Taking the Human Element to the MAX

well cool thank you how are you guys doing good I mean after lunch is like I don't know which is better aars before lunch or after lunch before lunch everybody's like dying they get out they want to go eat after lunch everybody's like man I just need all so I'm going to do my best to keep you awake that's all I can say appreciate you guys being here welcome to besides Kansas City if no one said that to you would let me be the first it's awesome to be here I'm excited to be here for the first time so let's dive on in ready lose track of things I think so we're gonna go back to this I know why

this isn't going all right so much better there we go that's what I want to see it's always good when I can fix the problems fast the EMP maligned much disgusted much scrutinized probably most well-known aircraft in the world at this point the 737 Max serence how many of you five years ago could honestly say you had heard of a 737 Max C maybe a handful a few more how many of you have heard of it now the whole yeah there's been a lot of obviously media cage about this right a lot of challenges a lot of problems a lot of criticism of Boeing the FAA actually I don't think anyone's criticized the otsb yet they're probably the ones who got

out of this squeaky clean let's start it yeah I like I kind of like the ntsp so we'll leave it there but you know you look at this situation it's just like what can you learn from this right obviously in the aviation world that's what they always try to figure out what can we learn from this but I started thinking about this and man you know what there's a lot of stuff that we can take away from this from a cyber security perspective but as you look at the things that have gone wrong with this series of an all the challenges that they've had it's uncanny how much of it just comes back to not really understanding

the human element so that seemed like a perfect opportunity to talk about the human element in cyber security so before we get started a little bit about me and uh disclimer too uh first and foremost that is going to be really small for yall to see but that's okay who I am I'm a hacker I'm a ceso I'm an author I'm a clearly um this is just what I do I've been in technology for 27 years I started as a developer okay I I love getting out in the community talking to people sharing my insane ideas about things and hearing other people either tell me why they're crazy or why they like them or what ideas they

have um I did write a book cyber security career guide uh that was 2022 so that's out there and that's why we have the author partment there um this is the other part this is why I love here using aviation as a metaphor inside of this I'm A Private Pilot uh something I dreamed of doing all my life a few years ago I finally made it a reality I also an airplane and fly all over the place so I'm A Private Pilot I'm instrument rated which just I can fly through the clouds or I can go up above 18,000 ft if I actually had an aircraft capable of that um ASL what is that mean aircraft single

engine land so at this moment I can only fly airplanes I can only fly them if they have single engine and I can only fly them if they're capable of landing on the ground so SE planes that kind of thing not so much now who I am not I am first of all not an aviation engineer or any type of engineer at all all right so as far as the things I'm going to describe to you today that's my bundle of expertise I am not a flight instructor so I'm going to give you lots of information this is none of this just flight instruction or anything that you should use in that sense you might come

out of here with some understandings of new things that's great I love it that's what I'm hoping for hopefully for sure you come out of here with some understandings and New Perspectives on cyber security I am also not a representative nor am I a fan of Boeing the ntsp or the FAA I work with all of those org well the L to organizations I don't work with boing at all I no boing but um yeah so this is not to bash Boeing this is not to praise Boeing this is not to make excuses or anything like that for any of these parties all right with that out of the way let's get into some definitions now I am not going to

stand up here and teach you a whole bunch about Aviation the goal here is talk cyber security it's cyber security conference that's what I'm here for but I'm going to give you some wildly oversimplified definitions of a few terms that were are going to be important later in the presentation just to understand a few things so again you know if you're a pilot and you see this you're like well not really don't give me the butt actually I don't all right there's a lot of but actes there's a lot of like that's not totally correct for purposes of this presentation it will help so the first one we're going to talk about is pitch when we talk about

an airplane we talk about its attitude and when we talk about its attitude we are not talking about its motion in any way sheap perform we are simply talking about how is it positioned on three axes there's pitch there's roll and there's yaw that's it okay has nothing to do with its actual motion through space and that'll be important later you'll see why but so now all you need to really think about is pitch is just where is that the nose of the correct is it angled up is it angled out or is it fall that's pinch all right second one is angle of attack now if you guys have been paying attention to the max eight

the crashes a few years ago angle of attack is something that came up a lot so what is angle of attack this is where pitch becomes important so angle attack refers to the angle between the wings which will change with the pitch of the airplane and the wind that's flowing AC cross them okay so it's not the pitch itself it's the angle between you know cuz it is totally normal for a plane to be flying like this all right so obviously the wind is going this way but the plane is pitched up so that's what we mean when we talk about angle and T and that can change for a variety of reasons and then finally a stall reason

