Prashant

BSides Calgary · 48:29 · 165 views · Published 2022-12

So I'll move forward. Critical infrastructure exploited: what are we missing? Right, we had a very interesting talk by Vivekanara today from the roomy networks, in the afternoon, in the morning time. He was talking about, in exactly saying this, this room, he was talking about OT security understandings, you know, the gaps, you know, that we should lose our cyber hygiene more, uh, more fundamentally and do it properly, right? I mean, there's no, it's not, uh, out in the heaven that you have to do security to the nine yards, as long as you do your fundamentals properly. Um, so what are we missing, uh, in the critical infrastructure space? So many of you who can understand their

supply chain adapts, their attacks are not critical infrastructure, whether it is through nation-state actors, whether it is through, you know, adversaries out there. Uh, there are geopolitical tensions: we have the Ukraine-Russia, what's going on right now. You have heard that you are starting your greatest critical infrastructure, literally going after the energy system, right? So I'll speak about that a little bit, on that event which happened in 2015, 2016 in Ukraine and how Russia actually tried to stop attackers. So, uh, there is certainly something missing here where we are not able to safeguard our systems, uh, the way we should, or what are some of our challenges in this space. Uh, the Triconex system malware, uh, how

many of you have heard of this malware, or even in terms of, uh, security? Okay, a couple of hands there. So this is, uh, this is one of the malware, or one of the, uh, hacking exploits if you will, which hit the safety instrumented systems of Saudi Arabia. And, uh, as Vivek was saying in the morning, I'll reiterate it again: for executives it's not important on the ICS side or on the OT side if your data is not available or if your systems, um, you know, have a confidentiality problem, if you will. They're more concerned about the safety aspect, the people aspect, the environment aspect, and that's important for them. So when you look at safety systems which

instrument and which take care of these critical infrastructure, it's important that there is, you know, there are these malware families which are so targeted they go after those mission-critical functions which are supposed to be working fine, because human lives cannot be replaced and data can be replaced, right? And so that notion of safety versus security, when we talk about ICS and OT, we'll come to that, it is critical and important to understand, uh, when we move into this world of, you know, running commodity, whether it is, you know, gas, liquids, you know, electricity sector, etc. We all live here; it is, imagine a scenario in the middle of winter at minus 30, 35 degrees, if your

electrical substation or your whole grid goes down. Those are some very key, very fundamental, uh, scenarios which are necessible, and it could lead to a loss of human life, it could lead to, you know, different other aspects. I'm not sure about civil unrest in Canada, but, you know, it's important that, you know, you take that into consideration. So we have these issues which come up. You have targeted attacks on these systems. Um, Vivek also talked about another malware called Industroyer, or five dreams. So those are some areas where we are missing some way of safeguarding and securing those systems, right? So why this approach, or the appropriate, I'm going to talk about, on cyber cerebrality

and the CCE methodology, the five D's of sabotage. So this book talks about those five D's, which actually resonated with me as well. Uh, when you talk about sabotage you talk about disrupt, deny, degrade, destroy or deceive. Now think for a second and take a step back. Henry Walkman, in one of his S4 conferences, by the way, S4 conference, if you don't know, is very beautiful, a very good conference, you can go on YouTube, it's a very nice conference, I'm looking at OT security. Um, so he said one statement which resonated with me as well. So as they were, Idaho National Lab was doing an assessment with their clients on this particular methodology, a light bulb, well,

went out into a CEO's mind, and he goes to Congress and he says a statement: uh, I can go through a disruption of my business activity, but I can't go through a destruction of my OT systems, because they're legacy in nature and they will impact my mission-critical operations. Take a second to digest that, right? Destroying an equipment so that you cannot provide an important service to society, versus disrupting operations, which is also still bad, but you can come back to your, uh, your, your last... the word cyber resiliency, if anybody wants to, you know, think about that in those terms: you are being attacked but you are still running your operations. So that was important. And is it possible to

