If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
Key Takeaways
The video discusses the current state of cybersecurity, highlighting the pace of change vs pace of progress, monolithic focus on engineering, and lack of attention to policies and procedures, with experts from the SANS Institute providing insights on industrial control security, information sharing, and the need for converged programs to tackle operational risk, using tools such as Digital Ghost and gas turbines, and concepts like artificial intelligence, machine learning, and software-defined n
Full Transcript
The focus of this panel: if we're doing so well... I started as an optimist. I started the summit with areas that we've gained real progress in, and I think the last speakers have demonstrated some of that progress and the contributions to the field. We've continued to progress, but the question is, if we're doing so well, why are we doing so poorly? I would argue this has to do with this concept of pace: the pace of change against the pace of progress. I still, though, as an optimist, believe there are lots of opportunities available to us in the innovation that we're seeing, and we want to explore that, but we want to take a very critical look at where we are still falling down. Why is that happening? That's going to be the focus of our panel.

The format today will be: I'm going to give each one of our speakers three minutes of opening comments or remarks, their observations as to where we are getting progress but what's holding us back, where the challenges might lie. Then we're going to go into direct panel interaction with the audience, so I want to see those yellow cards coming up to me over here, and we're going to also have questions for each other. We really want to kind of test the limits, if you will. It can be fast paced; if we get lots of questions we're going to kind of go into a lightning round, if you will, so really short answers. And then I want to give each one of our guests up here two minutes for closing remarks so they can kind of catch what their conversation up here is all about. So please be involved, it's interactive, so bring those cards up to me and we'll get started. All right, three minutes. Three minutes, there's no clock, no countdown timer. How many they're in, look at it, just long. The lady right here in the front will give you your... the real best part is she's in the dark, see, so we don't see any of those people now. And we got your glass, so that's right.

So the main thing I see that's missing is, I agree with your idea that the pace
is different: the pace of offense versus the pace of defense, the pace of change, the pace of, oh wait, we don't change anything in this space until it's really old. But more importantly, I think what we're missing there is it's not monolithic, it's not all about engineering. Yes, I are an engineer and I can spell it, and I-T, oh wait, O-T. So the problem becomes, if we look at it from an engineering perspective, we forget about management, we forget about policies and procedures. It doesn't take that long to change a router; I mean, you literally have to pull some plugs, put a new one in, so when the old one's smoke leaves you put a new one in. Try changing the policies in your company for doing something. Try changing the regulations. I just finished a session up in DC last week where they're talking about what would happen if we had to change one line of code in every 737. There are only 9,000 737s roughly flying right now, so how long would it take to change the code? How long would it take to test the code as part of the current regulations, or to get them back in the air before they all expire being too old? And so a big part of our problem is we've created very long, difficult pipelines for regulations and change on the paperwork, policy side, and we haven't looked at those. So when we discover that piece of code that grounds every 737, Southwest Airlines will have two choices: buy a totally new fleet, because there's no way they can run through the current change process mandated by FAA, all these other regulations, or their internal regulations, to fix one line of code on all their airframes. And so that's something that's holding us back as an industry now: the lack of paying attention to anything besides the ones and zeros, how much crypto I need, the true engineering. It's the "let's put it in operation." And actually, when Adam said his first thing was to make it easy to implement, I just went, thank you, because that's, I think, a missing piece.

Very good. We're going to turn it
over to Rob, which is really interesting because, Rob, you're the fleet guy, right? You're going to talk to me about the opportunity. In your opening comments, what does it mean to manage a fleet? What opportunities are hidden? I mean, Art brings up a great point about trying to deal with this. We're talking about fleets of airplanes; let's talk about the things that make airplanes go through the sky, fleets of turbines.

