 What I wanted to bring to this scenario today was something slightly different than most of the talks that are being presented, driving a bit away from the idea of basically computers being used only as a matter of privacy, as a matter of data, as a matter of basically how you keep your information from being read or used for different purposes, and driving a bit more of the conversation to how these flows of information actually can also impact in the physical world. So those of you that are familiar with the terms industrial control systems, operational technologies, cyber physical, things like that, you might know already where this is going. And well, the point is also to share a bit of stories. I don't want to bore you only with the theory of what could happen, some ideas, but actually things that have already happened, things that we see in the like threat intelligence community, and also talk to you from a different perspective of threat intelligence as an outsider. So to start this, actually, I thought talking about a bit about personal experience, but in a way that probably is not expected to be seen in here, which is by talking about where I come from. The place where I come from is actually Mexico. So probably you could have guessed with some of these, maybe somewhere in Latin America. And what is not about these countries, the country is well known for food, is well known for happiness, is well known for parties, is well known for culture, a lot of history. But it is not known for playing a huge role in geopolitical games, in terms of conflict, in terms of defining what happens in different regions and whatnot. So coming from this background and from this type of understanding of the world, you can imagine that it was a very big switch when I moved into this world. 
After my time in Mexico growing, blah, blah, and careers, I ended up moving to United States, studying some time in there, whatever, and eventually got hired for a role in threat intelligence community, particular cyber threat intelligence in the area from Washington, DC, where a lot of the decisions that happen impact the world in different ways. There's much more of this culture surrounding geopolitics, how are we going to influence what's happening in different places, how those things are influencing us, and generally thinking about the world from a very different vision. And within that background, you can get even more specific, which is when you start thinking about precisely threat intelligence. Threat intelligence, all of the ones in here know already, some of it you're pretty much surely familiar, but when you talk with someone outside, just in the street, and it's like, what do you do? And you say, oh, threat intelligence, and they're like, whoa, can you even talk about it? Yeah, of course we can, because threat intelligence has evolved in such a unique way that maybe many years ago it was what we saw in the movies, the guy with the hat and super secret. But recently, it's something that also multiple organizations have to do, you know, like from the private sector, from non-government organizations. Basically, there's a lot more going on in the threat intelligence world. And that is basically how we ended up getting this type of information, trying to help different organizations, different countries, people in general, to remain safe, to remain private, and whatnot. So that being said, threat intelligence is not the only interesting thing in here, but also that the time we're living in is quite particular. These are a series of things that I pulled from Twitter, just random that I find interesting, describing what, it's not an official term, but I always say, it's kind of like being in another Cold War, right? 
Where you're seeing different states aligning between themselves, basically, trying to push different narratives, engaging on disinformation, engaging on espionage and shading on cyber attacks, different types, you know, including the physical, which I'm going to be switching to in a second. And actually, what you see here is very interesting. I mean, it is fun in a horrible way. But basically, the ones from below are basically the responses that permanently happen between the Twitter of Ukraine and official Twitter in Russia. And basically, they're making this type of jokes permanently. The one on the left, we see it's from Russian accounts saying like, what they do is saying is false, you know, like a funny bear, these are the hackers. And from the United States, we have these, for example, from the US cyber command, where what they are doing is exposing specific campaigns, specific tools that they are running into, and making some sort of a parody, right? So it uses these flows of information that are telling us there is something going on. We are permanently having this type of clashes. And even though on Twitter, it's very fun and we share them and we, you know, we enjoy them, the problem is that there are much bigger implications. And those bigger implications are precisely when you discuss in terms of the evolution of what we consider from cybersecurity. Many years ago, when you thought about a computer, you were permanently thinking about the privacy and then said, well, it's not only privacy, but basically privacy, integrity, availability, data, you know, no one should get access, if they get access to, I don't know, like your personal information, what can they do, the information from your organization, but not, but actually right now what we are seeing more that I believe is a concern that we should be raising more in these communities is the switch towards safety. Safety parenthesis is a term that does not exist in every language. 
For example, just particularly in Spanish, we say security, which means security, period. Security is everything. In English, they have this separation, for example, safety, security. And the reason to make this differentiation is security means, yeah, when there is someone that, you know, tries to attack to basically generate something negative, some negative input. But particularly in safety, it matters when it's basically the main thing we care about when we see it from an engineering perspective, from a process that means more like there could be a physical damage to your process, to your person, to your infrastructure. And so to illustrate, like, like, to begin like this illustration of what is going on, I have this quick timeline. This timeline is mainly focused on big incidents, like the ones that catch a lot of attention, take years to study. And then we added a bit of like why it's going more dramatic recently. I'm going to be talking of the three things. So the first one, Stuxnet. Is everyone here familiar with Stuxnet? Can you raise your hand if you know what it is? Okay, so basically, it seems like most people are familiar. For those that didn't raise their hand, just a super summary: an attack against Iranian nuclear centrifuges. Both seem to be state sponsored and whatnot. And we'll basically delay the program for a long time after they manage to impact the centrifuges and delay the process for years. Then we have this, I'm just going to summarize, with 2011 through 2016, it's an era where you see more researchers disclosing vulnerabilities. You start seeing some different types of attacks. You see a couple of power outages in Ukraine, for example, where basically they turn off the light for a couple of hours. Some using very complex tools, some using less complex ones. And then eventually we get to 2017. This is one of the cases that I'm going to be talking more about.