destroy equipment? Yes, if they're motivated enough, nation-state actors, and you have ways to do that, and we'll come to that, how this methodology talks about it. So five D's of sabotage, keep that in mind as we move along this presentation. So sometimes people say, related to this particular methodology around consequence-driven cyber-informed engineering, you know, are we replacing our basic information security management? Are we replacing fundamentally our concept of how we look at security? No. For an enterprise, security is, you know, all nine yards from the IT to the OT side, right? When you talk about basic risk management you're looking at the whole organization, and then you go up the chain in the

pyramid and then you talk about business risk, more at the C-suite level, more at a sector level, whether you are in the, you know, pipeline industry or whether you're in liquids or you're in the electrical sector or manufacturing or water. Then comes the national security level, where there are certain functions which run our society so importantly that it's hard for us to not look at them and make sure that they don't fail. And that's the important part, which is where I'll talk about this particular methodology, on the consequence-driven aspect of it. Um, another thing, very, very interestingly, uh, you know, Vivek said, if anybody joined that call in the morning: this is an engineering-based approach to looking at

how systems work, not a cyber-based one. This is where cyber will play a role, but it's in the engineering aspect of how things run. So what this whole particular aspect of this slide, and what I'm trying to say, is we are looking at certain mission-critical functions, whether they are at a national security level, whether they are at a company level, without which either a nation state would lead to a lot of, you know, human unrest, societal problems, safety, personal issues, or at a company level a company may go out of business, it cannot deliver its, uh, its critical function. And I'll give you an example, maybe in subsequent slides, what a critical function actually

looks like. Now, so, cyber defenders spend big time and money calculating, uh, likelihood of compromise. "They are going to get it, get in, get over it," right? Michael Hayden, uh, former director of CIA. And so this is where I went again, step back and give you an idea of why are we looking at consequences more on this than on the cyber side. You know, this particular way of looking at things is stating that adversaries would go into your environment. Assume that they are in your environment. Don't spend money, time and effort trying to prevent them. Not to say that you should not do that, those are areas where you need to spend your time in the

business side to make sure you're not being attacked. But as you are being breached, your adversaries are in your environment, now what will you do to come back to operations? Now what will you do to stand back on your legs and say, in the midst of my, you know, of the cyber sabotage or cyber breach, I will keep running my operations? So that's the mind here. When we look at risk, many of you may, you know, may know this risk equation: we look at characters, adversaries, they look at vulnerabilities, we look at the likelihood of those being exploited, and we look at the business impact. So what we're stating here is, take it for granted, assume that

likelihood of you being compromised or breached is one, that you will be compromised. Now, from then on, what else can you do to either reduce your business impact or be ready to run your operations in the midst of already being in an adversarial situation? So that's the idea, you know. Because there's so much going on in security, you cannot pass on the whole world of cyber security, so you are taking a step further and saying, okay, I assume that I'm, my majority of my network, what do I do to try to defend myself? And so this is where we need to understand, as organizations or as a nation, what is some of our

critical functions we are delivering. I'll give you an example. For an oil and gas sector, you know, the pipeline industry or pipeline companies running operations, they're sending out leaders from the pipeline, they're sending, you know, natural gas down the pipeline. What is the critical function they are delivering? They're delivering the critical function of delivering natural gas, for example, to your homes, so that you can heat your home, and that's how they make money. What happens behind the scenes are some of the critical functions which enable that natural gas to flow through the pipeline, uh, to your homes, from gathering site through the pipeline to the delivery stations. So those critical functions, to quantify them, to document them, to understand them

as an organization or even as a nation state or even as a province, for example, is important. And what are some of the enabling functions which deliver that curriculum? So some of these sectors, or some of the, you know, winners out here: infrastructure, people, process and technologies. I'm sure, if maybe our students here, when you learn in computer science, they talk about people, process, technology, right? You know, as you look at your strategy, as you build your use cases, always look into that mindset of people, what's my people's strength, process, technology. They're including infrastructure in here to give you an idea that these are our fundamental pre pillars, and they are called enabling

functions which provide a critical function of providing either a, you know, fuel to a pump station, or to a power station electricity, or electric fronts, delivering natural gas through the pipelines. So that's an important concept as we go into this idea that you have been breached, bad guys are in your network, what do I do to sustain my critical function? Again, keep in mind we are not thinking about these critical functions also being impacted and I can still run my operations, no. We're talking about, from an executive level, at the C-suite, or call it a colonel or a general of an army, when they say these are some of my functions which have to keep running for

