
All right, thanks for coming, everyone. My name is Sick Codes. I'm also subbing in, as Josh just mentioned, for Casey John Ellis. I've got his sunglasses. Who thinks we look actually quite similar? Who's met either of us in person before? Could be related. Yeah, we look pretty similar, and we're both Australian. He's a little bit taller than me, 6'3". But yeah, I've got these sunglasses, and when I put these on you can't tell us apart: two redheads with red beards, receding hairlines. Anyway, this talk's called Hungry Hungry Hackers. It's about food, agriculture and cyber security risk. It's also a Q&A, so I want you to be able to ask questions as well.

So I'll talk for probably about 25 to 30 minutes, and this other gentleman here, LP, you can ask questions as well. If you have a question that you're thinking about, just write it down on your phone and I'm sure we'll do mics or something at the end. Just one other thing: I'm incredibly jet-lagged, so I apologize if I'm a little bit slow or a little bit doozy. I think I've slept... I went to bed at 1:00 a.m., I woke up at 3:00, went to Denny's and I couldn't sleep again. So I don't know whether it was the food. Yeah, just incredibly jet-lagged, because I flew, obviously not locally, all the way from Thailand.

So yeah, this is independent research, in that I wasn't paid for some of this stuff. All of the vulnerabilities that I talk about were reported to the vendors in a, you know, secure, responsible disclosure way. Nothing in this talk represents future, past or present employers or contracting, things like that. The contents of the slides are Creative Commons Zero, and all of the trademarks belong to the owners of those trademarks. So here's my socials: you can find me on GitHub, Twitter, formerly known... oh, X, formerly known as Twitter, LinkedIn, and just my website, sick.codes. And you can also see Casey, who's also Australian, you know, his links as well: Casey John Ellis, or CJ.

So what's this talk about? It's about a brief history, leading up to now, of cyber security in agriculture. Now I think maybe three or four years ago many people, including myself, actually literally had no idea that there was cyber in agriculture, to be honest. Some people, like this other guy here, he'll tell you a different story; he obviously works in the industry. So as far as I know, yeah, we're talking about current, future and some past stuff. So who's this talk for? Those interested in seeing how a couple of bugs can literally change the trajectory of an entire sector, in fact a critical infrastructure sector. So you'll have a talk, I think, following mine about water, and you've had other talks, I guess, on this track today and tomorrow that talk about other industries, medical and things like that, and "A" as in agriculture needs a couple of eyes on it, and I happen to be the person who put some eyes on it and got a few things to whip up in a bit of a storm. It's also relevant for people who eat food, so it's going to get... rise, yeah. Most people, I assume. I saw some who didn't put their hand up, but just wondering how he's still alive. Anyway.
Birth of an idea. This whole thing came about through a friend of mine called Paul Roberts. He writes for his publication, Security Ledger, but he also does a bit of right-to-repair stuff that I'll talk about. He said to me one day in a phone call, he goes, "Oh dude, it's so random that John Deere has no CVEs." Wow. And I thought, yeah, that's right, [ __ ], there are no CVEs in John Deere products. He's like, "Man, I wonder if someone could go and look at it." You know, he sort of dared me into it, and that's what happened. He literally just said, "Dude, why does John Deere not have any CVEs?" I thought, oh, I'll go change that. That's exactly what we did.

So Paul, that's Mr. Roberts there, fantastic guy. He runs a Secure Repairs organization, which is a subset of right-to-repair stuff, which in my opinion... right to repair and security are completely, sorry, they have overlap, definitely overlap, but they are separate issues, and Paul is very good at illustrating those issues, about, you know, if you can't repair something then you can't fix it if it's got a fatal critical bug or a security issue with it, things like that. So yeah, I took the bait. Paul literally just said to me, you know, there's no CVEs, and I went and had a look at it.

First thing I did was I signed up to the John Deere website with a developer account, a free developer account, and then started playing with the software. And there's a form there, I don't know, it's quite zoomed out, this screen is quite small, but it's a form on their back end that allows you to add pieces of equipment to your account, and it says submit VIN number, vehicle identification number. But for combine harvesters and big machines that are in agriculture, if you add one to your farm, and the farm that's linked to your John Deere account already has that piece of equipment in there, it'll say error, this account... it says here "equipment already exists". However, in the JSON response it has the entire account record for that item. So it's got the... that's the VIN number at the top. You can't see this JSON; it's a lot longer than this. There's actually PII in there: it's got address line one, address line two, city, postcode, you know, lessee, lessor or something like that, a lot of information in there.

And so then, at the time, John Deere didn't actually have a bug bounty program, but I'll get into that in a moment. I actually sent, well, I sent it to them to fix, and there was a little bit of a... I actually did a DEF CON talk about this two years ago, three years ago actually, the remote DEF CON, it was a pre-recorded one, about this issue that we sent them and how they stuffed it all up, because they didn't have a bug bounty at the time. And all sorts of issues with reporting to a program, reporting to a company that doesn't have a bug bounty; it's kind of complex, because it's like you send it to them and they don't know what to do, and all sorts of stuff happens. They learned their lesson, obviously; a lot of stuff has changed since then. But, you know, because they didn't have a program
I sent it to the news. So I sent it to Vice, Lorenzo at Vice; he's actually now at TechCrunch, is it? He is, isn't he? Yeah, yeah, thanks Paul. "Bugs allowed hackers to dox John Deere tractors." The actual original title of this article was "Bugs allowed hackers to dox all John Deere tractor owners." However, John Deere reached out to Lorenzo and said it's not all tractors, it's only a subset of tractors, the ones that have been connected to the website and all that stuff. And I'm like, okay, so it's only the connected ones. Anyway, it went in circles, and Lorenzo dropped the word "all," and then he also came back to me and said, oh, John Deere also disputed it, and John Deere sent a comment to Lorenzo at Vice at the time: yeah, we were made aware of misconfigurations, separate online actions, we took immediate action, blah blah blah. And then the last sentence, it says that I did not get access to customer accounts, dealer accounts, sensitive PII. Now think about that last one: sensitive PII, sensitive personal information. My thought was, was that true? Because when I was looking at the records I could see address line one, first name, last name, all those details. And I think the key word there was the word "sensitive," because I think it's something to do with if it doesn't have an SSN... or someone in the audience will have a better explanation of what the difference between PII and sensitive PII is. But John Deere, you know, anyway. I showed it to Lorenzo, I said, look, this is pretty... it's the real record, and he said, oh yeah, you're right.

Anyway, so that was... I call that hacking for clout, because I didn't get paid by John Deere. There was no bug bounty involved; in fact at the time John Deere didn't have a bug bounty. They created a bug bounty for me, and it was also a private program with no bounty and no disclosure, and I was like, okay, why? Why the [ __ ]? Why the [ __ ] would I sign up to that? Like, think about it: you're getting a private program, like the leaderboard is going to be private. It's literally just you and Deere in a private DM together. "Here's the bug." "Yeah, thanks." No way, see you, get out of here. And I want to ask you a question: why would I sign an NDA with John Deere, given their billions of dollars to spend on bugs? And, by the way, this is a couple of years ago now; they do have a bug bounty program now, and they do pay out. They never paid me any money as well, because I rejected the program invite when I got it. But yeah, yeah, why would I sign an NDA with John Deere when they have billions of dollars? And then I thought to myself, is it even ethical to ask that? So it's like, think, it's like reverse ransomware, kind of, if you think about it. You're asking, like, "I'm not going to give you that bug because you're not paying for it, so I'll publish it." Think about it. Yeah, it's kind of... yeah.

So, going public with a bug: you know, you've got clout, or just like, you can publish it, you can write about it, people can link to it, you can get stories about it. Or you follow the money and you submit it privately to a private program, or, in John Deere's case... I chose the clout option and just sent it, and I wouldn't even be talking to you today if I did sign that NDA. So it's cool, isn't it? Is publicly roasting companies... because technically right now I'm kind of roasting John Deere a little bit, because I never signed an NDA with Deere. I've signed NDAs with other tractor companies, but not Deere. So Deere will get so angry when I tell them that. Anyway, they're probably watching, actually. So yeah, is publicly roasting a company helpful? There's pros and cons to this, but I want you to think about, like, is what I'm doing kind of savage, or is it actually an ethical thing to do? You tell me by the end of the talk if you think that going public about this John Deere stuff was actually, you know, in the interest of you all, because you're all here to listen to stuff that, if I had signed it, wouldn't be here.

So here's what happens when you publicly disclose a bug in the most outrageous way possible, I think. Is this yours? Oh, Paul, that's Paul right there. Paul wrote that story. That's crazy. That was a couple of years ago. Yeah, the author's in the audience; that
wasn't planned, by the way. So I wrote this story a couple of years back called "Extraordinary vulnerabilities discovered in TCL." Who knows what TCL TVs are? Okay, cool, because at the time, three, four years ago almost, yeah, I mean, not many people knew what TCL was. I mean, if you watch the NBA, they're sponsored on everything. Big red Chinese Communist Party-backed company, and they literally are a strong-arm tech, literally Huawei, Xiaomi, ZTE and a bunch of other companies. And so I published this story about TCL TVs having a back door. I called it extraordinary vulnerabilities, but the Department of Homeland Security called it a back door. And so Paul actually wrote this story, which is crazy. So Department of... DHS, sorry, DHS basically used this story that I wrote, which was fully public; I didn't sign an NDA with TCL at all, and why would I? I'm probably in trouble for doing that. Anyway, so Homeland Security did a thing about it, and at the time acting secretary Chad Wolf actually went on and said, you know, we're looking into companies such as TCL, who, it was discovered recently, had incorporated back doors in their TVs. And I was thinking, wow, [ __ ], that was my bug that I published.

And so what happened from that, you know, we're talking about this public thing, about publicly disclosing bugs, and what actually happened was this. This is a later event; this little study, what's done there... but the share price dropped 15% in one day, which was crazy, because they were a massive company. The CEO, who is, I think, a CCP committee member, he bought back a certain amount of shares, and then it's all... In actual fact, who knows what the Honor smartphone is? Honor, it used to be the Huawei Honor. So right around this time, 2021, just before this story came out, Huawei was in talks with TCL, both heavily CCP companies, because the Huawei phone was banned from coming into the US. The Honor phone, they sold it to TCL in a joint venture with the government, and right after that I published this research about TCL, and then TCL's getting accused of back doors. They basically passed the buck to TCL to try and get it back into the US, and then TCL was copping heat, so they just basically screwed that entire deal up. And I think now they're their own company, and they're owned by like 40 companies, and half of them are the government, and yeah, it's chaos. There's a reason why the TVs are cheap.

Yeah, so back on topic with John Deere. So do you think John Deere probably would have done things differently, in
hindsight, given what I've told you about me publicly ragging on them as we speak? I'm literally ragging on them right now. I've done two DEF CON talks about them, one where I jailbroke a tractor, and I'll get into that shortly. But I asked, think about it, would John Deere have done something differently? Probably, yeah. But the main thing is, would I be here talking to you today if I had not publicly disclosed the stuff about John Deere? I wouldn't be here, wouldn't have done a DEF CON talk. And I encourage you, the audience, to do more public disclosures, because it helps the industry, and I'll talk about why. So, because it might save your business, your industry. Companies need to be ready to receive bugs even if they don't have a bug bounty program. At the time John Deere didn't have a bug bounty program; they were forced to create it because of me, and they tried that little NDA shenanigans, which I impolitely declined. I actually told them to get... anyway.

But yeah, so public disclosure, full public disclosure, is a form of responsible disclosure. You know, if you fully publicly disclose a bug and you send the link straight to MITRE, the CVE gets instantly published, because the bug is public. And a lot of... ever since this law... another trick as well: after that TCL thing, a couple of months later, because it was such a massive effect on TCL, massive, part of the... basically they're spying TVs anyway. So the government put out new rules saying that in China you must submit CVEs or zero-days through the government first, or their CERT, their local CERT. And I, and Casey, who is me, we both have a big inkling about that, and think that it's definitely related to the TCL issue, because straight after that massive shenanigan about the share price dropping, and TCL and the Honor phone and all that stuff, the Chinese government changed it so you must submit bugs through them. And so some of the Chinese researchers now, they just get on alt accounts on GitHub and they just dump bugs publicly when it happens, so that they... I think, [ __ ], which one was it? What was the big bug a couple of years back? Luna, Luna, what was it? Anyway.

Yeah, so this is a DEF CON talk I did, "Breaking Badly into Agriculture." Who's seen this talk? Okay, sweet. Yeah, so if you remember from that talk, there was a John Deere display. I probably should have brought it, actually. Anyway, I've still got it, it still plays. Anyway, I'll explain that in a minute. But yeah, this is the flagship model at the time. Yeah, I got an X terminal emulator running on it. I rooted the device, jailbroke it, got some code on it, then I could run games like Doom, and actually it's a farming edition of Doom, and you can hunt down pinky demons. Actually, the original version of this, we changed some of the monsters to like cows and rabbits and stuff, and then I sent it to someone to say, like, oh, what do you think? And they're like, dude, you can't kill [ __ ] animals. I'm like, what? What's this? Anyway, that's... yeah, apparently that was way too savage. I'm like, dude, it's Doom, like the game is [ __ ] violent as [ __ ]. And that was the game running on the display, on the stage at DEF CON.

But yeah, so, should more bugs be publicly disclosed like that? Because, you know, would I have had that cool opportunity to present the John Deere jailbreak on stage at DEF CON? I wouldn't be here, Josh wouldn't have invited me to chat, had I not publicly roasted John Deere. But yeah, again, had I signed that thing, would I be standing here talking today? And obviously the answer is no. So
anyway, what can a jailbroken tractor do? Well, if we look back at the conflict in Ukraine and Russia, there was a story that came out from CNN. It was kind of strange, because CNN was the original source, and it had some stuff in there about, like, sources, and anyway, it was quite a strange story. However, a lot of people wrote about it, and it was that Russia had stolen $5 million worth of John Deere farm equipment from a dealership in Melitopol, Ukraine, and they had taken it back to Russia, and by the time they turned it back on, or whatever, apparently the combines had been bricked remotely. And so people were... John Deere thought it was a win, and then people were saying, well, that's kind of screwed up, because, like, you can just brick my tractor? What the hell? And if you think about it, yeah, they were inoperable. So the problem with that is, I just showed you you could play Doom on it, so I became the dealer. So now that I can play Doom on it, I can totally turn that tractor back into a workable state, so I can unbrick the tractor. Same as if you had a phone that gets iCloud-locked: you jailbreak it in some fashion and un-iCloud-lock it. It would be kind of... there would be a market for stolen devices.

So yeah, pros and cons of jailbreaking: huge security risk, obviously, because I just showed you you can run your own software on it, you can delete products, you can steal things. It also highlights massive design flaws, so flaws in the entire process of the construction of the product. There are a lot of bugs in there that I found, and actually I haven't told John Deere all of them, because they haven't invited me to their hardware security program. So if you're listening, invite me, dogs. Anyway. It allows access to inner workings and customization beyond the OEM's original design. So, like, clearly you're not supposed to play games on there, you're not supposed to put YouTube on there or additional software, and in fact you can steal intellectual property from it as well. You can take out software, you can reverse engineer products, you can find even more bugs. So I'm the third party, yeah, so loss of IP to a third party: me.

So anyway, back on topic. We're going to talk about some events. I know Josh wants me to really talk about events and things that are happening in ag since this sort of happened. So here's me diddling and playing with the hardware and showing you how I can, you know... I'm the good guy, right? If you think about it, the bad guys are involved with ransomware. So I'm just showing you, you know, I could jailbreak it, oh, I can play games on there. John Deere thinks I'm the threat, but the real threat obviously is crime. And I'll only show this one, and someone else will probably talk about the big gas pipeline, but Colonial Pipeline: a major, major, major, major event in the entire industrial... what's it called again? ICS, yeah, industrial control systems, etc., critical infrastructure. You know, US gas stations run dry, chaos in the streets. Beef supply: JBS. Who knows what JBS is? Okay.
JBS is a meat processing company. I assume they feed Tyson, something like that, and Cargill and whatnot. Basically, yeah, they were big in Australia, big in the US; in fact I think they're the biggest one in the world. So they paid, I think, $11 million. So they paid $11 million to ransomware actors to get their plants processing again. Russian hackers targeted a bunch of Iowa grain co-ops; $5.9 million was the ransom, something like that. Yeah, big money, right? Huge money for these criminals. It's all Bitcoin, no tax as well. Another thing here: the Task Force on Precision Agriculture. So this is some really interesting task force that came out. This one's more about, like, GPS and GPRS and things like that, but you can go and watch their interesting YouTube videos that go for hours and hours and hours, and they discuss things, and it's all public, so it's quite interesting. Run by the FCC.

But yeah, so these are all in response... again, Colonial Pipeline: millions of dollars paid, FBI involved, DOE involved, Department of Transportation; affects gasoline, jet fuel, oil products. Then we've got JBS: beef, pork, poultry; the White House is involved, Department of Agriculture is involved, DHS; nine days offline processing meat, apparently. I think in Australia there were literally trucks of cattle that were waiting to be processed; they were just standing at the plant. They can't do anything, they can't go anywhere, they just... yeah, chaos, chaos. Paid $11 million to fix that.

AGCO, random company, another company that's one of John Deere's competitors. I won't get into it, but they make Massey Ferguson, Fendt, Challenger, as far as I know, right, Vario as well. They lost a lot of data, they got hacked big time. Two-week production halt, as far as I know; two weeks production, that's on the assembly line, two weeks off. Crazy. And if you think about it, yeah, major damage, right? Major reputation damage, a little bit, and yeah, just production... it's chaos.

This one here, Sysco, it's a more recent event. I don't know why there's a battleship in the background of this photo, because it's like... it's just a picture of a food truck and there's like a [ __ ] war [ __ ] behind it. So they had an event, a security event, at the start of last year. Someone gained access in January; they didn't find out till March. That's how, you know, we're thinking food processing companies, you know, they're not like Delta, CrowdStrike, things like that. Yeah, so apparently they lost 126,000 Social Security numbers, as far as I know, and, you know, PII, identity theft, things like that.

Another one: Dole. Who knows Dole? You know, apples, and it's got the sticker on it, Dole. Yeah, they had an issue, and again, massive disruption in the supply chain, unable to stock shelves with certain products while they were being hacked. I don't know if they paid; they probably did, because you can imagine, like, a fruit packing company is not going to have the same sort of cyber infrastructure as maybe Facebook, you know, or Meta. According to The Record (therecord.media), food and ag had more than 160 ransomware attacks last year. Now I will get into this shortly, but the Food and Ag-ISAC gets mentioned here. It's kind of an interesting topic, the ISAC, Information Sharing and Analysis Center. I'm not sure if... yeah, food and ag, there's sort of an issue going on at the moment about starting that. I think there should be two separate things, food and agriculture, but we'll get into that.

Is food and ag security important enough yet? And obviously, if you're thinking about it now, I've told you all this stuff and how important it is, you're thinking, yeah, it probably is, right? So what if there was a CrowdStrike-like attack on the food supply chain? Like, how fast... think about the thousands of Delta flights that were canceled, like four, five thousand, something. Imagine that, but in food. It's kind of... yeah, you kind of grasp the sort of... yeah, imagine how fast the country would just descend into chaos if people couldn't eat. And not just the United States; imagine a country that maybe has a single point of failure, maybe they have one meat packer, or they have one grocer or something like that, and they get ransomwared and the whole place just shuts down and descends into looting and chaos. And yeah, but you know, no need to imagine, because we already saw this sort of effect in 2020, during the pandemic, right? We got people panic, the panic buy, run out, get stuff. And there's this, there was this article, I think this is an older story, 2008, "Nine Meals from Anarchy," and it was about basically if oil was to run dry, petrol stations run dry, trucks would stop rolling and supermarket shelves would be bare within three days. That was 2008. I honestly think, with social media, it would take literally one day: if people caught on that things were running dry, they would go immediately and panic buy. So just keep that in mind when you think about whether food security, or food and agriculture, is an important sector, and obviously it should be, and it is.

And so for John Deere it became a massive priority after I hacked them. Prior to this they had
nothing on their website about cyber. I think since I hacked them, two, three years ago now, and I've been hacking them a couple of times since, they've been putting it in their annual report, so that's good to see. In fact they've actually done a lot since then, and I will give them credit, obviously, because at the time that they started the bug bounty and things like that, they were the industry leader, because they were the only company that had a bug bounty at the time, as far as I know. So apparently they had a John Deere defense system, cyber center, that runs 24/7/365, and I'm like, where the [ __ ] were they when I hacked them the first time? "I wasn't able to get it, about six years ago." I'm like, well, I only hacked you guys three years ago. So, yeah.

And they started last year, they started the Cyber Tractor Challenge. So I'm giving them massive credit here. They started this 501(c)(3) where... who knows what the cyber... what is it, CyberTruck Challenge? There's a whole bunch of them. Yeah, cool, there's a whole bunch of them, there's like a CyberBoat Challenge and things like that. Basically, people in the industry in that sector come together, play with each other's machines, sounds... yeah, they get people in to hack them. And if we look at the 2024 version, that's the one that just got done a couple of months back, I think. It was a couple of months ago, something like that, yeah. And as you can see, there's more than John Deere, because John Deere is the green one. You've got John Deere, CNH (they don't like me, by the way), John Deere again, Fendt, and I think Massey Ferguson on the last one. And as you can see, that's multiple competitors coming together as an industry to work on the same sort of problem, which is kind of strange when you think about it. It's like all these companies, they're total competitors to each other, that would get a competitive edge if they were able to get ahead of their competitor, if you know what I'm... you get what I'm saying, right? They've got CyberAuto, CyberMed, CyberDrone, CyberBoat. This is a kind of funny thing: they're talking about the guy who co-founded or founded those other ones, I think it's Karl Heimer; he was doubting that John Deere could pull it off, and they actually did pull it off. So the first year was just on Deere products, and I think that's something to do with 501(c)(3) status or something; you have to do a bit of business first to turn into a charity, I'm not sure, because I'm not from the United States. But yeah, I wasn't invited to that CyberTruck... Cyber Ag... Cyber Tractor Challenge, and I asked them if I could go and they said no, and it's because of one of the companies that was there; they don't like me, and I can understand why, because I also hacked them as well. And I wasn't as... yeah.

But, by the way, John Deere and myself are very friendly now. We've got each other on LinkedIn, we talk with the security team and things like that. But also the other companies: we've got JCB, I've spoken to Caterpillar, we've got Trimble, all of these other companies that saw the John Deere talk and learned from it and go, oh [ __ ], that affects our industry too. Or we're mining, or we're logging, or other industries, earthmoving, earthworks. They all have similar products, you know: you've got a CAN bus-controlled vehicle, even automotive. You know, someone coming in and hacking the infotainment system in the car, or hacking the display system in the tractor, or the big Caterpillar mining truck. Everyone sort of caught on to it. Mining as well; mining was a really big one. They've got their [ __ ] together. Mining, they've got their own ISAC, they've got, you know, annual meetings, and there's no... yeah, I'll show you what happens when you don't work as an industry on securing each other's products.

So Deere went from no bug bounty two years ago to running the industry event, the Cyber Tractor Challenge, with two of its direct competitors. So yeah, good on you, Deere, that's good. So where are we going with food and agriculture now? There's still no real ISAC. Now there is a Food and Ag-ISAC, and again that's Information Sharing and Analysis Center. These are the current members of the Food ISAC; as you can clearly see, they're mainly food companies. We've got, you know, PepsiCo, Cargill, Tyson, Lamb something, and potatoes. Like, what does a potato have to do with it? It's a kind of... actually, that's a pretty bad example, because it's directly related. But what would a packet of PepsiCo Doritos have to do with a $500,000 combine harvester? There's literally... there's a lot of different, you know, there's a stark contrast, and I think honestly the Food and Ag-ISAC should split up. There should be a Food ISAC, there should be an Ag ISAC, and John Deere and its competitors that I mentioned here, we've got CNH, AGCO, Claas, who else is there? That's the big four, right? Yeah, that's pretty much it, yeah, there's only four major ones. They should probably come together and get organized, because if you don't,
legislation happens, right? So mining doesn't have this problem; fishing might, probably doesn't have this problem. If you don't work together as an industry with the competitors, Congress will get involved, so that's what actually happened. So recently, bipartisan, Tom Cotton, Republican, and Kirsten Gillibrand, they actually came together and said, okay, we need a bill that is literally called the Farm and Food Security Cybersecurity Act. So they came up with a bill, and it's quite stern, it's quite harsh. It's like, you need to do certain things every year, certain tests every year, we need to be doing all this stuff. And I'm like, well, Deere and co, and all of the other conspirators... competitors [Laughter], maybe you should all work together and do this, make this stuff yourself, before Congress makes bills for you. Yeah, the bill's quite long. It talks about, like, you have to study threats to food and ag, the impact of threats to production and processing and distribution, readiness of federal, state and local governments, and existing policies, and blah blah blah. I'm like, dude, this stuff sounds like ISO standard stuff; like, why couldn't you do this without legislation? Anyway, so I'm personally against... I'm more against deregulation, I prefer less intrusive government, but the bill is literally begging the industry to get organized before Congress does it for you, and that's what they're literally doing.

So all of these papers have come out since the Iowa grain co-ops got hacked, since I hacked John Deere, and all the other things that happened, and this big whirlwind of stuff happening about cybersecurity and agriculture, and people learning about what could go wrong if, you know, say for example the main center of John Deere, the John Deere information center, where it is, the Iowa data center, gets hacked and someone pushes out a malicious update to every single John Deere tractor and you have to go and manually fix the blue screen on it, literally like CrowdStrike, right? This is a possibility. You know, you have an insider threat, someone who works there, an activist or something, wants to push a massive update out to all of the John Deere tractors and brick them. This is stuff that's actually possible, and it would be cool if they worked together and sort of listed this stuff out. Yeah, so USDA is making their own reports about it. USAID is even chiming in; I don't know. But yeah, this one talks more about smaller nations and how they can get severely affected. Like, the US is pretty resilient; we've got a lot of different manufacturers and it's kind of diverse in terms of risk, but there are countries that would be much smaller and much more error-prone.

Anyway, so these are the last couple of slides before we get into a bit of Q&A. ISO standards. So automotive has its ISO standard, 21434, specifically for road vehicles, and I mentioned that because it's specifically for cars on the road. However, there are manufacturers, like buggies and motorbikes and cranes and things, that use the same OEM infrastructure and stuff to build the same products; they're just not on the road, but they follow the same ISO standard, because it's a good standard. They don't have to follow it, they just follow it because it's good, right? As far as I know, agriculture is working on one; it's in draft status. They should probably hurry up, like I said before, before legislation comes in and forces them. But yeah, that's as far as I know; they're working on that, 24889, 24889, the ISO standard, for the recording.

Yeah, auto has its own ISAC. I'm comparing it to auto because you'll see in the next slide why. Auto-ISAC, really well done: they've got the ASR, I think it is, Automotive Security Research Center, they do pen tests, they have AGMs, all this cool stuff, and look how many people work together on it. You know, like everyone, like everyone: Polaris, Volvo, everyone, Mazda, everyone's there, even John Deere is there, and Case New Holland; they're relatively new members, two new members, because they understand that the Food and Ag-ISAC, who's claiming to be food and ag, should probably split up. There should be an ag ISAC, it should be just the big four or five or whatever manufacturers, or they should say, look, we've got the Auto-ISAC, it covers it, because again the combines and stuff, they do go on the road, and they probably can follow the 21434 that we mentioned. But the new one that... I don't know what it is, you said it already but I forgot. But anyway, let's
get into some questions, I think. So that's my presentation for today. [Applause]
Oh yeah, yeah, yeah, come on, I got one. Can you, you should be able to hear me? Okay, totally. Okay, so before we do Q&A, you can stay up if you want, some really quick facts. So my name is LP, I work in the industry, I do cybersecurity for ag, I've been doing that for probably as long as that's existed as a thing you can do, I guess. So Josh asked me to talk a little bit about what happens next, and I think Sick had a slide about this. So yeah, the websites have been hacked, right, the back end to connected systems, a tractor has been hacked, and that's kind of the cool, sexy thing that everybody thinks about, like the big risk is what if my tractor gets hacked. Just some really quick stats, kind of depending where you look on the internet: various government agencies believe between 5 and 10% of the US GDP is directly ag-related, so not like tier two, tier three kind of stuff, but direct GDP from ag. Let's say it's 10%, which is astronomical, right, so a really big portion of the US GDP. A significant thing to note is food and ag is one of the CISA critical infrastructure sectors, we're in there. Our sector plan hasn't been updated since 2015. The landscape of everything involved in ag since 2015 is very different, and that's the same for food production as well, once you move a crop into a factory to have some kind of consumer good made out of it. And so that's 9 years, right, 2015 is 9 years ago, a pretty long time. So that kind of gets us to, okay, what's next, right? It's a big industry, a machine, the back end of a machine, has been affected. There's this really interesting thing that happens when you begin to look at cross-sector stuff, and so I think we're going to hear a little bit about water and maybe power at some point today. One of the big things really is rail, it's a huge cross-sector concern for ag. So if you move past what happens if I attack one person's tractor or one person's farm, how do I affect an industry? The things we know about is, like, USDA says depending where in the country you are, after harvest time 30 to 50% of all grain moves by rail. I think probably most people here know rail infrastructure is old and people are already finding vulns in it, and so that's kind of a huge thing that has to be considered in the system of growing food and getting it to consumers.
Sick made a really interesting comment about diversity of manufacturing and not really sole-sourcing suppliers. That's kind of true. Josh and I have had a lot of talks about this over about the last year, and there are some definite points where certain types of goods, like rubber goods or electronics like ECUs, yeah, maybe they're not sole supplier but maybe there's two, and what happens if that's affected? I think that the nine days number is not that far off as well, right? I think there are some good use cases for places like Ukraine right now and Russia itself where you can see how rapidly machinery begins to degrade when you don't have a supply. Another critical sector that obviously applies to us is fuel, and I'm going to link that to finance as well. So the ones I have really are chemical, comms, energy, IT, transportation, water and finance. When the pipeline thing happened, everyone believes this is like an ICS thing, right, but actually what happened is their financial system went down and their way to sell oil stopped, and so they just stopped pumping oil. So it's like okay, yeah, that's deeply important, a combine's not going to run, a tractor is not going to run without fuel, but that was actually an attack on a financial system. So that's a really big cross-sector concern that exists. And then obviously water, I think we'll hear about water maybe the next talk. There's a great talk at DEF CON in 2018, Ben Nassi, who's a researcher from Israel, with some students found and built a botnet from internet-connected irrigation systems, and these things are like commercial Raspberry Pis with Raspbian, the default creds, and they're just online controlling water. Their research showed, I got numbers from their paper this morning, with 1,400 of these devices they could drain a standard American municipal water tower, the big bubble on a stick, in one hour, and in most places in the nation that they did an analysis, if they had 24,000 bots they could drain whole county-wide reservoirs, like flood water and retention reservoirs, which is astronomical water drain. And so things like this are not really yet being considered either by the government or the industry. I think the industry has a pretty good handle on it, obviously there's always interaction, right, between industry versus making a profit and regulation, but the government definitely, I think, is not aware of how interconnected some of these things are. And so the reason we're bringing them up today really is, with Josh kicking off his new project this morning, this is a pretty good time to really talk about big cross-sector concerns that we have, and especially since we're doing the ag thing, why not bring it up.
A note on this last slide that Sick had about the Cybersecurity Act of 2024, is it still up? Yeah, it's here somewhere, right. I didn't write it. Yeah, so it's interesting you said you didn't write it; a couple of people in this room were in Congress in January talking to people about what makes sense to be in the bill, right? One of the good things is this initial bill is exploratory, it gives the industry time to work together. It's really a bill about doing an investigation, writing a report, identifying big threats. I think Josh and I are pretty confident all of the biggest threats won't be towards a singular industry, there'll be cross-sector threats that really grind things to a halt as a system. I think probably Q&A now, right?
Yeah, so we're going to go into Q&A now, but here's the thing: it's questions and answers, no comments, okay? So if you make a comment I'm going to take the mic back. So you've got to have a fast, no kidding, fast question, and they'll get a fast answer. Hang on.
Thanks everyone, great
presentation, great message. Just curious, a lot of us here are here for their technical proclivities, but for the non-technical person, what can the non-technical person do to help solve cybersecurity problems in critical infrastructure like agriculture or others?
Yeah, I think, like I said, working together, working with other companies in the industry. Like, cyber is a shared risk, and you have to, like, ask this guy: how difficult do you think, just thinking, how difficult do you think it was for Deere to pick up the phone and say hey CNH, hey AGCO, let's work on fixing this issue in that industry? How difficult would that phone call be, or do you think that was the original plan? And I'm sorry, I question your question with a question to this guy.
So yeah, I mean, to your question, obviously difficult, right, the answer is extremely difficult, yeah, especially when you're a public company and your industry hasn't gone through like the cyber thing. You see this pattern, right, it's over and over and over, it's like you can't work with the competition, it's a competitive advantage, legal will be mad, shareholders will be mad, blah blah blah, right. And what happens is the big bad will happen to someone and then kind of slowly everyone's like, oh this other industry did this, and security actually only happens when we all do it together, right?
I think, right, you call it the big bad. Yeah, that's actually what, yeah, I think because when I hacked Deere all of the competitors were like, oh [ __ ], that could have happened to us. You might know about it, another industry knows about it. So all the other competitors, they would reach out to me eventually and be like, oh dude, I love that talk, about this, that, we also are implementing some changes at the company now because of that. Or, you know, I remember one guy at Trimble that I spoke to who was at DEF CON, he said, the year after we spoke... Trimble's a guidance company, GPS, that actually feeds into a lot of the ag companies as well and also a bunch of other industries as well. And I was like, hey dude, what's happened in the last year? Oh dude, I got a whole team now, and I was able to access the CEO and be like, oh dude, we need a team, look at this talk, we need a team now. So I think you're right, the industry might need an event.
But your question initially is like, how do we as mostly, ostensibly, like deeply technical people relay these things to people that are not, right? And I think the answer is, one is like knowing or being someone that's really good at communications, right, you have to tailor a message to the audience, a lot of times doing that through examples. Right, like the biggest thing is communication and outreach. It's easier if you stick to a thing you know, so if you don't know anything about ag I wouldn't say like, hey, go and give these talking points to just some random guy driving a tractor, right? But it is like people you know in a community, you know, it's trying to build good mental models for them that they can understand, like relate it to something else and explain those things. Then it does get a bit tricky, right, ultimately with most things that are in industry, you vote with money, right? And so if people are buying things in any industry and you want to promote secure things, one of the best things you can do is like, oh, you know, I heard you're going to go buy, like, whatever, a new electric bicycle, I just happen to see like this one's really secure and that one's kind of this random thing, and stuff like that. I think really that is where it begins.
All right, as fast as you can. I'm only familiar with farms that do fruits and vegetables, so when you're talking about the ISAC not really making sense for food and agriculture
, can you draw the distinction, TL;DR, like what you see as a division?
Yeah, for me, when I think agriculture in my head I'm thinking like smart ag, because for me there's no security in a potato in the ground, you know what I mean? But when you think about it, for me it's the machines and stuff like that, the hardware stuff, because I'm a hardware hacker, I think. So, right, yeah, so like I focus on that half of it, and so for me the bag of chips at the whatever is not relevant to me. That's how I just think about it, I do it like that.
But I think there's an issue with this: the Food and Ag ISAC is run by the IT-ISAC, and as you can see, no one's picking up on it. The bigger thing is that the Food and Ag ISAC appears right now to be geared towards food, like food production once it's left a field, right? And so that gap of, like, the OEM to how does that thing get on a truck or a train is what's not covered there, really. But again, when we talk about splitting it up, we both agree that it's all part of the system as well and it needs to be that as well. So maybe they need to, yeah, I just personally think they should get a little bit more organized, the companies and the ISAC. Yeah.
Awesome stuff. This is probably for LP but either one of you. We're talking about cross-sector dependencies, you're going to hear from Christian Dameff later about hospitals closing in rural America, you're going to hear about water in a minute. Given the concentration of how many crops are done by fewer mega farms now, and geographically, what's the nexus of, if a hospital goes down, does it affect the workforce or production? If there's a water attack, does it affect overwatering or underwatering? Has anyone looked at which parts of the country can't have a hospital failure, that type of thing?
Yeah, that's an excellent question. I mean, so, like, you actually asked me this a few weeks ago, right, I think to prime it, and I cannot stop thinking about it all the time, specifically the hospital thing. Some of them are really obvious, right, if there's some kind of water impact in a crop-heavy farming kind of region, like obviously there's a huge impact. I think weather's a really good example, right, because weather's unpredictable and it can affect an entire year's crop, right? But then, like what he's talking about, there's this interesting thing happening: rural hospitals all over America closing due to lack of funding, aggregation of resources, big hospitals, right, blah blah blah. But yeah, what happens, right, if you're the 170-year-old guy and you're out on the farm and you fall off the tractor, you get in some kind of small industrial accident, right, is there an impact regionally to farming? And I think, yeah, reasonably, after thinking about it for 2 weeks: obviously people are less inclined to get the care they need, that takes them out of the field, production slows down. Is there some kind of event horizon where, if too many close, one of the things people care about is healthcare, either they don't get it so production suffers or people choose to stop doing that job? I think it's absolutely a real thing that's not considered.
I've got one note to that. I remember Kevin Kenney saying to me when Akamai went down briefly, I think about one and a half years ago, two years ago, John Deere Operations Center is behind Akamai, and Kevin called me up, go, dude... Kevin's from Nebraska, really funny guy, and he's like, dude, [ __ ], the John Deere Operations Center's down, and I'm like... that's my American accent by the way. That was really good. Yeah, so he's like, dude, it's down, I'm like, dude, what does that mean? He's like, there's not enough toilet paper in the Midwest to clean this mess up. And it stuck in my head, that quote. So, you know, that John Deere Operations Center is where some of the information about guidance and stuff goes back, it's also the place where I was able to submit VIN numbers and get information back about the customers. But yeah, if that goes down, then I mean what would the other competitors... they're not as much, I don't know much about the competitors, but I know a lot about John Deere though because I've hacked them a lot. So I mean, all of
the big ones are global multinationals, right. Right, okay, perhaps the last question.
Yeah, so I mean obviously everyone would notice and it would suck really bad if every John Deere tractor in the country got bricked, but critical infrastructure is a geopolitical issue, and so what if there was, hypothetically, a piece of malware that made everything in a certain fleet 3% less effective? Like maybe it oversprays or they're not on track as much as they should be. How resilient do you think the industry is to that, and then on top of that, how quickly do you think that would even be tracked as a cyber issue and not just a mechanical one or farm failure or something like that?
I mean, complex topic. I'm not the best at the small-scale code stuff on the ECUs, but I know from a competitor that I was... I can't talk about it, NDA [ __ ].
So let's, that's a really, that one's an interesting question, right. So let's say, the first question you can ask is what kind of gain do you get from smart and precision agricultural equipment that you don't get from someone manually sitting in a cab, right? And you get widely varying claims, right, but kind of in the industry you see numbers, I've never seen one that exceeds 10%, and that seems to be the high, right? You buy this one expensive system, you'll get single-digit percentage gain, which is still huge. But there's a lot of variability in soil quality and bugs and weather and whatnot, right. I think it would take maybe until you're at a co-op selling grain before someone noticed in the data, and I'm not sure it'd be agricultural companies as much as it would be financial people doing stuff with futures, right, realizing a consistent, significant disparity. But that may not be true, it's kind of a guess, right. Do I think that could happen? Yeah, I absolutely think it could. Do I think 3%, if you could affect everything 3 or 4% at a nation-state level, that's giving someone a huge advantage, so definitely a thing that has to be watched out for. But also the solutions to that come down to some really common cybersecurity stuff, right? It's like sign code, and make sure you'll only accept a signed update on an ECU. Don't give half a million machines all the same key, right, when you sign that software, stuff like that.
Or if you have root like I did on JD, you can... don't let people be root, yeah, you can change skip key check equals, like, 1 so you can sign your own packages and update it. So I think that was the last question, right? Does anyone... if anyone else wants to ask us questions you can come up, I guess, after, like congregate or something.
Yeah, please join me in thanking our wonderful speakers. [Applause]
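The update-acceptance rule the last answer ends on (an ECU installs only updates signed by the OEM, the signing key never lives on the machines, and no flag skips the check) as an added example, written for this write-up and not code from the talk or from any manufacturer; the manifest layout, the OEM key handling, the anti-rollback compare and the error names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is a constructed stand-in for a firmware package: version, image and an Ed25519 signature over version||sha256(image) made with the OEM's offline key.
type Update struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// ECU holds only the OEM public key; the private half never leaves the OEM, so no machine in the fleet carries a key that could sign updates for the others.
type ECU struct {
	OEMPub    ed25519.PublicKey
	Installed uint32
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify")
	ErrRollback     = errors.New("update rejected: version not newer than installed")
)

// signedDigest binds version and image hash together, so a valid signature
// cannot be replayed onto a different image or a different version number.
func signedDigest(version uint32, image []byte) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	sum := sha256.Sum256(append(v[:], image...))
	return sum[:]
}

// SignUpdate runs on the OEM build server, never on the machine.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	sig := ed25519.Sign(priv, signedDigest(version, image))
	return Update{Version: version, Image: image, Signature: sig}
}

// Apply is the only install path: no flag skips the signature check, and the
// version compare stops a genuinely signed but older image from going back on.
func (e *ECU) Apply(u Update) error {
	if !ed25519.Verify(e.OEMPub, signedDigest(u.Version, u.Image), u.Signature) {
		return ErrBadSignature
	}
	if u.Version <= e.Installed {
		return ErrRollback
	}
	e.Installed = u.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ecu := &ECU{OEMPub: pub, Installed: 1}
	fmt.Println("genuine v2:", ecu.Apply(SignUpdate(priv, 2, []byte("image v2"))))
	tampered := SignUpdate(priv, 3, []byte("image v3"))
	tampered.Image = append(tampered.Image, " + unsigned patch"...) // constructed tampering
	fmt.Println("tampered v3:", ecu.Apply(tampered))
}
```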