
BSides CLT - Track 2

BSides Charlotte · 2022 · 5:57:18 · 283 views · Published 2022-09
About this talk
BSides Charlotte Security Conference 2022. Check out our schedule for more information on talks: https://www.bsidesclt.org/2022-schedule/ Chat with us on Discord: https://discord.gg/3KZZkc6wy5

...all. Not that I'm saying we should be like an overarching of all these things, but get that into that interness and that tie-in and understanding, to know what your strengths are, where your weaknesses are, and what we can do about them. So yeah, why would we only carry it out? We move forward, we look further, we dig harder, and hopefully make upper management understand: these are the real threats to your environment, here's where it actually spreads out, here's where everything connects and combines. And you know, never stop. You don't sit there and say "check the box, we're good," ever. It's always an evolving landscape. The threats are always changing; we'll come out with new technologies, I'm sure soon enough, that will completely revamp some of this. So it's always a continuous maturity model: getting to a certain stage and then moving further forward, and then moving forward again, and so on. And make sure that you are, like I said, working with everybody, integrated with those other teams and groups. Don't shun everybody, don't try and make enemies. At the end of the day, yeah, your job is to remove the vulnerability, and it's like "I'm not here to make friends," but, you know, not necessarily make friends, but make powerful acquaintances. Work with them, be friendly where you can, professional always, and you get that understanding between the teams and the groups to where you can work harder together. They'll be more open to the changes that you're suggesting, and surprisingly enough, they will come back to you on a number of occasions to say "hey, this is what we're doing and what we think we could do differently, or how we think it could relate to your program," with, like, phenomenal ideas that you can then come back and integrate, because they're on board and they're fighting with you. So it never hurts to make that attempt to kind of make those connections and drive forward as a team, as opposed to on your own. So, of course...
What does all of this mean? Hitting these misconceptions early on, like I said, is not an all-inclusive list, but hit them up front. You know, if you were like me, rolling into a company for the first time, either company after company or you just joined, ask all those questions: where's your CMDB? What are your dependencies? Who's working with who? What are your policies and procedures? Let me see them all. Who are the contacts that I really need to dig into to really understand your environment and get into the weeds and the details? Even if I'm not scanning the manufacturing environment, I still want to know what they do, why they do it, how they do it, because that's important to them, and it's important to us to understand what's important to them so that we can have those conversations. Nothing sucks worse than walking in and saying "well, I don't know what you do, but change." And that's your spiel, you know: "here we go, I have lists, I have PowerPoints, it's cool, just go with the flow." They're gonna laugh at you and curse you behind your back. So dig in with all of those things. I reiterate a little bit of this stuff, but it really is just to drive the point home: get that mindset going, be open about it. Sticking to the message is more about driving with the C-suite, especially your directors, all the management factors, and saying "look, this is how this needs to go, we need your backing." If you don't have it, nobody's going to listen. It doesn't matter if you filled out that policy; without the CISO being on it, or the CEO, or whoever you need to get to sign these things for these people to listen, it doesn't mean anything. Because they're going to come back and say "well, this is inconvenient, I'm going to go above you and say no, I can't do this," and that manager is just going to be like "okay, whatever, I don't want to deal with this, here's
this, here's a signature, they're exempt from whatever this is." And then you get a setback, the company gets a setback, credibility is down the tubes, because the other application owners and system owners are going to hear about it, and when you walk in to start talking to them, what do they care? You've already been overridden once; they'll probably do it again. Some of them are really cool: you walk in and they're like "yeah, let's go, let's roll with it." Usually those are like your base patching teams and whatnot, and they're chill to deal with. But yeah, obviously not everybody's going to be there. Be clear on what the ramifications are: what are your issues, what's gonna happen if you don't do these things. You don't have to do a doom-and-gloom story, you don't have to threaten them and say "oh well, if you don't do this you're going to get ransomware by the end of the year." You know that's full of crap; don't bother doing that, because that again will affect your credibility. But be honest: here are the potential threats to your environment, here's what's going on, here's why we're doing the things we're doing, because you know what comes out of it. And not even just ramifications but the benefits. By doing, you know, software removal of things you don't need, that's one of my favorites, with the software that's out there. It's like you've got these applications, like nine of them, that all do the same thing. Do you really need nine different applications? Pick one or two, because there's usually something that will work across multiple lines; if not, you have a couple out there. Make them go to a standard. It's a lot easier to maintain, it saves your packaging and patching teams so much time and effort, so therefore it saves the company money. Everybody loves that one; the more money you save them, the better off they are. So less software we're maintaining for you? Cool. And then you even find