my business or for my company or for my army to sustain operations in the field, and I cannot live without them, so I need to find ways to reduce the impact, your point where they keep running and I keep delivering my service. So that's the important aspect, that's where the likelihood aspect goes, uh, goes up. Uh, an example of a natural gas system: so what you see here is basically a compressor station, um, just an example of a field site where you have a compressor station. What I was trying to show in this, and I'm trying to show in this slide, is the fact that the critical function of any natural gas pipeline, as an example, is the

delivery of natural gas, when you gather it and you give it out in the, uh, the sides. But in the middle you have valves, you have compressor stations. What is a compressor station, by the way, for those who don't know? Gas has the property where it flows, it expands, just like here, when you flow it, it will expand, the molecules expand, because as they go along there's, you know, more expensive and gear expense, so you need to keep compressing it. That's the physical farming, right? You need to keep compressing it as you keep sending it down the pipeline. Towards the end, if you don't compress it, it will become so large then the, you know, the

capacity and the pressure in the air will not be helpful. It's not like liquid: a liquid keeps going in a pipeline, uh, there's a certain pressure; gas expands and it needs to be compressed. So there are different compressor stations, as they call it, uh, turbines which actually run. These are turbines, what you use in your, uh, in your airplanes, GE turbines, as airplanes run their, uh, their systems, similar to that. So that function happens, and so this is one example of an enabling function which we as probably a society don't know, or, you know, many of you who are not limited to this industry. The end product is we get

natural gas in our, you know, in our homes, finally, at the end, from where it is being generated. So, uh, you have critical functions and you have enabling functions. Now imagine a bad guy or an adversary at a nation-state level: they go after your enabling functions so that your critical function script, and that's what we are trying to, uh, to understand. So if I attack my compressor station, what I showed you last time, and it's a very important compressor station in a section of a file, and if that goes down, I cannot deliver gas on the other side. I'll give you an example: in USA they, uh, they talk about, um, you know, talking about national

security, they're taking use cases out with one electricity sector in Florida. Uh, there's some natural gas pipelines too, where they're looking at natural gas being sent to power plants, natural gas fired power plants in Northeast U.S. or in other areas. And imagine if there is one single pipeline which is an artery providing power to five or six power plants, and that pipeline goes down in the middle of winter, and your power plants don't get natural gas, they will stop functioning. The ultimate effect is that society will get impacted, people might die in the middle of India. And so you see the enabling function here is the flow of gas, delivering power, delivering gas to the power plants, which

can ultimately provide electricity to the United States. So you've seen, in those terms, how the critical functions and enabling functions play a role at a national security level. And there are various ways: TSA, Transportation Security Administration, for those who are in this industry, um, have certain regulations which have come up; NERC CIP regulations on the electricity sector. Electricity sector plays a much better role in terms of upping up their game in cyber security in this space, but, uh, those are some of the areas where there's more focus these days going on. For many of you, you know, show of hands: Colonial Pipeline incident, right? Uh, happened last year, um, and, uh, ransomware event happened on the

IT side but impacted the OT side, but ultimately it, uh, it leads to those consequences which are hard to ignore. One other example here, uh, is from PHMSA, the Pipeline and Hazardous Materials Safety Administration, uh, and they talk about the, you know, they have, you know, if you ever want to go and Google this particular website, they have a website, they have a registry of events which get notified by these operators for that. This is a US regulator, by the way. And so they had a compressor station in West Virginia, and there was an interruption with the electrical power to the station, resulting in loss of instrument in safety gear system compressors. Air compressor systems require a manual

reset after power loss, but station is unmanned. Inability to maintain sufficient pressurized air volume to the station resulted in a shutdown of two gas compression units and a partial station. So what you're seeing here is nothing to do with cyber. What you're looking at here is an example of two enabling functions, power and people: they were not there in that station. Power got interrupted and it was unmanned, nobody could go into a manual reset, and the station went down. No, and now, our country, subsequent slides, you can take a step back and say, if this could happen to a station, the station can go down, which would lead to other impacts down the line, can cyber play a role to effect this?

