
This is I Am The Cavalry, and I'm going to pass it over to Yael.

Thank you, thank you very much. You can hear me well there? Yeah, okay. So, welcome, thanks for coming. I'm Yael, I'm a security consultant working at Bishop Fox, and today I'll be presenting an introduction to ICS security assessments. So let's begin with who am I not: I am not an ICS security expert. But before you leave the talk, before I begin, let me explain why this talk. Over the past eight, nine years that I've been working in cyber security, I have done several penetration tests and other security assessments where clients sometimes come to us and ask us to perform or include ICS components in these security assessments. So usually our approach is to avoid this, because, you know, it's critical infrastructure and can be broken, can be something that fails, and that's not good, right? However, I have done some research on this, and the aim of this talk is not to give a methodology per se, because there is a lot of material out there that you can check out regarding methodology and how to approach this kind of infrastructure. The idea of this presentation is to provide, from my consulting experience, some examples that fit in each of the steps of the methodology, so you can figure out, yeah, what can you do when you face this kind of infrastructure. So I'm not presenting new cool hacks for PLCs or something like that, but I did include some technical demos just to keep it spicy.

So first of all, what is ICS? According to the NIST Special Publication 800-82, ICS refers to multiple components that can be found in industrial sectors and critical infrastructure. This includes sensors, actuators, software, hardware and so on. Basically it refers to everything that controls physical processes, and usually there are physical actuators in there to process that given output and make a physical change to an industrial component. Some examples of those, probably you have heard of many of these ones: we have supervisory control and data acquisition, or SCADA, which usually is software installed on a computer that allows users to track information that is coming from different kinds of equipment. This software also allows performing operations or changing the programming of these components. We also have distributed control systems, or DCS, which are a gathering of control components to be managed in a distributed manner instead of individually. We have programmable logic controllers, or PLCs, which are the most common ICS components that you will hear of, and this is basically hardware with programmable memory that allows it to process an input, do some internal processing and generate an output. With this, RTUs basically are hardware connectors between SCADA and DCS systems. But we may have more control components, which are basically distributed in a layered structure from the physical layers to the corporate network, which we will be analyzing in a moment.

But are these systems secure? As you may know, no system is secure, at least not all the time. ICS is not the exception; actually they tend to be even more insecure due to different factors and problems that we can find that differ a little bit from what we ordinarily see in IT. Some of this is the inner design: these control components generally are not meant to be secured, they don't have security built into these devices. Why? Well, because vendors had other priorities at the time; they focused on operation and making the operation not fail, to continue, and these systems were never meant to be connected or interconnected in, well, the internet that we are living in today. These systems are really old also; basically that's why the security is not built in. So because of that we have, for instance, no controls for any authorization or confidentiality or integrity, and this allows performing different attacks that you may see on the internet. There are a lot of talks and YouTube videos regarding how you can inject into these protocols, how you can intercept and/or modify the operation of these devices. However, we also have implementation flaws. Besides the inherent lack of security design in these systems, when we implement those components into our OT network, we also have some implementation flaws. For instance, IT and OT may be incorrectly or insufficiently segregated or isolated from each other; maybe more hosts than we intended have access to these OT devices. We may also have issues such as default credentials, lack of credentials, you name it. And what is more important is that we may think, why don't vendors implement security into these devices? The reality is that industries usually have little ability to include security controls in ICS components. So because of all that, generally, when we get access to OT devices, that already means compromise. So how can we attack, or how can we
access this kind of, yeah, components? I have included here three main categories; you can find more in the literature on PLCs and highly controlled environments methodology. For the sake of this presentation I took research, which generally is made by an external entity or by vendors, where the main goal is to test specific functionalities, new releases, new components, to find zero-days, new vulnerabilities, all from the point of view of the researcher. That doesn't mean that we as security professionals can't do this: if we have a research area, we may have contacts with different vendors that could facilitate us having these components and testing them with this specific goal. We also have cyber security assessments, which can be done from a consulting perspective, and the idea here is not to find new vulnerabilities or zero-days. The idea here is not doing an intrusive test, not an active test, but we want to check that the implemented or deployed components have actually met best practices, that they are hardened, that there are policies and procedures not only on paper but applied both to IT and OT, that we have access control, and many other things. And then we can move to more active testing, which could be a pentest or a red team, also from the consulting point of view, and well, the goal is, like in every other pentest, to gain access, to persist, to pivot, to find vulnerabilities that can be exploited, or maybe to emulate a known threat, or to achieve custom goals that the client is requiring.