I put this on up here is it's going to come up but also is probably one of the most mised terms I cannot tell you how many times TSB is told a news reporter that the plane stalled and they said oh the engine stopped no a wrong answer stall is an aerodynamic condition all it means is that that angle of attack got too steep where as you can see here on the far right that third picture the air started to Buble or cavitate over the top of the wing that causes the wing to lose lift in the plane this cuz hopefully lift is a turnning all understand that's what keeps the airplane in the air so those

are three things now that's it I master class on Aviation um so let's dive into this let's talk about the 737 all right so to start things off the 737 has been around since 1967 was the first one that was as FL by a commercial this is the 737-100 the very first all right what I'm going to call your attention to I know the picture is kind of small so is the engine on that you can see the engines on these Wings they're fairly small okay they were a Rolls-Royce what we call low byass that's not important what that means just know that low bypass means it's Ling okay it's why it's got small opening in the front that's all you need

to know well most aircraft now come with what we call High bypass jet Eng so when they did this with a 737 that's a-300 Series so it's still 737 just a newer model think of it like a pointk release some of you might have seen this on 737 through FL where you see like the engine was shaped with the bottom flattened out okay they did that because you can see how all this plane sits to the ground they literally had to do that for ground clearance so they shr the size of that toling or what we call the the cell and that they also had to push the engine a little further forward on the wing you can kind of see that where

good portion of the engine is out in front of the wing okay so this is just Natural Evolution bigger more powerful engine it's also a little more efficient because it's more powerful that's what the large bypass gives us well with the 737 Max series they went bigger still and if you look at this really closely I know they're kind of small two things you'll notice one they are definitely bigger this is the G leap engine it's biggest baddest most fuel efficient one they've got to date and they had to push it even further forward on the wing because to bring it back any farther would have had to move lower to the ground and then we

would had again ground clearance problems so why do I tell you all of this well this feeds into the whole story of the max 8 now each time any aircraft wants to make a new airplane they have to go with a years long very super duper expensive certification process but if you just do a point release on a plane you you create a newer version of it you don't have to go through that same but there's there's thresholds to what is the considered the same versus what is new all right so when they went with the 737 Max in the max 9 series the goal was to create a bigger plane that was the same

as the 737 now this very re various reasons you could say cost cutting maybe but there also is one Airline who has built their entire business model off of flying only 737s do you all know who that is sou Southwest it's the only airplane they fly why do they do this because they can they only have to train their pilots on the same aircraft so any pilot at Southwest can fly any Southwest Air it's not the case if you're a Delta pilot you may be certified in the 757 and the 767 well you can't go flying Embry a okay but they have all those different planes so between that and then some parts commonality that's why Southwest

did this so now we start to get into the connection to cyber security let's talk about what some people were saying in that moment this was after the lioning crash a lot of people are talking about well you know 737 Max 8 they made all these changes and they made lots of decisions to to you know keep it the same just because they didn't want to go through the cost of that you know that certification cycle well it's not really true they're meeting customer needs they have this big customer Southwest Airline who said we need a bigger 737 but it has to be a 737 because we don't want to introduce a new aircraft to our line we

don't want to have to retrain all of our pilots and now have this scheduling Nightmare of You know this pilot or This Crew didn't make it and now we don't have a pilot because we don't have someone certified etc etc all right so what's going on here that we do in cyber security it's that lack of understanding of who our users are why they do the things they do all right how many times hard de you know users your weakest link or our devs are lazy just don't care our Executives hi they just don't give a [ __ ] about cyber security we've all heard that before right so a lot of times that happens in cyber security we