And yes, there are methods by which cyber can play a role to affect this. This is an engineering consequence, this is an on-the-ground consequence of what happens on a system, but how cyber can play around with that, so we'll come to that. So, vehicles of cyber sabotage: uh, cyber threat actors have an expensive collection of tools, methods and resources to launch those attacks. So I'll speak to another slide on this particular topic. Um, the likelihood of the breach being one: now this is where I was trying to speak that, you know, assume that compromise will happen in your organization, assume that you will be breached by an adversary, that an adversary has almost the same knowledge as you about your

technology. I'll give you an example, right? So this is a Dell laptop, right? Everybody has their own laptop. You know, I can't say this is a Dell laptop for me as Prashant; anybody can go online and you can look at the manual of a Dell laptop and you will know exactly all the bells and whistles which I know often English technology. Now, as an industry, you're running certain equipment in your operations, right? You're running, inside the natural gas pipeline, a compressor station running a GE turbine, or in a liquid system running a pump station, or Schneider Electric or whatnot. These are standard technologies. You can stop an adversary going and looking after the manuals and going and

looking after all nine yards to know how the technology runs. So the knowledge of an adversary would be similar to yours, that is something you cannot... I mean, they actually run labs. There are examples from intelligence communities that some of the enemy nation-state actors, they run, like, labs of equipment which are running in our major sectors in North America, for example, and they exactly know the equipment, the version number, the firmware updates and what you're running on your system. So that is also one thing we need to get away with, that, you know, you're not running a unique technology. There is a uniqueness, which I'll come to in another slide, what you are providing in

your systems and your processing, but the technology itself and the knowledge and the information is the same that is functioning. The adversary is not limited to network-based attacks, right? So when you're looking at cyber you're not only looking at just, uh, the packets going through the wire, you're also looking at supply chain, you're looking at contractors or people who can do this current, although we can bring in malware, you're looking at the people side, the vendor side, right? The SolarWinds attack, I have in this line going in the future, right, it was basically going after your vendor, and that vendor is so pervasive in the organizations. You don't have to directly go after the company,

you go after the vendors and who the company does business with. Another quick example, uh, in the district of security: you know, as I said, Siemens or GE, um, you know, or Emerson, I don't have to go after a particular company, I can go after that vendor, and as long as I go after that vendor and I tag, or I create, uh, some kind of a malware in their system, and imagine the amount of equipment being used in all other industries of that particular model or even that particular, uh, you know, manufacturer, and that's probably a larger we are impacting, uh, an organization, rather than going crediting a particular organization. So those are some examples

where adversaries, not just, you know, there is this mindset that they will come through the internet, go into your business network on the IT side, then go into your OT side and then try to break in and, you know, get your operations out. No, there are parallels out there. They can come in: electromagnetic pulse, they can go into your fields, right, put an EMP gun towards your, uh, station controls, and they can take out physical security, right? They can go after your wireless radio, radio waves, they can go after, you know, the people side, as I said, the manufacturers, and those things are not pure network-based cyber, those are different ways of coming into

your organization. Misuse of technology, so, as I said, is one of them, right? Living off the land techniques. So misuse of technology will impact your critical functions. As I said, these technologies are there in your environment, and I also said that, imagine the adversary is in your environment knowing all that you know about your technology, uh, they don't have to be different. Living off the land, have you all heard of this term? So it's just like your adversary is acting like you, as an administrator on the system, and they can run commands or do changes which are normally provided by technology, for that technology. Again, Vivek said in the morning, and I'll

speak to that in the Oldsmar incident that brought it up. Um, you know, they went in and you can change the set points of a chemical going into the water. You know, that's a function provided by an HMI software upon an HMI workstation. It's nothing different. As long as you have alarms, those are, you know, you can alert upon them, but the capabilities are provided to you, so you're not looking at something totally different for an adversary to come and do. They can do and limit exactly what an administrator running the system will do and how they can impacted back. So keep that in mind, as misuse of technology can go to an extent where they can have an adverse

impact on society. A beautiful example of misuse of technology: the Ukraine crisis, 2015, 2016, when Russia attacked them, right? Ukrenergo is their electricity, electrical company, uh, this is the one actually being attacked right now, Russia is showing them and there's a patients. Uh, Sandworm is actually one of the, uh, APT actors from Russia who were supporters, who were thought to be, uh, who infiltrated them. But the idea was, it was nothing unusual. There is a YouTube video, if you want to have a Google and check it out: literally the technician on the station is calling the IT help desk and saying, my mouse is moving, my mouse's pointer is moving, are you doing anything on my system?