So how can we test these components the right way? And I mean the right way because the reality is that these systems are prone to fail, and we may break something; that's natural in this kind of environment. So the methodological approach we follow must take this into consideration, and we always should keep in mind that we must avoid causing unacceptable impact on operations. So does that mean that we can actually cause any damage to operations? Well, we don't want to, but as I mentioned, it is a possibility and that can happen, so we must plan for this so we don't actually disrupt critical components. If we have the right conditions of when, where and what to test, we can avoid causing unacceptable damage to critical components. And finally, one thing we should care about as consultants is that we need to prioritize efficient risk reduction. I will dig a little bit more into this later in the reporting section, but the idea is that we want to address the issues we found in a way that actually provides value to our clients.

So let's dig a little bit into the methodology. Don Weber from Cutaway Security established these steps as part of their methodology; I took this as an input, and the idea is not to dig deeper into these steps, but again, the aim of the presentation is to provide some examples that fit each of these steps. The first one is security effort prioritization. What we want in this step is to understand the security requirements the organization has: what policies exist on the plant or industry, both for the IT and OT teams; is there any segregation or isolation; do we have access control, asset inventory; do we have incident response and recovery processes and procedures? We need to start with this because if we don't have these initial steps, chances are that we won't be able to dig further into more active testing, because it won't provide any real value to a client if there is no initial step in their security posture. So oftentimes organizations may ask for a penetration test or a red team on their industrial components, but probably we need to work with the client and rescope this assessment so we can find a way to provide actual value to the things we are assessing.

The next step is process familiarization. Here we can do architecture and physical reviews, inspect processes through walkthroughs in the plant or in the processes. Interviews with the many stakeholders is one of the key points of this kind of assessment: we need to talk with the people that are actually executing these processes and understand how they are working, what processes are really in place, not only on paper. And so, if we have the previous step, if we know already that there are policies and procedures, we can test on them; if there is segregation and isolation stated on paper, we can test that, we can make sure that this segregation is actually applied to OT and IT. So how can we do that? We can do this by leveraging some published frameworks. One of the most famous is the NIST Cybersecurity Framework, which states some domains, categories and subcategories. This is used in order to evaluate the security model of the organization that we are assessing, in order to understand what the maturity of this security program is. It is not a one-size-fits-all approach, however; we need to customize the assessment we are performing for the specific industry we are dealing with. Also it is worth mentioning that this cyber security assessment can be really complex; it can be a whole assessment by itself, not just a step in the methodology. Why? Because it requires a deep understanding not only of security: we need to understand architecture, we need to understand technologies, we need to understand the processes and policies that the organization is using or applying to their systems.
Imagine we are telling people that have been working with this kind of device for more than 30 years, and we just go there and tell them: you have no authentication for your protocol, you need to implement security here, here, here, you need to change the way you operate. That's probably not going to happen if we don't understand that. Again, as I mentioned before, security sometimes is not on the side of the clients, or they have little ability to implement security like this in their systems, so we need to understand the technical and not so technical aspects of their jobs in order to provide real value in what we are recommending to fix. Also, people in ICS security, and ICS, sorry, usually appreciate when security consultants or security experts understand the different approaches that IT and OT have, the different problems they could face.

So how does a cyber security assessment look like? It looks like a spreadsheet. Sometimes it can be tedious work, it is indeed, and in this first image I'm showing a request, well, it's kind of little, but the idea is this is an information gathering request for a client where we want to know what procedures, what documentation they have for different domains based on the NIST Cybersecurity Framework. We want to know if they have access control policies, if they have security or audit procedures, if they have asset inventories, so we are requesting this information, so then we can leverage the cyber security framework, using the categories and subcategories, to review the documentation and find possible gaps in the implementation of these components. Here we can also leverage the interviews we have, or the walkthroughs in the plant, because it is not a checklist. We should not take this as a checklist: okay, they have policies for access control, they have asset inventory, okay, check. It's not just that; we have to make sure that the inventory is covering not only IT, that they are covering the OT components that are actually deployed on the plant, and make sure that they are complying with this. It is not an audit, it's a cyber security assessment, so we need to find those gaps and see how they can improve their security model.

