So everyone, welcome. This is Jeopardy, industrial control systems security style. My name is Mary Brooks, and I am your host today. RIP Trebek, I will not be nearly as good as you. So the rules of the game today are very simple. They're pretty much the same as for a normal game of Jeopardy with a few distinctions. When the question comes up on the screen, you will have the chance to buzz in on your phone. Everyone show me your phone and that you've got the buzzer ready to go. This is not a camera. Do not look at the sticker. After three seconds of waiting, the buzzer is going to unlock and you can shoot your shot by buzzing in to answer the question. I will be reading the question out loud, but you can cut me off if you decide that you know it faster than I could finish speaking. You'll have a further 10 seconds after you buzz in to answer the question before the whole thing cuts off. So it's not a lot of time if you're not good under pressure, but it's plenty of time for it to get really awkward if you don't know the answers to the question. That's what we'll be waiting for. Yeah, when you buzz in, you have to finish answering within five seconds. No takebacks. If you start to say an answer, you got to continue with it. If someone answers incorrectly, everyone else gets a chance to buzz in. And there will be two rounds like in regular Jeopardy plus a final Jeopardy question. There are only three distinctions from regular Jeopardy. The first is that double Jeopardy is just an automatic doubling of points awarded. I don't know, I didn't make the system and no one wanted to create a bespoke Jeopardy application for me. So that's just what we're going to have to do. The next thing is that there is no panel of judges. So if you disagree with me on anything, the only way that you can get the points back is by fighting me for them. So just really angrily respond, you know, present proof, say, "I was there in the room and you're wrong." Angry, angry, angry tweet at her.
Yes, angry tweets. You guys have better Twitter followings than me. Flip a table. Can we make Twitter the judges? Can we stand up a live Twitter poll? No, because this is recorded live for now, not live for when they play it, Christopher. Also if you can get your other teammates on the panel to tell me that I'm wrong, that's extra points, but obviously they have an incentive to tell you that you're wrong. You're always wrong. Yeah. You get the point. All right, and then again just a final reminder that the third difference is I do not have to finish reading the question before you can buzz in, just go for it. Does that all make sense? Yes, yeah, sure. Awesome. Okay, so let me start by introducing our players today. Please wave when I say your name. The first is Chris Sistrunk. I'm the technical manager at Mandiant's ICS OT security consulting team. Chris is prolific on Twitter, where he regularly posts dad jokes as a service under hashtag DJaaS. Give him a follow. He also updates folks regularly on his sock status. Chris, do you have any socks for us today? I'm wearing flip flops right now, so that'd be no. Deeply disappointing. All right, not after the start there. Then we have Maggie Morganti, a product security researcher at Schneider Electric. It is a lesser-known fact that Maggie was actually raised by a clan of feral engineers and trained under Chris Sistrunk in bad jokes as a service. So give her a follow on Twitter as well. Chris goes back to his late days of the scientific times from 1819, was it, Chris? 1890. Excellent. Last but not least, Tatiana Bolton. Give us a wave or a hook as it were. She's the former cybersecurity policy lead at the Department of Homeland Security's CISA. Not syssa, syssa. Always syssa, right, Tatiana? That's correct. Always syssa. How if I show about it. That's correct. That's correct. That could have been a question. Could have been a question. And before you ask, yes, she is my boss.