And that mouse goes in and clicks all of the sub-release of an electrical system, if you all know, and then it basically bypasses that and brings the station down. And so this is living off the land: they already have access, they are basically doing exactly what the technology allows them to do, um, and creating problems. Your product has, Oldsmar incident, right? Uh, as we accept too, the HMI system, and they could have changed the set points, uh, on the park, on the water park, on the water system. So yeah, I saw this, an interesting anecdote from Google account here, right? Uh, those who failed to learn from this, we are condemned to repeat it.

We allow Ukraine to follow then, because we know some of these things, and this is not rocket science, which has happened in the past. We know some of the issues in the system, we know what consequences can happen, or be prepared to run operations, cyber resiliency, right? Ukraine is probably 30 down, as I probably heard from the president, in terms of their electrical capacity, as they're being attacked right now. Can you be resilient in those circumstances, if they prepare for that? A lot of lessons learned for future, but the idea is, let's prepare for those consequences which can impact you, and you still keep running your operations if you can enable your critical functions that I was talking about, even

in the midst of attack, whether they're cyber, whether they are physical in nature. Physical could be harder, but, you know, there are ways to protect and prevent around that. Unverified trust, right? As misuse of technology is one vector, unverified trust, I won't go into all the details around it, but supply chain, third-party vendors, uh, we talk about who has access into the environment. Do we trust a contractor, or do we trust a manufacturer's SMC coming and bringing their own contract, our own laptop, and plugging into the PLC of that particular turbine? All your network controls are basically gone at that point, because physically somebody has come in and they are looking and doing a firmware update on

their particular turbine, which could bring that turbine down if that laptop, uh, has a malware. Okay, we have checks to make sure that that was not done? We have ways to understand what technology is coming into our environment, which people, that intent, are coming into our environment? Do we have any, you know, uh, firmware issues or software issues with a technology which is, uh... So that's, uh, misuse of trust. SolarWinds attack, I won't go into details again, this is one example where the Sunburst malware, uh, was used and, uh, it impacted a lot of companies, led to DHS and CISA providing an update in USA that, very, very important, you know,

you've got to patch your systems from this particular update. So what is the solution? For all this time I've been talking about, you know, Idaho National Labs, FBI, this is the methodology: assume adversaries in your environment, assume living off the land, assume consequences are going to be there. So how do we look about, as companies, as organizations, to go after solving this problem? Again, there is, you know, there's no solution ever of a 100 to any problem, you always be your best refer to it. But, which is where I said, adversary would know what technology you use, the knowledge of it, so is you. So where are you different? Let's take a look: the defender's advantage.

The perfect comic: the adversary will always know at least as much as you about your technology, maybe even more, but they don't always know how you use your technology to deliver

the understanding of how critical function is uniquely implemented at anonymous, right? We have unique business processes, we have unique ways of using that technology, and for that matter we have unique ways of creating our infrastructure. Take an example: you have a main gas pipeline, say two gas pipelines going, you know, redundant to each other, say, really, having GE turbines running, compressor compressing the natural gas and flowing it through. That is unique to me. Another organization may have just one pipeline with one from presentation. Same technology, I'm using the same technology, but I have my own designs to provide it on Wednesday, I have my own ways where I know if this compressor station goes down this one will take over. So I know

my ways of delivering gas, I know my ways of delivering commodity or energy and how I can support it and be resilient, and that is used, adversaries generally don't know, unless they are within you as insiders, about how you run your own operations. And that's where you need to find ways how you can mitigate those threats which an adversary can bring in, living off the land, knowing your technology. What can you do to stop them? And I'll come to that, on how that will be accomplished. So that's the defender's advantage, of you knowing more about how you run your operations with the same technology compared to an industry. Consequence-driven, cyber-informed: when I say consequence-driven, again, we are