have that tendency to jump to conclusions and assume the worst mors rather than taking a step back and saying why why are they doing the things they're doing and how do I influence them to do it differently and maybe just maybe they have good intentions maybe they're trying to do the right things to you know make the company money so we all stay employed so how do we combat that it's with empathy this is something we unfortunately seem to lack still ins cber security and when I say empathy I'm talking about just understanding them right it's listening to them when you're talking about a a design of a software system are you actually listening to why

they're doing things the way they are or are you immediately formulating your have the argument white you can't do it that way or that's bad or you're just being lazy or just rushing you know actually listening understanding and honestly having the insight to see that you know what their priorities and motives are different than ours it doesn't make them any more or less valent than any of ours the end of the day if you work in a company or you work for an nonprofit or you work for an agency of the government we're all there to make those organizations successful in some way whether it's profit whether it's the mission whatever that's all of our goals we all play a

part in that we all have different components that feed that and so that's something we need to recognize for a cyber security perspective because it is the core of everything else I'm going to talk about it's the core of how you build out a truly credible and effective cyber secur program so automation let's talking about automation right automation is really great until it's not and where that applies in the 737 world how many of you have heard of MCAS most of you now because it was all over the news MCAS first of all was it introduced to the 737 Max series that is not the first aircraft to use it actually the KC 46 is another common

example where they took a 767 and converted for military using they had to create this thing so what is is MCAS MCAS is just a computer driven system that as the name would imply augments control pressures in the aircraft so it notices the airplane doing something and it it adds pressure to what the pilot feels in the O and that's a common practice that's not just MCAS everything even on Bo with their big yolks you know everybody thinks Airbus with a little side stick yeah fly by wire even the boings there's a certain amount of manipulation of just what that control feels like by systems on the plane that have nothing to do with what's actually happening in the

back MC was brought about in 737 for one reason and this is why I talked about those engines when they brought those engines forward what they discovered was at a high rate of velocity and with a significant amount of pitch the Nell around that aircraft actually creat its own lift which can cause the nose to pitch even more that's not a behavior you want and it has to do with where they position the those engines that far forward and thrust a whole lot of factors so they interest mcads to tone that down and then they started to realize it also happened in lower speed situations too so they have a reprogram mcads but mcass uses that thing on the right that is the

infamous angle of attack sensor it is what tells the computer how pitched up is really the wing compared to the wind that's passing by now contrary to what some people understood every 737 Max has two windows it's how they were used that was where there was this thing about y they only use one or the other we'll talk more about that later actually always use both but that's in the first story we'll get that later so where is that happen to cyber security I think we can all talk about stories probably of cases where an over Reliance on automation hurt right this story from Microsoft where they had a massive H Ownage in one of their regions

why because the power blip took out all the Automation and the few workers that they had because we don't need all the workers because of ba automation didn't know how to recover from or didn't have the capability to recover from and that's the problem when we look at cyber security we start thinking about automation automation is great Until It Breaks and then who's there to fix it well you better have some humans still standing there so all this talk about AI nobody's worried about their jobs you got to learn new skills but your job isn't going anywhere so what do we do about this we have to remember ultimately what we're trying to build in a cyber secur program

is a security enabled culture and I stress the enabled piece of that do we have people who feel enabled allowed to go out and actually make a cyber security decision in the moment do we have processes do we have governance that Fosters that all of these elements technology people tools processes governance is the one that the can't reain dark purple at the bottom because I know it's a dirty word we all hate I'm kidding where are my TRC folks okay to keep my ass after this we love governance I love governance anyway governance is necessary it's all a part of the system that makes it work we can't count on automation of Technology alone to get us through the

day it's not going to work and we have to understand how the people are going to react how they're going to work within our processes so our automation needs to take that into account just like you really wish MC don't have better job on the early 737 Max let's talk about training oh God you guys aren't going to be able to read this it's so funny so the the big part you can probably read right Boeing CEO admits theyve been trained pilots on hcast you may have heard about this in the news after some of those crashes well what you can't read back there is this last bullet here why didn't they well because it's

