
IATC - Red/Blue Q&A: Pressure Test Lightning Talk Ideas (Panel) - TBD

BSides Las Vegas · 28:20 · 37 views · Published 2017-08
About this talk
IATC - Red/Blue Q&A: Pressure Test Lightning Talk Ideas (Panel) - TBD I Am The Cavalry BSidesLV 2017 - Tuscany Hotel - July 26, 2017
Transcript [en]

Thanks to all the speakers. We're going to roll right into our panel Q&A. We've got a microphone up here where you can ask questions. If you do need to change over to a different room, that's fine, but remember the questions are in the spirit of pressure testing the ideas in order to make them better. Even if you think the idea sucks, let's have a little bit of an innovative and improvisational spirit and say "yes, and": how can you make this idea a little bit better than it was before these folks came into the room, and improve it iteratively? This is where we put on our friendly pen testing, red teaming hats, like Bob said, and maybe use the Nerf bats rather than the fungo bats, if you're a baseball fan. So, first question.

This one's received. My boss always asks me what the assets are that we're protecting when I want to bring in new technology or new processes, so I'm curious: does anybody analyze what this major cybersecurity attack on the country would do, what the impact would be, life loss, financial impact? Have you seen that anywhere, ever? Have you looked into it?

The closest thing I could say that would address that is from different presidential directives, including PPD-41, which is out and easily read: damage to property, loss of life. Now, will that one loss of life trip the wire that I'm talking about, or is it a catastrophic shutdown of all the electrical grid in one area, and now you have lots and lots of loss of life? I don't know what the delineator is. I could imagine in a political sense that one loss of life could in certain circumstances be okay, that's not that.

Some of the things... so the government every year or two runs some exercises. One of them is called Cyber Storm; there are like three or four that seem to be competing for weird cyber names, and a lot of those, from what I understand, have not focused on the loss of life issues. They've been "the power grid goes down." Some of the stuff you guys are doing in the energy sector, looking at... I forget what you guys call yours, which is not government-led, it's industry-led, right? It's the North American Electric Reliability Corporation, NERC. NERC runs those events.

Yeah, so NERC operates the GridEx event every two years, and coming near to you in November of this year is number four.

Yeah, so there have been some of those simulations that have been done. In talking with some of the Congresspeople, congressional staffers, agencies, like Steve said, a single loss of life might not be the thing that trips that breaker, especially when at a national level you have loss of life every single day, right? There's some number of people who just die from things every day. That's true. It's less funny than true. But if you look on the highways, about eighty people every day die from car accidents. Some percentage of those are preventable. That's why the Department of Transportation is pushing so hard for autonomous vehicles, because the stats say that about sixty of those eighty every day could probably be saved. So that's the type of thinking that they look at, the scale at which they have to think in order to have a societal level of cohesion and kind of stability. I think I saw a question over here somewhere. Oh, there it goes.

Okay, so my question is for Steve also. I enjoyed your talk, but from a military perspective, we talk about a nation-state level attack that would, you know, affect a large part of our nation's defense capability or power grid or what have you. I think part of our capability from a military standpoint to either deter that, or our attack, comes from the A word, right? Attribution. And that's something a lot of people kind of like to assume away, and it seems like we've got a real problem with that. Every time that we try to attribute any kind of major attack to a nation-state, we largely get laughed at, right? It's like, well, if you want to attribute an attack to China, just hire Mandiant, no problem, they'll find China, right? So I think that's a problem, and how do you see us solving that in the future from a military cyber standpoint? Because I think honestly, as the gentleman talking about the electricity exercises was saying, you know, we don't like to air our dirty laundry, but if we have some, that's it. You know, from a national military standpoint, we're not good at it. We're not good at attributing those large attacks to a nation-state, and so what is their cause to not attack us? Because at this point we can't really, generally, find a smoking gun. We haven't yet, really, unless I missed something.

So I agree with you on that, absolutely, and I don't have an answer. That is another wicked problem that's being put to you all the time. The only thing I would say is, where I'm focusing is I don't want to have to go back after it. So attribution is when you want to go back. I would rather us move into: we're good at what we're doing. Look, we've got nuclear weapons sitting there, right? We know that keeps other people from using those. We've got military capabilities; in the military example, we've got those capabilities forward deployed. Here's what we do, we've shown willingness, and in theory that tamps down anybody else's desire to do things. So then I don't have to have the attribution part, because it is so difficult. So I'm probably wishing that one away more than I should. That's a very difficult problem, no doubt.