looking at consequences first, more than we are looking at the cyber aspect of it. So, methodology that guides organizations that really finding it because it has traffic effects resulting from cyber anymore. We're looking at the task properties, right, those subset of mission-critical functions, if they go down, will lead to business going out of business or relationships having issues. So, CCE overview: there are four phases for this methodology, I'll give some references in the end as well if you're interested in looking at it. Uh, consequence prioritization, system-of-systems analysis, consequence-based targeting, and mitigations and protections. In a nutshell, consequence prioritization talks about high-consequence events. Uh, if you have hardness from low-frequency, high-consequence events, they

haven't quite less, but once they happen they could lead to a failure, uh, you know, of operations. So we prioritize these consequences, and there's nothing cyber here, again, if you look and you talk to the engineers on the ground, you talk to the operators on the ground, the technicians, and you try to understand what are those consequences, and you make a list of those high consequences from those high-consequence events. Then we'll look at how is my system architected. You do a full documentation of access paths, people, process, technology, infrastructure, all the enabling functions which provide me those important critical functions, if they go down, those are my high concepts. So you do a full lay of the land,

understanding how your systems are architected and providing that, you know, that function. Consequences targeting: this is from a threat actor's perspective. You are looking from outside in, that he knows about all your access paths, and say number two, and also knows what consequences can be, uh, you know, what could lead to high quality. Now I need to prioritize which of my consequences could be affected by a cyber industry. Does that make sense? So this is more looking from a threat actor's perspective, how they can impact between those concepts, because there could be 10 consequences but not all 10 can be actionable. That is where a little bit of likelihood and prioritization comes into place. So

keep that in mind: when I think likelihood being one, that is more on assuming that breach will happen; this is more prioritization of consequences, which one should I act first on in my organization, from an adversary perspective, and try to fix it. And mitigation and protection, so I'll come to those. Finally, you find some of those stopgap measures, those engineering controls which can stop an adversary. So that's the kind of understanding: you look at your high-consequence events, understand your system, understand an adversary's perspective, how they can impact your system, and then what are your mitigations and protections to stop those high-consequence events to become operational. Yeah, another quick way of looking at it, more

detailed approach, but, uh, I wouldn't go into too much detail around this. The idea is pretty much the same as I talked before. This is an important point I wanted to share with you all. Um, so, man-in-the-loop approach, those who are process control engineers or those who know about OT security or industrial control security. This is, uh, Colonel Stanislav, uh, Petrov, you can Google him. He was the man who was credited to have saved the world in 1982. You can actually Google, and there's a documentary on him. He was a Russian colonel sitting in the missile control, command and control system close to Moscow. 1983, heightened awareness around Cold War, five alerts came in, high alerts, that

five ICBMs have been launched from USA towards Russia, and he was the duty officer at that time who was supposed to make a decision whether they were real events or false alarms and send it up the chain to the army command and get an order to basically relaunch nuclear weapons, uh, towards the USA. And this guy at that time made a decision that those were false alarms. Imagine this is the scenario, the time and the, you know, you as a person at that time, and you have to make a call, you can't fake, and within five to ten minutes you would be obliterated, right? So one of his arguments was that they had a doctrine in Russian army

that if U.S. were to attack Russia they won't do it in five or ten ICBMs, they would do an all-out offensive on you. So that was one, he said, doesn't make sense that only five ICBMs have been sent. The other: he didn't only rely on the computer system, which actually he built, or how to build, with most of the other engineers, that this is giving me the exact data. So he went out and got confirmation from other sources on the ground, radar systems, Air Force, Navy, and said, do you see those, uh, things coming in? They said, no, we see nothing coming. So that was another feeling, and then he said, no, I think it's a false alarm. He

waited for 23 minutes and he took a sigh of relief, because that was the time from the U.S. to Russia, with 20, 23 minutes would have coming up continent, and he said, lucky enough, you know, I was right. Right, so the idea is about manual control. You know, when you have these Google Nests in your environment, when you have this total automation going in, you're providing that automation to artificial intelligence or machine learning, you're losing that control. You know, still I believe man is still, I think, the most intelligent machine still around, and you can make decisions which these control systems cannot. So make sure you have that control mechanism, whether it's a man in the loop, whether