software applications that are out there, like one-offs that somebody installed five, ten years ago that they haven't used since. "Okay, great, I used that, it works, cool," and then they forgot about it. That guy's left the company, the next one came in, and they're just like "oh, that's always been there, cool, it's always been this way." That's another one of my favorite excuses: "it's been this way for so long, why would we change it now?" But you need to change that mentality, the culture of the business. Be ready for that ongoing fight. It doesn't always have to feel like a battle every time you go in, but be prepared for it. Be armed, have your facts straight, have your details, especially the more times you do this; the more you've been rolling through it, that's just more experience and ammo for you to walk in there and be like "look, I know these things work." And also be flexible at the same time, so it's not just about "this has worked before for this company" or "this has worked good for this department within a company." Understanding, back to my point earlier, understanding those individual groups will help you tailor what you're doing with them. One size does not fit all, it's not a cookie-cutter world, and we have to understand that and move forward in that fashion. Let's see. And yeah, decide for yourself what's important. So for us it should be exceeding that checkbox mentality, exceeding that "we passed the audit," reaching out and building a better future for the company and a better prospect to move forward with. Am I doing okay on time? Okay, all right, cool. All right, so digging into business owners, management. I'm sure we have some of those floating around, I hope so. Things that you really need to work with and understand when digging in with your teams to say "what do you need, how can I help you?" is, you know, support and accept those challenges from the team. If
your vulnerability management team or security teams of any other type are not challenging you on things and saying "look, we really need to do this, I don't care if it's not in the budget, or it would be easier to do it a different way, or you're just tired of hearing somebody whine and complain from a particular application," don't fall into any of that stuff. Let them challenge you, hear them out, ask them good questions, though, at the same time. And there will also be a step for them coming up in the next slide to respond as well. Stay engaged in it. Is that much? Okay. All right, so stay engaged with those teams, keep on top, on target with it, so you're not just like "okay, report in when it starts, report in quarterly, and then when it's done." Get in there, talk to them on like a weekly basis at the least, and find out what's going on, get status updates, and really keep on top of what's going on. Because when they come to you with a request or a challenge that they're having, you should be aware of what's going on, what they've already walked through, who you need to talk to. It shouldn't be a big rush to find out who you need to deal with, or maybe where the holdup is, or what even is going on in the project, to be like "all right, hold on, step back, I thought everything was going great two months ago." So keep on top of that. When you ask questions: how is it related to the program, how is it related to the task you're doing or what you're trying to accomplish, what are the impacts, barriers, expectations, both short and long term, and then what are those advantages and disadvantages that you're really looking at? And they should be able to answer these questions. And then again, look into the implementer section, which is next. Get that backing from upper management. If you're implementing this stuff and you don't have that
backing, like I said, you're screwed. Collect everything you can; I think I've pounded that into the ground by now. Ask your questions from each team, understand their processes, understand what's going on today. And then I have a whole list there for where we start. That's just a whole slew of things that you would want to dig into and talk to people about, to collect documentation on, to really get you to where you need to go. And then, going beyond that, what additional areas can you really dig into? Hit those blind spots, hit the user awareness training, hit those backups and disaster recovery, get into talking about penetration testing and social engineering tests and such. Make sure they're aware that there's so much more to this program, where there can be, than they're really looking at or considering at the time. So, all right. So yeah, in this one I'm just trying to give you a bit to think about: things that I've run into over the last few years, like I said, trials and such, ways around the things that I've done to kind of get past it. It's just kind of that learning curve, to where it's like "let me get that foot up when I go into the next environment." Avoid those missteps the best you can; you're not going to be able to get over every pothole in the road, there's going to be something that comes up, so be flexible. It's an ongoing process; this never ends. So you're always going to be evolving and maturing this process. It's never like "oh hey, we hit the end, we're good." There's no 100% win. Like I said, they're gonna get in one way or another; it's going to happen no matter how strong your defenses are, no matter how intelligent the user community is, how trained up they are. There's going to be some way, so be ready for that, and that's why we dig into those backup programs and other options, get your hunt teams involved, etc. Be aware you're part of a larger community. I was
actually asked earlier today if I knew about any, like, Discords or something where a VM community existed, and I drew a blank, honestly. So I will be researching that to see who's out there. But you're definitely not alone. There are definitely more of us out there; with the uptick in companies really looking at these programs, people are going to need help, people are going to have experience, they're going to be running into issues. Reach out and network. I think these conferences are pretty good for getting names and interaction. Even if you're just talking to a pen tester or some other discipline, they have ideas, they have knowledge, they've seen a lot of these things. Work with them, and that even gets you some more direct knowledge of a particular area that you're going to be speaking to at some point or another. And as I mentioned, I have a paper I wrote up, which is most of this information, maybe a little bit more, that I've asked to be attached along with this presentation. So I think that'll be available on the BSides site afterwards. So, any questions beyond that? Am I over time? I'm right at a minute. All right, so any immediate questions? Cool. Otherwise I'll be floating around the next two days anyway, so if you want to in the future, just have a chat. All right, thanks.