I mean, I agree with you there. I would rather get away from just the reactive mindset. That's my concern.

We'd rather sit around and argue that problem, as opposed to: what if we just show we're able to get our act together? And it's not just military, it's not just government; our collective national act is so squared away that there's "yeah, I'm not going to do that, it's not worth it." That's where I think we have a warrant.

This is, yeah, as Steve said, there's not enough booze in the bar to really have the end of the deterrence conversation, which is where attribution is really effective. And only in some models of deterrence do you need attribution. Yeah, it's the retribution piece, it's the increased cost after the fact for attackers, and I think a lot of that conversation comes from the thought of, you know, we can't do any better to defend our nation against a nuclear attack other than deter the other guy from doing it. Because it seems like there's a lot of that conversation that comes in from the nuclear and military side when you think about deterrence. But like Steve said, you know, I'd rather build our walls higher to begin with. I'd rather keep people out rather than worry about how to punch them in the face after they do something. And I think that there's a certain segment of the infosec population who says, well, we're going to give up on this idea of prevention, we're just going to detect quickly and respond quickly. But how do you respond when you have, you know, maybe a thousand people die, right? How do you bring people back to life? That's hard. So the response and recovery piece of that is fundamentally different when you deal with these bigger society-wide cyber issues. And instead, if we invested more of our political will and institutional will in the defense piece and the preventative piece, then we could do two things. One is raise the bar higher than the low-hanging-fruit adversaries can jump, so if we clear that battle space we don't have to worry about, you know, was this some dopey kid on a laptop in Southeast Asia, we don't have to worry about was this ISIS, then we can only worry about the higher caliber actors, which makes it easier to do attribution. And with a higher cyber tideline or cyber hygiene line, you also get more indicators that can point you in the right direction. So right now, like, somebody gets hit, there's probably not a lot of log files, depending on who gets hit, but if there's log files everywhere, it's like having trip wires everywhere, then it's easier to build a story to tell who was doing what. So it makes attribution easier and it prevents attacks from succeeding to begin with. So that's the way that I tend to look at it. And you had a question, like, oh, there, any question for David?

So I'm part of a National Guard unit. We've worked with local public utility districts to help look at their security, just completely voluntarily, right? One of the questions... they've been really willing to hear our security advice because they don't have a lot of resident experience in incident response or really digging in and finding security problems. So if we've got a hundred and, what did you say, 121 utilities part of this coalition, do you feel like the security expertise is resident within that group to be able to actually respond, or are we going to end up with an issue where we have 120 electricians, plumbing?

So that's a great question. So within the current membership of cyber mutual assistance we've got majors, like big major utilities with multiple millions of customers, and we've got utilities that maybe are serving twenty thousand customers in, you know, the middle of, you know, far away. So there's a combination. There's a recognition, though, that frankly the incentive for the majors to play is it's in everybody's interest to help the little operator out, because if you're an attacker, are you going to go after the major and really beat on them hard? I guess you could, but wouldn't it be easier to go after the smaller operator? So the objective is to have sharing, sharing of expertise, and building a community across all the utilities that are a part of this. So we've met, we had an in-person meeting in February, we're going to have another one in August, but to really build a community within cyber mutual assistance, one of the things that we strongly recommend is that the utilities take a look at their footprint and they look at their neighbors to the north, south, east and west, and if their neighboring utility is not a part of cyber mutual assistance, for them to poke them and say, hey, there's a thing you should be a part of. And if their neighboring utility is a part of cyber mutual assistance, you poke them, you say, hey, we need to talk about what is really going on within our systems and we need to share. We can talk about indicators of compromise, and we need to have a cup of coffee while the sky is blue and, you know, we can patiently talk with one another, before the storm starts.

This is another question for David, specifically with mutual assistance. One of the things you have with the hardware, the power lines etc., is they are all standardized and easily replaceable. Now, with the cyber mutual assistance, is there also a regulatory look towards standardization and interoperability from a, you know, software systems perspective or industrial control systems perspective with these utilities?