And I did offer her a copy of today's questions in exchange for a raise, which she declined. And a policy director at the Cyberspace Solarium Commission. Tatiana loves to ballroom dance, and she has not one, not two, not three, but four children. I think that's one fewer than Chris Krebs. She declined. So you're all on the same playing field. So finally, last thing is the prizes. So behold, here you have first prize. This is the joystick of honor, moves in four directions. You can set it on your desk or something. I don't know. It's Chris's face right now. The hard hat of mediocrity with a promise. And then finally, the supply vest of, you know, sadness, shame. On it at the very end, it says, I will. So the hard hat of mediocrity is probably preferable. Don't be last. All right, any questions? No bonus points if we wear either of the last two during a real life compliance audit and take a picture? Yes, you will have to resend that, you'll have to submit it retroactively to Twitter and then I will automatically make you win. So it doesn't matter if it's like a year or two years from now, you'll automatically win. If you never participate in an onsite audit, then what? Then you got to go in front of CISA headquarters with it. Oh God. That's equally bad. Fair, fair. All right. All right, without further ado, we begin. I don't know, Chris, Maggie, rock paper scissors for who starts. Rock paper scissors shoot. You guys. Oh, this is terrible. Make us guess the number or something. Okay, okay. Guess the number between one and three. That's the worst. Three. Mary. One. Tatiana. Two. Oh, it was two. Yeah. All right. So Tatiana, you started off. I'll pick Alphabet City for 400. All right. ADX stands for what? Analog digital converter. Dang it. It's actually ADC, but. Tatiana. Automated detection settings. No, but you're a lot closer. Maggie, anything? She's going to keep zero dollars. That's fair. She's going to actually like. Automation and data exchange.
Telephone PBX, ADX. Gotcha. So I realized I did completely neglect to introduce our categories. My sincere apologies, and we will start with that. So first category. ICS in the Middle East: give me the industrial control system related vulnerability or event that happened somewhere in the region. If only it were that easy: you will tell me the simple solution to fix all your ICS problems. Third is Alphabet City. You are going to give me the full phrase of the abbreviation or acronym. Fourth is Colonial Pipeline in the USG. That may or may not be Tatiana's sole category, depending on NDA restrictions by our other two players. And finally, the last is Dune. Apparently it's mandatory to read this book if you care about industrial control systems, is that true? Never read it. Never read it. I read it. Oh, all right. All right. Well, here it goes. Tatiana. Why don't you say the next one? Oh God, I picked so well on the first one. All right. Well, let's go. Colonial Pipeline in the USG for 200. What is the answer to that? The ransomware targeted Colonials. It is believed this trend in which business computers are linked into control systems that contributed to the pipeline shutdown. It's really easy. Yeah, I know. What is IT/OT convergence. She got the answers in advance. She got the answers in advance. I told you I held it hostage for a raise and she didn't give it to me. So I can't buy shoes and she can't answer the questions. Works out. Tatiana, next to you. I'll go Colonial Pipeline in the USG for 300, please. New guidance was issued following the Colonial Pipeline hack. To whom in the federal government are pipeline operators required to report a breach? I don't know. Yeah. Oh, Mary. I did this card. Yeah. Sorry. That's sad. That's sad. That's definitely going to say. So if you were going to definitely going to say it, Tatiana, well, why don't you pick the next. To be fair, if there is an error, it goes back to the previous person picking.
I will go Colonial Pipeline in the USG for 400, please. The Colonial Pipeline had not implemented this login verification system for its accounts when it was breached, leaving some in Congress to criticize it harshly. For those with NDAs reporting reports. That it had not done this. Tatiana. What is two-factor authentication. First. That's bad. Must speak. Must remain silent. Oh, no. Okay. What is, If only it were that easy for 200. This term is a measure of how quickly a system can be brought back online following an incident. Chris. So is it a term or an abbreviation? Can I ask that question? It was a term, but if it's correct. It's a. Mean time between failure. MTBF. Yeah. Yeah. Yeah. Yeah. Yeah. Yeah. I think you're right. But it's really simple. Can you, can you extend? I mean. Yeah. I think. Resilience, just bringing it back all night. What? No one uses that term. Yeah. I think you should. That's fair. Chris's answer is correct. Resilient. Resilient. I mean it would never fail in the first place. Yeah. That's true. You feel better when I thought the ADX for Alphabet City. I thought it was supposed to be airports and airport code. Yeah. I was sitting there like. All right. I'm negative 200. All right. Let's. Let's do it. If only it were that easy for 500. All right. Here it goes. I'm going to look at me. This practice warrants certain scanning software to skip it. Chris. What is antivirus, antivirus. Exclusion. Exclusion list. Okay. Same thing. Well, you put that in the do not scan folder. Yeah. All right. Um, If only it were that easy 400. Yeah. NIST has warned against this practice, explaining that system security should not depend on the secrecy of the implementation or its components. Security by obscurity. To you, Maggie. I am going to do. We'll keep rolling. If only it were that easy for 300. If only it were that easy for 100. Just blank. It doesn't really work in ICS. Maggie. Um, patch. Sorry.