But we cannot only rely on spreadsheets. There are also tools out there that can help us to leverage these kinds of assessments. One of those is the Cyber Security Evaluation Tool; it is by the Cybersecurity and Infrastructure Security Agency, and the awesomeness of this tool is that it allows loading different frameworks that are published for SCADA and other process control components. We can leverage these frameworks loaded into a matrix as if it were an interview, and what is more important, it allows customizing these interviews or these questions that we may ask the organization. So we don't always need to perform a whole CSA, and again, this can be really complex, really time consuming, and an assessment in itself that probably a client won't want to buy or can't afford. But we have to do process familiarization always, to better understand the organization from a cyber security perspective. Why? Because this will allow us to ask very important questions that will help us go deeper into more active testing. For instance, we will know what the most important part of their plant is; what happens if one or several critical processes they have break down or fail; what happens if it fails for five minutes, one hour, a week. Some processes may fail because of their nature, but others can cause even the death of people if they fail for even one minute, so we need to understand that. We need to know if they have segregated networks, if they have access control for the control components, or their critical infrastructure limited to specific hosts or specific components. We also need to know if they have laboratory environments; this is really important when we want to test critical processes that cannot be tested online. So these important questions will help us go deeper into the methodology.

So then, after process familiarization, we can move forward to passive information gathering. Here we can include monitoring network communications; this can be done online or offline. We can test hardening, or we can test best practices, that the components that are deployed are meeting specific best practices for these protocols, components and so on. And we can also include hardware hacking and IoT, depending on what is implemented in their critical infrastructure. To do this we have, well, several tools, both automated, and we can do manual testing; we can leverage scripting that many other people have published on GitHub, and there are also vendor solutions that implement this kind of threat monitoring by doing a constant review of the network communications within IT and OT.

So let's talk a little bit about protocols, interfaces and instruments. ICS systems use different protocols for real-time communications. Most of them are really old; they were first designed for serial communications, and later on they implemented their TCP versions. For instance, let's take Modbus as an example, which is one of the oldest protocols we can find on ICS components. It dates from the 70s, and well, it was meant to communicate with PLCs, initially through serial communications, later on with TCP/IP, and the idea is to modify the programming of these components. We can find these different protocols also in a layered structure: depending on what we are seeing, if we are seeing actuators, PLCs, SCADA systems or other systems, they can talk different protocols to communicate with different ICS
components. And well, this little demo, I think it can be seen more or less okay. The idea here is to analyze a packet capture from Modbus communications, so we need to know a few things about the protocol we are analyzing. In this case, Modbus lacks authentication and lacks encryption, so we only need an IP address and a valid function code in order to create a Modbus session. So for instance, in serial communications Modbus uses broadcast; basically this means that with one simple function call we can cause a denial of service condition, because it is broadcast through the entire network. So again, this protocol was designed for programming and modifying PLCs, RTUs and other control components, and leveraging this we can inject basically malicious code into these components or modify the programming of these components. In the demo here, what we are doing is analyzing this Modbus operation: we discriminate by IP and the packets sent between these hosts. And if we go back a little bit to the process familiarization and the information gathering, if we have a valid asset inventory we can leverage this and identify if these communications are happening between valid or allowed devices, or maybe we are seeing an unidentified device that is talking with our control components and actually modifying their programming. That could be interesting to further analyze; it could be, yeah, a system that is not inventoried, or maybe it's a real attack, we don't know, but we can further investigate if we have the previous steps done. So in the analysis we have two codes: code 5, which is a write function, and 90, which is a custom code that can be used for several things. However, there's an actual vulnerability in one Schneider Electric component that uses these 90 codes to overwrite the programming of the component. So again, if we are not using these operations, that can be something to analyze or to investigate further.