I realize that, for example, most people, when they talk about control systems and this type of security, they think of Stuxnet, but in my opinion Triton is the most interesting question. Could you raise your hand if you're familiar with Triton? A couple. Okay. Well, that is great because I'm going to be giving more of a description of that one, that that's actually also like from basically from the back ends of what we saw and how it took place. But so basically that's one of the most relevant incidents from my perspective. Then we get to 2019 and those are other two things that I'm going to be covering, that is moving from the perspective of it has to be a nation state to actually we care about criminals, because criminals are generating the same or similar impacts. And then we care also about basically random people. It can be a hacktivist. It can be an individual hacker. It can be a small group of individuals that decide that they want to explore this type of attacks. And then finally, 2022, just because it's the newest, probably they will mention something in the next panel about Ukraine. There was Industroyer version two, basically reuse of tools from 2016 to try to turn off multiple energy facilities in Ukraine. Gladly, it was stopped as much as we can tell. And INCONTROLLER, which is a big set of tools, not necessarily related to Ukraine, but disclosed around the same time, particularly to impact a couple sets of control systems. I'm going to briefly mention all of those. So to jump into this anthology, how I call it, of tales, I will separate it in three parts. Let's go to the first one, which is the nation state one. For the nation state one, the first thing to mention here is this quote, which I love, from a report from Siemens a couple years ago. What they were doing is they were reporting about cyber security for oil and gas and they were saying, you know, come with us, our products are good, you know, we were trying, we were focused on security.
And then what they highlighted was how organizations in specific sectors are being in the crossfire of different organizations that are trying to impact each other. So what you see is a ton of organizations doing a lot of espionage. Then you see a couple of cyber attacks, the couple big ones that you saw. And the reason why this is so important is because all of these espionage that they do gather information about the processes, how do you generate your product, how do you share your product, what type of network do you have, what type of engineering background do you have, basically who is the people working for you. All of that you need it when you want to go and attack something as not simple as this. And so, having that background, we can go to the first story time, which is Triton, precisely the one I was mentioning. In a nutshell, what Triton is, is basically a state-sponsored attack against an energy facility in the Middle East. It happened in 2017 but took at least since, well, the first time we were able to track activity was back to 2014. And what was the most interesting thing in this case is basically how it happened is all of a sudden, they reach out to our organization and they say, you know, we need your help for a response to this incident, something's happening in the facility, it's turning off, they go, they start checking and then they find this super complex situation where the most unique thing was not the full attack, the full cyber attack, the full cycle, but actually the last step, that it was a very complicated, very sophisticated piece of malware that was specifically trying to target something that I hope probably no one has heard about. Has anyone here heard about the Triconex safety instrumented system? Two people, great. Well, Triconex safety instrumented system is basically the last line of defense in terms of safety.
It's basically once that you modify a process, that you figure out how to modify the process and then you want to turn off this second alarm that says, you know, something's going on, just turn off because, you know, otherwise there's going to be an accident. Well, that is what the safety controller does and then the attacker was already compromising the safety controller, which means they had everything they needed to go all the way through basically, I call it physical attack, but basically destruction. So give an idea of how the attack looks like because I know that beyond, you know, to go a bit beyond just the anecdotal perspective, but like the sophistication of the attack. What you see up on there is basically, well, the attacker came up from IT. Basically, this is how we understand from the control systems operational technology. We understand the world using this diagram-ish that's called a Purdue model and it shows basically that's the corporate network where most of the computers are. Then you start getting more specific. There's the demilitarized zone that separates your control systems from IT world and then you get this distributed control system, controls the process, finally this safety instrumented system. What's very interesting here is that the attacker was able to go all through that process and how they were doing it was actually very interesting because the person that was trying to do this series of compromises using tools that are known, others that are not known, making small modifications, they were testing the tools in known malware analysis sandboxes and then they would test the tool, they would deploy.
