the Center for Internet Security, we didn't

want people to get used to a certain environment and then have to switch them, because we've all known there have been distros of Linux that have kind of come in and then faded. One of the things we do in the Computers for Kids club is, if a student comes in, and we have a lot of elementary school and middle school students, we tell them you can keep this computer through the end of your education, and if it breaks, bring it back, we'll either fix it or we'll give you another one. I've got six pallets out back; we'll give you another one if it doesn't work. So we want to keep

them on the same environment through their life cycle, and Linux Mint has a very large user base, a long history, and great help menus too. So we're very conscious of why we chose Linux Mint. And another plus: how many of you have struggled getting a printer to work in desktop Linux? I have, oh my god. Linux Mint works really well, in my experience, with older printers. We don't supply printers; it's another whole space, and then there's the ink issue. So we tell people, you know, find a printer, and Linux Mint works really well for newer or older printers, and actually a lot of times it configures faster than Windows,

which is pretty freaking amazing, in my opinion. So a lot of this is due to our close collaboration with the Center for Internet Security. Another big benefit of the Center for Internet Security controls, I'm going to put on my ambassador's cap: Nevada was the third state to say that the definition of reasonable security, because that's the issue, and the last speaker talked a lot about risk management, and it's not there's no risk, there's nothing bad's going to happen, or everything bad's going to happen; that's not what risk is about, right? We all know that. Well, the problem has been, when there's

litigation, civil litigation, that happens, like with CrowdStrike, the issue is was the airline negligent or were CrowdStrike and Microsoft negligent? That's what it's fundamentally going to come down to. And then the argument is, well, Delta says we had reasonable security in our systems, and CrowdStrike and Microsoft will say, well, we had reasonable security in our process, and then a judge with zero information security training, typically, and a jury with zero information security training is going to arbitrate what is reasonable security. Holy, a $500 million loss by Delta is going to be arbitrated by people that have no training in information security. That's really bad. So there's

been a movement to define what reasonable security is. Nevada was the third state to say the Center for Internet Security controls define what is reasonable security. I wrote that law, got that put in; that's how I became the ambassador, actually. They called me after that law was passed and created this ambassador program. Now about 12 states have some version of this, and there are no states that contradict it; that's really important legally. No state says no, we don't accept Center for Internet Security. So all of you here, this is the fourth thing that's really important, whether you get involved with Lions or not in some way, I hope you do, but if you don't,

understanding what reasonable security is, what the definition of reasonable security is, and it is now, in more and more jurisdictions, the Center for Internet Security controls, which, no surprise, are more about process than buying products and work really well with open source. So I encourage you to look at that. There also is a guide: if you do a search, just a regular DuckDuckGo search, not that other company that everybody's heard of, a DuckDuckGo search, and type in "reasonable security guide Center for Internet Security", there is a guide now, so you can take that to management to justify process over product, and there's a guide for that. I'll get to your question

in just a moment. So I encourage you to do that. And I know I'm rounding third here, so here's the contact information for the Computers for Kids club. Also, if you liked this talk, I'm happy that you did. It's an honor, and thank you, Josh, for allowing me to speak today; it's been an honor to be amongst my friends and present to you today. After this talk was approved, I was asked to give a talk at another conference. It's a virtual conference; I'm going to give a version of this talk. If you know people that would like what I

talk about, they can go to pfic conference.com. There's a virtual conference on infosec and digital forensics on August 21st. There's no charge; it's free like open source, and you can sign up. I am giving the noon Eastern time talk; it's a version of this. People have asked me, can I just log in just to watch this talk? Absolutely, you can log in, and you can share this with other people that way. So I hope you didn't mind, Josh, me plugging that. And so I've got just a few more minutes. You had a question?

Thank you. So my name is Angelica, and I'm an IT examiner for the state, for the Department of Financial Institutions. I'm also a SOC examiner. When you're saying process over the product, I had many credit unions telling me, like, I'm like, what's your due diligence process? And they say all the things, but then if they don't have a SOC report, first of all, we don't really know how to read it; second of all, if they have exceptions, what are we supposed to do with that; third of all, we send them a security questionnaire, it's so hard to get them to send it back to us; yes, fourth, we get the security questionnaire, does it make any sense?

Full disclosure, I am the acting CISO for a credit union as a consultant, okay? I know this inside and out. Please have them, we had no push back from the auditors and the regulators with the adoption of Center for Internet Security, and it's a cookbook. And the board bought the idea, and part of it was it's not about buying more blinky light boxes and X-as-a-service, it's about process, and they could understand that. Okay. And I hope somebody here knows about the credit union that went down in Northern California, because I don't know anyone from that credit union, and boy do they need this answer. Second thing, the Computers for

kids club is it just for kids or also if I have the credit union members they're like they also sign up yes so great question so we give the computers to the kids locally but EV adults can can and should join listen I've been doing it for 17 years I learned stuff by teaching by tackling new challenges I say can hey Ira can you help tackle that yeah I'll tackle that that makes me better I Advance my skill set and the the benefit is when I do that with a Credit Union I got to be really careful because it's regulated and I have to you know I can't go off too far off the reservation but

with the computers for kids club I say hey you know I think I have a new way to do this we could do it this this and this way can we try that and and then generally people say yeah let's give that a try because the it's not the risk of a of a you know Credit Union or a bank it's a computers for kids club so it's a really great way to get real world experience but to push yourself so yes adults in the credit union join that will give them secur the great security training and awareness by being involved in the in the club great question thank you so much any other question do I have

other questions time for one more question one more all right you know what that'll give time for the next speaker to set up I'm going to be around for a little bit please come find me come stand up again Ashley talk to Ashley and uh we'll we'll answer any of your questions oneon-one thank thank you again everyone thank you all right let me uh let me talk a little bit about the future and your future your future if you want to eat is it is now lunchtime please come back at 2 p.m. we're going to start with hungry hungry hackers followed by Blood In The Water followed by healthc care is an is in intensive care followed by living

with the enemies how to protect yourself in your energy systems we'll see how did I do you did awesome I didn't get here I got caught in the hall I sawy as that's great thank you I the water oh thank you oh thank you

We have a couple of room announcements before we begin. We'd like to thank our sponsors, especially our Diamond sponsors, Prisma Cloud and Vanta, and our Gold sponsors, Adobe, Dropzone AI and some others. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent. Words are hard; that's why we have speakers. All right, with that out of the way, that is my job done, so I'll pass off the mic. All right, we'll still have two or three more minutes before we start.

[Music] welcome back to the I am the Cavalry track for 2024 hope you had a good lunch hungry hungry hackers is up next um going to introduce our speakers I guess uh so last year uh fun story uh Mr sick codes could not get here in time from international flights so the other redhead with an accent Casey John Ellis filled in and we just pretended he was sit coach this year uh said it with love uh Casey is unable to make it here so sit codes will be playing both roles this year maybe next year we'll get double trouble for hungry hungry hackers uh sit codes um is going to take us through the hungry

hungry hackers in lie of Casey who uh we send much love and healing to um as he's recovering from some heart procedures uh really wants to be here um we are going to have a substitution or another Voice come up which is LP or last person who's incredibly well versed in some of these food supply issues so you're going to have your first of four Lifeline critical infrastructure sectors food followed by Emergency Care followed by water and followed by power for today and this is both a look back at what's happened since we were here last year and also how things could get dice here if we start to see things like volt typhoon in 2027 or or plus or minus um

um for if there's a conflict will it be a hybrid conflict so with that we have a very packed hour on hungry hungry hackers take it away Mr Jack sick

codes all right thanks for coming everyone uh my name is sit codes uh also I'm subbing in as as Josh just mentioned for Casey John Ellis I've got his sunglasses who thinks we look actually quite similar who's met either of us in person before could be related yeah we look pretty and we're both Australian and he's a little bit taller than me 63 so um but yeah I've got these sunglasses and when I put these on you can't tell us apart two red heads with red beards receding hairlines anyway um yeah this Talk's called Hungry Hungry hackers um it's about food Agriculture and cyber security risk it's also a Q&A so I want you to be able to ask questions as well

so I'll talk for probably about 25 30 minutes and this other gentleman here LP you can ask questions as well if you have a question that you're thinking about just write it down on your phone and I'm I'm sure we'll do mics or something at the end just one other thing I'm incredibly jet lagged so I apologize if I'm a little bit slow or a little bit doozy um I think I've slept I went to bed at 1:00 a.m. I woke up at 3: went to Denny's and I couldn't sleep again so I don't know whether there was the food yeah just incredibly jetlagged so cuz I flew obviously not from not locally so uh all the way from Thailand so yeah

this independent research um in that I wasn't paid for some of this stuff so uh all of the vulnerabilities that I talk about were reported to the vendors and in a in a you know a secure uh responsible disclosure way uh nothing in these talk represents future past present employers or Contracting things like that the contents of the slides are commod creative common zero and all of the trademarks belong to the owners of those trademarks so here's my socials you can find me on GitHub Twitter forly know oh X formly known as Twitter LinkedIn and just my website s. codes and you can also see Casey uh who's also Australian um you know his links as well

Casey John Ellis or CJ so what's this talk about um it's about a brief history leading up to now of cyber security in agriculture now I think maybe three or four years ago many people including myself actually literally had no idea that there was cyber in agriculture to be honest um some people like this other guy here he'll tell you a different story he was you know obviously works in the industry so as far as I know um yes so we're talking about current future and um some past stuff so who's this talk for those interested in seeing how a couple of bugs can literally change the trajectory of an entire uh sector uh in in fact it's critical infrastructure

sector so you'll have a talk I think following mine about water and you've had other talks I guess on this track today and tomorrow that talk about other Industries medical and things like that and a is a as in agriculture it it uh it needs a couple of eyes on it and I happen to be the person who put some eyes on it and got a few things to whip up in a bit of a storm it's also relevant for people who eat food so it's gonna get a rise yeah most people I assume I saw some who didn't put their hand up but um just wondering how he's still alive anyway birth of an idea this whole thing came

about um through a friend of mine called Paul Roberts he uh writes for his publication security Ledger but um he also uh does a bit of right to repair stuff that I'll talk about he said to me one day in a phone call he goes oh dude it's so random that John de has no cves wow like and I thought yeah yeah that's right uh there are no CVS in John Deere products he's like man wonder if someone could go and look at it you know he sort of dared me into it and that's what happened literally just said dude why does John De not have any cves I thought oh I'll go change that that's exactly what we did so Paul

um that's Mr Roberts here fantastic guy um he he runs a secure repairs organization which is a subset of right to repair stuff which is in my opinion right to repair and security are completely sorry they have over AP definitely overlap but they are separate issues and Paul is very good at illustrating those issues about you know if you if you can't repair something then you can't fix it if it's got a fatal critical bug or thing like things like that security issue with it so yeah B I took the bait um Paul literally just said to me you know there's no CVS I went got went and had a look at it first thing I did was I signed up to the John

Deere website with a developer account free developer account um and then started playing with the software and there's a form there I don't know it's quite zoomed out this screen's quite small but it's a form on their back end that allows you to add pieces of equipment to your account um and it says submit VIN number vehicle identification number uh but for for combine Harvesters and big machines that that are in agriculture uh if you add one to your farm and the farm that's link to your John Deere account already has that piece of equipment in there it'll say error this account or this it's says here equipment already exists however in the Json response it has the

entire account record for that item so it's got the it's got the that's the VIN number at the top um you can't see this this Json it's it's a lot longer than this there's actually pii in there it's got address line one address line two City postcode you know lease lease or lease e or something like that a lot of information in there um and so then at the time John did didn't actually have a bug Bounty program but I'll get into that in a moment um I actually sent well I I sent it to them to fix and there was a little bit of a I actually did a Defcon talk about this two years ago three years ago actually

um the remote Defcon it was a pre-recorded one about about this issue that we sent them and how they stuffed it all up and because they didn't have a bug Bounty at the time and all sorts of issues with with reporting to a program reporting to a company that doesn't have a bug bound it's kind of complex cuz it's like you send it to them and they don't know what to do and all s stuff happened they learned their lesson obviously a lot of stuff has changed since then um but you know cuz they didn't have a program I sent it to the news so I sent it to Vice um Lorenzo uh at Vice he's actually now Tech crunch it

is it he is isn't yeah yeah b ball um bugs allowed hackers to doxs John Deere tractors the actual original title of this article was bugs allowed hackers to doxs all John Deere tractor owners however John Deere reached out to Lorenzo and said um it's not all tractors it's only a subset of tractors the ones that have been connected to the website and all this stuff and I'm like okay so it's only the connected ones anyway it it went in circles and and Lorenzo dropped the word all and then he also came back to me and said oh John Deere also disputed it and um John Deere sent them a comment to Lorenzo ADV Vice

at the time you we were made aware of misconfigurations um separate online actions we took immediate action blah blah blah um and then the last sentence it says inate did not get access to customer accounts dealer accounts sensitive pii now think about that last one sensitive Pi sensitive um personal information my thought was was that true because when I was looking at the records I could see address line one first name last name all that details um and I think the key word there was the word sensitive because I think it's something to do with if it doesn't have an SSN or someone in the audience will have a better a better explanation what the

difference between pi and sensitive Pi is but um John Deere you know anyway I sent it to Lorenzo I said look this is pretty it's the real record and he said oh yeah you're right anyway so that was I call that hacking for clout because I didn't hack I didn't get paid by John Deere there was no bug Bounty involved in fact at the time John Deere didn't have a bug Bounty they created a bug Bounty for me um and it was also a private program with no bounty and no disclosure and I was like okay why why the why the would I sign up to that um like think about it you're getting a private program like the

leaderboard is going to be private it's literally just you and Di in a private DM together here's the bug yeah thanks no way see you get out of here um and I want to ask you a question why would I sign an NDA with John di um given their billions of dollars to spend on bugs and they by the way this is this is a couple years ago now they do have a bug Banny program now and they do pay out they never paid me any any money as well but um CU I rejected the program invite when I got it but um yeah yeah why would I sign an NDA with John Di and when they have

billions of dollars and then I thought to myself is it even ethical to ask that so it's like think it's like reverse randomware kind of if you think about it you're asking like I'm not going to give you that bug because you're not paying for it so I'll publish it um think about it yeah it's kind of kind of sus um yeah so going public with a with a going public with a bug um you know you've got clout or just like you can publish it you can write about it people can link to it you can get stories about it or you follow the money and you submit it privately to a private program

or in John Deere's case um I chose the clout option and just sent just sent it and I wouldn't even be talking to you today if I if I did sign that NDA so it's cool isn't it um is publicly Roasting Company cuz I'm technically right now I'm kind of roasting John Deere a little bit um because I didn't I didn't never I never signed an NDA with deer I've signed NDA with other tractor companies but not dear so um de de will get so angry when I tell him that anyway um they're probably watching actually so yeah so is publicly roasting a company helpful um there's pros and cons to this but I want you to think about like is

what I'm doing kind of savage or is it actually an ethical thing to do you tell me by the end of the talk if you think that going public uh about this John Deer stuff was actually you in the interest of you all cuz you're all here to listen to stuff that uh if I had signed it it wouldn't be here so here's what happens when you publicly disclose a bug in this most uh outrageous way possible I think is this yours oh Paul that's Paul right there Paul Paul wrote that story that's crazy um that was a couple years ago yeah the author's in the audience that wasn't planned by the way so um so I

wrote this story uh a couple years back called extraordinary vulnerabilities discovered in TCL who knows what TCL TVs are okay cool cuz at the time 3 four years ago almost yeah I mean not many people knew what TCL was I mean if you watch the NBA they're sponsored on everything big red Chinese Communist Party backed um company and they literally are uh a Strongarm Tech literally that Huawei xiaomi see me um and a bunch of others companies and so I published this story about TCL TVs having a back door I called it extraordinary vulnerabilities but Department of Homeland Security called it a back door um and so Paul actually wrote this story which is crazy

so Department of DHS sorry DHS um basically used this story that I wrote which was full public um didn't sign an NDA with TCL at all and why would I probably I probably get in trouble for doing that anyway so Homeland Security did a thing about it and at the time acting secretary Chad wolf actually went on and said you know we're looking into companies such as TCL who we it was discovered recently that they Incorporated back doors and their TVs and I was thinking wow that was my bug um that I published and so what happened from that you know we're talking about this public thing about publicly disclosing bugs and and what actually happened was this is a later

event this this little study what's done there but um the share price dropped 15% in one day which was crazy cuz um they're a massive company the CEO who was a I think a CCB Committee Member he rebot a certain amount of shares and then it's all in actual fact who knows what the honor smartphone is honor it used to be the Huawei honor so there was a right right around this time 2021 um just before this just before this uh story came out h was in talks with TCL both heavily um CCB companies because the Huawei phone was banned to come into the US The Hop phone they sold it to TCL uh in a in a

joint venture with the Shenzhen government and right after that I published This research about TCL and then tcl's getting accused of back door so they basically passed the buck to TCL to try and get it back in the US and then TCL was coping heat so they just basically screwed that entire deal up and um I think now they're they're the own company and they're owned by like 40 companies and half of them are the government and yeah it's chaos um there's a reason why the TVs are cheap yeah so back on topic with John Deere so do you think uh John Deere probably would have done things differently in hindsight given now given now what I've

told you about me publicly ragging on them as as we speak I'm literally ragging on right now um done two Defcon talks about them one where I jailbroke a tractor and I'll get into that shortly but I asked I think about it would John Deere have done something differently probably yeah but the main thing is would I be would I be here talking to you today if I had not publicly disclosed the stuff about John de I wouldn't wouldn't be here wouldn't have done an fcon talk and I encourage you the audience to do more public disclosures because it helps the industry and I'll talk about that why so cuz it might save your business your

industry um companies need to be ready to receive bugs even if they don't have a bug Bounty program at the time John D didn't have a bug Bounty program they were forced to create it because of me um and they tried that little NDA Shenanigans which I impolitely declined I I actually told him to get anyway but yeah so public disclosure full public disclosure is a form of responsible disclosure you know if you if you fully publicly disclose a bug and you send the link straight to MIT the the cve gets instantly published because the bug is is public and a lot of uh ever since this law another trick as well after that TCL think a couple of

months later um because there was such a massive effect on TCL massive um part of the basically they're spying TVs anyway so um the the government put out new rules saying that in China you must submit cves or zero days through the government first or their their CT their local CT um and I and I and Casey who is is me um we both on we both have a big inkling about that and thinking that it's definitely related to the TCL issue cuz um straight after that that massive shenanigan about the share price dropping and TCL and the onop phone all that stuff the the um the Chinese government changed it so you must submit

bugs through them and so some of the Chinese researchers now they just get on alt accounts on gith home and they just dump bugs um publicly when it happen so that they I think um which one was it not um what was the big bug a couple years back Le Luna Luna what was it anyway yeah so this is a Defcon talk I did Breaking badly into agricult who's seen this talk okay sweet yeah so if you remember from that talk um there was a John Deere display I probably should have bought it actually it's uh anyway I've still got it still plays uh anyway I'll explain that in a minute but um yeah this is the flagship model at the

time um yeah I got an ex terminal emulator running on it uh I rooted the device jail broke it um got some code then I could run games like Doom um and actually it's a farming edition of Doom and you can hunt down pinky demons actually the original version of this we had we changed some of the monsters to like cows and like rabbit and stuff and then I was I sent it to someone to to say like oh what do you think what do you think and they're like dude you can't kill animals I'm like what the this what's this anyway yeah apparently it was way too Savage I'm like dude it's it's Doom like

the game is violent as um and that was the game running uh on on the that was on the stage of death gone um but yeah so sure should more bugs be publicly disclosed like that cuz you know I would have had that cool opportunity to present the John Deere Jailbreak on stage at defc con I wouldn't be here Jo I wouldn't have you know Josh wouldn't have invited me to chat um had I had I not publicly roasted John Deere um but yeah yeah again had I signed that thing would I be standing here talking today and the obviously the answer is no so anyway what can a jailbroken tractor do um what can a jailbroken tractor to do

well if we look back at the conflict in UK ukine Russia um there was a story that came out from CNN it was kind of strange because CNN was the original source and there was like it had some stuff in there about like sources and anyway it was quite quite strange story however a lot of people wrote about it and it was that Russia had stolen $5 million worth of John Deere farm equipment from a dealership in milit pole Ukraine and they had taking it back to back to um Russia and by the time they turn it back on or whatever apparently the combines had been bricked uh remotely and so people were actually John Deere thought it was a win and then

people were saying well that's kind of screwed up because like you can just bre my tractor what the hell um and if you think about it yeah they were inoperable so the problem with that is I just showed you you can play Doom on it so I became the dealer so I can now that I can play Doom on it I can totally turn that tractor back into a workable state so I can unbrick the tractor same as if you had a a phone gets iCloud locked you jailbreak it in some fashion and un unCloud lock it it would be kind of there would be a market for stolen devices um so yeah pros and

cons of jailbreaking huge security risk obviously because I just showed you you can you can run your own software on it you can delete products you can steal things you can it also highlights massive design flaws so flaws in the the entire process of um of the construction of the product there are a lot of bugs in there that I found and actually I haven't told John Deere all of them because they haven't invited me to their Hardware security program so if you're listening uh invite me dogs anyway uh allows access to Inner working and customization beyond the oem's original design so like clearly you're not supposed to play games on there you're not supposed to put YouTube on there or

additional software and in fact you can steal intellectual property from it as well you can take out software he can reverse engineer products he can find even more bugs so I'm the third party so loss of Ip to a third party me so anyway back on topic we're going to talk about some events I know Josh wants me to really talk about events and and things that are happening in a since this sort of happened so here's me didd dling and playing with the hardware and showing you how I can you know I'm the good guy right if you think about it the bad guys are involved with rant somewhere so I'm just showing you you know I could

jailbreak it oh I can play games on there John Deere thinks I'm the threat but the real threat obviously is crime um and I won I'll only show this this one and someone else will probably talk about um the gas pipeline but Colonial pipeline uh a major major major major event in the entire industrial um what's it called again ICS yeah IC industrial control control systems Etc critical infrastructure you know us gas St run dry chaos chaos in the streets um beef Supply JBS who knows what JBS is okay JBS is a Meat Processing Company uh I assume they feed to Tyson or something like that and Cargill and whatnot basically yeah they were big in

Australia big in the US in fact I think they're the biggest one in the world so they paid I think $11 million so they paid $11 million to ransomware um actors to get their plants processing again Russian hackers targeted a bunch of Iowa Grain co-ops uh $5.9 million is of the ransom something like that yeah big money right huge money for these criminals it's all Bitcoin no tax as well um another thing here the task force on Precision agriculture so this is some really interesting task force that came out this one's more about like GPS and GPRS and things like that um but you can go and watch their their interesting YouTube um videos they go

for hours and hours and hours and and they discuss things that it's all public so it's quite interesting run by the FCC um but yeah so these are all in response again Colonial pipeline millions of dollars paid FBI involved do DOS involved Department of Transport effects gasoline jet fuel oil products then we got JBS beef P poultry poultry White House is involved Department of Agriculture is involved DHS n days offline processing meat apparently I think in in Australia there were literally trucks of cattle that were waiting to be processed they were just standing at the at the plant they can't do anything they can't they can't go anywhere they're just just yeah chaos chaos paid $11 million to fix

that. AGCO, random company, another company that's one of John Deere's competitors. I won't get into it, but they make Massey Ferguson, Fendt, Challenger as far as I know, is that right? Vario, yeah, Vario as well. They lost a lot of data; they got hacked big time. Two weeks' production halt, as far as I know. Two weeks' production, that's on the assembly line, two weeks off. Crazy. And if you think about it, yeah, major damage, right? Major reputation damage, a little bit, a little bit, and yeah, just production... it's chaos. This one here, Sysco, it's a more recent event. I don't know why there's a battleship in the

background of this photo, because it's just a picture of a food truck and there's like a warship behind it. So they had a security event at the start of last year. Someone gained access in January; they didn't find out till March. That's how you know we're thinking food processing companies, you know, they're not like Delta, CrowdStrike, things like that. Yeah, so apparently they lost 126,000 Social Security numbers, as far as I know. Yeah, and you know, PII, identity theft, things like that. Another one: Dole. Who knows Dole? You know, apples, and it's got the sticker on it, Dole.

Yeah, they had an issue, and again, massive disruption in the supply chain, unable to stock shelves with certain products while they were being hacked. I don't know if they paid; they probably did, because you can imagine a fruit packing company is not going to have the same sort of cyber infrastructure as maybe Facebook, you know, or Meta. According to record.media, food and ag had more than 160 ransomware attacks last year. Now I will get into this shortly, but the Food and Ag ISAC gets mentioned here. It's kind of an interesting topic, the ISAC, Information Sharing and Analysis Center. I'm not sure if,

yeah, food and ag, there's sort of an issue going on at the moment about starting that. I think there should be two separate things, food and agriculture, but we'll get into that. Is food and security important enough yet? And obviously, if you're thinking about it now, I've told you all this stuff, and how important is it? You're thinking, yeah, it probably is, right? So what if there was a CrowdStrike-like attack on the food supply chain? Like, how fast... you think about the thousands of Delta flights that were, like, 4,000, 5,000, something. Imagine that, but in food. It's kind of, yeah, you can't grasp the sort of...

Yeah, imagine how fast the country would just descend into chaos if people couldn't eat. And not just the United States; imagine a country that maybe has a single point of failure, maybe they have one meat packer or they have one grocer or something like that, and they get ransomed, and the whole place just shuts down and descends into looting and chaos. But yeah, no need to imagine, because we already saw this sort of effect in 2020, during the pandemic, right? We got people panicking, the panic buying, run out, get stuff. And there was this article, I think this is an older story,

2008, Nine Meals from Anarchy, and it was about, basically, if oil was to run dry, petrol stations run dry, trucks would stop rolling, and supermarket shelves would be bare within 3 days. That was 2008. I honestly think with social media it would take literally one day if people caught on that things were running dry; they would go immediately and panic buy. So just keep that in mind when you think about: is food security, or food and agriculture, an important sector? And obviously it should be, and it is. And so for John Deere it became a massive priority after I hacked them. Prior to this they had nothing on their website about cyber. I

think since I hacked them, two or three years ago now (I've been hacking them a couple of times since), they've been putting it in their annual report, so that's good to see. In fact, they've actually done a lot since then, and I will give them credit, obviously, because at the time that they started bug bounty and things like that, they were the industry leader, because they were the only company that had a bug bounty at the time as far as I know. So apparently they had a John Deere Defense System Cyber Center that runs 24/7, 365, and I'm like, where were they when I hacked them the first time? I wasn't able to get... "about 6 years

ago," I'm like, well, I only hacked you guys 3 years ago. So, yeah. And last year they started the Cyber Tractor Challenge, so I'm giving them massive credit here. They started this 501(c)(3) where... who knows what the cyber, what is it, Cyber Truck Challenge? There's a whole bunch of them. Yeah, cool, there's a whole bunch of them; there's like a Cyber Boat Challenge and things like that. Basically, people in the industry in that sector come together, play with each other's machines, sounds... yeah, get people in to hack them. And if we look at the 2024 version, that's the one that just got done a couple of months back, I think it was a couple of months ago, something

like that, yeah. And as you can see, there's more than John Deere, because John Deere is the green one. You've got John Deere, Case NH (they don't like me, by the way), John Deere again, Fendt, and I think Massey Ferguson on the last one. And as you can see, that's multiple competitors coming together as an industry to work on the same sort of problem, which is kind of strange when you think about it. It's like all these companies, they're total competitors to each other, that would get a competitive edge if they were able to get ahead of their competitor, if you know what I'm... you get what I'm saying,

right? Cyber Auto, Cyber Medical, Cyber Drone, Cyber Boat. This is a kind of funny thing: they're talking about the guy who co-founded or founded those other ones, I think it's Karl Heimer. He was doubting that John Deere could pull it off, and they actually did pull it off. So the first year was just John Deere's products, and I think that's something to do with 501(c)(3) status or something; you have to do a bit of business first to turn into a charity, I'm not sure, because I'm not from the United States. But yeah, I wasn't invited to that Cyber Truck, Cyber... Cyber Tractor

Challenge, and I asked them if I could go and they said no, and it's because of one of the companies that was there; they don't like me, and I can understand why, because I also hacked them as well. But John Deere and myself, by the way, very friendly now; we've got each other on LinkedIn, we talk with the security team and things like that. But also the other companies: we've got JCB, I've spoken to Caterpillar, we've got Trimble, all of these other companies that saw the John Deere talk and learned from it and go, oh, that affects our industry too, or we're mining, or, you know, we're mining or

or we're logging, or other industries, or earth moving, earthworks. They all have similar products; you know, you've got a CAN bus controlled vehicle. Even automotive: you know, someone coming in and hacking the infotainment system in the car, or hacking the display system in the tractor, or the big Caterpillar mining truck. Everyone sort of caught on to it. Mining as well; mining was a really big one, they've got it together. Mining, they've got their own ISAC, they've got, you know, annual meetings. And I'll show you what happens when you don't work as an industry on securing each other's products. So Deere

went from no bug bounty two years ago to running the industry event, the Cyber Tractor Challenge, with two of its direct competitors. So yeah, good on you, Deere, that's good. So where are we going with food and agriculture now? There's still no real ISAC. Now, there is a Food and Ag ISAC, and again, that's Information Sharing and Analysis Center. These are the current members of the Food ISAC, and as you can clearly see, they're mainly food companies: we've got, you know, Pepsi, Cargill, Tyson, Lamb something, and potatoes. Like, what does a potato have to do with it? Actually, that's a pretty bad example, because it's directly related, but what

would a packet of PepsiCo Doritos have to do with a $500,000 combine harvester? There's literally... there's a lot of different... there's a stark contrast, and I think honestly the Food and Ag ISAC should split up. There should be a Food ISAC, there should be an Ag ISAC, and John Deere and its competitors that I mentioned here: we've got CNH, AGCO, Claas, who else is there? That's the big four, right? Yeah, that's pretty much it, yeah, there's only four major ones. They should probably come together and get organized, because if you don't, legislation happens, right? So mining doesn't have this problem; fishing probably doesn't have

this problem. If you don't work together as an industry with the competitors, Congress will get involved. So that's what actually happened. So recently, bipartisan: Tom Cotton, Froman, Kirsten Gillibrand, they actually came together and said, okay, we need a bill that is literally called the Farm and Food Cybersecurity Act. So they came up with a bill, and it's quite stern, it's quite harsh. It's like, you need to do certain things every year, certain tests every year, we need to be doing all this stuff. And I'm like, well, Deere and co, and all of the other conspirators, uh,

competitors, maybe you should all work together and do this, make this stuff yourself, before Congress makes bills for you. Yeah, the bill's quite long. It talks about, like, you have to study threats to food and ag, the impact of threats to production and processing and distribution, readiness of federal, state and local governments, and existing policies, and blah blah blah. I'm like, dude, this stuff sounds like ISO standard stuff; why couldn't you do this without legislation? Anyway, so I'm personally against... I'm more against deregulation, I prefer less intrusive government, but the bill is literally begging the industry to get organized before Congress does it for

you, and that's what they're literally doing. So all of these papers have come out since the Iowa grain co-ops got hacked, since I hacked John Deere, and all the other things that happened, and this big whirlwind of stuff happening about cybersecurity and agriculture, and people learning about what can go wrong. If, say for example, the main center of John Deere, the John Deere information center, the... where it is, Iowa, data center, gets hacked and someone pushes out a malicious update to every single John Deere tractor and you have to go and manually fix the blue screen on it, literally like CrowdStrike, right? This is a possibility.

You know, you have an insider threat, someone who works there, an activist or something, wants to push a massive update out to all of the John Deere tractors and brick them. This is stuff that's actually possible. And it would be cool if they worked together and sort of listed this stuff out. Yeah, so USDA is making their own reports about it; USAID is even chiming in, I don't know. But yeah, this one talks more about smaller nations and how they can get severely affected. Like, the US is pretty resilient, we've got a lot of different manufacturers and it's kind of diverse in terms of risk, but there are countries that would be much smaller and

much more error-prone. Anyway, so this is the last couple of slides before we get into a bit of Q&A: ISO standards. So automotive has its ISO standard, 21434, specifically for road vehicles. And I mentioned that because it's specifically for cars on the road; however, there are manufacturers of buggies and motorbikes and cranes and things that use the same OEMs and infrastructure and stuff to build the same products. They're just not on the road, but they follow the same ISO standard because it's a good standard. They don't have to follow it; they just follow it because it's good, right? As far as I know, agriculture is working on one; it's in draft status.

They should probably hurry up, like I said, before legislation comes in and forces them off. But yeah, that's as far as I know, they're working on that: 24889, 24889, the ISO standard, so, for the recording. Yeah, auto has its own ISAC. I'm comparing it to auto because you'll see in the next slide why. Auto-ISAC, really well done. They've got the ASRG, I think it is, Automotive Security Research Center; they do pen tests, they have AGMs, this cool stuff. And look how many people work together on it. You know, like everyone: Polaris, Volvo, everyone, Mazda, everyone's there. Even John Deere is there, and Case

New Holland, they're relatively new members, two new members, because they understand that the Food and Ag ISAC, who's claiming to be food and ag, should probably split up. They should have an Ag ISAC; it should be just the big four or five or whatever manufacturers, or they should say, look, we've got the Auto-ISAC, it covers it, because again, the combines and stuff, they do go on the road, and they probably can follow the 21434 that we mentioned. But the new one that you've... I don't know what it is, you said it already but I forgot. But anyway, let's get into some questions, I think. So that's my presentation for

today. Oh yeah, yeah, yeah, yeah, come on, I've got one. Yeah, got one. Yeah, can you... you should be able to hear me. Okay, okay, so I'll throw some... before we do Q&A, just some really... you can stay up if you want... some really quick facts. So my name is LP, I work in the industry, I do cybersecurity for ag. I've been doing that for probably as long as that's existed as a thing you can do, I guess. So Josh asked me to talk a little bit about what happened next, and I think Sick had a slide about this. So yeah, the websites have been hacked, right, the back

end to connected systems, a tractor has been hacked, and that's kind of the cool, sexy thing that everybody thinks about: like, the big risk is what if my tractor gets hacked. Just some really quick stats, kind of depending where you look on the internet. Various government agencies believe between 5 and 10% of the US GDP is directly ag related, so not like tier 2, tier 3 kind of stuff, but direct GDP from ag. Let's say it's 10%, which is astronomical, right? It's a really big portion of the US GDP. A significant thing to note is food and ag is one of the COC critical infrastructure sectors; we're in there. Our sector plan hasn't been updated

since 2015. The landscape of everything involved in ag since 2015 is very different, and that's the same for food production as well, once you move a crop into a factory to have some kind of consumer good made out of it. And so that's 9 years, right? 2015 is 9 years ago, just a pretty long time. So that kind of gets us to, like, okay, what's next, right? It's a big industry; a machine, the back end of a machine, has been affected. There's this really interesting thing that happens when you begin to look at cross-sector stuff. And so I think we're going to hear a little bit about water and maybe power

at some point today. One of the big things really is rail; rail is a huge cross-sector concern for ag. So if you move past what happens if I attack one person's tractor or one person's farm, how do I affect an industry? The things we know about is, like, USDA says, depending where in the country you are, after harvest time 30 to 50% of all grain moves by rail. I think probably most people here know rail infrastructure is old and people are already finding vulns in it. And so that's kind of a huge thing that has to be considered in the system of growing food and getting it to consumers. Sick made a really

interesting comment about diversity of manufacturing and not really sole-sourcing suppliers. That's kind of true. Josh and I have had a lot of talks about this over about the last year, and there are some definite points where certain types of goods, like rubber goods or electronics like ECUs, yeah, maybe they're not sole supplier, but maybe there's two, and what happens if that's affected? I think that the nine days number is not that far off as well, right? I think there are some good use cases for places like Ukraine right now, and Russia itself, where you can see how rapidly machinery begins to degrade when you don't have a parts

supply. Another one, so another critical sector obviously that applies to us is fuel, and I'm going to link that to finance as well. So the ones I have really are chemical, comms, energy, IT, transportation, water and finance. When the pipeline thing happened, everyone believes this is like an ICS thing, right? But actually what happened is their financial system went down and their way to sell oil stopped, and so they just stopped pumping oil. So it's like, okay, yeah, that's deeply important: a combine's not going to run, a tractor is not going to run without fuel, but that was actually an attack on a financial system. So that's a really big cross-sector concern

I think that exists. And then obviously water; I think we'll hear about water maybe in the next talk. There's a great talk at DEF CON in 2018, Ben Nassi, who's a researcher from Israel, with some students found and built a botnet from Internet-connected irrigation systems, and these things are like commercial Raspberry Pis with, like, Raspbian, the default creds, and they're just online controlling water. And the research showed, I got numbers from their paper this morning, with 1,400 of these devices they could drain, like, a standard American municipal water tower, it's like the big bubble on a stick, in one hour, and in most places in the nation that

they did an analysis, if they had 24,000 bots they could drain whole, like, county-wide reservoirs, like flood water and retention reservoirs, which is an astronomical water drain. And so things like this are not really yet being considered, either by the government or the industry. I think the industry has a pretty good handle on it; obviously there's always interaction, right, between industry versus, like, making a profit and regulation. But the government definitely, I think, is not aware of how interconnected some of these things are. And so the reason we're bringing them up today, really, is with Josh kicking off his new project this morning, this is a pretty good time to really talk about big cross-

sector concerns that we have, and especially since we're doing the ag thing, why not bring it up. A note on this last slide that Sick had about the Cybersecurity Act of 2024: is it still up? Yeah, it's here somewhere, right. I didn't write... yeah, yeah. So it's interesting you said you didn't write... a couple of people in this room were in Congress in January talking to people about what makes sense to be in the bill, right? One of the good things is this initial bill is exploratory; it gives the industry time to work together. It's really a bill about doing an investigation, writing a report, identifying big threats.

I think Josh and I are pretty confident all of the biggest threats won't be towards a singular industry; they'll be cross-sector threats that really grind things to a halt as a system. I think probably Q&A now, right? Yeah, so we're going to go into Q&A now, but here's the thing: it's questions and answers, no comments, okay? So if you make a comment I'm going to take the mic back, so you've got to have a fast, no kidding, fast question; they'll get a fast answer. Hang on. Thanks, everyone, great presentation, great message. Just curious, a lot of us here are here for their technical proclivities, but

for the non-technical person, what can the non-technical person do to help solve cybersecurity problems in critical infrastructure like agriculture or others? Yeah, I think, like I said, working together, working with other companies in the industry, like cyber is a shared risk. And you have to, like, ask this guy: how difficult do you think, just thinking, how difficult do you think it was for Deere to pick up the phone and say, hey CNH, hey AGCO, let's work on fixing this issue in the industry? How difficult would that phone call be, or do you think that was the original plan? And I'm sorry, I question your question with a question to this guy. So yeah, I mean, it's a good... so your

question, obviously, difficult, right? The answer is extremely difficult, yeah, especially when you're in a public company and your industry hasn't gone through, like, the cyber thing. You see this pattern, right, it's over and over and over. It's like, you can't work with the competition, it's a competitive advantage, our lawyers will be mad, shareholders will be mad, blah blah blah, right? And what happens is the big bad will happen to someone, and then kind of slowly everyone's like, oh, this other industry did this, and security actually only happens when we all do it together, right? I think, right, you call it the big bad. Yeah, that's actually what... yeah, I think, because when I hacked Deere all of the

competitors were like, oh, that could happen to us. You know, you might know about it, another industry knows about it... sorry, all the other competitors, and they would reach out to me eventually, be like, oh dude, I love that talk, about this, that we also are implementing some changes at the company now because of that. Or, you know, I remember one guy at Trimble that I spoke to who was at DEF CON. He said, the year after we spoke... Trimble's a guidance company, GPS, that actually feeds into a lot of the ag companies as well, and also a bunch of other industries as well. And I was like,

hey dude, what's happened in the last year? He's like, oh dude, I've got a whole team now. He was able to access the CEO and be like, oh dude, we need a team, look at this talk, we need a team now. So I think you're right, the industry might need an event. But your question initially is, like, how do we, as mostly, ostensibly, like, deeply technical people, relay these things to people that are not, right? And I think the answer is, one is, like, knowing or being someone that's really good at communications, right? You have to tailor a message to the audience. A lot

of times doing that through examples, right? Like, the biggest thing is communication and outreach. It's easier if you stick to a thing you know, so if you don't know anything about ag I wouldn't say, like, hey, go and give these talking points to just some random guy driving a tractor, right? But it is, like, people you know in a community, you know, it's trying to build good mental models for them that they can understand, like relate it to something else and explain those things. Then it does get a bit tricky, right? Ultimately with most things that are in industry, you vote with money, right? And so if people are

buying things in any industry and you want to promote secure things, one of the best things you can do is, like, oh, you know, I heard you're going to go buy, like, whatever, a new electric bicycle; I just happen to see, like, this one's really secure and that one's kind of this random thing, and stuff like that. I think that really is where it begins. All right, as fast as you can. I'm only familiar with farms that do fruits and vegetables, so when you're talking about the ISAC not really making sense for food and agriculture, can you draw the distinction, TL;DR, like what you see as the division? Yeah, for me, when I think, when

I think agriculture, in my head I'm thinking like smart ag, because for me, like, there's no security in a potato in the ground, you know what I mean? But when you think about, for me, it's the machines and stuff like that, the hardware stuff, because I'm a hardware hacker. I think so, right? Yeah, yeah, so, like, I focus on that half of it, and so for me the bag of chips at the whatever is not relevant to me. That's how I just think, I do it like that. But I think there's an issue with this: the Food and Ag ISAC is run by the IT-ISAC, and

as you can see, like, no one's picking up on it. The bigger thing is that, like, the Food and Ag ISAC appears right now to be geared towards food, like food production once it's left a field, right? And so that gap of, like, the OEM to how does that thing get on a truck or in a train is what's not covered there, really. But again, when we talk about splitting it up, we both agree that it's all part of the system as well, and it needs to be that as well. So maybe they need to... yeah, I just personally think they should

get a little bit more organized, the companies and the ISAC. Yeah, awesome stuff. This is probably for LP, but either one of you: we're talking about cross-sector dependencies; you're going to hear from Christian Dameff later about hospitals closing in rural America, you're going to hear about water in a minute. Given the concentration of how many crops are done by fewer mega farms now, and geographically, what's the nexus of: if a hospital goes down, does it affect the workforce or production? If there's a water attack, does it affect overwatering or underwatering? Has anyone looked at which parts of the country can't have a hospital failure, that type of

thing? Yeah, that's an excellent question. I think some... I mean, so, like, you actually asked me this a few weeks ago, right, I think to prime it, and I cannot stop thinking about it all the time, specifically the hospital thing. Some of them are really obvious, right? If there's some kind of water impact in a crop-heavy farming kind of region, like, obviously, yeah, there's huge impact. I think weather's a really good example, right, because weather's unpredictable and it can affect an entire year's crop, right? But then, like, what he's talking about, like, so there's this interesting thing happening: rural hospitals all over America closing due

to lack of funding, aggregation of resources, big hospitals, right, blah blah blah. But yeah, what happens, right, if you're the 70-year-old guy and you're out on the farm and you fall off the tractor, you get some kind of small industrial accident, right? Is there an impact regionally to farming? And I think, yeah, reasonably, after thinking about it for two weeks: obviously people are less inclined to get the care they need, that takes them out of the field, production slows down. Is there some kind of event horizon where, if too many close, one of the things people care about is healthcare, either they don't get it so production suffers or people choose to

stop doing that job? I think it's absolutely a real thing that's not considered. I've got one note to that. I remember Kevin Kenney saying to me, when Akamai went down briefly, I think about one and a half years ago, two years ago, John Deere Operations Center is behind Akamai, and Kevin called me up, he goes, dude... Kevin's from Nebraska, really funny guy, and he's like, dude, the John Deere Operations Center's down. And I'm like... that's my American accent, by the way, that was really good, yes. Yeah, so he's like, dude, it's down. I'm like, dude, what does that mean? He's like, there's not enough toilet paper in the Midwest to clean this mess

up. And it stuck in my head, that quote. So, you know, that John Deere Operations Center is where some of the information about guidance and stuff goes back; it's also the place where I was able to submit VIN numbers and get information back about the customers. But yeah, if that goes down, then, I mean, what would the other competitors... they're not as much... I don't know much about the competitors, so I know a lot about John Deere because I've hacked them a lot. So, I mean, all of the big ones are global multinationals, right? Right, okay. Perhaps the last question. Yeah, so, I mean, obviously everyone would notice and it would suck

really bad if, like, every John Deere tractor in the country got bricked, but critical infrastructure is a geopolitical issue, and so what if there was, hypothetically, a piece of malware that made everything in a certain fleet 3% less effective? Like, maybe it oversprays, or they're not on track as much as they should be. How resilient do you think the industry is to that? And then on top of that, how quickly do you think that would even be tracked as a cyber issue and not just a mechanical one or farm failure or something like that? I mean, complex topic. I'm not the best at the small-scale code stuff on the ECUs, but I know

from a competitor that I was... I can't talk about it, NDA. So let's... that's a really... that one's an interesting question, right? So let's say... the first question you can ask is, what kind of gain do you get from smart and precision agricultural equipment that you don't get from someone manually sitting in a cab, right? And you get widely varying claims, right, but kind of the industry, you see numbers; I never see anything that exceeds 10%, and that seems to be the high, right? You buy this one expensive system, you'll get single-digit percentage gain, which is still huge. But there's a lot of variability

in soil quality and bugs and weather and whatnot, right? I think it would take maybe until you're kind of a co-op selling grain before someone noticed in the data, and I'm not sure it'd be agricultural companies as much as it would be financial people doing, like, stuff with futures, right, realizing a consistent, significant disparity. But that may not be true; it's kind of a guess, right? Do I think that could happen? Yeah, absolutely, I think it could. Do I think 3%... if you could affect everything 3 or 4% at a nation-state level, that's giving someone a huge advantage. So definitely a thing that has to be watched out for. But also the solutions to that

come to some really common cybersecurity stuff, right? It's like sign code and make sure you'll only accept a signed update on an ECU. Don't give half a million machines all the same key, right, when you sign that software, stuff like that. Or if you have root, like I... you can, you can... don't let people be root, yeah. You can change it, skip key check equals, like, one, so you can sign your own packages and update it. So I think that was the last question, right? If anyone else wants to ask us questions, you can come up, I guess, after, like, the con or something. Yeah, please join me in

thanking our wonderful speakers.

Extremely excited about this. We've got Mr. Dean Ford, who's going to talk to us about

water. So we'll get all set

up.




What? I'm not on... what? I am not on Twitter, I'm not on Facebook, I'm not on anything. LinkedIn? I'm on LinkedIn. How's it going, guys? I just want to reiterate our photo policy. I know that your natural impulse, when you see something really awesome and cool and generally good for everyone everywhere, is to put your phone out and take a picture, but everything is recorded for everyone's convenience, so if you could really avoid that impulse we'd all greatly appreciate it. Thank you very much. All right, well, with that, we are just so delighted to welcome Mr. Dean Ford to the stage. Dean was with us last year and really laid down

the truth regarding water systems. The thing I love about Dean is he is a water system practitioner first; he's literally installing and maintaining water systems across this country, and Josh and I and others are, like, helping him to not sleep because we're talking about cyber stuff. So Dean brings the experience of hands-on application of actual technology and associated dangers to the discussion. So please join me in welcoming Dean to the stage. Thank you, sir. Thank you. All right, so I feel like this is lower now. Check, test, good, okay. Thank you. Okay, everyone, so, third time here. This year we're talking a little bit more. Josh has once again informed me of

some things that I didn't know about, and now I can't sleep anymore. So some of these slides are just for anybody that needs the deck, but real quick: I'm not an operator, I'm an automation professional and a professional engineer. So my job, I have a duty to protect the public; that's what being a PE means. My personal license is on the line for all the work that I do. And where I focus is the area of operational technology. Some of you probably know it as ICS, industrial control systems, or automation, or, not really robots, but it's all kind of the same stuff. It's not IT. I'm

not a hacker, I'm not a cyber guy, but I can certainly find the problems when those things occur, and, as three or four personality profiles have told me, I'm a challenger of basic assumptions. That's probably why we get along so well. I have four basic principles. One: there is no such thing as an accident. That is an impossibility. Someone has made a decision, someone has put something in motion to cause an incident to occur. There is no such thing as an accident. People are the asset. So we talk about all these assets and da da da; unfortunately the finance people have figured this out. Excuse me, on the balance sheet you all are liabilities.

I never have understood that, especially if you're a consulting firm, when what you do is sell people: your people are a liability, not on the asset side of the equation. One of these days they'll figure that out. I'm really excited about cyber from the standpoint that it is the great unifier. It is the one topic that every business division in any company has to get unified on, or they're going to have a lot of problems, right? So I see that as a huge opportunity, and in my opinion cyber is just one of many, many, many risks that we have to manage every day. So I think one of the talks earlier was about risk management;

that's really what cyber is. All right, so let's get going here, let's go on a journey. Let's talk about where we've been over the last couple of years, where we are and where we're going, and what we can do to change the path. So last year, or the year before, I think I threw this one up just to give everybody an idea of just where it is that your water comes from, and how much we as humans impact that. If you're a climate denier, you know, I'm sorry; science doesn't care what you believe. So the thing is that, you know, snow, it's just a big cycle, right? We

don't create water. There's no magical hand that comes down and creates water; it's always in a cycle, and we contaminate the hell out of it with everything that we do, and we let the ground suck all the contaminants out, we put it back in and it starts all over, right? So just as a point, as we run it through: water is one of the few resources we only use once. Now there are some cities that are starting to get smarter about that, but if you think about it, when you flush the toilet, where does it go? Back into the river for the next city to suck in and process and

ship out, right? But you've only used it once. Like I said, there are some cities that are getting a lot smarter; you'll see the purple pipes, it's a universal color for recycled water. It's not treated well enough to drink, but it's treated well enough to water your grass, which is a concept I've never understood. So also, you know, water is a utility, right? So think of an electric system: electric systems and water systems all have the same customer. They both have meters on the facility, they've got some delivery device into the facility. The difference is that there is no national grid of water,

right? So I can't buy water if I'm in Maryland, I can't buy water from LA, from a wind farm or from a lake, right? So all your systems are local, so the water that you're drinking at home might not even be the same water you're drinking at work, right? It might be two entirely different systems, which also means two entirely different sources. When you get into water, you can pull water from rivers, you can pull it from a reservoir or a lake, you can pump it up out of the ground; there's a lot of different areas. The failures that occur in those systems can wreak havoc, but it's localized, right? Let's think back

not too long ago to Jackson, Mississippi, right? Completely shut down a town that was already in bad shape. And on the water side we have to treat the water; you know, the electrical guys, they just pump it to you and then the electrons go off into the ground and you suck them back later, right? Water, we've got to do something with it. We can't just dump it on the ground, we've got to treat it, and we've got to make sure that it goes back into a clean environment. So has anybody been in the water industry, or complex manufacturing? So let's talk a little bit about what an OT network might look like,

or a water network at a facility, and why this problem is so complex. So this is just a very high level view of all the different systems that exist at a water utility. There's a lot of point solutions. One of the challenges that water utilities have is they don't have the money or the expertise to go out and buy SAP that combines a bunch of stuff into one database, right? They end up with a ton of little point solutions. So your customer data, you as a billing customer receiving a bill, that might be sitting in one database, but the data about the meter on the side

of your house is in another database; the pipe that's going into your house is going to be over in another database. It's just a hodgepodge of information, and, as I'm sure we all understand, what happens when we have all sorts of different pieces of data all floating around out there? It increases our attack surface, right? Did I get that right? All right. So the other challenge that I see in the water industry is we've got a ton of vendors coming in and saying, oh, you know what, I'll improve your billing by 10%, give me all your data and I want

to pump it up to the cloud, and now you've got a connection to the cloud. A lot of utilities are moving to smart meters; great stuff, right, smart meters. Did you know that I can tell if you have a prostate cancer issue from your water meter? If you flush a toilet a lot at night, when you should be sleeping, generally somebody has some kind of an issue that we're dealing with. The water utility doesn't own that data; when they hire a Badger Meter or somebody else, they give up the right to that data. So it's kind of like the Facebook metadata stuff, right, or the NSA and

the metadata, right? You don't know where that data is going. So, you know, that's what it is. On the OT side: so if that was the overall network, the enterprise network, then on the OT side this is a pretty good example of the challenge that we've got. A water system is similar to an electric system in that it's a geographic nightmare, right? It can span for hundreds of square miles. I might have a pumping station on one side of a mountain that I've got to talk back to the main, where the water source is, and I've got to pass all that stuff through. So again, attack surfaces are

everywhere. A lot of these networks are so old; you know, they're 450 megahertz radios out there talking to each other. Guess what, when those things went in there wasn't such a thing as encryption. You've got to really try to get onto the network, but it's possible. So again, a lot of stuff going on there. The cost of improving these systems ranges in the tens of millions of dollars to go in and swap this stuff out. There's a lot of ways to do that, but, you know, who pays? And I'll throw a number out: does anybody in here pay more than $100 a

month for their water bill, right? It's probably costing the utility $200 a month to deliver it to you, but we talk about raising the utility fee by pennies and everybody has a heart attack. So this is an area that's very underfunded and requires a lot of grants and things to make that stuff work, so replacing this stuff isn't in the future. So there's a report that came out recently, 2012, that said, hey guys, we have a problem. This was like at the beginning of all the infrastructure talks, right, infrastructure week, da da da. Well, in 2012 the water industry came out and said, hey, we've got a trillion dollar

problem. Forget about all the technologies; we're talking about the pipes in the ground. We've got to get out and replace all the pipes in the ground that were only supposed to last 60 years, 50 years; they're now approaching 100 years. There are still pipes we're digging out of the ground in New York City, some of the bigger cities that have been around a little bit longer, that are wooden, cast iron. Everybody remember Flint, Michigan, all the lead problems, right? So that problem has not fixed itself, and it's only getting worse. So keep that in mind as we talk about a few other things. So I say cyber is barely on the radar. If

you look down at, you know, computers and workstations and cyber and Cisco switches and things like that, they're all on these cycles, right? When you get into it you get budgets for that stuff. You know, who's working on a laptop that's older than four years old, right, from your company? I can tell you that I readily go in and assess control systems; you get to do your email on a four-year-old machine, but you're running your plant on an NT box. It might be under 10 years old, maybe. So we've got this huge disparity between the control systems, the brains of the entire operation, and some of the stuff is so

old it won't run on anything else, so now we've got to keep things alive based on eBay. But more importantly, the 60-year-old stuff, the stuff that's in the ground, the pipes, we haven't been able to figure out how to replace that. I remember having a conversation with one surprisingly large city, and they were talking about, oh yeah, we're replacing 10 miles of pipe a year. And so I was like, okay, so you've got like 3,800 miles of pipe; so at 10 miles, correct me if I'm wrong, but the pipe is going to be obsolete before you get back around to replace it

again. It's like, you know, I'm not a mathematician, but I know how to use Excel. So this stuff is going on all the time, and unfortunately there's just a lot of competing folks in line for the money, right? And then this is the other one that has cracked me up. So I entered the water industry about 2014, and I was all excited about how everybody talks to each other and they do these surveys and everything. So this was the most recent survey, from 2021, and I should have found the one from 2014 because it's identical. Well, I mean, they move around, but they never change, right? They

never say, hey, my God, cyber security, big problem. Well, until I started talking to Josh; big mistake. So each year it's the same list, only it's in a slightly different order, right? And I started to call it the fad list, because whatever everybody kind of thinks is the issue is what shows up; there's not really a whole lot of analysis. So since our last meeting there's been a few things going on that have been pretty exciting to my mind. We had some presidential strategy coming around, a call for the EPA, who, if you didn't know, the EPA goes out and inspects every water system. It's a

sanitary inspection, a sanitary survey. They go out to every water system, I think on a yearly basis, might be every other year, just to make sure that things are in good shape, right? They're checking that you're doing your samples correctly and your equipment's working and stuff. So, brilliant idea: let's use that same resource to go out and also do a quick assessment on the cyber security posture of these facilities. So that got shot down by the water industry, because we don't want anybody coming in telling us what to do. A lot of internal arguments going on about that. I don't quite understand why. You

know, to me it was something we could start to work with; at least it was a good framework. The people inside the water industry have been asking for something like this for a long time, but we decided to shoot it down. Our friend Volt Typhoon, thank you Josh, another thing I was very happy not knowing about, that has been revealed. Does everybody remember the little pump attack on the Israeli pumps that came out a little while ago? We're going to use that as an example here in a little bit. That's been new, and I'll defer to Josh for this one because I don't know a lot about it, but this is where some of the

current thinking on that has really got me engaged, about the cascading failures, right? So we'll use that here in a little bit as well. CrowdStrike, so everybody remembers; well, I don't know, there's a few folks in here that might not know this, but how many people remember the old saying, nobody ever got fired for hiring IBM, right? We're going to go out and get CrowdStrike because they're the best and we'll be protected, right? So Ira was talking earlier about open source, how he doesn't understand why people don't understand open source. I understand it fully: I can't sue open source, I can't transfer liability to open source. Well, if I'm the

general manager and I'm trying to figure all this stuff out, my insurance companies want to know what the hell we're doing for cyber. Ah, we got CrowdStrike. So, you know, diversification of vendors I think is a very important problem that we've got to start dealing with. And then I do agree with Ira's hockey stick thing: Dragos, CrowdStrike, they're not out there to do c, they're out there to make money; let's just be honest about it, right? And then this whole concept of cascading failure across sectors, we'll do a little bit of exercises on that here in a minute. So is everybody following this concept? Any questions yet on where

your water situation stands, where your water's from, before I roll into some exercises? Does everybody know where your water comes from? Is it wells or aquifers or a lake or a reservoir? Do you know what plant it's coming from? Do you know how old your pipes are? This is all publicly available information; you can go and ask for it. Okay, well, we'll keep on rolling then. Ready for the audience participation? Did I cover everything? Keep going. Okay, so let's get into some of this. What is a cascading failure? Anybody? Down, right, rolling on down: one failure happens into the next one into the next one, right? It just keeps, like, what's another word for the dominoes, right? Boom boom boom boom boom,

right? So one failure triggers another failure, triggers another failure, triggers another failure. So let's do a little example; we'll pick an easy one. Oh, I should have coordinated this and turned the lights off at the same time. Rats. So power goes off in this hotel right now. What's the next thing that happens? What do you think happens? What was that? The generator comes on. But what's the generator going to

run? Well, no, I'm sorry, the generator is really just going to power the life safety type stuff, right? Some of the lights, not all the lights. I bet the AC is going to turn off, right? But it's going to control enough stuff that ensures the safety of people, right? That's all the requirement is. You don't have to keep the cash register on, although I'm sure they do here; that's life safety to them. So kind of get that process, right? So the generator comes on; what else do you think is going to happen? They're going to escort us out? All right, there's going to be something happening with people, right? Do you think there

I'm sorry? We're going to turn the flashlight on. Everybody's going to turn their flashlights on. So there's going to be a little bit of confusion, right? Everybody's going to try and figure out what's going on, where they are. Is anybody going to panic? Yes, yes, yes. Is it rational panicking? Maybe, maybe, especially if you're in the bathroom, right, and it goes totally dark. What else stops? Air conditioning is going to stop. What's it going to do in here when it's 112? Did it finally, where are we right now? Yeah, when it's that hot outside, how long are we going to be

comfortable? So I can keep asking what else is going to happen. Elevators, throw them out here. Elevators will fail; elevators will stop, elevators will likely stop, and that makes sense, right? You're not supposed to use an elevator in a fire, so it's kind of the same thing. Do you think there's going to be notifications that go out? Maybe. I bet the fire alarm will probably call out, right, and say, hey, we've lost power, we'll need help of some kind. Eventually move people to a different hotel, maybe. Let's say it's a long outage, right, so it's longer than a day. I doubt

anybody's going to let somebody sleep in a 112 degree room, right? So yeah, there'll be a pretty big massive evacuation. So can we all say, though, it's going to be pretty controlled? I mean, there's no real life threatening emergency going on at the hotel, unless somebody gets trampled in a mass panic or something, right? What was that? I'm sorry? The hotel doors may or may not open. Oh yeah, well, in fairness, there's a mechanical piece to that, right? They all have breakaways, so I don't know if you noticed that, but every one of those doors will break away. So I would argue that there is in fact potential

for life-threatening issues, because if you have people who are on insulin, if you've got people attending this convention, or in their rooms, and they have insulin and they lose their fridge, they're going to need to go to the hospital or they're going to die, right? Interesting. So we might have, all of a sudden, a real supply problem, right? All of a sudden a bunch of insulin that's in these refrigerators is going to go bad; well, they've got to go replace that from somewhere. Great. Sorry, now that you mention that, thank you for the fridge, I was going to say you have all the restaurants here, you have everything that depends on it, so all that food's going

to spoil. Not to mention the casino; you know, they'll lock up the trays so there won't be any more income coming in. So, good. Yeah, but everybody's going to want their money back on their machines; that's right, I won this. What happens? That could be turned into a panic attack. As someone who lives in Houston and spent nine days in July without power in our area, deregulation at its finest, although in all fairness I have a whole house generator so my house is air conditioned. But here's all the little things that people are bringing up: there's a myriad, a ton of disassociated issues that cannot be centrally managed. The city can manage some things,

traffic lights; the city can manage some things, getting gas to gas stations; the city can't manage insulin, people going to the ER; the city can't manage all sorts of tons of different things. And so one thing trips off a wide variety of unmanaged events, and there's where your little mess becomes... He's not a plant, okay. You had one? I was going to say, first, nine days is a really long time, yeah, but I mean, I've lived in New York City for 27 years; we had a blackout in 2003. Sorry, I was going to say I lived in New York City when the big brownout, there was a big blackout in 2003. The

city did not panic. I mean, everyone kept their cool. Granted, the power went back on about 6 hours later. You know, the stores were giving away ice cream, it was kind of a carnival atmosphere, it was a nice sunny day; it wasn't like there was a storm bearing down on us, right? But the mass panic that you might envision, that doesn't really happen. We didn't have looting this time; we did in '77, but this time things were pretty cool. Now, nine days, that might be different, right? Right, fair point. So, oh yeah, this one wants a local perspective. Yeah, so all the hotels are on a solar grid; they went off the main grid, I think it

was like four or five years ago, so they're all on their own grid, they all pay for solar power. You'll see them out in the desert in different places; kind of a good idea. Also we're a number one destination, a terrorist city potentially, so we have systems; we've got a lot of number ones going on here. So in a regular place, yes, very much. But even, and then as far as people panicking, how many were at DEF CON last year? How many were at the bomb threat last year? Like, no one panicked, everyone was just, okay, I'm going to leave. So what you'd also see immediately is there's a lot of plain clothes officers; there's also a

fire station on the Strip, which would immediately all go into action until they know it wasn't a terrorist event. Great, you're all falling into my

web. So I think it's fascinating and worth punctuating that it really matters how long the downtime is. So we can usually have a downtime tolerance and a recovery time objective, but most of these infrastructure plannings are not really thinking through how bad it can get. And then on the solar panel thing, I'm going to call an audible and give this to one of our future speakers. [Laughter] So for one hotel, fair enough, there might be a backup generator; for the rest of them, the way the grid is set up around the Strip, there's small pockets of micro grids that would kick in for maybe 4 hours, right? But other than that, the solar can't actually... this

is one thing that's actually caused fights and riots in other cities: people believe that their solar is going to give them backup generation. They were mis-sold it by a whole bunch of installers over the years; I'm going to get murdered for saying this by someone, but yeah, they mis-sold it over the years, and so people started to believe they'd spent all this money on backup generation, and it was actually just a solar plant that couldn't do it. So there's this interesting feature of renewable energy that's also creating riots during outages, which is fun. So China? It's all China, it's all made in China. Yeah, so what are some common themes

there? So the duration of the outage matters, right? How impactful it is to life matters. Size, geographic area, size. I won't say that. [Laughter] Can we get in trouble for stuff like that? True, right. I passed through something in the airport that says if it happens here, it happened here. The question of how long is it known now, that's a great point, right? So when it initially happens there's a bunch of people that get deployed to start figuring that out, but that never really gets out there; it's like sitting at the gate, it's like, what's going on now? So for the folks on the video, the

statement that Art made, which was very profound, is that when the event happens, while you're in the event, you don't literally know the duration of the event, right? And people get mad generally when they don't have a planning horizon, because they don't know if they should stay or they should go, or, if they go, where should they go. Yeah, yep, that's a great point. And the other part that's a little more difficult to pick up on, and Josh has educated me on this: the other thing that we're relying on there is that the people that we're relying on aren't living the same thing that we're living, right? So the

firefighters have a place to go that has electricity and air conditioning; the hospitals, all those folks have a place to go and come back to work and help us out. You had another point? We believe that the city of Houston found stations where the backup generators weren't even installed. Repeat that? So what he was saying was the city of Houston discovered nine fire stations had physically had a generator, but it wasn't installed. Perfect. The regulations in the city you live in, yeah, really? Okay, got to repeat it. So, damn. So the regulations in the city you live in can also impact this; in the case

of Vegas, air conditioning is fairly important. Hey, one thing: who won't have power is the lineman or line workers' families; that's usually one of the more interesting ones. If the whole city was out, the people that actually need to come and probably fix something and check what's gone off generally also have families who will be stuck with nothing. And so we're getting there now; the web is starting to get bigger.

Yes, so the first thing that might lead to some panic is whether your cell phone still has coverage, right, so whether the tower's still alive, so how big is this outage. Kind of to add to the point of the person over there that mentioned the regulation: this past winter we had an outage on the coast in Oregon, and my co-workers with their solar, that they were promised would work during the outage, which was about a week, found out as soon as power went out that the converter wasn't set up to flip over to the backup, but it had never been tested. And I think that kind of goes

to a lot of the points, that there's no testing in a lot of it, right? Good point, so a false sense of security. All right, so I'm weaving a web here. So let's take a different scenario; let's talk about the CyberAv3ngers attack. So some pump controller, I could care less, I couldn't care less, where it was made. So let's just say some device, I think we talked a little bit about that with the tractors earlier, some device out there, right, that somebody's embedded some software into, and they decide one day they wake up on the wrong side of the bed and they turn it all

off. In the OT world, the best thing that we normally do is we just start replacing stuff. So let's say this is a CrowdStrike-level controller, so everybody's got four, two, one, whatever. So these things fail; we can probably get by, there's portable generators, portable pumps. The water industry has got a lot of backups, so we can probably throw something in there for a little while, but we need to replace this controller. So we're going to call who? Call the person that gave it to us, right, installed it for us. So they're going to need, okay, so now I've got this, all of a sudden, this tiny little company

that probably doesn't have, you know, who knows where they're made, but all of a sudden they're going to get hit. So we're talking supply chain. So let's start thinking about what happens in a supply chain around something like this. So are they going to have a hundred of these things, are they going to have 10, 2,000 of these things sitting around? Most likely not. And so the lead time on stuff like this is generally weeks. You know, thanks to our friends in the automotive industry and just-in-time manufacturing, there's not a lot of spare inventory lying around. A lot of times when we do capital projects, one of

the line items in the capital project is to supply the project with spares, critical spares. I am shocked at how many times that actually doesn't happen; that money ends up going somewhere else in the job and the shelves are bare. Yes, sir? I think you had commented earlier, like, this might be a small company, maybe they don't have a whole lot of customer service reps. This leads potentially to an information vacuum, at which point malicious people might start taking advantage of the situation. Yeah.

Yep. Now I know this is a hypothetical, but if I recall, that compromise, or, scare quotes, hacking, was a password of 1111, and couldn't we assume that if it's replaced by the same manufacturer, the new replacements also have said flaw? Information vacuum: do we even know at the time, did we even know what it was, right? We just knew that this thing was acting up, and if I recall right, this actually didn't cause any damage; this was a threat that came up, and I think one utility or two utilities actually had a problem. I want to bring you back to your earlier slide about how many little water companies there actually

are. This is not dealing with big water companies; this is dealing with, literally, right there, 151,000 different water companies. How many of those, and this is a question for you because you've been there, would even know what sub and what year installed that stuff? So do they even know who to call, do they even know they have a problem? Exactly, short of, oh, it's not working, now I have to go get someone like your company to come out and figure out why it's not working, right? And it's kind of like when air conditioning season starts anywhere in the country, HVAC companies are like ka-ching. That's a great point. So anyway, what I was trying to do

here: think of also the toilet paper crisis, right? There was no real toilet paper crisis, but we sure as hell manufactured one, right, and out of what? But did somebody else have a, sorry, you in the blue shirt.

Yeah, so with the pump controller, if that's the one model that's everywhere, then everything that's in stock is also that one model, which means your supply chain is just gone, which means you have to go back to manufacturing, right, and redesign something or whatever, rework. And then the issue with the toilet paper: mostly, there was plenty of toilet paper; the problem is it was in the wrong format, because the toilet paper that went to corporate locations was in excess, they had way too much of it, but the toilet paper for home use, there wasn't, there

was actually a supply issue, right, because of where people were using it. Yep, yep. So, just trying to get us to think a little bit about supply chain. So the first scenario was thinking about the people and what's going on in your world; this one's a little bit about supply chain. So guess what, let's bring them all together. City of Las Vegas; a smarter presenter would have looked this up before the presentation. I know the city has one major utility, but let's just say that the whole thing fails. Now how could it fail? Funny you should ask. So again, Vegas probably isn't as bad, but let's

pick, maybe I should have picked a different location, but if somebody were to get into the controllers in the ICS system and hit everything with a water spike or water hammer. Does everybody know what that is, water hammer? So if I change the direction or the velocity quickly in water, it creates something that's basically the speed of sound, and it moves through the water pipe in a spike, and it generally sounds like somebody's hit the pipe with a hammer: water hammer. So you can hear these things in manufacturing; that happens all the time. Well, if you've got a pipe that's 70, 80 years old, it was only

supposed to be in the ground for 40 years, and you hit it with a spike that might be two or three times its design capacity, brittle equipment, over design pressure, what might possibly happen? Poof, right? Worse than that, it's probably going to go poof in multiple locations, not just one, because a spike rolls through the whole system. So that's the water hammer, right? So everybody learned a little process today; it'll be on the test, lock the door. So what we've got to do then is say, okay, well, how big of a deal is it to create something like that? Well, I could use a pump controller if I'm flowing and I'm keeping pressure.

Average water pressure at somebody's house is about 60 pounds; 45 to 80 is kind of what the rules are. But let's say we hit that thing, or we can stop a pump, we can stop a whole system. So going from 60 pounds to zero, or zero to 60 pounds, either way can cause a problem. It's going to be a lot easier to stop it; so if we could stop it, we could close a valve and send the shock wave through the system. Either way we can create some pretty big problems, right? So I don't want people to think that this isn't something that can happen; this is something that can happen. There's a

lot of equipment in place to keep these things from happening. We put devices on valves so that they close very slowly regardless of what the control system's doing. So there's a lot of mechanical things in place, but it can happen. So let's just say we take out a couple of the big mains that are feeding the whole system, right, or we take out a couple of plants. So Josh has been wanting to talk about this for weeks, so let's start down the process. So there is no water. Turn on the tap: we're all going to have water for a little while, we're going to be able to flush

the toilet for a little bit, because gravity is our friend in water, right? So the reason we put water towers up: that's a direct pipe to your house. We don't control it; just however tall the tower is, that's how much pressure you've got at your house, right? And then there's regulators throughout the system. So all those tanks are going to have to empty out; we're not going to be able to refill them. But somebody's going to be out there watering their grass in the middle of a water outage, and all that water is going to go somewhere it's not needed, because, you know, it's

America, we don't tell people what to do, so we don't control that stuff. So a couple of days, maybe, maybe we get by for 24 hours. Let's just say that we get by for 24 hours, and now you turn on the water faucet and it's done. What happens next? So you don't have water at home, you don't have water at the office. Who else doesn't have water? Restaurants. Restaurants don't have water. So electricity is still on, so the food in the fridge is okay, but you can't wash it or clean up. Or fire hydrants. Fire hydrants don't have water. Guess what, your fire hydrants, guess where they're fed from? Same place as your

house. I got one for you, Dean. Sir? The data centers that need about 5 million gallons a day; there's a couple of major hubs here. Those servers can't run without water. Agreed, yes, I will just make it simple, yes. So this concept of losing your tower might be a real possibility. My dentist's office will close. Why would your dentist's office close, David? Because without water the nice person can't spray water into my face as they clean my teeth. Okay, fair, so they'll close. Yeah, and my teeth will not be clean. And we don't want that. No. It will probably shut down the

airport. The airport is going to shut down. You can't run an airport without air crash rescue, without fire trucks, and if fire trucks don't have water they can't make foam, and if you don't have a fire department you can't run commercial airplanes. What would happen here at the hotel? We'd all cook. No restaurants, no AC, no restaurants, no fire protection. Are you going to be able to occupy a building without fire protection? With fire watch. But most people are going to want to check out and go where? Airport. So that's not going to work. So where are they going to go next? Rent a car. Rent a car. You think there's enough

rental cars here? Somebody said one word, it was a very important word, started with an H. H, hospital. Hospital, hospitals, hospitals. So we can't run a hospital without water.

That's all right, we just put off all the elective surgery. Oh wait, there's already patients in there. So all the people that we were relying on to help us evacuate from here, they don't have water either. Dehydration. Population. Population, what was it? So we'll be able to use up some drinking water bottles for a little while, right? So Christian's probably, hopefully, going to double-click on this in his talk, but not only does the hospital come to a screeching halt pretty quickly, but the surrounding population gets dehydrated and needs medical attention. So decreased capacity combined with elevated needs, right? So now do you start to see this cascading failure scenario, right? So we

won't have to belabor this much more; I think everybody sees where we're going with this, and nobody's running for the hills yet. Maybe it's not a good idea to build a city, maybe it's not a good idea to build a city of a million people in the middle of a desert. Put that into your tourism commission there. So anyway, this concept of cascading failure to me is a fairly new concept. You know, we've all talked about our individual sectors having problems and what that does. I think COVID and some other things and some of the advanced thinking that Josh and his guys are doing has been pretty interesting around this. So

just talking through some demand-side users. So we lose the water plant, we lose our source of water. Residential: you're no longer going to be able to have potable water or sanitary water. Commercial buildings, industrial, energy: not going to be able to necessarily make water or make electricity for a while, after, again, after a period of time. Even the data centers, you know, they've got reserves, right? They're not making new water, but eventually those reserves are going to evaporate. It just rolls down. So I wanted to show a couple of things. So domestic water use in gallons per day, over here on the right. Josh was very keen
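The cascading chain the speaker walked through (plant, towers, hydrants, fire department, airport, hotel, data centers, hospital, surrounding population) as a small dependency model, added here as an illustration and not taken from the talk; the edges follow what was described, while every reserve figure is a constructed assumption.

```python
"""Cascading-failure model of the water-outage tabletop scenario (constructed example)."""
from functools import lru_cache
import math

# Each node lists the inputs it needs and how many hours it can keep running
# on its own reserve after the first of those inputs fails.  Edges follow the
# talk (towers feed homes, hydrants and hospitals; the airport needs fire
# trucks; fire trucks need hydrant water).  Reserve hours are assumptions.
SCENARIO = {
    "water_plant":  {"needs": [], "reserve_h": 0},
    "water_towers": {"needs": ["water_plant"], "reserve_h": 24},  # gravity supply
    "residences":   {"needs": ["water_towers"], "reserve_h": 0},
    "restaurants":  {"needs": ["water_towers"], "reserve_h": 0},
    "hydrants":     {"needs": ["water_towers"], "reserve_h": 0},
    "fire_dept":    {"needs": ["hydrants"], "reserve_h": 4},       # truck tanks
    "airport":      {"needs": ["fire_dept"], "reserve_h": 0},
    "hotel":        {"needs": ["restaurants", "fire_dept"], "reserve_h": 0},
    "data_centers": {"needs": ["water_towers"], "reserve_h": 12},  # cooling reserve
    "hospital":     {"needs": ["water_towers"], "reserve_h": 8},   # on-site tanks
    "population":   {"needs": ["residences"], "reserve_h": 48},    # bottled water
}

def failure_times(graph, failed_at):
    """Hours until each node fails, given initial failures {node: hour}.
    A node fails reserve_h after the earliest of its inputs fails; a node
    whose inputs never fail gets math.inf.  The graph must be acyclic."""
    @lru_cache(maxsize=None)
    def fail(node):
        if node in failed_at:
            return failed_at[node]
        first_loss = min((fail(d) for d in graph[node]["needs"]), default=math.inf)
        if first_loss == math.inf:
            return math.inf
        return first_loss + graph[node]["reserve_h"]
    return {n: fail(n) for n in graph}

def cascade_order(graph, failed_at):
    """Failing nodes as (hour, name), earliest first."""
    times = failure_times(graph, failed_at)
    return sorted((t, n) for n, t in times.items() if t < math.inf)

def hospital_overload(graph, failed_at, horizon_h):
    """The talk's 'decreased capacity, elevated needs': True when the
    population needs care within the horizon and the hospital has already
    lost its water by then."""
    t = failure_times(graph, failed_at)
    return t["population"] <= horizon_h and t["hospital"] < t["population"]

if __name__ == "__main__":
    for hour, node in cascade_order(SCENARIO, {"water_plant": 0}):
        print(f"t+{hour:>3}h  {node}")
```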

on this because of how this map correlates to other maps that are out there, and where these population centers are and how critical some of these are. You know, there's critical infrastructure and then there's, like, critical infrastructure. So you've got this, and you know, you map that against... each circle here represents the size of water withdrawal by county, and I did this little one here just to give you an idea. So that's 2100 million gallons a day. Does anybody put that in perspective, what a million gallons looks like? Again, a smarter presenter put that together for you. But again, look at some of these dots, right, look where they are. Obviously big

cities, but also out in the middle of nowhere, where