I thought just blanket and I clicked because I was like, it can only be patch or air gap. Maggie. Next question. If only it were that easy for 100. Maggie for double the points. Can you do it? Yes. Do you. Well, do you. Dune for 500 just because I like being completely clueless. It's actually really hard. I don't know. I've never been. Oh, good. The first draft of Dune actually came out of a nonfiction magazine article written by the author about what? Tatiana. What is the non hierarchical hyperlinked. Virtualized watching. That. It's a wild answer. The old college try. Was she incorrect? Yeah. Definitely incorrect. Distinctly. It was about sand dunes. He learned about a sand dune experiment and he thought, let me write a whole book about a sand dune. All right. To you, Maggie. Let's go. ICS in the Middle East for 100. Do you guys have security. A worm discovered in 2010 is believed to have been targeted. This. Chris. What is Natanz? Uranium enrichment facility. Thing. And to you again. Okay. So. Let's do ICS in. No, no, Alphabet City 500. What does MATLAB. Chris. I've never known what it is, but I'm going to guess what is math laboratory. So close. Any other takers? I don't want to wear the vest of shame. Yeah. I'll be here. Matrix laboratory. So close. I never had to use it. I use Mathcad. So should have asked that one instead. All right, back to you, Chris. Oh, even though I lost. Yeah. All right, fine, Alphabet City for 300. I'm hearing it. Supervisory. What is supervisory control and data acquisition? Oh. Chris, to you. On white on rice. Let's see. Oh, I'm above board. All right. What is Alphabet City 200. DCS. Chris, what is distributed control system. And to you again. Alphabet City 100. PLC. Going as fast as I can go. What is programmable logic controller. All right. Coming for you, Max, coming for you, Max. I'm like hitting as fast as I can. I know. So was I. Yeah, I have a gigabit. I'm over here. I have a pirate book.
You're hitting. I'm just. All right, let's go for ICS in Middle East 500. And I'm not even sure I can answer this question, depending on what it is. I'm not sure. What is Triconex. Damn. We don't have any. Yeah. Yeah. Did you know it though? Of course she knew it. Yeah. I mean. They never let us forget. Let's just keep going. Down the road. Let's see. ICS in Middle East 400. 2012 cyber attack against this company. Reportedly. Chris. It is a. What is, it was a ransomware attack called. Oh, come on. Five seconds up. Yeah. My brain just lost it. My brain. Saudi Aramco? Well, that was the company that was a ransomware. The company. I thought it was asking for the ransomware name. Maggie has no qualms about sliding and taking that one. I'm going to go with ICS in the Middle East for 300. 2020 Iranian hackers repeatedly breached the HMI of several water facilities in this Middle Eastern country. Chris. What is Israel. And to you again. All right. ICS in the Middle East 200. Reportedly hackers who breached Iran's nuclear facilities in 2009 and 10 blared the fun, the song Thunderstruck by this Australian rock band. Maggie. AC/DC. Any other Australian rock band worth mentioning? I didn't read the question. All right. You've got the board. I've also got a lead. Nurture that. So I can. We're coming for you. I'm going to go. And pray with Colonial Pipeline for 100. You would have. 2002. This sub agency. The Department of Homeland Security. Tatiana. What is the TSA. So smart. So smart. To you, pirate hook boss. Not me, but the plan. No. What is the Colonial Pipeline in the USG for 500. This entity in the Department of the Treasury prevents ransomware payments to any entities sanctioned. Chris. This entity in, oh, it's in the department. I don't know. I just lost points. Who says you can't send money to terrorists. That's a lot of points to lose.