Yeah, definitely, thank you. So I'm fairly new in my role, about eighteen months. I came out of, pretty much minted in Silicon Valley, comfortable with platform as a service, infrastructure as a service, secure development of applications, those kinds of things. What's exciting about this is, when I first got in my role, what do you do? You try to understand the problems your customers face. In 2016 we launched over 50 what we called security health checks globally on thermal fleets and sites, and we began to see a real pattern. Much of it also lined up with findings from the Department of Homeland Security and ICS-CERT, which was another interesting coincidence. And the findings were this: we weren't doing intrusive testing, it was more or less an audit of what hardware and software do you have in place, what sort of access control definitions are on your edge perimeter, really fundamental stuff, or at least people in security would think is pretty fundamental. And we found a lot of really simple opportunities to make improvements, whether it was the instrumentation of tools or services to help out. And then the thinking too was, because we're also at GE going to market with some products which are, you know, arguably very good at what they do, but they're also very expensive, and so there was this barrier, I call it the cost-value ratio, where customers were looking at what we're offering and they just couldn't get their heads around things. So we saw an opportunity: instead of coming in one time, heavy-handed, and saying look, here's how you do security, let's break it down and focus on a critical
security controls approach and a capability maturity model, which we felt really resonated, and customers seem to be agreeing with us. And it's just this idea of, you know, if you begin to implement controls, it's not an all-or-nothing proposition. Begin to implement controls and you dramatically make an attacker's job much harder, and at the end of the day I think that's the goal we need to have: how do you create frustration, difficulty and challenge for those who want to compromise our systems? Much of it can be the implementation of some pretty fundamental controls, and you can grow your platform from there.

Tyler, you're in an exciting new role. You're looking at the application of technology as a disruption for business models, an opportunity to grow whole new productivity lines and make businesses more efficient.

Yeah, let me try and tie that in to the question about what we're doing wrong. I was calculating out there in the hall, this is my seventh summit, and I think I've said the same line. I don't mean to participate in your memes on demand here, but two things came up in every conference that I've been at here, and one is a medical condition called shiny object syndrome, and the other medical condition is a working group item. These two things remain the connective tissue from when I first started in the space, the better part of ten years ago, to today. We eat ourselves by not being able to simplify what we're working on, build business models and economic fabric that can help us all be successful on the supply side, on the consulting side, on the end user side. We have this natural predisposition to move on to the next big thing before we've solved today's problem. So my journey to where I'm at right now: I started about ten years ago, when nobody was testing for vulnerabilities in an intelligent way, so I wanted to solve a testing problem to find vulnerabilities in these systems. We did that,
and right away we faced, well, you're not testing every protocol, you're not testing deep enough, every reason why this wasn't perfect. So we said, yeah, yeah, good enough, and we'll keep doing that; we put a testing platform out there. Then we wanted to have some benchmark across companies: how do you certify and compare product A's robustness, even if it's just the stack implementation, versus the product of company B? We put a certification out there; it wasn't perfect. Then, you know, a few years later we realized we have a people problem. Okay, this whole IT/OT thing, I still don't believe in that, I think it's still just T, but at the end of the day, do we still have the right mix of skills and competencies? We put the GICSP out there; I mean, you were involved in that. In four months, it wasn't perfect, it wasn't exactly what the industry wanted, but it was something, and now we've got what, 2,000 people with the certification? So my arc has all been about finding the real core issues and solving them and ignoring the shiny object syndrome and moving on. And what we have had in the last four years: I ran cyber security at Shell globally for our industrial facilities for four years, and in the latter part of my four-year tenure we realized the technology was moving ahead so fast, and the business cases for remote, unmanned, decoupled hardware and software were so compelling, that we decided to bury security into our technology maturation journey, which had a business case behind it and allowed us to continue to sustain our customer relationships, sorry, our supplier relationships with GE. So what we did, instead of now going and bolting on to the current estate the next cool thing that's out there, which is great, I'm sure they're all cool, but this particular infrastructure we're all working with right now doesn't really come easily with us on the journey to software-defined, to open APIs, is that we just can't keep bolting stuff on. So we kind of ignored doing the next thing and said, well, how are we going to
design the new architecture of the future? Let's get that right. Use the dollar that I have; instead of having a finger in the current pot of fixing legacy systems, I'm going to kind of go all-in for the future, because I think that's where the business value and benefit is going. So it might be perceived as a little bit like we're ignoring the current problems, and consultants hate that because they have to make money today, but you don't see any brand of our consulting community securing the industrial estate other than patching and bolting on stuff today. So anyway, that's what we're doing wrong: we're not learning from simplified, collaborative... we all agree on five controls. I came to the last conference, I wanted to come back here: five controls we all agree on, all get it done wherever we are, and come back and talk about the success of patching, antivirus, that kind of thing. Then lay down the challenge and do it again for the second time, number two.