fundamentally embedded in the handling qualities of the airplane so when you train on the airplane you're being trained on mcast more answer we prove that we crash two of them that's a bad assumption but we do the same thing in cyber Securities can't really see it but this is a great proof point template this is what they brag about oh we we got 80% clickthrough rate when we released this to our customers they were 80% is that a good thing first of all why are you bragging about that um okay I guess yeah you're highlighting some issues but then what do we do when we do these fishing tests well we release the report right

here's the graph of how many people click through let me ask you a question when it comes to an attacker trying to fish your people do you care how many of those people clicked on some cont idea you had what an attacker might do no what you care about is did one person who was super busy and maybe not paying attention or who was thinking oh I'm going to get free Netflix for a month or whatever get duped into clicking on an attack you didn't think about right that's what we care about so and then of course you know after we do all this we were off oh it's s security awar this month it's October yay we

think about cyber the year and after that you guys can forget about it these aren't effective training techniques now I get it okay I do fishing simulations in my organization personally because I'm forced to by those governance people PCI is going to PCI I'm just that's what I'm saying right it's all about PCI or every other compliance and it forces you to do this so we do it but there are ways to handle this better and what is that we have to train for outcomes not actions did we just lose the I think we did I was going to say I think that went quiet de B Lally says it with an

exmination perfect we're gonna talk about error messages this is actually good I wish we not quite there you let's go that see now if I was in my airplane I have so many Spirit batteries h no that's all we'll just go the we'll go with this for the rest of the we that's cool so yeah dead battery that bright as day that was awesome um yeah if I was at my plane we would have Spar I carry a lot of spare batteries in my bags all right so what do we do with all this information how do we train people we need to train for outcomes the problem is you think about these fishing tests what are we doing we're training

for an action right what do we want to see them do I give you a fishing simulation what's the best outcome what or what what is the best action that we expect in a fishing campaign report report well what do we want the user what are we what AC are we looking for from the user it's our best form oh to reported to us yeah right they click the fishing button or they click reporter is fishing or whatever you've got maybe you've got Lotus Notes please tell me does anybody actually have lest notes anymore I hope not CRA there's any total Sidetrack do you notice how fast it's like squ um no we need to be training for

outcomes what are the outcomes we want the outcomes are we want them to recognize when something doesn't feel right we want them to recognize that email Isn't inherently not really the most trustworthy system cool right we want them to be communicative with us I don't care if you click the button I don't care if you delete it and say nothing I don't care if you forward it to me and say is this thing real I don't care if you call that person who just sent you that email and say did you really send me this correct right there's a hundred different ways that you can respond to effectively to a fishing email any of them are good so

long as they aren't I'm going to click the link and put my credits in and see what happens right so we have be training for those outcomes and then here's the key so how do we make how do I take a fishing simulation that I'm forced to do actually mostly by my customers not even regulations yeah can talk after um how do I make that useful because I'll guarantee you yes I run the reports like everybody else how many do we hit you know it's that review that last little bit here I don't care if you clicked or not I don't care if you deleted or not everybody in the company when we're done with a fishing

simulation gets information about what could you learn from this email what was here what were ways you could have handled this I'm not going to come chasing you somebody unfortunately in my organization will come chasing you make you go to training trying to get away from that I got them to stop with the three strikes rule by the way please give that toxicity out of your culture again you want them to communicate to you so if you say hey if you click three times you're fired well they're just they're not going to talk to you right I mean and they're going to hope they don't get caught I want them telling me Oh [ __ ] Alissa I just CED on this thing

are we in trouble did you put your credits in no okay you're good right that's what we care about so think about outcomes based education all right now let's talk about failure notes for a minute so the Lion Air crash which is one of the two actual crashes from the MC system one of the things they found in the cockpit voice recorder that surprised people was how long it took them to figure out how to turn this thing off and then after they did they turned it back on okay so this thing you weren't trained in you turned it off successfully got control of the aircraft then you turned it back on lost control of the

aircraft so the problem here is these two little switches that are on the left I guess yeah because of course that's the same they're on the left side right you see them circled there they're tiny okay but what those two little switches do is they turn off the mcast system but they don't just turn off the mcast system they turn off something that every pilot and every aircraft from the minute you get in your very first assess learns about and that's what this wheel is for it's called trim and what that does is that is a way a pilot controls how much pressure there is on the control yolk so that you know basically the goal being I adjust that so I can