Now talking about active testing: normally, if you can access or scan the OT, it's already game over. This is a phrase a friend once told me; this guy is actually an actual ICS security expert, and what he means is that even the most basic scanning, the most basic and non-intrusive scanning on a PLC or a control network, can be pretty dangerous; that can cause denial of service all along the network and the components. So when we are doing active testing we need to understand what consequences it can have: we can stop processes, we can cause some damage to physical equipment, and we can also even kill people in some extreme cases, depending on what we are testing, what we are assessing. So to avoid these potential damages we need to leverage, or we can leverage, staging or lab environments. We can use redundancy: if there is redundancy for critical components, we don't test what is in production, or we don't test the only point of failure that could break something really important for the industry. So also we can select the best times for testing; maybe there's a window where we can test these processes and nothing critical will happen. If we do the interviews before, probably the many stakeholders will let us know when we can better test these components. And it is important also, it is not on the slide, but we also need to know our tools. We need to be very careful with the OPSEC we do with our testing tools; we need to know how to customize them adequately to the environment where we are testing, and not just throw tools that we find on GitHub or elsewhere.

So within active testing we can do many things. We start of course with basic enumeration, as in any other security assessment, but we don't scan all ports, we don't do an nmap -p-; we can cause a denial of service. Sometimes there are some components that have open ports expecting to receive updates or programming instructions, and again, we don't have authentication at all in these protocols, so by sending random data using nmap or whatever tool we can cause these devices to interpret that as an instruction; it will change configuration and it will crash. So we don't want to do that. There are also several tools and scripts out there on GitHub and elsewhere, both free and from vendor solutions, that can or try to do this basic enumeration. The idea, it depends again on where and what we are testing, the idea is to follow a more manual approach, or to know really well our tools and how to personalize and use them in certain environments. The high-level methodology is to do network sniffing, followed by an ARP scan, do an nmap to specific ports (we look for management interfaces, we don't look for specific ICS control component protocols yet), and we do network analysis, which can be both online and offline, and then we can follow with custom attacks, provided we are careful with what we are testing, where and when.

Another thing we can do with active testing is vulnerability scans. Some of the vendors of specific control components will provide some audit files that could be loaded into specific tools. For instance, the Bandolier project from Digital Bond created some of these audit files to be loaded on Nessus and to analyze a specific, I think it was the Modbus protocol. And Nessus itself included a function called ICS/SCADA smart scanning, but as Rapid7 states, it could break something, so even with that feature we need to be careful and we need to
understand how they are working. For this specific case, the idea is that whenever Nessus finds an ICS component it stops scanning, so they don't break things, but in order to identify that there is an ICS control component there, Nessus already touched it, and this touch could cause damage, so we need to be careful with that.

Another thing we can do is web application testing. In this case, if we find management interfaces on these control components, we can perform basic web application testing: we can see if those interfaces are protected by password, for instance, and if they are, analyze if they have weak passwords or default passwords. And for instance, well, we need to remember that the attacker will take the easy path; not necessarily will they start attacking ICS protocols, because that could be really dangerous even for an attacker, and they could go just by testing the web applications that are published and accessible for anyone from the corporate network. For instance, in this case we are seeing two interfaces, one from the Honeywell IntelliDoX system, which is for gas detection, and the other one is an automation portal. These devices have default and weak credentials, and basically allow access as an admin user, and they allow modifying the network configuration of these devices. Depending on how and where they are deployed, this could be really dangerous if they are protecting critical components.