If, you know, a certain number of antivirus organizations caught it, then they would continue testing, and when they finally got a zero detection, they go and they deploy. And that is how, little by little, over this period of long period of time, eventually they get all the way to the safety instrumented system. And there there's a very different story about someone who somehow developed this very sophisticated malware for targeting a type of controller that, actually, if you want to get access to one, now we know you can do it probably from eBay, buy an old one, but normally it's it's not not something you can get access to. And there is no public information about the protocol, no public information about how to work with these devices. It's fairly specific. So the three use cases for here. The reason why this was so concerning is because we started analyzing, you have like everything that happens, and then you say, what is it that they want to do with all of this? And there were three possible alternatives, none of which sounded very happy. The first one was, I just stop the process, because if I trigger one of the alerts from the safety instrumented system, it's going to say, hey, there's something wrong with the process, let's stop, I don't want to blow up. Cool, okay, that that's the easiest.
The second one is, I'm going to reprogram it so that it, like, the plant can go to an unsafe state. So let's say that if I don't want ever my process to get to, I don't know, 50 degrees, then I'm going to program it so that it allows up to 60 degrees, so that if in the future I want to come back and I want to make a modification, the safety controller is not going to trigger, and then the plant is again going to end up in a bad situation. And then the last one, which is the most aggressive, is you have all the access to the network, you have all all the process, you have been, you basically own the network from the organization. So what you could do is actually you reprogram the SIS so that it can be unsafe, and also you modify from the control system, distributed control system, how we called, basically just basically how you're interacting with the process, you modify the process so you bring it to this unsafe state, so you force this type of physical attack. And so I know some people don't like attribution, some people do, there are multiple reasons. On my perspective, attribution, more than a specific state, it means basically that that you can group the indicators and have a technical understanding of the author. But in this case the reason I bring it up is because it was a very interesting case. Normally it is a bit more, well, it is always difficult to do this type of work, but in this case there were some mistakes from the actor that were the ones that allowed the researchers to actually go and figure out what happened. I'm going to mention the specific mistakes, but basically the attack was attributed to a nation-state sponsored laboratory, even, you know, going back to a specific location and whatnot. And to do this we had to do all this crazy work. I'm actually just going to step in directly. This is how it looks like if we wanted to do the equivalent of those pin maps, you know, like how you like like like the meme that you just like, what is all this, it makes no sense. Well, basically there were
three lines that we used to get this attribution. There's full talks about this, but right now I'm just going to give you the summarized version. Basically, one IP address that wasn't really really masked, it was directly registered for the organization, that was used to connect to multiple other organizations suffering, it's in similar type of industries, which was used to go and look at our blog post every time we were we were publishing, which was also used to deploy the actual attack, and was also used by this mysterious person. This mysterious person is someone that was involved in doing this testing with the sandboxes, and one day by mistake they left a very unique handle in a PDB path, and then based on that very unique handle from the path, then we were able to identify where the individual was coming from, what it was, whatever. That's that's where you stop as a private organization, you know, it becomes a word from someone else. But then you were able to connect the fact that yes, this is who's doing it, this is where it's coming from, and then you connect with other more opportunists, not opportunistic, less high quality indicators, like basically the languages that are being used and when the activity is taking place. Based on all of that we were able to connect where it was coming from and, well, basically make the assessment of, yeah, to make, it's a no-brainer that to make something so complicated you need resources, you need a big team, and you need to have them working permanently. So knowing all the details might take years, or maybe are never going to be all known, but at least this gave a picture of what it was. And just, I mean, of course this was gladly verified some years later. Actually this is, I believe, from, yeah, earlier this year, basically just the Department of Justice in U.S.
issued an indictment for some of the individuals involved in this and other activity. Basically Triton was one of the big of the big reasons why they they were able to push this, and well, I mean, it just just good to see how the full story closed in, basically the full circle was closed. Now that is in my opinion probably the most impactful in terms of like, it is very obvious that you see the, well, okay, that you see that there was this intentionality for, you know, physical attack, that they did something super complex, that there are resources getting in place into trying to release attacks such as they happened before in Stuxnet and this one in, you know, different ones, right? But then the hot news that I was mentioning were the 2022 cases. It just continues happening, which is the reason why I believe this is more important right now than ever to start bringing into discussion and to start trying to get more people involved into, because, yeah, we saw fairly similarly complicated cases. The case you see in there, INCONTROLLER, is a full diagram of the attack. Never took place. It's a set of tools, and we, when we got this willing to add set of tools, we decided to place how it would look like in the full attack lifecycle. And then this is a full module that targets a very specific, again, a very specific company, very specific controllers, very specific processes. Same for this one. This one is Omron, for those that are familiar, that one was Schneider Electric, and then this is for OPC UA, which is basically a protocol that we use to communicate all the process data. But then when you put all that together, these tools actually gave you like like the full capability of doing a similar attack, more simple than Triton, but actually very beautifully written, in such a way that I'm pretty sure Omron was doing it wanted to do something like this. Which is, this is just a module from old malware that was deployed in Ukraine trying to turn off the lights during the beginning of the conflict, and then what's