just let go the control Yol and the FL stay Lev okay that that's literally what it's there for there's a lot more complexity to it but don't worry about that so the the failure mode here what they were supposed to do was turn off those two switches now they lose not only the uncast system which stops it from you know trying to crash them but it means now they have to trim the aircraft by hand now if you've ever paid attention to a 737 when the doors open before you know they close everything you might see those little wheels there and they spin around and around and around they make a weird noise well most of the time that's

controlled electronically they have just a little switch on the control Yol but when you turn off you have to pop out that little handle you see there on the right and you have to crank that thing okay now imagine you're trying to control This Plane that's fighting you it's trying to dive and you're trying to pull it back and you're trying to crank this trim to get the the surfaces to behave the way you want them to well what ended up happening was they weren't able to use the manual trim at all they didn't know about the mcast system because as we talked about before they weren't trained so they turned the electric trim back

on even though their check was told them not to because it was so complex they couldn't do all the things they needed to do that they felt to get control of the plane they didn't know that you know when they turn this thing back on was just going to dive harder but that's what ended up happening and that is what ended up leading to that crash now there's a lot more but that's it but let's talk about the complexity of our security controls right because we do the same thing to our people you got you know hey you know patch your [ __ ] it's easy that's what cesa tells us just patch your [ __ ] not picking on CA I

actually like them but they did say that for a while right I mean that was basically their campaign Pat your stuff but then you hand him a vulnerability report that's got 7,000 findings on it yeah just go patch your [ __ ] yeah let me know I'll get to that next year right that's the response we get and understandably so um you can't see it at all I wish you could but the the next one on the right side that's a one single SC in entra ID how many of you are Azure customers using entra ID I see all the thumbs down that is the most complex set of permissions and rules and oh my God I

was I was just telling somebody I I all day Friday as a ciso I'm sitting there going through and reading through conditional access policies what a nightmare and then we expect users to be able to do the same people who aren't cyber Security Professionals supposed to be able to hand that to an it or God forbid someone in your devops pipeline supposed to manage that stuff they're not allowed they're not nobody should be allowed it's a mess it's so hard to understand and then we create these gigantic Frameworks like minor attack what come on so we have to be thinking about our users and how do we simplify that now I I saw this okay so

first of all I use the term continuous Improvement with my teams a ton incremental improvements I say it all the time they are so sick of hearing it but then I saw this picture and it really brought home what those phrases mean to me I don't know if you can tell but this is actually a 3D printed sign okay and it starts at Relentless where the very top of it is just maybe one or two filaments thick and it grows and grows and grows you think about how a 3D printer works that's how we have to be thinking about our cyber Security Programs too often we go chasing after that last layer the Improvement where

it's now you know they probably a few thousand passes thick and we spent so much time chasing that we don't just start making little progress what is the one thing I can tackle today that's going to make us a little more safe tomorrow and when you do that that's where we get that concept of like paralysis yeah paralysis by analysis or you know all that complexity just drives in in action people don't react they don't do the things we want them to do when we over comp complicate it make it feel ous and awful and terrible our developers tell us you're nuts if you think I'm going through a 40,000 finding veric code report and they're right would you read

through 40,000 ver code lines I the heck with that so I mean that these are the things we're talking about I'm not picking up ver code either okay all every SAS toil worked with does the same crap so we need to think about our cyber security programs that way all right now let's talk about assumptions of behaviors and error messages because that was so convenient that we had the dead battery error message all right so there's a few things going on on this slide what you see on the right is what we call a stick Shaker remember I talked about the stall before stall is probably one of the most common ways that airplanes crash

especially little airplanes but bigger ones too you get in a condition for whatever reason where you're not don't have enough air flow over the wings and it's doing that cavitation verbally thing and the plane loses and it goes into a spin and bad things happen planes literally fall out of the sky that stick Shaker is there in larger aircraft to let the pilot know yo you're about to stall it all does it literally just shakes the control yolk so that's what it's mounted to it's literally just a vibration unit attached to the control yolk and when you get near aall it shakes it because in a smaller airplane that happens naturally when you get close to the stall the plane buffets as