it's a safe part of engineering asset, which I'll talk about, is important as you make those decisions, and not rely quickly on the automation side. And I'm sure many of my OT friends out here, or those who are in this field, or engineers, would agree to this aspect, that, you know, these systems cannot be fully relied on. You cannot automate everything to the T; you need to have some control. Call it the emergency shutdown, call it, because, you know, man in the loop, who can make that call and break, right? So very interesting study, take a look, and he got a lot of awards. He got reprimanded in Russia, by the way; funny enough, he

didn't put his war diary properly in that day, so he said, I was on the phone and I was on, you know, another phone trying to talk out; I can't have five, you know, hands to also make notes of exactly what I'm doing at what point in time. And they reprimanded him because he didn't have a good log of them, rather than saving the world. Lastly, the engineering mitigation and protections. So this is that mitigation protection aspect of this methodology. When we talk about automation engineering, we talk about control systems, we sometimes have to take a step back and listen to engineers on the ground and say, guys, act like an engineer, think

like an adversary, so you can think like an adversary. Vivek gave a very interesting example again in the morning: he said, you know, if you have a fuel tank and the tank gets overflowed and goes out, you can create a pit around it where that overflow commodity goes and, you know, can still be contained and isolated. That's a simple engineering backstop, or a backstop to somebody saying, oh, I would have wrote the tank and I was successful in basically breaking all the barriers and led to, you know, the overflow of the commodity and, you know, I referred to the system. No. You know, another example that Andrew Bochman gave was they did an Aurora test, if

you all, if you know, you can Google that. The Aurora test was done in 2008 and nine, where a transformer was basically blown up. It's a YouTube video where DHS did a study; a transformer was blown up remotely, and they found out, with all of the amount of dollars and efforts they put in, that a simple wire bypass could have disabled that Master from way. And so those engineering backstops, those walls which can be taken off, are examples which can reduce the impact on your system. This is physics, and physics can be used to reduce the impact to what can be enabled through these convenience. So that's the idea. Now, engineering is built on immutable laws of physics

and that cannot be broken. You have a formula of how a chemical has been put in, you have a problem of how a gas turbine would run, so you follow your instincts on that aspect. Last, from the summary, key concepts: you know, the adversary is targeting critical functions and how we deliver them. Don't blindly trust everything. The adversary may know what your systems are, but not necessarily how they are uniquely implemented in your organization. The defender's advantage of the perfect knowledge: actually we have advantages that take the adversary years to acquire, and that comes back to our knowing of our system and operations. Always protect your data, but that is more on the confidentiality side. Again,

you know, I guess not to repeat the choir again. On the ICS side we flip the CIA triad. For those who know, confidentiality, integrity and availability is on the business side of the fence, on the IT side, where your privacy of data is probably more important. On the ICS and OT side they call it the AIC triad: it's the availability, integrity and then the confidentiality, which probably matters, but it's the availability of systems, the reliability and safety of operations and running of those engineering artifacts, not the data around it, which is more important for that operation. Key terms are there, I won't speak them again, but I think I'm almost at the end of it. Some references here from

INL, from the S4 conference, and this is the book if anybody wants to go and kind of get an idea on how this is done. And I have my friend Douglas here; he is one of our volunteers of BSides Calgary, he works with me at Enbridge as well. It's me and his face, a very nice guy. So he has offered to give us a practical example of how this would come to pass. So I'll give Doug a chance to, if you want to take a look under the seaside. Sure, Sean and I had grand plans to actually get this together and do a live demo for you, but you'll have to come down

in about 30 minutes so the video that try this 90 second trip to instantly reduce your winter energy bills by 85. you want me to get the video first or you want to go videos good sure five percent this jet engineer [Music] ing um