[Applause]

Since the camera's not working, I'm in a free room. I am a SANS instructor, so first, by show of hands, how many people have taken a SANS course before? Awesome. So you already know I'm going to talk about a mile a minute. It's gonna be like a fire hose the entire time; you're only getting about 30% of the information as we go through it. I've got 30 slides and 30 minutes to go through it, so it's going to be really rapid fire. Okay, I joke. I mean, I do have 30 slides and I do have 30 minutes, but that's typically the pace that we do at a SANS course. So what I'm gonna do is actually talk about operational technology.
So, another show of hands: how many people are on the OT side of the house? I mean, people know what operational technology is? I know all my co-workers at Dragos over there. Anybody else OT? No? Okay. What's that? Overtime? There we go. Okay, different than that. I guess that could be a different talk, overtime versus IT. If you don't get it, congratulations on being a salaried employee. Okay, so how many people then identify as the IT side of the house, information technology? Okay. How many people are in management? Okay. Compliance? Okay. All right, so I'm going to touch on a little bit of all that, because that gets a little bit messy here. So that really helps me out to understand sort of what level I can talk to you at about different things. I'm not going to do some very nerdy, OT-specific things, but I'm also going to have a very simple... if my pointer wants to work, which of course it doesn't, because now I'm presenting and now I'm stuck at the podium. There we go. Okay, yeah, hold on. Technology is so awesome when it works, right? There we go. Okay, so I'm going to quickly talk about the differences between IT and OT. I'll probably spend a little bit more time there, because most of you aren't familiar with OT, which is perfect; it's a perfect audience to be able to learn something new, right? Oh, you've got to be kidding me, I got one click out of you. Okay, I'm wondering if it's my adapter. Okay, this is a perfect security lesson right here: I'm going to put it in a random USB port. Now it wants keyboard assistance, okay, now it wants to show you the rest of my desktop. All right, we're just gonna ignore all of that, and I'm gonna go back to doing this annoyingly. Okay, this is what happens when I try to get fancy with things. Everyone on YouTube is like, not seeing me, just seeing these slides go back and forth, like "what's going on here?" Okay, so I'm going to talk a little bit about, first, the differences between IT and OT, then I'm going to talk about some recent events in OT and why you
should care about it, especially for those of you on the information technology side of the house; those will be brand new for a lot of you. And then, how do we solve what I would call the OT/IT divide? So when we think about the differences between these two things, I've got traditional IT, where you think a lot about confidentiality, what you do with data at rest, data in motion. When I'm on the OT side of the house, I'm in a control room. I'm not as animated as that character there, and I'm dealing with zeros and ones that will impact the physical world. Instead of being stored somewhere, it's actively doing something, with physics as a result. To give you an idea of what we're talking about, think about things like motors, generators; we have safety systems; we have different input/output devices. Those are not the IEDs that you think they are; those are intelligent electronic devices. These are things that you may find in a substation, in a power plant, in a water facility, in a chemical facility. You're dealing with plant life at that point, you're dealing with engineering. And to sort of summarize, this is what you'll typically hear about when talking about cyber-physical, which is sort of the category for everything. We have industrial control systems, automation, single-purpose use of these different categories of operational technology, and that's where you start hearing about some of these things down here: SCADA, supervisory control and data acquisition; field devices like substations, so the data has to go out someplace and somebody has to do some sort of control of it at a central location; distributed control systems. You may have them dealing with home automation systems, and obviously things that we're dealing with in medical devices as well. So you can think about that: if you have, like, an insulin pump, that would be operational technology. A zero or one that is saying "here is a sensor that is saying how much glucose you have in your body, we have to give
you more insulin as a result of that," that would be that operational technology: the zero or one is doing something in the physical world. And over time these have gotten highly connected. When we first started dealing with control systems, you basically just had, you know, a lot of levers, some cranes I've got over here; they weren't connected to anything. Over time we started adding more connectivity, because you got more optimization out of them, and then today I have wireless sensors in my plant life. I've got some really scary things: people use iPads in the plants. Don't know why you'd want to do that, but apparently they do now. So we've gotten more and more connected as a result, and this came from this whole conversation that organizers have, and industrial organizations want to understand this idea of visualization and having more optimization across their plant life. So you can see here, this is where that security conversation really gets difficult, because when you're talking about why you shouldn't connect these things ("hey, you're gonna have an increase of attack surface, you don't want a nation-state adversary inside of our plants"), well, the CEO is talking about "well, I could have increased efficiency if I can get all the data from all my plants and start figuring out, well, maybe if I just change the mixture of fuel by two percent I could save five million dollars per year." And then you come in as a security person, like "please don't do that, I don't want you to connect 12 turbines across our entire fleet," and you're starting to argue then with what the return on investment is: air reduction, better safety management, in some cases reduced workforce constraints. I work with one plant where the facility actually had an engineer whose job it was, once a week, to go and drive four hours to a remote site, take some readings, turn a valve, four hours back. The boss came in and said "why would we do that? Why don't we just put a remote sensor out there? Now let's do this all remotely, we can do it from
an iPad." Now here it's