they call it and you feel it so it's there and Pilots are training over and over relentlessly from your very first training session in the smallest little SES now your a student pilot looking to get your Private Pilot all the way up to your semiannual recurrent training as an Air transport Pilot Flying for the airlines we're all taught the plane is starting to buff it or stall you push the nose down okay it's a simple thing your angle of attack's too high push the nose down you're going to restore air flow the plane will stay flying now I mentioned before we have these two angle of attack sensors in the airplane right that tell the pilot

what's going on with that where my angle of attack is the mcast system is watching that that stick Shaker is also watching that so what happens when you have MCAS plus a stick Shaker plus a malfunctioning angle of attack sensor it says you're pitched way up well three things MCAS is found out says Hey noes down come on bring it down and it keeps going it keeps going and keeps going meanwhile the pilots had the stick Shaker going off and the plane is screaming at them that they're stalling what does a pilot do when your response to a stall is to push the stick forward but the plane is already diving and you're trying to pull it

back and this led to which you can't see in the upper right there is the title of the report from the NTSB talking about the assumptions the faulty assumptions that were made about the pilot behaviors here and it's you know it was assumed that the pilots would understand you know a stick Shaker and do the right thing and they train on that but it was never thought about what happens when MCAS malfunctions the other direction and pushes this thing down and meanwhile you've got that stick Shaker going now a quick sidebar you guys have probably heard I said before that there are two aoas sensors on every 737 there was misinformation out there about a feature that was missing or it

was optional it wasn't the sensor what it was was that little guy right up there at the top which is an indicator of what is the active angle of attack sensor reading okay that was the optional feature and honestly you can debate whether you actually need that or not now the problem came in that with that also came this little bit at the bottom and going to claims this was unintentional it wasn't supposed to be you had to have that optional feature at the top to also get this alert at the bottom that alert at the bottom is what told you when one angle of attack sentencer said you pitched way up and the other said now you're Flying

L that might have helped but then again without having trained them on the mcast system I don't know how you expect them to know that that mismatch is suddenly feeding what's going on in the plane so but how does that pertain to cyber security well I'm going to have to read another one to you because these are so little and R the screens are going to be the small but that top one is my favorite how many of you have seen these these banners like this and Outlook so let me read them to you the top one says the center of this email cannot be validated and may not match the person in the front field okay I

understand that then the next message says this email originated from outside the organization do not click on links or open attachments unless you recognize the sender the [ __ ] you just send is I'm supposed to figure it out now but that's what we do and then below it you see you know what else do we do always use MFA MFA everywhere put it on everything it's like that hot sauce I put that [ __ ] on everything but then we come back and we say well wait how much MFA is too much MF because now we have MFA fatigue low we we can't expect user success in these moments when this is how we do

things I literally well if you don't trust the sender you already told me you don't trust them why would I how am I supposed to know if I trust them or not you just sent me an email and says well maybe this didn't come from who it says it came from couldn't we simplify that a little bit hey maybe you should call the person that this seems to have come from and find out if they sent it to you that would be much easier to understand message but that's not what we do now the way where this all stems from both in the 737 in those air messages is we don't really think about failure OTS the way we

should you know maybe if we do really good threat modeling we'll sit there and actually walk through a failure from top to bottom and consider all of the systems within that interact with whatever system just failed more often than that we don't sit down and talk about that anyone there see me talk about threat modeling that's threat modeling right there we all do it every day what could possibly go wrong that's all it is it's asking that question and then it's if you really want to do this and understand modes it's sitting down with all those people and talking about well what would happen if how would your system respond well if the AOA sensor

goes Bonkers on one side how is mcass going to respond what's that going to do with the stick shaking about what's it going to show on the primary flight display these are the things you have to walk through what's going to happen if you know suddenly entra CU we'll pick on them some more we stop getting signning alert what happening to anybody by the way who's got Microsoft you've seen problems with signning logs if so talk to me after we got some chatting to do but what's going to happen what's going to happen in the s what's Defender going to do what is our IM process going to do how are all those systems going to