And then we can move on to ICS exploitation. Again, when we do exploitation in ICS, it's not the same as a normal penetration test. We want to follow an approach of a means to an end: we don't want to exploit things that the client or the industry already knows they are vulnerable to. We don't want to arrive at the organization and tell them, okay, I can inject into your Modbus protocol; they already know that, I mean, there's a lot of information on that. We need to be very careful about why we are exploiting certain things: maybe we want to assess the actual risk of a critical process, the client wants us to show the actual risk of exploiting something in that critical process. And again, we can use different tooling meant for this kind of component, and it will always be dangerous to use this tooling without the proper OPSEC on those. So we also have manual testing. As mentioned before, there are a lot of protocols, components, configurations, networks, so there are a lot of ways to do ICS exploitation. I included some demos; I'm gonna fast forward them a little bit because they are quite long. But in this case I put together a model using two Siemens LOGO! PLCs. One of those has an old version of the firmware of the device and is allowing an attacker to leverage unencrypted storage of passwords. So the PLC allows implementing some passwords on its programming or on its modifications; however, this attack allows disclosing these credentials. The first part is showing just how it works: it has a water sensor that, once it's loaded into water and reaches a certain level, will turn the screens of the PLCs red, indicating that it has reached a certain level, and then it has an actuator; in this case it's just a fan, but it could be a turbine or something more, yeah, more industrial. This is the programming of these PLCs: they are working in a master/slave mode, so the idea here, or what I want to show, is that the master is receiving this information and it is then publishing this information to the slave or the slave PLCs through the transport service access point, which basically is a protocol used for addressing applications. A PLC can open a server on a specific S7 port, or S7 connection, and will wait for connections from other PLCs into this specific S7 connection. S7, by the way, is the protocol these PLCs are using. So this is the configuration, and then it's quite small, but again, the idea here, it begins by doing a basic scanning, not touching anything related to ICS necessarily; we are doing HTTP, FTP, SSH, different kinds of protocols, but specific. And then in this case I was using, well, we identified the protocol, which is running on port 102. No, I'm lying: we identify first the web interfaces, the HTTP ports. We access those HTTP ports, and with this, without actually scanning ICS protocols, we already identified that we have a Siemens device in there, just by browsing the web interface that is published. We then try, it is password protected, we can try some credentials on it. We observe that in the first case this device has password access disabled, so we won't be able to do anything there, like, sorry. But then we moved to the other PLC, doing exactly the same: we browse to the web application, we identify it, it has some documentation on it which allows us to identify which version is running on this device. So we know this device is not vulnerable because of the version, but because of what we have seen on these PLCs and the difference between them, we can assume the other PLC is another version, because this is the most recent one. So using a lab environment we can leverage those CVEs, and we can use, in this case, the client can facilitate us with this DLL; no, it was a JAR file, which had hard-coded the, sorry, the key used for this attack. So it is hard-coded in the programming
software used to program these devices, this key, which is then leveraged by an nmap script. We have to do some adjustments so we can change the key to the correct format; we modify the NSE script on the left, then we run it against the specific protocol. This time we know we have a Siemens PLC in there, so we already know which protocol we can use; in this case it says S7, which is published on port 102. We check it is open and then we launch the attack, which in this case, yeah, shows all the clear-text credentials where it applies, even for the web access. So leveraging these credentials and using some of the well-known vulnerabilities or misconfigurations we already know, we can use them for the other PLC, which actually has web access. So it is just reusing credentials found in one PLC on the other PLC, and, sorry, I moved. Finally we have access to the PLC, and in this case it's not showing much, but in real life chances are that we have not only a view of what is happening on the physical device, but that we also have the ability to change the physical configuration through this web configuration or through this web application.

So this is one demo, and the other one is this one. Leveraging, sorry, in this case what we want to do is to leverage or to abuse the S7 protocol. I don't know if it can be seen very well, but using the same model, we already identified there's an S7 protocol in there, we already know that we have two PLCs, one in master and one in slave mode. So imagine you have several slaves, not only one slave, and we can pick one of those without affecting the actual process, and we can test on this specific device as isolated from the critical process itself. So what we want to do is to test the configuration: as mentioned before, the master is publishing the information it got from the sensor to the other slaves, well, into one TSAP application, and the other slaves are gathering this information from this TSAP connection. So what we want to do here is to leverage this. In the first case I used a published script that allows doing that, to identify these TSAPs on the PLCs. We ran it; the tool didn't identify any valid TSAP, so I moved to Python. Using the Snap7 library I was able to, let me show you, connect to the device using a specific address. So what we are seeing in this example is what is being published on this specific memory address of the device, which in reality is the data gathered from the actual sensor, the water level sensor. So what we want to do with that is to change this information and inject some invalid or not expected data. So again, we do some changes and we do an injection; however, by doing it manually we inject the data, but whenever we read again we get the actual information, because the sensor is constantly sending the information, so our injection won't work unless we use a loop. So as you can see on the right there are the two PLCs; we are attacking the one on the right, and as we can see, the sensor is out of the water, it's right here, so whenever we start the loop injecting some random data it turns red. The master is not affected, but we are writing into the memory of the attacked PLC, and the water sensor is out of the water; the fan is also being actioned. So in this case, if we are testing this in a controlled environment, we are affecting, or we are showing, the risk of getting access to these protocols without any other controls on them, and we are not affecting the master, which can be the critical process of this. And also we can script that, make a little tool that can serve us for further engagements, and yep, it works. So trust me, you are vulnerable.