Marty, I know what Tyler's meme is going to be: it's all about T. I can all IT difficulty, there's no intimacy. By the way, the last concert I was at, IOT near di Quixote.

This is a tough question, I think, and if I look back, and we've seen some of that discussed this morning, you've got these highly successful organizations that have, you know, invested in the security of their industrial controls environments; you've got vendors who have made similar investments in redesigning things. I think I'm going to put a concept out on the table that says we just haven't reached enough people yet. We just haven't hit that critical mass of saturation where everybody in this environment knows instinctively that security is something that you just have to do, just like safety. You know, nobody in their right mind walks into any industrial environment without asking, you know, what are the safety procedures, protocols? No company's going to let you into their environment without sitting and watching their 15
minute safety video, you put on the right personal protective equipment and off you go. We have to have that same culture in security. I think that from a governmental standpoint, you know, we've seen certain sectors do really well with culture in the security area. I think the financial sector is probably first and foremost; there are some others that are quick runners-up, I think. So we need to take these individual successes, whether they're, you know, Adam's success in this protocol area, or Sanford's success, and we need to be able to broadcast them ubiquitously out across the environment or the sector. And so I think that, you know, although I really am reluctant as a government guy to go back and talk about information sharing, I actually still think some of it's about information sharing, you know, because we're still reluctant to report incidents when they happen. I see people gobble up the statistics that we can come out with, right? I'm going to tell you that those statistics are skewed. You know, one of the things you asked me about, when we're talking about APT, well, probably one of the reasons that, you know, I see a certain sector leaning towards APT is because that's what we're looking for. You know, so we're looking for that riding on systems; we're not looking for, you know, Conficker that got there because the salesman's, you know, USB stick got stuck into the computer. So I think that we're still in this kind of vacuum, quite frankly; not enough people are openly and honestly sharing what's really happening in their systems in an anonymized fashion that we can all take benefit from. And I think that we've proven that the mechanisms are there: we can protect the data, we can sanitize the data. I just don't think that we're seeing ubiquitous enough reporting in everything, whether that's reporting of successes, hey, I did this implementation and it works really, really well, to reporting of failures that said, hey, you know, we had this ransomware event,
we had this, you know, infection event.

Okay, let me open up to some ideas and questions, and of course please join me in asking questions of each other. I buy into what Tyler was saying: we do a very poor job of forecasting forward and saying how do we secure the future of where things are moving. When we started this thing, we used to say ICS security is 10 to 12 years behind IT security, right? And we got mired in this trying to bring this legacy infrastructure forward. Although it still is necessary in many cases, it's just not sufficient for changing any outcome of the future. So, quick question. I taught a very quick two-hour seminar on strategic planning, and there was a big focus on understanding trends and forecasting forward: to take a trend and understand what the implication will be to you not only now but over the next 18 to 24 months and beyond, and then what does that mean for aligning resources and effort to finding, as Tyler said, what are the things that we need to do. In Marty's talk he talked about improper use of virtualization, failures in VLANs, other things that he saw. I wouldn't call those necessarily trends, but bring your own devices was a trend, increased use of cloud services out there. I'd add some, and I'd like to hear from each panel member about what do you think are the most important trends that we should really be thinking about to understand how best to create a better future. I'd say convergence. We've seen safety functions converge at the network level already; it made great business sense to do that. We're starting to see now logical convergence of both safety and control even in a single device. In fact, where manufacturers are pushing that into the future is that the single controller will have both logic and safety logic on the same controller. Convergence is an important trend I think that we're going to need, just to kick this off for us, to struggle with and understand as an implication
for getting a more resilient system out of the end. Panel members, thoughts? Other trends that we really need to tackle to get a better future?