very interesting here is when they deploy this tool it basically communicates with a very specific protocol, and what they do in here is they go and modify specifically some processes, they modify the IP addresses, which mean that they already know at least some about the target and where they're going to go, and then they try to deploy and then hopefully turn off the power. And I repeat, it didn't happen, but we got a couple of samples in here, and that's basically, well, literally a couple, we got one and there is a public one in case you're curious about about this malware. And so that is all from the nation state perspective. I think that's that's the most serious, the most concerning. I'll get back to discussing that just like from a high level, but I prefer to begin with that just because it's kind of like like a bit lower in, yeah, I know that it's kind of like a very serious topic, so I wanted to jump to show that it is actually more simple than what we're just seeing, and even though nation states are involved in that and it's already complicated, there are more people who can do it. And so this is the story from particularly criminals. The main, the first time we started thinking about it was ransomware, and you're going to be more familiar probably with these stories, but now I'm going to tell them just from a different perspective so that you see the implications and how they were analyzed for people in the OT space. The first time we ever cared about this is, I know the ransomware goes goes even beyond this, way beyond this, but the first time that we cared was during the WannaCry, then NotPetya, then, you know, and the reason why we we cared is because for the first time we saw industrial organizations, I say industrial, but in this case, for example, you might be familiar with the big case of Maersk, you know, the, I don't say it, basically cargo shipping and whatnot. And basically what happened with this type of ransomware is, you know, it was deployed, it started spreading everywhere, and
then they realized that since they are now using more computers to coordinate all of these processes, physical and non-physical, then basically nothing was working, and then you can't get the trucks in, and then you can get them out, and then you cannot load the cargo, and then you cannot know what is in each container, and, you know, like it made a very big impact. It was millions and millions and millions, and beyond that basically a bit, of course you can't you can't support the service of transferring these goods. But then this was just an isolated case, and normally ransomware wasn't really wasn't really in our radar. It was like, oh, it matters, and some people will be like, ah, it's boring, everyone knows it, it's it's it's simple. But then we started seeing something different, and then it's what this evolution that's known as, well, it's known as post-compromised ransomware by Mandiant, I think Microsoft refers to it as targeted malware, something like that, sorry, targeted ransomware, there are different names. But basically what we saw is when actors started doing something more more more involvement, right, that that the actor itself does engage in the full process, and it's not something just like a worm that it's going to be spreading and seeing what it can destroy, but actually that there's an actor that knows that the most they can damage the process, the most they can make life difficult for the victim, then the most likely they're going to win. And the first time, well, one of the first times when we saw an organization come out publicly with this, it was Norsk Hydro. They were super Pacific for, under Pacific for, I might be inventing a word, but basically they were super clear about this in media and whatnot. They decided to go fully and say, yes, we had an attack, this is what happened. And what happened was mainly that it impacted some of their databases, and since they produce aluminum, but it goes all over the world, it's a ton, it's gigantic, they don't know where the pieces are, they don't know
how to continue, and since they lost all this information about customers, who's paid, what are they paying for, what are they ordering, where is it going, and all of this is connected with the actual physical process, then basically they were lost, and they were like, okay, well, right now we can produce, we're going to have a very hard time. And well, that's basically what happened. It was it was another very big case. And from here, basically, this is what we are going to be continuing to see. This is nothing that happened once or twice, it's something that is happening every time more often, and we see it in the news, we read there was this new ransomware, and then probably from our perspective it means like, well, yeah, just one more, it's terrible, but actually the impact that it can have and that it is having, it's much larger, and mainly when you actually combine it also with with, you know, strategic techniques, like like in like in the beginning, you know, like like with the geopolitics of it. So another case, maritime advisory. Again, they were starting to learn that this was possible. Still, like like, it took years. The reason why I bring this up as in years is because even though there are many cases, it took years for people in this engineering and an OT type of community to accept that this was actually a threat, and it's no wonder, because it's two separate worlds that have been getting, you know, much closer together, but, you know, up until now it was something like, you know, it's not going to affect me, just computers. And then this maritime advisory, what it was saying is, again, there was another case, we can't get access, basically an entirely different case, it's just like access to the to the port, it's impossible, so the process is getting very difficult, again we cannot go, we cannot continue with our production. And you can see many different cases, of course. You can see this is a very random one, Johannesburg City Power, basically energy for customers. All of a sudden you cannot receive energy because