So we recognize there are, like, super important differences between setting poles and hanging conductor, because, you know, a journeyman electrician is a journeyman electrician, and they're pretty fungible. You can move them all over the United States, it's no problem. With cyber and with utilities and industrial control systems, they are extremely customized to the specific application. We get that. There is, I think, as a general matter, not high interest in the notion of "oh, we should all just do standardized implementation," because I talk about common mode failure. I mean, to a degree, common mode failure is already kind of a pretty high risk when we look at the number of major systems integrators, industrial control system vendors, that essentially all utilities use. There's not tons of them. Now, the specifics of their implementation will vary widely in terms of configuration files, etc., but the hardware itself is pretty common throughout the industry. So one of the issues that came up was, when the program was first being built, people said, how do you wish to do this? Should we have a database? We'll have a database of skills. Oh, that would be awesome. And then other people said, that's a terrible idea. A database of skills and personnel and all that, it doesn't make sense. It changes a hundred times faster than you can actually ever write it or share it. Don't do that. So what the counterpoint is, is: don't inventory, you know, all potential stuff, but if there's a utility who has a problem and they call for help, we expect that utility to be able to say what it is that they need. Because if you call for help, really you should be able to say what I need: I need five forensic examiners, I need fifty break-fix technicians to be able to say "yes, yes, yes, I agree" and enter a 20-digit license code, you know, based off a gold image, or I need reverse-engineering analysts. What is it that I need? So the utility who's got the problem has to be able to define effectively what it is that they need, and then we believe that the community will be there to provide the answer, responsive to the need. Does it make sense?

Yeah, one thing that's interesting about that is, I could see, to one of the previous questions, that, you know, if you have an organization that is very immature in a certain capability that might come into response, like... in my consulting past I've worked with big enterprises who, you know, they have great, let's say, pen testing capabilities, but their incident response, they've got like, you know, two people who kind of do incident response and everything is outsourced, for example. Like, just because an organization is big or is, you know, fulfilling some of the industry need doesn't necessarily mean that they're mature on all fronts. And so, like, an inventory of maturity, like capability maturity, could be an interesting, like, proactive way to align the right resources and groups to do a particular response scenario. I would think it would also help for the organizations who are calling for help, as well as the others, to have some cross-pollination of ideas and skills and build up the maturity and make it more standardized, systematized across the industry.

My question is for both David and Bo, and I hope this doesn't deviate too much from the focus, but about a year and a half ago I had an occasion to attend an FBI InfraGard meeting where I met a gentleman that was talking about electromagnetic pulse, EMP, threats, and to be quite honest it was a little bit of a stretch for me. So we investigated some more. We went to the National Space Weather workgroup meeting that was held in Colorado a year ago, and one thing led to another, and what we came to is that the electromagnetic pulse is a huge threat to the electrical grid, and also that in traditional engineering methods we have not addressed that possibility. So I'm wondering, from Bo's perspective, as you work with medical device manufacturers, if that's being addressed or if that has come up in the discussions.

I haven't thought too much about EMP. I know a lot of people define that as a class of electronic warfare, where they also class cyber as a different part of that. I don't tend to, just because they're wholly different threats. I mean, one is, you know, you're talking about decimating a physical layer; the other one is pretty much everything else. Medical device makers, unless they're dealing with radioactivity to begin with, they're not really thinking about shielding other than what's required by the FCC and other governmental agencies that regulate shielding, electromagnetic interference. My personal feeling is, if you're dealing with an adversary who can muster the logistical and technical capability to pull off an EMP, you're probably talking about a nation state or something very near to a nation state anyways, at which point that's a higher bar than we'll be able to get to with a lot of the things; it would be commercial-grade stuff off the shelf. I don't know if you wanted to tackle that, or that's another one where we could have a whole long discussion over beers. The Russians have done certain things and other people have done certain things.

So I'll take that as an invitation to keep my comments short, because we will probably talk about some other things as well. One of the things that the electric industry is doing is there's an organization called EPRI, the Electric Power Research Institute. They have launched a three-year program to look at different aspects of EMP, i.e., IEMI, HEMP, the whole deal, and issue reports throughout. One of the challenges with EMP is you don't have to start talking very long before you run into classified space. And one of the challenges is that utility operators, owners, say, okay, if there is a particular design basis threat, give us the specs and we'll totally buy equipment that matches those specs. And then we talk to our partners in DoD, and DoD says, you know, I would just love to tell you, but we go above this line and now I can't talk about it anymore because it's classified. So it's a really challenging topic, and I know that there are certainly advocates who just love to get out their aluminum bats, actually, and beat on the heads of the electric sector and, you know, call us really bad names. I would say we're happy to do what we know how to do in terms of things like design basis and, you know, really the technical issues related to defending against those types of events, but frankly we also have a dependency on our DoD to dissuade or prevent that type of activity. We're not good at stopping missiles.

So I see we've got a handful of hands in the air. We've got about four minutes left before we're going to break for lunch. We are going to continue down into the Pub 365 again today, so we can pick up some of these conversations there, but maybe we can do like a lightning round of questions, one, two, three, and then we'll do a lightning round of answers up until our time.