Oh, I'm gonna stand up. When you were saying what is the future, before you said the word convergence, convergence came to my mind, because you can't stop it. You can't stop the use of iPads, you can't stop the use of phones, you can't stop the business from saying I want to know data points on a turbine that's running on the side of an aircraft at 38,000 feet. So that's going to happen whether we want it to happen or we don't want it to happen, secured or not secured. And so I think it goes back to, Tyler summed it up well: if you already know what's going to be happening going forward, why don't you focus on getting the core of what you need done, done in that area, and don't worry about the edges of that bell curve. I mean, SDN I think is the future for this industry as well as everything else. Whether you like it or not, it's coming, it's going to show up, and you can sit there and say, well, they don't have enough security, or they don't have this, or they don't have that. It's still coming, and so I think we have to figure out how to deal with that.

Therein lies the rub for me: if we agree with that, and our position would be there's a very attractive business case for removing the hardware-software integration, decoupling that model, and making our vendors unhappy with the margin sale that they get today. But at the end of the day we have struggled with a resourcing and a skills gap for just today's problem. We only have, let's say, 10 people, we only have a dollar to spend; I don't think we can effectively do both. It's hard for me to say that because everybody wants to, and I think we have to in some respects, but if we don't challenge ourselves now to kind of think binary, either we go in for the future and not be the people that, probably the three of us here at least, complained about ten years ago: all those PLC engineers, they forgot to put
security into these things. It was good for us from a business perspective, but we yelled at them for not thinking about the future, and here we are today with the exact same migration happening in front of us, a technical estate change that is non-trivial in nature, and yet we're still thinking about secure protocols with the current paradigm. Yeah, interesting and cool, but it doesn't go with us.

So I think one of the things that we fail to do, it's a failure of imagination, is to take the opportunity to, instead of fearing convergence or fearing that additional complexity, embrace it. And, you know, I have to be vendor agnostic, but there are some really interesting technologies I think that are starting to emerge that are very tailored for kind of critical infrastructure kind of areas, and that's taking some of these, you know, machine learning algorithms and, you know, almost artificial intelligence type algorithms and turning them back and applying them to our systems. And there are a couple of solutions out there, for example, that are mining your entire data historian platform to look for anomalies or forged data, so that they can go, oh, by the way, do you know that this signal over here is an exact replica of a signal that we saw five and a half years ago? You know, that 30-second sound bite was the same. And I think when you think outside the box like that, we can come up with some pretty innovative solutions for this space, but we quite often, you know, have a failure of imagination; we just don't quite go there.

Right. So I guess the question is, as we think about some of these fertile-ground, if you will, areas that, if we put our concentration, like Tyler said, and we don't get distracted, we really focus in on three or four things. You know, Marty, in your talk you talked about, you know, you're seeing a lack of even monitoring, right, at the network level or the host level within a control system environment, or having these problems
that people don't even know they have. We saw an incident in nuclear power plants, right? A German nuclear power plant operator who turned around and finds Ramnit and Conficker that had probably infected their systems at least six years ago, right? When they go to do a modernization upgrade they find the infection for the very first time. Why? Because they were just doing, you know, protections, and here's the first time they'd actually touched that exact system in that six years; they find it was infected and they have to go deal with that. So the question is, each one of you has hinted at and brought up areas of what I would say is fertile ground, right? Everything from data-driven predictive systems that can look at the data, if you will, maybe a network, a host, a historian log, that says we're seeing some type of anomaly, helping you decision-support-wise, making you a better decision; being able to look at fleets of things and learn very quickly to apply it and fix a problem somewhere by looking at a single machine or single implementation of something. Other areas would be in decoupling software from hardware, or software-defined networks open up a host of opportunities for us in terms of what we could do from a resilience perspective. So what are the major fertile areas? If we were to pick three things to focus on, what would be the three things that, you know, this audience ought to go out and think about, how they're going to be doing the future of control systems and automation from a resilience and security perspective? And I don't know if you want to bring up, you know, things like robotics. I mean, quite honestly, we live in a fixed model: we're used to servers are here, hosts are here, we have PLCs there. We're seeing more and more mobility, everything from the actual assets themselves, skid mounted, moving around, individual components, bring your own devices showing up in environments, and robotics now interacting in industrial environments. So I still think we're narrowing in on the problems that exist
today.

