 Hello, my name is Kevin Hood, and welcome to my Aerospace Village presentation for DEF CON 29. I'll be discussing how people interested in aerospace cyber security can jump to start their career and some of the resources that are available out there to do it. So before I start, I must add that this presentation represents my opinions alone and not those of my employers. So who am I? So I am a student at Emory Riddle Aeronautical University studying cyber intelligence and security. I'm currently a software security engineering intern at Collins Aerospace. In addition, I'm one of the project managers for the aviation ISAC cyber competition, but overall I'm really passionate about getting people involved in the aerospace cyber security community. So presentation overview. So I'm going to start off by talking about how I prepared myself for aerospace cyber security and going to be touching on undergraduate research programs, the benefits of developing and attending cyber security competitions, and then of course how to get the most out of various conferences. After that, I'm going to focus more than on the technical skills side, which is how can we develop, you know, models and you know, projects to make them make it where we can learn and practice a bunch of technical skills and how can we optimize our learning through this whole process. So undergraduate research. So for people that aren't familiar with undergraduate research, this is where, you know, universities all across the United States have different programs where they'll support research projects. So they may end up, you know, funding, you know, a certain amount of money, you can end up getting paid to do it, but there's a lot to be learned by, you know, participating in these separate projects. So first off is you can learn project management. That's going to be really key. That's going to, you know, help you across, you know, any career path that you're going to choose. Another one is it will enhance your problem-solving skills. Research projects, you know, are just shown that they are really beneficial for problem-solving. And that's the skill that you want to really practice a lot. Another one is practicing, you know, how you can manage research budgets. That's going to be really beneficial as well. And then finally, how you can improve interpersonal skills. That's going to be really good because you're going to, you may be presenting two different audiences. You may have to be writing different papers about it. And most often you'll be working with a team or a lot of experts within the field on the project that you're working on. Another thing is participating in cybersecurity competitions. So there are some, there are a couple of competitions here that I want to touch on that I've found to be really beneficial for people that are just starting out. The first one is the National Cyber League. So this competition is hosted, I believe, in the fall and the spring every year. And it's only about $35 to register for the competition. But you are, you are exposed to a wide variety of topics in cybersecurity and they start off at an entry level. So the benefit here is, you know, maybe if you have some experience or no experience at all, this competition will help really give you exposure to a lot of different topics and start practicing in many different areas. Another one that's a bit more advanced is the Department of Energy Cyber Force competition. So this one is where you are working to secure industrial control systems. But at the meantime, you'll have professional hackers that are trying to break into your system. So that's, you know, a really great one. That's one of my favorites. Another one is the National Collegiate Cyber Defense Competition. This is sponsored by Raytheon Technologies. This is again, a more advanced competition, but a really good one that, you know, you work on with the team. And then finally, the Lockheed Martin Cyber Grand Challenge. This one is similar to the National Cyber League in that it covers a wide variety of cybersecurity topics. It's more of an introduction. It's more for entry-level cybersecurity professionals. But at the same time, it has some more advanced topics later on. And I believe on this competition as well, you know, if you score in the top, you know, 10 players, you can end up getting a job offer or, you know, other benefits from Lockheed Martin. So why am I bringing this up? So why are cybersecurity competitions so beneficial? Well, first, they really boost self-confidence. When you're working with a ton of different, you know, challenges and you're solving more and more over time, that's going to really improve your self-confidence. It'll make you believe, you know, you can actually do cybersecurity. It's not, you know, an impossible task to do and it's a really great way to boost your confidence. Another one is critical thinking. There may be a lot of challenges where you have no idea how to complete it and you're going to really have to think in different ways to really, you know, solve the different problems. Another thing is their hands-on. So hands-on, when you're working on hands-on projects, that is going to be a lot better for retaining what you learn. You're a lot more engaged and that's just overall a lot better. Another thing is in these competitions, they can introduce a ton of different advanced topics but do it in a simplistic manner. So let's say there is some really in-depth network packet analysis that I wanted to get involved in with cybersecurity competitions. You can start at a very little level and slowly build up your experience with that. Another thing is when these competitions are more team-based, you have the ability to really, you know, get more experience of working with a team. That's another critical thing that you're going to do later on in your life in a full-time career. And then finally, you get exposure to a wide variety of topics. So these cybersecurity competitions can be for, you know, tons of different industries. It could be for industrial control systems. It could be automotive. It could be aerospace. Overall, there's just tons of different topics that you can be exposed to and it's really fun in that way. Another thing that I want to touch on is developing cybersecurity competitions. So during my time at Emery Riddle, I have developed two competitions. The first one was the Cyber Aerial Competition back in 2019. This is where it was actually an undergraduate research project that we did. And what the idea was that we wanted to develop an aerospace cybersecurity competition for local Prescott Arizona high schools. So we bring in some of the schools in the area, some of the high school students, and they would be able to compete. But we want to make this competition for pretty much completely entry-level. So none of the people that were attending the competition really had much