I'm not going to guess. I don't care. Kids. Those are internet points. One of us is going to have to wear the vest. Hey, Chris. OFAC. Oh yeah. I've heard of it. It's okay. Most people. Try to stay clear of it. So I think. Tatiana, you're guessing. What is Dune for 400. Trebek, please. Publishing the Dune series. Author Frank Herbert spent time working in this role on several political campaigns. Tatiana. What is speech writer. Yes. Oh, this don't have anything to do with control systems. I don't have anything to do with Dune. No, you know, blame for this whole category. Things we can blame John Hultquist for. Yeah, that's true. We're blaming John. Well, continue to ask questions and perhaps that will become increasingly pertinent to the categories. Dune for 300. BlackEnergy. In December 2015, the APT Sandworm. Maggie. BlackEnergy. Which. Oh, it's not just BlackEnergy. I know, but I knew that's what they had. We're going for basic here. Extra points, Maggie. Come on. You know, we're going for basic. 233. Oh, well, that would have, we would have accepted that too. All right. Dune for 200. This one's Maggie. That's Maggie. Yeah. Dune for 200. Arguably the most iconic creatures from the series are the sandworms. Sandworm is the colloquial name. Chris. APT 28. Which is. Oh, Russia. I have the book right there. Dune 100 is the only choice. In the Dune series, this is the universe's most valuable commodity. Chris. The spice must flow. You haven't read the book. I've seen the movie. I was going to say water. So we have a first half winner is Maggie. And now we have a second winner. And now we copy me is over because the date, the game does not allow you to do two at once. So we. Call this our commercial break. All right. So I've now re-entered your points. So right now in the first half of the game, Maggie is winning with 1800 fictional points. Chris following.
And a decent leg behind her with 700 and Tatiana with a royal 200 points cruising for the vest of shame. She's on the beach. She's a pirate already. Arr. This might be what we call cashing it in. All right. We'll allow the person with the fewest amount of points to lead off. Tatiana. What would you like to pick? Oh, sorry. I should announce them actually. Yes, please. So we've got the OG, the Aurora project, which fun fact has been declassified. No worries there, team. Number two, Going Boom. I tell you the victim and you tell me the type of attack. And if it was malware, I'm going to need the specific type of malware. And we've got Whose Country Is It Anyway? Top level domain version. The Cyber Apocalypse, in which rich, wealthy men tend to tell us about all the disasters that new technologies will bring. And Framework Potpourri, in case anyone's a lawyer and just really, really likes government frameworks. So Tatiana, it's to you. I will go with the Cyber Apocalypse for 200. Former NSA director Michael Hayden had blamed this infamous leaker of classified information for lighting the fuse of the destruction of the modern internet. Tatiana. Who is Edward Snowden. Yeah. To you again. The Cyber Apocalypse for 300, please. When Elon Musk warned that scientists were summoning the demon and said he feared human extinction. Tatiana. What's AI. You've got machine learning. Right. Am I the only one. Okay. Cyber Apocalypse for 400, please. It's going to be my only category. This phenomenon was described by Albert Einstein as spooky action at a distance. I'm touching it. Quantum entanglement. Oh, quantum entanglement. I should go. All right. Tatiana. Cyber Apocalypse for 500, please. This NASA scientist warned that space pollution could trigger a cascading series of collisions in low Earth orbit, rendering satellites unusable for generations. The effect is named after him. And to you again, Tatiana. And go for same category 100. This individual claims to get hacked.