they decided to drop the ransomware on the date when you have to pay, and then if you can't pay you don't receive energy, and your payment is automated via your service, and there is no service, so basically you can't pay, so you lose your energy, and the organization didn't know what to do. Another example, Prosegur. This was, it's a security, you have like security type appliances, alarms, basically, again, your alarms turn off, nothing you can do about it. It affected multiple customers. This is just to show like like the different type of impacts, you know, like like it can be as big as lack of energy, it can be lack of water, it can be, in these cases, you know, something like you can't pay, it can be, but in the end it's having an impact in your daily life. And the bigger one, probably this is the last series I have for ransomware, is the Colonial Pipeline. It was 2021. That's when they accepted and they said, yes, right now I have to do something, everyone go and look for ransomware. And this was basically oil and gas distribution in US. The attack didn't actually impact OT or, you know, like production systems, but what it actually did was, you know, it was it was in such a way that the organization and the incident responders and whatnot considered that it was a good idea to stop the process temporarily to make sure that nothing was going to spread, because if it was to spread into the control system, the impact would be much more massive, it could be a lot of time that users would not get access to gas. This was a big impact in US because in the area where this organization was operating, well, yeah, there was basically gas shortage for a period of time. And even though this is a United States case, you know, I mean, it could be as a simple, earlier this year there were some cases here in ports in Europe, which is like from a theoretical perspective you analyze that you have some of the biggest ports in this similar area, where you have for example Hamburg, you drop two or three ports from there and, you know,
sharing things, you know, communicating is going to be super difficult. Anyway, but just to keep the note a bit higher, I'm just going to say it has gotten worse when they mess up with your beer. That's something that we normally do not consider appropriate. And also here there was this case, Bakker Logistiek, and basically, you know, we couldn't get cheese in Albert Heijn, so those of you that are from here, you might understand the trauma, and it was basically because they could not continue with this, the distribution of the cheese, for a couple of weeks. But anyway, those are more more like on a happy note. But all of these, the point is, it's not a couple cases, we're talking about thousands. What we did for this experiment, which is actually interesting, is it does not depend on the visibility of an organization, but what it actually depends on is we went directly to the ransomware shaming sites where they go and they drop the leaks after compromising its organization, and then we gather all that information, and then that's how we generate this these numbers. We filtered specifically for industries that we consider that might be using this type of physical processes, and then that's how we got to this number of 2021, around 13, 1300. Of course we continue seeing more, 2022 has been the same or bigger or larger surprise. And also we highlight that, you know, it's not only like small companies, because some people believe, well, if you're small and you don't have budget for security, of course you're going to get popped, but actually there's also some very large ones here. I mean, well, this is above a thousand, above 10,000 employees. Basically, you know, all type of organizations are the ones that are being impacted by this type of activity. But this is fine. I, if anyone went to my other talk you already saw this, I just love it too much, the author gave me allowed to use this in in in this type of environment. But yeah, the point is is, I mean, of course this is terrible, but yeah, I mean, all of us are dealing with that
and and the point in here is just to bring up about this additional implication that we have from the physical world, as to see how we can work together, to see how you can solve it from a physical and from an IT perspective. All of this, I think I should have placed this earlier, but the point is just the reason why it's getting so complicated as well, if for those that are not as into the this specific world, is how it's getting more complex for for all of these groups. Basically the fact that that you don't have a single individual or a single group doing it, this type of ransomware deployment, anymore, but rather different cells. It might be some people doing initial access, offering it, selling it, distributing, someone else develops this panel so that you can go and charge for the money and communicate with the victim, some other group might be doing moving across organization network using the same techniques that the nation state actors used for deploying Triton or what not. So that is actually another big point, that if you can see what these actors are able to do right now, well, it should be a big alert, because they are super close to the point where they can generate, again, willingly or unwillingly, the type of impact that we don't want in the physical world. But that is all from from ransomware. Again, I'm going to go another layer a bit more more simple, just, you know, to go from the from the worst to a place where we can chill a bit. And so I have a couple more stories. These ones go on the on the layer of other type of actors, not nation states, not organized criminals, just a random individual. It could be any one of us in here, it could be our friends, it could be our acquaintances, hopefully not, but it could. And then we have this what we call low sophistication type of attacks. This one is interesting because it happened a couple a couple of weeks ago, and basically it was, apparently this actor claimed on Twitter to have popped this Iranian steel production facility. They shared some
videos. That's actually, if you go, you can find it, probably. I don't know if they took it down, but for a while it was there. And then that's a video of what the impact happened actually in the facility. Here there are some machine interfaces of how you interact actually with the process. And the point in here was to say, like, hey, you know, we want to show that we are terrible, we want to show that we hate you, so we go and we do this to your facility. They were super nice to say that they do it carefully not to impact any individual. Who knows? And we can't even verify they actually did this or not, because obviously it's a bit more obscure to get this type of information. But, you know, there is, like, the type of thing that can happen from less sophisticated actors.