experience in cybersecurity. So this allowed them to get really great exposure to that. And then the following year, we started the aviation ISAC competition. So this was hosted at DEF CON 28 last year at the Aerospace Village in addition to their summit. And this one was a lot more advanced. We focused the audience towards college students and of course the audience at DEF CON. And I'm going to dive a little bit deeper into this competition. So for a little bit of background, this was developed by Emery Riddle and has been supported by Intelligenesis or Sidebody Works and is hosted on the Cyber Skyline Platform. So when we were developing this competition, there was a lot of things that we had to think about, you know, what topics we wanted to include. And when you're developing competitions, you get experience in a completely different way. So the development process for this competition. So when we were thinking about it and what we wanted to, how we wanted to develop it, we had to think of, you know, what topics should we introduce. And we wanted to introduce a wide variety of concepts in the best way possible. In addition, we want to see how we can make it most beneficial for the participants. So how can we give them exposure to tons of different skills or tons of different, you know, things that you're going to be using later on in a cybersecurity career. And then finally, we want to make sure that we promote ethical hacking through an instant response scenario. So originally, the competition design was going to be, you know, the participants are going to come in and break into a simulated airport. But instead, we turned that around and made it into an instant response scenario where instead of picking over an airport, you have to regain control and you have to identify who the attackers were. And overall, we found that this process really worked well for the development. Now, another thing I'm going to touch on is attending conferences. So why are conferences so beneficial if you are just starting your career? So the first one I'm going to talk about is the RSA conference, their college day. So RSA and San Francisco, what they do is they offer the last two days free for any college student. And the benefit here is they also have things like their career fair, where you can meet, you know, representatives from Lockheed Martin, Dell Technologies, I think it was Walmart, NBC and a couple others. And that's really beneficial because you have an opportunity there to get insight and, you know, feedback on your resume and just get a lot of, you know, networking opportunities there. And then two others I want to touch on are the ISAC summits. So Aviation Automotive are two that I believe still offer free passes for college students. And this is really beneficial because this is where you're going to be seeing a lot more of the people focused in these different industries. And it was two years ago that I attended the Automotive ISAC summit in Plano, Texas. And I found that that was just an incredible conference in that you were able to learn about tons of different talks and meet experts across, you know, the whole automotive sector. And that was really beneficial. And I believe the Aviation ISAC summit again still does that. But with COVID, of course, we have to double check that. And then the last one I'm going to touch on is CactusCon. So this is just a local conference that goes on in Arizona. And the point that I want to make here is that definitely research in your area what cybersecurity conferences are going on, because that can be really beneficial for one meeting new people, you know, just learning what companies are in the area. And overall, just the ability to attend more talks, that can be really fun as well. So now why are these conferences really beneficial? So the first thing is networking opportunities. So when we're first starting out, it's really beneficial to start building our networks, start meeting a lot of people and start talking to them. That's going to be really critical. Another thing is presentations. So with presentations at conferences, you're able to get exposure to tons of different topics, and you're able to learn things that may be more fascinating to you or things that you don't really want to pursue as a career. That's really beneficial as well. And then finally, you get to learn about a lot of the different cybersecurity products that are out there. Some of the expo floors, you can just talk to the people, learn about what products they have. And that can be really great as well. If maybe you're looking at certain companies that you want to work for, you can learn more about them. And that is really beneficial. Now, one thing that I do want to touch on is a really good networking example that I had at RSA back in March of 2020. So when I was there, I met Matthew Lulan at the ICS Sandbox. So he is the chief executive inventor of Intelligenesis, and he developed the Cyber Body Works platform. So when he was there, he had the Cyber Body Works platform on display for people to interact with, and I decided to ask him about it. So we started discussing Tinkering projects, and I brought up a runway light system project that I worked on that year. In addition, I discussed the aviation ISAC Cyber Competition Development that we're undergoing at Emory Riddle and brought that idea collaborating. Sure enough, we decided to collaborate, and he completely revolutionized the runway light system project into a competition challenge. And I'll be touching more on that in a little bit. But the point that I want to make here is looking back, Matt sets an excellent example for networking. With his abundant knowledge and incredible background, he was willing to chat with a very awkward college student and bounce ideas. I think this is critical because people starting their career are looking for advice, and industry professionals that are willing to share their background and insights can really help us jumpstart our careers. Now that's enough of the conferences and competitions. Now I'm going to be focusing more on how we can develop our technical skills. So with hands-on training I touched on earlier with competitions, there are a lot of benefits when you are participating on these set of projects. So first, you're going to be a lot more engaged with what you're working on, and you're going to retain a lot of the material that you use overall. In addition, you're going to be solving a ton of different problems, and that's going to be really beneficial to translate later on into work. And you're going to really want to improve your troubleshooting skills over time, because that's going to make any job that you have later on easier. So we're going to take a look at an example. So the runway light system project that I touched on earlier was a project developed for the cyber aerial competition back in 2019, and