You need someone with 197 IQ and he needs Maggie. I remember that because that was the day I learned I was smart. Always good to have one of those days. All right, you've got control of the board. Okay. Let's go Whose Country Is It Anyway for 100. All right. So remember this is a top level domain version, but so this will all have to do with TLDs. This American nonprofit coordinates and manages the domain name system. I knew it was. I knew the abbreviation. I just couldn't. It's okay. We accept them because honestly, whoever knows what the full word is anyways. Wow. That's in the last round. We had to know that. That's true. We have to know what the full word is. So this is a top level domain version. I mean, I would certainly reserve the right to change my opinion at a moment's notice. Rest in peace, Dan Kaminsky. He was one of the key holders. Yeah. Maggie, back to you. We'll do Going Boom for 100. The 2018 Winter Olympics in South Korea. Name them. Don't think too hard. No, it's. Maggie, to you again. Same for $200. Riviera Beach Water Utility. The type of hack will do here. You don't have to get specific. Ransomware. To you again. Same for $300. Bowman Avenue Dam in Rye, New York. It's just a scanning, I think. Yeah. Basically, reconnaissance. Yeah. Okay. Chris. All right. Going Boom for 400, please. If you get this one right, Maggie won't be twice as far ahead as you. The Ukrainian power grid. Chris. This is known by two names. CrashOverride or Industroyer. Either one had done it. And to you again. 500, please. Same category. Have a drink. Your services and how McEleucid canal, Chris. Insider threat or disgruntled employee. All right. I'm just here. I should have a drink. You should have a drink. There's no reason you can't have drinks. I only have a cup. Although maybe there's alcohol out there somewhere. Have water. We'll have to save the. The other beverages for later. All right. Yeah.
Have a box somewhere. All right. Aurora. Aurora project for 100, please. Researchers at this location famously blew up the 27 time. Maggie. Idaho National Lab. Do you work there or something? No. I worked at Oak Ridge. Tennessee, right? Yeah. 10,000 art. 2,000 art. That there's this. 200. This is the year that the Aurora project occurred. Chris. 2007. Aurora project for 300, please. In 2014, Aurora was accidentally declassified. Chris. Freedom of Information Act. Yes. FOIA mix-up. Yeah. Great times. We enjoyed reading the results, so thank you, Mike Assante. Rest in peace. Aurora project for number 400. Yeah. All right, 400. The number of lines of code that were used in Aurora to blow up the generator. Chris. I think it was 19. Nope. Dang it. Maggie. 27. Nope. Tatiana. I'm not losing 100 points. It was none. Well, you might find one, but ask the next one. They had to reprogram the Schweitzer Engineering Labs relay. To fix that, right? To make it go bad. Anyway, that is. All right. 500. Aurora. What type of vulnerability that was weaponized? Well, there could be two answers. It had default passwords in the relay. Or also the, uh, the vulnerabilities. Uh, was. Being able to change. The settings with no authentication. I mean, with. A little more. Default credentials. Or a password. I actually don't know if that was an additional one. I was looking for something slightly different. Um, if you can Google it and show me that I will. Okay. Well, um, the other vulnerability was, is, uh, it was had to do with electrical engineering. So it was closing a breaker out of, out of sync. But that reason we said it had no lines of code because it was just closing it out of sync. So, uh, yeah, they had to change the code in the. In the. In the, uh, in the, in the relay. Okay. So we'll give you guys both points back for that. She's such a. No, I'm just not going to fight with people who may have.
Oh, we just saw, uh, at the time I was at the power counter, we had to go change all of our passwords. Oh. And yank all remote access. Probably a good thing. So long ago. Um, Whose Country Is It Anyway for 200? TLD for this country is abbreviated .CN. Maggie. No, Chris. Sorry. What is China? Extra points. Decide you. That was a really good one. Really good. Yeah. Yeah. What, what, Whose Country Is It Anyway for 300? The TLD for the British Indian Ocean Territory is this abbreviation. Very, very popular with boutique companies. Tatiana. Dot IO. It does not stand for input output. To you, pirate hook. Whose Country Is It Anyway for 400. The TLD .AQ covers the region south of latitude 60 degrees south. There's like only one thing. South. 60. There's one thing south. Chris. What is Antarctica? Good job. I was thinking that, but I didn't want to risk my 400 points. I risked it. All right. Whose Country Is It Anyway. I don't know. I don't know. How well do you know? I hope there's a, I hope there's a third round. AI programmers. The TLD dot AI belongs to this territory. This is one I have to answer. No, you don't have to answer it, but no one else. You get first dibs. Doesn't he first have to pick how many points? No, it's for a, it's for a thousand. If you read the screen. Oh, sorry. I can't read or answer questions. Maggie, can we get a pet cameo? Oh, it's a baby. Good boy. All right. No takers on this one. Do I get extra points for the pet cameo? Yeah, I think so. Here you go. Turns out, Anguilla. Sure. Yeah. We all knew that, right? We all knew that. Yeah. If I saw my controls was trying to talk to that TLD, I'd be worried. Oh, look, you were in a new look. What's a new look? Probably like a beach, right? Nice. I probably got substations. Maybe somebody's on vacation. And they're remoting in. It's not, you know, China. I mean, how many times though, have you logged on to a site that's got the .ai extension? I don't know. Oh, I see them all the time.