of

them what you're looking at on the bottom of the freight operators


[Music] so and then that's fine Emergency Services


for example, if you shut those things down too quickly, break them. If you want to do one, you're not going to Home Depot, you're waiting six months. So that's kind of the consequence stuff that we've been talking about. The CCE is: I don't care how you broke it, I'm out of business. Business, that's good. So this will be live to come and play with them, or we can even demo the emergency shutdown, all that kind of stuff. And it was just a little much to try and get it working here, because there's a bunch of paraphernalia protections, you can appreciate, but the radio, there's some guys walking around here with these things called Flippers and

so it's not anybody coming by to clean the bathrooms to shut your stuff down. It's a dangerous idea, and we use lots of radio curriculum, it's all over the place, so any passing is good. So I thought it was great talking, Sean, thanks. Yeah, thank you, thank you Doug.

Any questions, by the way? Any comments, feedback? Does this, like, overlap the FCC certification Bell fqc fuc, like the functional safety engineer from Germany? No, I've not heard of that certification. I don't, just to share on that point, so Idaho National Labs also has another methodology called cyber PHA, that's cyber process hazard analysis. For those who are in this field, process hazard analysis or hazard studies are done where they look at safety. So they do it, and a comparison between cyber PHA, which is related to standards like IEC 62443, those kind of standards, and the CCE methodology: they both relate to consequences, how consequences can impact safety of systems, but that's more of the

competitive analysis of that of your, you're moving towards, but not sure about that particular version.

But I think in North America we do a better job compared to other, you know, other geopolitical regions in the world, including America and Canada. America definitely takes a lead in my opinion, because they have some regulations, they have more, you know, more effort in terms of people, process, technology, you know, information sharing session sectors, etc. But, you know, Canada is catching up. The public safety Canada is in Columbia arms and they deal with this kind of regulation and safety of critical infrastructure. And interesting enough, I'm giving a talk in ICS Symposium next week, right from October, exactly on this topic, but from insider threat perspective. So yeah, there is

information sharing, gathering, regulation which is playing the role, but it all comes down to awareness, right? And ultimately what companies see is important for their operations. And so it's a public-private partnership; you cannot put the onus on one or the other, it has to be informed on both sides. The U.S. is taking the lead in my opinion because of the attacks they have had, the Colonial Pipeline and whatnot. Canada is there, you know, Australia, New Zealand, UK, they're falling behind, the Five Eyes of the world as they call it. But a lot to learn, because the world is changing. You know, if you see a little bit differently, these systems run our

life: water, gas, power, right? And if they run our life and they get impacted, it drives back home a very important point, that what are we doing?

So I would say from a CCE methodology perspective, those mitigations and protections, which was the phase four: many organizations actually go from phase one directly to phase four. They say, why, I already know my consequences, I can put in my protection, why do I need to do a system of system analysis and figure out what an adversary is going to do for me? I know my consequences, I'll do that. So I would say in the mitigation section, where, you know, again depending on control systems, but that human engineering knowledge, whether it's an HMI technician on the ground, we can look at those controls, those set points. Do we have

business processes around that technicians are doing and doing firmware updates? Do we listen to them and their feedback as they bring it on, right? Or we are just saying you're overpassing their knowledge? That will stay and should always stay, that understanding of the engineer's perspective and knowledge of the system, and listening to them would say. And we, I think, honestly enough, are still learning how to move from the

and so, you know, it's a work in progress. But I certainly believe, you know, many times on that point they say this methodology, as Andrew Bochman says, go back to legacy control, because we're digging in a manual intervention here, we're meeting an engineer engineering back here, so we're not becoming more digitally enabled, we're rather going back with Aegis. But that's not true, and even if it is true, I would rather have an analog phone in the Army Academy, right, I can talk to somebody, rather than, you know, having a Rogers out there, then I cannot talk to anybody. So it's how you pick your system and be resilient, honestly enough. If

that works, that works, because communication is important. So it's that mindset. So I would still say the role of human, of a manual control, the role of analog, the role of engineering controls would still remain to reduce that impact, however much digitally enabled or cyber removable. Thank you, that helps you to understand the severity of the internet. Exactly, and this is exactly, you know, the point: look at consequences, how it's going to impact you, what are you doing to try to communicate it. You can have all nine yards. Thank you for being a patient audience. [Applause]