react what's it going to look like what weird indications might we see that aren't going to match up to a simple answer of what the problem is think about that in terms of the of instant response from minute this system goes offline for some reason what's that going to look like to us how's that how are we going to respond how are we going to know that oh that that may have just been hit with rid somewhere are our error messages really going to tell us that or is there a specific set of behaviors we might need to identify that we haven't really talked about so when we think about tabletops like it has to be more than just make

sure everybody gets in the room together they call the right people they react and we send the right commun ation those are all really good you have to do that but also tabletop just what is it going to actually look like if that cool scenario you came up with for your tabletop actually happened what would that actually look like and unfortunately most of the tabletops I've been to people don't do that it's we make a lot of assumptions we discovered this thing well how the hell did we discover what happened what did it do so think about that as you're scheduling your tabletops how can you bring that discipline in all right everybody know what this is what

is this door plug it's a door plug it is not a plug door did we learn what the difference is between these two by the way the plug door is the real door that you walk through the door plug is this thing that you put in there when there isn't a door all right so obviously now we've switched gears we've gone from our MC induced crashes to the infamous Alaska Airlines 737 max9 that the door just decided to depart I don't want to be here anymore I'm out so what's interesting here is notice the title a failed handoff I think a lot of us have heard ad nauseum about the relationship between Spirit Aviation and

is not the airline Spirit that's someone else they F the big you know School Bus looking things Spirit Aerospace get the right name Spirit Aerospace and Boe right Spirit Aerospace puts these fuselages together they have people who literally do all the riveting and all the things they put it all together all the different panels and parts go on they then ship that fuselage from Kanas yep there we go wait I got come on I'm in Kansas City no one's going to yell out come on they come from Kansas and I'm not picking the Kansas I'm picking on spear not really but they slly ship them they get to Boeing and they find out you know then Boeing

starts building now there are believe it or not and despite what the media is telling you there are actually quality controls in ples however they were finding out that there were so many problems with quality that they actually had Aeros uh spirit aerospace engineers embedded boing out in Seattle who were fixing when they screwed things up so the story what we actually know at this point now we don't know everything that's the actual plug door or door plug that popped out okay and there's no BL circles on there show the bolts that are supposed to just keep the door from sliding up so that it can then pop off were not there and what actually

happened here is that this plane was identified by Boeing as having a failure there was a problem there was a problem with 47 rivets around this door so what they had to do is they had to remove the door well they didn't remove the door they opened the door or the door plug and this is where things get fun because there is two ways you can deal with this you can either open it or you can remove it if you remove it it requires a whole lengthy set of inspections but if you open it it's like you opened any other door plug or any other plug door see this is so confusing it's like you open any

other plug door which obviously is a normal operation that happens hundreds of times a month and therefore there's not an inspection required now what this really comes down to is there was a mismatch between the spirit system that was used to track these things and the Boe one so when Spirit marked it we opened the door plug to make the repair it didn't trigger Boeing to say oh we need to reinspect that door when it's done so when they fail to put bolts in bad things happened so where does this happen we have systems that don't communicate all the time right our Sims aren't getting information the way they're supposed to be and we run into these same things so

how do we tackle that well sometimes integration can actually be more important than capability now I've been picking on Microsoft people I would say this Microsoft may not be the best a bre of anything but when you put all that [ __ ] together wow does it let you do some really crazy cool stuff because it's all integrated everything is there together now I could say the same with many other people I were quite familiar with vendors who might be sponsoring this conference um I got to put in a little PL cuz she's sitting up here um but no I mean Cisco same thing I know evil evil words but sometimes when we're looking at

products instead of always being about what's hey what's in that upper right quadrant on darkner maybe we should just be looking at what do you integrate with how do you integrate with my different systems do you have a existing integration built or is this something that we have to spawn ourselves because that can make every bit of difference now let's talk about a little bit of good news if you all heard the audio from the Alaska Airlines flight you know that that pilot man she was dead C I don't know how but I mean the door blew open her headset blew off there's a hole in the back of the plane they don't know what's