And no security assessment is done without the documentation. But what do we want to recommend for this kind of assessment? We probably, or we certainly, don't want a comprehensive list of issues to address. Why? Again, these industries already have issues; they have little ability to include security in these components. So what we want to do is to prioritize efficient risk reduction, which I mentioned at the beginning of the presentation. But what we mean with this is that we need to understand that IT and OT face different problems; they have different operational goals. So what are good issues to report? Lack of authentication, clear-text protocols, legacy software, insecure applications: yes, of course we need to report that, because those are issues, but if we only report that, and the industries already know that, what value are we providing to
these clients? So what instead? As I mentioned also before, vendors usually expect that clients implement security requirements in their critical components or critical processes, while clients expect that vendors include security in their critical components, and this is a never-ending problem or fight between those two. And if we as consultants just get there and suggest or recommend doing what they already know, that does not provide any value to them. Instead of that, we need to leverage the cyber security assessment we have done, we need to leverage the passive information gathering, the understanding of the industry, and if we do some active testing, we need to leverage all those steps in the methodology so we can recommend things that actually provide value to the security program of the organization and it can be improved. For instance, I included some examples here, such as insufficient communication between IT and OT. This is a great issue to report: if those teams are not talking to each other, chances are that what is being implemented in IT is not implemented in OT, and we have a lack of security in those communications. Also, if the cyber security program that is being implemented in IT, probably it is quite robust, but if it doesn't include OT, chances are that OT is quite unprotected from basic attacks, such as reaching the OT infrastructure from the corporate network, which, as stated before, access oftentimes means compromise. And also, if we don't have clear duties between IT and OT there's a problem, because if you have found different issues with the security program and they don't know who should be implementing these fixes, this won't happen, and it's an issue that you reported and it's just there without any solution. Also we should identify physical security weaknesses; those are security controls that are implemented physically, so if there are physical security vulnerabilities and we can access those devices physically, that's also already compromised. Lack of monitoring, insufficient hardening, unnecessary network services running: those are also worth-mentioning issues to report. Recovery time objective: again, we are not attacking some critical components and expecting that they recover from us failing or throwing away their critical components; we need to test this probably through tabletop exercises, or we can test this in lab environments. Also single point of failure: if these critical components have one single point of failure, that could be pretty dangerous; they have to have redundancy on it so they don't break if one fails. And missing patches, of course, that's something worth mentioning.