So I was at a talk last week where Peter Thiel, basically an investor for those who don't know, and a pretty smart guy, said anybody who uses big data, AI, analytics and cloud and assumes that they can put any of that intelligently on the current infrastructure is a fraud. This is in front of my CEO, Koch be CEO, excellent CEO, ministers from Kuwait and Aramco, because it's true: technically you can't do all these analytics that we sell each other with the systems we have. We either have to clean up the estate, standardize the protocols, the data structures, and then start thinking about the cool sexy AI, the machine learning, or we just accept that we're going to be in a technical debt state in perpetuity, where our consultants are going to make less money by adding another layer of firewalls or anomaly detection. And by the way, anomaly detection for who? I have probably one of the most mature security programs around and I don't have anybody that can have another thin client application with another bunch of information. There's no role that exists in Shell that can handle any analytics coming from what's on my network, and if that's the case for us, and we're only mature because we had a great act and lots of money, the less mature companies can't do anything with the data they have. Why give them more data?

Marty? Rob?

I agree. So one of the challenges that hits me commercially is how do we go back to the end of these environments and sort of standardize the platform so you can manage it more easily. That's one of the ways a cloud guy is going to think, right? Manage the platform, manage the infrastructure, stay in control of it, update it more easily, etc. One of the areas of friction that I see is sort of pricing and go-to-market strategy going very heavy-handed, plant by plant, and we see this at GE too. Hopefully we can transform this to some respect: we're still selling hardware, we haven't gotten out of the Industrial Age, right? And so what we need to get into is how do
we instrument these platforms so that we can sell software and services upon them down the road. I can't make any money on hardware, I can't make any money on servers; it's all going to be in services, analytics, those kinds of things. On the analytic side we're doing some very interesting things. I mean, I'm trying to be a little judicious and not just pitch GE here, but we have a program called Digital Ghost where we took a bunch of researchers into a room, guys who actually designed the gas turbines, for about two weeks, and said, guys, make a list of all the ways someone can just screw this thing up, and you get bonus points for screwing it up in a really catastrophic way. They came up with about 225 different threat cases, and then some of our data scientists developed an algorithm that could account for those, or identify these exploits against an asset, using existing sensor data. The next step on that is to create self-healing control systems: how does a control system, once an anomaly is detected, identify that and then accommodate for it by resetting to some sort of baseline standard or safe operating level? Some interesting stuff going on.

Now healing, self feeling, self denied there, two suicides, the court, they defend the death detention offense.

All right, you talked about regulation, and so, Tyler, you know, everyone we're talking about is saying just let's boldly go to a new place and change the game. Can we? I mean, regulation is something that is, you know, mired in our understanding of the past. We write it down in black and white, so now everyone go out and do these things, and typically it ends up a big parachute and ends up slowing us down; it doesn't recognize all these model changes. Are you seeing...

Well, I'm seeing that today. I think it goes to the other missing element that we haven't talked about, which is people. Yesterday in your strategy summit you actually called me on, you know, that the financial services sector seems to kind of have a handle on this security thing, and I
agree, because for the CEO of all these big banks, the entire time he's been in banking, money has been a digital construct. I mean, in today's world of banking they stopped putting stuff out at counters decades ago; it's all about, you know, digital things. And so they've grown up digital in their industry and they understand that, and so this is part of their culture. Whereas I'm in South Texas at a gas well and the guy goes, what do we need security for? We're drilling gas, you know. And the mindset is not onto all this new cool shiny object stuff yet. Well, when you go to Washington, DC and you say we need to regulate, they think about, well, maybe we should regulate against viruses or spam, or we hear about this in the news, right? So until the people writing regulations, and that also includes inside companies, until they really get a handle on how all this works, that business case element, we're going to be shackled by someone that writes a really well-meaning idea that if you change a line of code on an aircraft anywhere on any of their systems, until it's requalified for flight on all of them, none of them fly. Which seems like a great idea; then we stop flying and we stop doing these things. So the regulation problem is a big piece, a people understanding problem, and it's going to take time to grow them. Remember, every filter of ripping or replacing four regulations for any new regulations, so maybe we have a chance to make the change here in the United States.