This is another one. This is Florida. Oldsmar, Florida, a case where an attacker gained access to a water treatment facility, and basically what they did was modify the chemicals in the water so that it would become basically dangerous for the individual. The attacker wasn't very skillful. What they did wasn't, you know, super calculated and whatever, but they got access and literally they modified the chemicals up to the top, which means that obviously there are going to be alarms and there's going to be people looking at what's going on, but the attacker wasn't aware of this. So very quickly the operator fixed it. No one died, no problem.

But just for the fun of figuring out what could have happened, we have this exercise. This is a chemistry exercise for students in college based on this, that what it said is like, let's calculate what happened with the pH of the water if this had succeeded. And basically it moves from around the, I believe it should be around here, like seven, nine, that you can drink, it was all the way to 13. So what can happen to your stomach if that happens, basically, I encourage you to look for it in Google if you don't want to sleep tonight. It's really horrible, but it just
basically can be super damaging for an individual. But the point is, when you go with these actors that are not as, you know, experienced and whatever, it doesn't have to be that serious. We also have a couple of fun stories.

And this is the first one. I don't know if anyone here is familiar with, if I say a gas system, and I ask, is anyone here familiar with what a gas system is? I'm glad, because who knows, right? I mean, a gas system could be whatever. Well, these guys just apologize and they said, we compromise this gas system in Israel, and it is because we basically hate them, whatever they are doing to people, whatnot, and then we're gonna make everything burn. We started looking at this, and what we did, a different approach, is just look what is it that they actually had access to, because it's very relevant if they're actually doing it. By looking a bit into this, it was very funny, but we just started looking some keywords like dampers, I don't know if anyone, damper system or damper, or we started looking also for the IP, more or less the location, things like that. And basically it turned out to be a kitchen. This was a kitchen appliance. It was basically, you know, HVAC for a kitchen. But, you know, I mean, it's interesting that they are getting access to these things, but also, you know, gladly it's not so simple yet.