They're getting increasingly popular. It's like a little boutique stamp of might be hacked, Mary. Run the companies. She might be a. She might not even be real. This might be all. It's a deep fake. Just right in the R street.ai was my. Oh, so I get to. Let's see this. I guess it's still my turn. It's your turn. This is going to be a super fun one. Framework Potpourri for 100. Arguably the most popular security framework. This government driven setup has a framework for. Cyber security framework. Hi, next. It's proprietary framework models the behavior of cyber adversaries. Chris. The MITRE ATT&CK. I'm primarily for 300. This 2002 act, updated in 2014, gives DHS official authority over the federal government's IT practices. It's like job. I want to guess but I'm not going to put. I mean, I don't want to. No. Sure. Go for it. The, I don't know, the DHS act. That's not, that was a 2003. The cyber security. Is my, the federal security management act is my. All right, Chris, to you. Framework Potpourri for 400. A set of standards focused on protecting the bulk power grid. Chris. It's going to be an upset. And the last one. 100. International series of standards for industrial control systems. Chris. ISA 6443. Well deserved 500 points. All right, so it is the final Jeopardy time. AKA final factor because apparently they don't have the rights to Jeopardy. So you can either enter your wager on your own device or you can tell me and I will enter it myself. Chris, we're waiting on you. I know, I'm doing some math here. Go ahead. Oh, oh, oh. Oh, oh, oh. That's better would say. All right, you have 30 seconds for this question. This security model, which happens to be a homophone with a major chicken processing company, includes one or more demilitarized zones in its architecture and defines different levels of critical infrastructure. I start with you. I think that's just a locked in. Just tell me what you said. I have to reveal it. Oh, I said that you got it right.
I just hit click see answer is Tyson. We'll fix that in a minute. All right. Maggie, what did you say? Purdue model. That is correct. You wager 2300. And Chris. Purdue model as well. I mean, Chris. So overcoming the adversity of the NDAs. Come back. Impressive. Impressive. Cheers to you, sir. Really heroic. I might have to read it. There's supposed to be a new movie. Maybe just watch the movies and days in it. Yeah. Yeah. That's all you have to do. All right. So Chris wins with 7200 magic points. I'll go to the next one. Okay. I'll give you a little preview of this. I'll give you a preview. It's 46 and Tatiana, I will hand deliver you the vest. That's actually, I'm actually very excited for this hat. Yeah, cause you talked about blockchain in your research. Oh. And I have to wear the vest of sadness and. Very well. I need that controller. What do I get to control with it though? Um, so you bought out of China though. So I'm probably controlling something around the world. Check it before you plug it into your industrial control system somewhere. But, um, barbecue pit. What, I'm gonna hook it up to my barbecue pit. There's a, you could turn them, you flip the ribs. Isn't it nice? Are we invited? Sure, come on down. The barbecue sachet. There's a direct flight from DC to Jackson. I'll come for barbecue. There's no good barbecue in DC. None. Oh, they've got good barbecue. They've got barbecue there. You, if you drive out to Purcellville, it's called Monk's barbecue and it is amazing. Mugs with two g's? No, Monk's, like, oh, like M-O-N-K-S. Okay. Super, super, super good. All right, well, this concludes our industrial control systems Jeopardy that kind of turned into regular IT Jeopardy. Um, and thank you again to our players, Chris, Maggie and Tatiana. Stay safe out there, y'all, and have a great day.