Real quick, just one of the issues that I struggle with too is data sufficiency around attribution. How do you create actuarial models and actually work to solve problems? You know, you have out there life insurance; it's pretty safe that somebody knows when I'm going to keel over and how much to charge me for it, right? But not so with an exploit on an industrial control system. Banking, they've at least been tested a little bit, so there's a little more data there.

So, drivers for change. Let me ask you, panel members, do you think insurance will become a big
driver? I've seen big changes in real property insurance coverage. I've seen taking on risk and exposure where the insurance companies are realizing some of these are systemic risks, so there's a residual exposure. Is that gonna be a big driver? Do you think insurance companies will help drive big technology decisions in the future?

On that one, just a quick answer: I think so, but we thought so ten years ago. I think one of the guys speaking tomorrow, who used to work as a cyber czar after Perry Pederson, tried this. The math is very difficult to get right, and the risk associated with funding bad math from an insurance perspective is very high. So again, ten years; it's all been smarter people than I'm aware of. Is that something we can count on going forward? But back to the people problem: sneaking around saying something is a problem and doing something about it. We talk about people as an issue, okay. One of our problems at Shell is that we wanted to endorse and help with the GICSP to help augment our workforce, because we were getting very crappy people from consultants talking about things they didn't understand. But what we also didn't get is diversity in that workforce, right? And part of our initiative was to get women into the GICSP. Like, I don't mean to come down on you at all, but there are no women speakers here at all. And millennials: we also wanted to have more younger people, and I was excited about a program now with the prayer, and there are no 20-year-olds. I counted anybody who is around planning it, don't see any. Maybe I missed you, but those are two things we can all probably agree are going to contribute to a future problem. Can we just solve it? Get female speakers next year.

Great. So Mike, Mike, I think... I want to comment on the insurance thing, and I agree, Tyler, we never knew normal; we had ignored the diversity we haven't made in the program. I think we have to get to the point where the insurance underwriting industry
understands, right? I mean, that's part of, if you map that back to the information sharing problem, I think it's a data problem. There isn't enough, you know, good, sound evidence that they can build the actuarial data off of. But I don't think that as a CEO you can make the decision whether you're going to self-insure and accept that risk yourself or whether you're going to farm it out until you understand that price point, right? And we just haven't got there yet. But I believe that, you know, that is one of the drivers that drives things like regulation; it drives the way that all of this works, is the money, right? We're not there; the equation that tells you what this event costs, I think the market, yeah, will be one of the big, big, big pushes.

Okay, let's go to the lightning round. So we got lots of questions and we've got a great panel here, so let's rip through this and let's not shy away from things. I know, Tyler, bones, it's a panel, and maybe one answer for each one of you. If the panel could get an ICS vendor to do three items to improve security, what are the three points? So maybe each of you pick one and we'll come up with our list of three.

One of the things you should ask, soldered money: document your protocols. And, you know, let's stop hiding behind, perhaps no party, I did still say, well, you still ad. Go and ask your favorite vendor to explain their protocols. Okay: document sessions, interactions and those types of things. Tyler, one thing?

Update your patches. Give me a service that monetizes and values that security control, irrespective of it being patches, and users, system integrators, operators and suppliers on one thing. Very good. Rob?