going on everybody's got their little masks on you know the the rubber jungle as they call it all the masks fall so and obviously the other pilot was equally calm because in 20 minutes they were down below 10,000 ft and then back onto the ground that's awesome they reacted almost instantaneously by the way when this happened and again things they're trained to do but the key thing you're at 16,000 fet everything goes to hell masks around the jungles down you got to get below 10,000 ft where everyone can breathe again they did that in less than a minute that's how quickly they reacted like I said within 20 minutes they were on the ground and

radio calls from I the first officer I believe like they haven't really said for sure uh whether she was flying I mean it sounds like if she was outrageous she probably wasn't he the other P was probably flying don't know who was who but in any EV awesome stuff the reality is well as Ai and everything else the good news is the human element is still our best weapon I don't give a [ __ ] who out there wants to scream and yell about the human element being the weakest link blah blah blah blah blah it's the human element that brings us in this just doesn't smell right something's wrong you don't get that from an

AI we have perceptual flexibility we can intake different inputs that are look very different but mean the same thing and we can make those connections and adaptive cognition what do I mean by that well what I'm talking about here is literally making those decisions that are in your own best interest and being able to adapt those based on what it is that you're perceiving those are things we don't get from AI today we may I'm not going to say never but it could be a very long road before we do ever get there this is what the human element brings us so we ultimately now hey we've moved away from 737s for a minute because that's an

Airbus spoiler but you all know this one too right Sully Landing that thing in the Hudson River we have to recognize that at the end of the day it's going to take indiv individual expertise and heroics to get us through whether we're talking about an incident response whether we're talking about building out our cyber security infrastructure whatever it is that's not something to be avoided that's something to be embraced and leveraged and used every step of the way now we don't want it locked into an individual but we want to make use of that that's why we hire really incredibly smart super talented people and then finally the causation versus shame if you guys don't know the relationship

between the NTSB and the FAA the NTSB goes out and they research facts they don't use names they don't talk about blame they look specifically for what the hell happened and how can we learn from it the FAA a regulating body loves to blame as they are right now with Boeing and to be fair they're also giving an Airbus a whole lot of crap because in all this mass of boing what we didn't hear about was air buses where one engine would just shut down flight does that sound scary yeah yeah I mean okay the point is these things happen in a very you know minor minor minor percentage of the time but they do happen and that's why we

have training Pilots to deal with it but anyway the point is when we go with blame we don't learn and it's the same thing in cyber security how can we go about sharing this information and it's hard especially when it comes to breaches because nobody wants to talk about it because the lawyers tell us not to and I work for a company in the legal industry all right so plug for cisa the joint cyber defense collaborative is one where we're breaking through this the other is hey you know how can we learn from our instance and how are we reporting on what we can learn from them last thing I'm going to talk about because I promised I would the Swiss

Cheese model who's heard of this how do we apply it in cyber security what's the most prominent place we claim we use Swiss Cheese model defense and DEP defense and death is what it actually should be but where we actually see swiss cheese model talked about when people talk about theor attack framework oh that's applying it wrong when I talk about the Swiss Cheese model and the NTSB does this all the time it's what are the failures that we had that led to this happening it's not what did the attacker do and let's find that step in the Cyber kill chain we can't predict what attackers are going to do we've tried that for 25 years I've

been doing this and we fail we need to be focusing on what mistakes are we making and how do we stop those holes from aligning that then lets the attacker in so I'm gonna leave me with a quick quote from Sully because I love this one because it talks about that Pilots are taught to always have situational awareness to have that mental picture of what's happening it's a great idea and when it fails it fails miserably like when we give them all sorts of crazy messages that don't mean anything or they're being told they're stalling while their nose down right these are the things that we need to be working on and it takes that human element to be

able to overcome those sometimes so with that uh quickly I'll throw this up here just for the moment um because I know I'm running a couple minutes over I apologize um if you need want to contact me please do I'm always happy to talk security talk Aviation the YouTube link at the top I have both I have security content out there I've got Aviation content out there happy to talk to you guys anytime with that thank you all so much and most importantly thank you to all of our amazing sponsors who made sure we could all be here today and have this fun