So a little storytelling regarding a red teaming assessment we performed some years ago that included some ICS in it. This assessment was for a mining industry; they required to validate or to assess their response and detection capabilities against real threats, real threats for them
meant competitors national state actors or even
organized crime yeah and even organized crime they wanted access specifically to information for for these mining in for this mine in this case so the rating goals that we crafted for this assessment was to assess the external network get access to internal network and persist for a period of time then do some lateral movement privilege escalation with the goal of accessing this critical information and also to access some scada and other critical component systems um of course to measure the detection and response capabilities they have and access to strategical data and from the operational impacts we have the client or the mind asked us to evaluate some critical components they have in place this included the
monitoring of the mind the tracking systems proximity alert systems and the ventilation systems so how do we did we execute this assessment we did through two phases the first phase was using a css csi like exercise it was really reduced we don't do an extensive cyber security assessment but we did interviews we did a site a walkthrough we understand the processes they they have specifically for the four a critical process they want us to assess we needed to understand how they were operating if they have a way to prove them on love environments of if they are just in production and there was no other way to test them so for this from this phase we got a
surface attack identification we understanding the yeah the organization environment and we were able to break through into individual components also for these individual components we understand that ventilation systems were out of scope because there was too much risk to test these systems online because failure of ventilation systems meant dead for the people inside the mine so definitely we can't test that and there was no lab environment or other ways to test it and we get to know this because of the previous non-intrusive engagement we do it for for the organization and then we follow with the simulations we did some wireless and physical attack testing social engineering we got logical access and we tried to move or to reach the
information they wanted and for the other components for the proximity alert and tracking systems those systems were also critical because they were used inside the mine and failure of these systems could could cause probably not dead necessarily but yes accidents and yeah that's something that we couldn't afford however those systems could be analyzed uh offline they had these systems of line for us to analyze them so in this case that was a an attack vector and but finally some key take highways and we need to understand that it and ot are different they pose different challenges they have different operational goals and it is important for us if we are assessing ics industries to understand
that those differences so we can provide actual value to the company um ic security assessments are similar to other security assessments but they have some different things there that we need to be careful of we need to understand the context we need to have a testing methodology and then we can start scanning or attacking as then we were mentioned we start testing passively and we escalate safely so knowing the industry and understanding what are the context of what is the context and the needs of the clients we are assessing it's necessary for us to perform an efficient risk reduction recommendations and not only ask our clients to fix everything or to include security in everything
and we need to remember that rich rich of these systems probably means already game over we don't want to just came to the organization and tell them what they already know we need to find in different ways to provide actual value to to these clients and if you want more i have some references for you some talks some documents some do it yourself things and some tooling on github and that's it if you have any questions you can pick me up twitter and or ask here [Applause] okay so sometimes i role play and let's start by saying i am not going to be attacking or critiquing his talk one of the things i tell the cavalry
folks is that sometimes the opposite of a profound truth is not a lie but another profound truth and together you have a greater truth and sometimes we have cognitive dissonance so to connect this to chris hopps keynote yesterday about fragile versus resilient versus anti-fragile if even scanning these environments is dangerous and therefore we choose not to prove how dangerous that is because the client wouldn't want us to break things that's a truth and it's dangerous so do you believe an adversary from north korea russia or even an accident from a ransom crew would use kid gloves and just not actually sneeze on these things so one of the things we wrestled with at sissa and we
made the sisa.gov bad practices was that the use of unsupported end-to-life software is dangerous in critical infrastructure now that is not to lack empathy for the fact that these are really old devices they are very mission critical if you break that mind that mind might shut down forever and if it's that fragile are we resilient that's not a rhetorical question if it's that fragile are we resilient and back to his other truth that these things once you get physical access there's no authentication you can just inject all this all the modbus traffic you want we tend to believe in an air gap and they rarely were ever there but now you every single one of your employers
has a digital transformation officer who's deliberately adding remote telemetry bi-directional predictive analytics predictive maintenance to be able to avail themselves of data science and machine learning and other good things but the assumptions that were safe because of an air gap are gone so the world has changed and adversaries are now being more brazen and they are attacking water and food supply and while it is incredibly disruptive to maybe physically break some of this old equipment the only thing harder than planned change management window is unplanned change management window and during the pandemic on the vaccine supply chains we didn't have the luxury of hoping that no one would sneeze so i don't know what to do about it but
what i know is when you look at a consultant being hired by an enterprise we're looking at the stakeholders wants and needs and fears and what's off limits but when you add in other players like actual adversaries or the people who need the water the oil and gas the electricity the timely access to patient care there's a lot more people affected so we're in a very uncomfortable space and part of what i'm asking the cavalry to do is we should not just walk past these fragile brittle unscannable systems and say that's as good as we can get there's no money and congress is increasingly getting appetite so i don't have an answer for it but take everything he shared with us
which is valuable true and compare it to now what do we do when anyone can sneeze on these things or just even port scanning them may be too violent an act do you feel safe that the critical infrastructure is resilient don't know what to do about it but i want us to simmer in that discomfort thank you
thank you