A second case was this one, which is an actor saying, I have access to a rail system from Germany, which sounds fairly concerning. But then when we go and look into it, basically by doing our reverse image lookup into this, it turned out to be a model train, a toy. It sounded very concerning, obviously it wasn't. It's interesting that it was connected to internet. They could have, you know, modified the toy train, but definitely much less concerning, more like an interesting story.

And then the last case that I have for this one is refinery. These groups just drop these interfaces, and then they drop basically the list of what the service is, what is it that they are
doing. What they do is they look for this protocol B and C, they look what panels are controlled, and basically they say, we have a refinery. So of course we go and validate, and their refinery was a peak feeder. Well, you can choose your animal, insults of our horses and whatnot, but basically much more simple than it could have been.

So the point with this third set of stories is more about the fact that there are actors actually learning about this. While this is not very impactful most of the times, probably in the first one, not on the others, there are people that are trying to learn how to do this, that does not require as many resources as the nation state or as a criminal, and in the end that's how they began. There's actually another report that we have from a nation state asking for information, a full research from a consultancy, of how do you do this type of minor attacks, which also shows basically, you know, like this appetite for learning how to do them.

But that being said, those were the stories in general, like to share a bit of what we're seeing from the physical world, from this connection, the type of threats, type of concerns we are sharing, the type of things we want to encourage you to go and also look into. But just to discuss the high level implications, like what does this mean, what we want to take.

First of all, on a high level, where is this coming from? For many years we have had this idea that technology is basically, the more we incorporate computers, the more we incorporate the clever things, the more we make things as smart and whatnot, you know, the best we're going to be a society, the more problems we're going to solve. This goes in hand, for example, with like United Nations pushes all these theories on digital inclusion, let's get everyone to a computer, then everyone's going to be better and whatnot. All of this is true, it's perfectly true, but the problem is that we should also be considering what might be the
implications when you connect these computers to the physical processes that before used to run, you know, directly from an engineering perspective. Then you need to start thinking about what are the implications, and then we need to also start thinking about different ways in which we can make these connections clever, because it is going to happen. The vendors are going to do it. But we need to think actually what are the implications and what can we do about it, and that is, you know, where there's our role.

If we don't do that, which is the reason why I bring also the scary cases, well, several things can happen, because there is interest from states, from criminals, and from random people to try to play with these systems that control physical processes. And sometimes, as you saw, it can be model train, it can be your heating, it can be something, you know, very, very small, arguably. But it can also be something extremely concerning, like in the case of these energy facilities, like in the case of a water facility. Like, those are things that basically you do not want people messing up with, be it state, be it individual, be it crime. And that's something that is not really being as explored as it should.

And the final thing is, there is definitely a lot of interest in trying to stop this type of activity, but where I'm seeing it the most, where I'm seeing the most interest, is at different levels, more like big organizations, the governments and whatnot, that they say we should stop, fill there your favorite nation state, your favorite organization, from developing attacks for physical infrastructure. But I do not see actually, you know, from more on the individual community, how are we going to solve this type of challenge? What ideas do we have? How can we bring this into the community, you know, beyond this high level government type of perspective? And that is the reason why, yeah, just to wrap up and finish this presentation, the last thing I have is what you can do. What
I'm encouraging, what I'm asking for, to make it very clear, is, first of all, I share this just out of interest. It has been very interesting to learn about all these things. Actually build a lot of that, there's very few people that start getting visibility into these until it gets public. All of this is public and verifiable. But I mean, it has been also very interesting, and then it's very nice to share it. But also we definitely want to get more people involved. We definitely want your interest. If you're working with web security, well, what about thinking about web security for industrial controllers? Like, would you be willing to play with us for a bit and see how we can make those work better? If you're playing with, you know, basically whatever you're playing with, I think that if you have a bit of knowledge in this area, if you're curious, if you want to start playing, we would definitely love it. And yeah, you know, basically it's an open field, there's a lot of people involved in it. And yeah, that's all on my side. Thanks for everything. I bring this back up.

Well, thank you, Daniel, for this amazing talk. It was super interesting. I learned so many new things. If anyone has any questions, there are microphones in the path in the middle, so if you have any questions, walk up to those and Daniel can answer them.

Two questions. One, is this microphone on?

Yes, it is.

Yeah, thank you. Have you read at least the intro to Red Storm Rising by Tom Clancy?

No, no, not really.

I recommend that you read it, because that really sets out the path to this whole thing.

Okay. Well, what was the name, to share the recommendation, because the microphone is a bit low.

Aha, it's not working. Red Storm Rising by Tom Clancy.

Okay, recommendation to read Red Storm Rising. Apparently it's very good for this. And also to return with another one, there's another one called Sandworm. Sandworm, the book, it's also very interesting, very good. It's not particularly cyber physical, but it includes some big sections of how this began
and whatnot. But also, yeah, thanks for the recommendation. I'm definitely gonna go for it. Thanks for the recommendation.

If anyone has any questions? No? No. Well, then give another big applause for Daniel. Thank you.