Leader yourself, very similar. You get mirror, didn't give you the pod. Clean up and maintain HMI hosts, and also be aware of what's even running in the environment. Yes, safe, secure configurations and an understanding of the behavior of the system, which is kind of what Marty was saying: what we should expect
for behaviors of the system ok all right make them updatable and actually do that it goes back to Tyler's patching thing tired of seeing windows for oh man we were we're mire in the past so okay Tyler you're gonna have that you're going to come back spend time to entire audience tonight and we got to think up great things for future alright many organizations manage threats in separate silos right they have IT groups and by the way I have a quote for you Tyler I think what you really meant to say was there's no I or o in team anyway so I t OT you have compliance groups you have physical and cyber security they're all separate do you see the need in modern organizations of converged programs or matrix organizations that will tackle operational risk as a whole goodnight no matrix absolutely yes and a lightning round yes yes yes except converge does not mean identical okay conversion so they need to be expertise but you need to matrix us and there better be women there and there better be a whole young the whole point though is that you have to make the right skill set available to the right piece of the organization and we don't do that okay best security program ever seen added a large Oh treating security as a layer of enterprise architecture do you guys agreed you see to expect clear integration of security into architecture models basically or is that just too old-school that yesterday software-defined networks yeah I mean mission our view of the new world segmentation of the control which existed standard framework is no longer applied in the same way writ large just does not go forward so architecture is absolutely key this is the language listen yes okay I'll take that back and I'll put it towards the security and safety culture I think that if you look into that question we have to get to the point where security is thought of just like safety part of the tape all right so it's not architecture it's everything into the engineering and design you talked about 
getting PHA and heads off so it's really tough you've unbounded the problem amazing how lightning in this is yeah well remember we don't have law lecture to the room you guys don't you laptops but okay I I hope yes architecture but even a bigger yes to culture okay culture really Trump's every culture jobs everything so that's the key to leadership Rob uh one of the strongest security cultures I've seen is at Netflix and by design they handle almost all their securities are monitoring alone I'm still mad at Netflix resplendent Acosta by I can't I can't like this okay uh worst of examples of this placing sniper with discrete electronics in the most critical safety control settings I wrote a paper with Annie Bachmann's in the audience here today called a case for simplicity oh my god I thought the world fell on me when people are like I'm talking about going back to analog which I was not I used a new term called 21st century non-programmable individual devices but give us some examples what do you mean Marty because even I I had to come up invent new terms for that content I don't think there's there's that many concrete examples of people that have done that you know because they're trying to take cyber off the table yeah but I take it all back to you know it's the big red button its button on the wall that if you push it you're in a world of hurt but you want that thing to work when they push it it mean Tyler is it is this something that's important last line of defense conceptually you say nope doesn't support business models keep going north I like it I like it but it's it's a new subject requires rethinking I really like us to focus on what we can do today get it done and move on to something more they're good although in some new digital nuclear power plant designs full digital safety systems and the wreck mission that you really separation is going to do it first anymore there's been some thinking in that domain that was an Elise an application example of 
saying maybe the fallback rod control for safe shut down is an important is a rope yeah instead of using a gel purpose controller even though it's gone through some good testing regimes that Tyler helped bring into the world Eleni allure the rods well there is a whole new culture of people coming in and I think with it I hope it'll extra in diversity so common message is simplify but lots of risk comes from very cheap simple insecure technologies we'll see that with IOT applications and sensors and instruments how do we effectively move to a cheap simple secure IOT future any quick answers we don't know if anyone tells you what that IOT future looks like it's not been invented yet they're still trying to put the old paradigm on so I think it would be great to have people on the open automation forum security track I don't see now there's two of us yeah yeah like one to do less with big checkbooks on big companies that are facing problems so if you want to sell stuff to us they could drive into this IOT issues I think is that it by the time the thing hits the market they're stopped making it they're making the next one right I mean so they make a hundred thousand or two hundred thousand these things they retool and move on and hasn't even hit the sales stream yet and and so we're seeing just egregious you know hard-coded passwords and telnet you know your DV go go home and try the telnet into your blu-ray player yeah but still probably where that's when these hold back things right so if ever you spending time working with firmware and you look at the firmware supply chain IOT is this it's I'm going to build a device for the market in six months I'm going to reach back six years ago and grab a copy of firmware that was created six years ago and that's what I'm implementing in that device I mean that's and there's no accountability meaning even if there is a problem there's there's no way to go back you know and get you get the folks who worked on and go fix it and 