it was later adopted for the aviation ISAC competition where Matt from CyberBodyworks was able to completely rebuild it and make it into an incredible competition challenge. So the idea here is that it is connected to a Raspberry Pi and it has a bunch of LEDs, and that's how we simulate the idea of a runway light system. So what is the architecture? So prior to Matt taking over the project, so the initial architecture was a web-based dashboard to manage the lights. We utilized the open PLC software. It was running on a Raspberry Pi and we just had several LEDs connected to various GPIO pins. So that side of it was pretty simple, but then let's go into the development stage. So why are developing these types of projects really beneficial? So when you're developing them, you're going to get to work with things like Python, HTML, logic ladders, or any other things that you want to work with. In this case, we worked with Apache web server. We implemented various networking and firewall rules. We did a bit of Linux administration and then of course OS hardening, but when you create a product like this, you now have a platform that you can use for pen testing. So now you can see how different security configurations that you put onto that system can then hold up to various attacks that you can try out later on. And this is going to be really beneficial as well because you can now practice tons of security tools and see how your project, you can see how those tools affect various configurations in the project. And most of all, since this is, you know, not anything within the industry, this is not something you have to worry about any, you know, legal implications. So you can kind of just go crazy with it. That's a really nice aspect of it. So let's look at how I recommend designing a project. So I'd say the first thing you want to do is take a look at some of the technical skills that you want to train. So maybe you want to get more, you know, well-versed in a certain topic. Maybe you want to get more experience in C or, you know, Python and so on that. I mean, that's what you want to make. You want to make a list of all the different technical skills. And then you want to research some aerospace infrastructure. So in this case, take a look at what infrastructure, you know, is in the industry at the moment and see how you can use your skills to then simulate it. So what I'm getting at here is create a model that represents something in the aerospace infrastructure and develop that model using the skills that you want to train. And then of course, at the end, you're going to select the hardware components that you want to use. And that's how you can make it be a product that's more on a budget. So let's look at an example. So in this case, let's say I want to, you know, get more well-versed in signal security, GPS, the IoT lower radio. Maybe I want to do some stuff in bed systems. And in addition to that, I'm going to do some 3D printing. So with that, those are the technical skills I have. Now I'm going to research in aerospace infrastructure. So in this hypothetical scenario, let's say we want to make it where we can track the various aircraft tows around a terminal. So we want to log the location history and then see where, you know, they are at any given time. So this is just a, you know, again, a very simple use case for it. Then let's develop the model. So let's say we want to use lower nodes with GPS and make them all trans transmit their, you know, location and information back to the centralized lower wind gateway. And this diagram we see we have several tugs just all spread around a terminal. And then they're transmitting their GPS location to a centralized lower wind gateway. Then we're going to select the hardware. So on a budget, you know, you can just go on Amazon, find some very simple development boards. So in this case, I chose maker focus lower GPS module, two of them for 30 bucks isn't two of them for 60 bucks isn't too bad. In addition, you can get the lower wind gateway hat for Raspberry Pi. That's about $140 a little bit more expensive, but still not too bad. And then of course a Raspberry Pi that's going to be connected to the lower wind gateway. And the final thing is a optional 3d printer. So let's say you want to make enclosures for some of these, you know, embedded systems, then you can get a 3d printer. Now those are a little bit more expensive, but you could do that and, you know, take it even further. So the one thing I want to say as well is when you're developing these projects, you want to share about right about it on LinkedIn, share about it with various cybersecurity experts that you are able to connect with. And they'll like to and people like to, you know, learn about these different projects. Another thing is you can create a personal website. That's where you can go in a lot more detail about the projects. And you can have a more long term, you know, place where you can store all that stuff. In addition, you can even get back to the community where you can turn the project into a kit and then share it on a website like Instructables where other people can recreate what you work on. And so what are the benefits? So why am I even bringing up this part? So the big thing is when you're doing these projects, you're able to improve those technical skills that you set out in the beginning. In addition, you now have a penetration testing platform where you can really see how various pen tests affect your different configurations. In addition, you now have experience that is applicable to future engineering jobs. So for instance, like troubleshooting and problem solving, that's going to be really beneficial later on. And then of course, let's say as an entry level, you may not have a lot of material on your resume. You can now put these projects on your resume and, you know, really bring them up at interviews. And that can be really beneficial as well. So that's pretty much it in terms of those team green projects. Now I do want to touch on really briefly the next project that I'm planning to work on, which will be a large scale model of a cyber airport. So the idea here is I'm going to make a diorama where we have an airport where people can plug in their laptops and start pen testing at various, you know, aerospace infrastructure. And what I want to do with this project is work along with the aerospace village and, you know, put it at maybe conferences or at colleges where people can, you know, just take a look at it and get some exposure to what the aerospace security industry has to offer. So this is something that I'm going to be sharing a lot on my LinkedIn. And I hope to be developing more and more in the future. And that's about it for that. So thank you very much for attending my talk. If you guys have any questions, please reach out to me at Robin Hood on the Aerospace Village Discord.