Okay, so my question is for... is it Carolyn or Caroline? Caroline. So as far as electronic medical records go, you talked about ways to convince management to spend money on security teams, and you talked about, you know, compliance with industry standards, compliance with regulations, and then risk. As far as the industry standards and regulations go, what's the current state of them? Are they convincing to upper management? Is it helpful to have more, or is it counterproductive to have more, you know, for EMR companies?

Okay, so question one is: regulations, do they help or hurt getting budget from management? Are we supposed to answer? Let's get three questions and then we'll go with the answers; that way we'll have more time.

Cool. We're running low on time, so just a comment rather than a question. Steve, I'm from the ISP, I'm here to help. The good news is that things are probably a little bit better than you think. There's definitely a lot of room for improvement, though, so find me afterwards. I have some very specific suggestions for you.

This question is also for Caroline. You mentioned before doing the ego shaming of your... your CFO, saying all the people around us, our peers, are doing better than we are, and so forth, so you should put more money into that. One of the things that's on the horizon but not quite here yet is insurance, and at some point the CFO can very legitimately say, it's going to cost me how much to fix this myself, and there's no guarantee we've actually fixed it, versus I can pay that amount or potentially less and even if it happens we're covered. Do you see that trend toward insuring it go against "give me more money" all the time?

Yeah, so, is it cool if I just respond to these really quickly in the interest of time? So with regards to the insurance thing, cyber insurance has actually been around for a long time; an organization I worked for ten years ago had it, and I think it's a really important option to put on the table, especially with, you know, the gentleman back here, one of the themes that you've referenced is actually a skill set problem. So we have a major talent shortage in cybersecurity, and if you can't find people to do the job even if you have the money to pay for them, then maybe insurance is a better option for you. It really depends on the organization. I don't know that in a lot of cases only insurance is going to be your best option. I think when it comes to cyber insurance, just like when it comes to life insurance, health insurance, you've got to look at the fine print. So when does it apply and when does it not apply, and when it does not apply, what sort of mitigating controls do you have? So I think it's a valid option to put on the table, and then, you know, the conversation really becomes about under what circumstances would we not be able to make a claim, and how do we account for those. And with response, you know, my response to kind of the question about industry standards, best practice frameworks, it's another kind of lame response, like, it depends on who you're talking to, but that's the truth, right? So when I was at Zynga, we were starting the security team from scratch. They got a lot of money because they had a major incident and they said, okay, build a team. And we built the team and then we hired a CIO, and the CIO said to my boss, who was the CISO, hey, it seems like you have a lot of really smart people and they're really busy, but how do I know that they're working on the right things? And, you know, we responded and she said, well, it would be a lot easier for me if you guys would just do an ISO assessment, and then I would have an industry-level accepted, you know, lens through which to view your program. The other common scenario that I see is, so I work for a vendor, and our clients have their preference for whatever, you know, lens they see the world through, and a lot of times there's a framework or best practice, and so we'll kind of ask, like, well, what do you need, and to what extent can the documentation that we've prepared accommodate that? But I'll let Bob speak to the medical-specific component of that.

Yes, so one interesting thing that I've found about both regulatory standards and, you know, the best practice like ISO and, you know, NIST or whatever other standards, is that for us it has been convincing in the sense that it's been a hindrance for business development purposes or other things that the company is trying to do. So like, you know, HIPAA, if you're dealing in healthcare, is like the very, very low bar that you have to get across, but, you know, doing something like CMS ARS or SOC 2 or, you know, all of those other, HITRUST, all of those other regulatory or industry standards, when you're working with other enterprises or you're trying to sell into new markets, those things are enablers for the business. They're not... I mean, they are a pain in the ass, but if you frame them as enablers and things that are going to actually help the business owners open up new doors, I found that to be really, really effective. So like, for instance, going through a SOC 2, SOC 2 Type 2 audit for us for a couple of our products allows us to just get into a lot more enterprises, for example. And then one other quick comment on the insurance. So we have cyber liability insurance, and one thing that is worth keeping in mind is that if you don't have some semblance of a security program in place, they can refuse to give you coverage or they can refuse to pay; like, they reserve the right to pay out claims. So, you know, anyone, like a CFO, who is thinking that they're just going to throw, you know, 50 grand in insurance annually and get everything taken care of, like a couple million dollar policy, they're probably hearing some pretty bad advice, and so it's worth getting in front of that.

All right, well, thank you to the panelists again. [Applause]