there's no interested or business model in doing that I'll poke one of the Tyler's old subjects and say that this is an area that's right for device certification type of conversation minimal security conformance standards right other you don't get a sticker that says you're allowed to plug it in the wall so there's lots of efforts happening tuv and other people who have done safety in tradition ares are starting to bring the regime's to bear is a secure exist is it going to work I mean do you think the environment is going to adopt a dog battle so go back to the sand security controls take the top 20 narrow them down to top 5 for IOT and then tell people if it doesn't meet and pass these 5 conformance tests for these 5 things it doesn't get an ethernet/ip written one of the three things need to get done it's for the audience goes home to their companies and preaches that same message because if you're GE or your shell you have multiple suppliers and people telling you different things so if there's three for one segment environment and 50 for another that's an expensive proposition for us to match you can't have she'll tell you want telling you you want we want five things and BP telling you at 10 I do it and I think it's real important to realize much like we talked about convergence between IT OT and maybe et whatever that's going to be IOT is coming whether we like it or not and so we have to find a way through the culture of we can't adopt this we can't put it into our plants we can't plug them in because we don't trust them the same way you know we'll always find new ways to hurt people and refinery somehow that happens but yet we find better ways of making certain that we don't hurt you I mean safety today is way better than it was 20 years ago that's cultural have to get the cold and dry let's talk about people because cultures will be the last question that will go into closing comments about 30 40 seconds each who should leave the ICS security team where 
should it sit when you're looking at assets should it be should be technology leaders like CIO CTO should be plant managers should it be ICS do we use this new unicorn and say there's an ICS security director Tyler you you fit that bill you're in that role what is this success factor to that winning team and obviously you Tyler you very brought out the idea and you're absolutely right Sansa has been working very hard the last couple years to try to tackle a diversity problem bringing new minds in different perspectives adding to the teams that exist not just using you know kind of the same old you know accepting that today as the so how do we answer that question where does it report how does it best delete it and what type of people I'm going to go first is I'm on the end absolutely I would say number one you need a champion so I don't necessarily think it matters you know where it sits but it has to record a high level into the organization because these are significant decisions that affect you know the c-suite bottom line I think then once you have that champion you have the matrix in a variety of skill sets I don't think you can do it with just IT or just ot or even if you had ETB mam you know I think that you have to be flexible enough to bring the right people to the table to inform that individual him he or she in that championship position and I think it's also different in different sectors or segments I mean the vendor community I think is going to attack it different that's a manufacturing sort of organization then you know uh oil and gas John Tyler big complex company up in misery and downstream if you think it's a sequence problem so governance is your first problem deal with that and don't do anything else until you get it established and and we had a very complex model of deal with so our engine our refining business was driven by IT our upstream was written by engineering it doesn't really matter it reports up to the same place eventually and we 
didn't really have a top-down approach we just said document your governance structure then look at it and figure out how you're going to sustain and cost this out because these people who you just put onto a piece of paper as part of a responsibility matrix don't have it in their budget don't have it entertaining don't have it in your skills so figure out that operationalize that integrated at wherever you need to but define it run it and then start bolting on okay so big enterprise bi and Rob okay right that time yeah keep it quick I've seen it done successfully operationally to date so no new roles IT working with the OT operators because the OT guys you know you're respectful he's going to tell you what can be updated when and what kind of changes can be made when and they're probably going to err with that yes or she or a millennial will tell you and when you can or cannot update simple ability will do it to three o'clock and then they have to go home so okay I'm sorry you [Music]
Original Description
Register for the 2018 SANS ICS Security Summit & Training: http://www.sans.org/u/yzD
Awareness campaigns, frameworks, community, public-private partnerships. We should be patting ourselves on the back for all the hard work we’ve been doing to advance the state of cybersecurity. Right? But wait! Why is ransomware flourishing? Why are IoT devices the scourge of security? How come the internet seems to be getting more dangerous?
Moderator: Mike Assante, Industrials & Infrastructure Practice, ICS/SCADA Lead, SANS Institute
Panelists:
- Dr. Art Conklin, Director – Center for Information Security Research & Education, University of Houston
- Marty Edwards, Director of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Dept. of Homeland Security
- Rob Putnam, Cyber Commercial Leader, GE Power
- Tyler Williams, Global Technology Leader, Shell
Join the forum http://ics-community.sans.org and follow us on Twitter @SANSICS.
For all upcoming SANS ICS courses, click here https://ics.sans.org/u/rYr.