Well, hello ICS Village. I'm coming to you live from sunny Amsterdam, and today I'm going to be talking about critical infrastructure and a presentation that I gave recently at the United Nations, after an invitation from the United Nations Institute for Disarmament Research. So I hope you enjoy it. If you don't know who I am, that's fine. Certainly not a household name, but my name is Chris Kubecka and I am the CEO of two companies, one in the Netherlands, one in the UK, dealing with cyber warfare and ICS, IoT and IT proactive security. I'm also a distinguished non-resident fellow at the Middle East Institute, and previous to all of this I used to head the information protection group for Aramco, and I was an aircrew member and was in Space Command dealing with command and control systems. One might say I'm also a bit of a reformed hacker, or at least now a reformed, an ethical hacker, because I come at it from a slightly different point of view, where I started as a kid being a quote-unquote black hat hacker. I got busted at the age of 12 doing very, very naughty things. So, why is this particular talk and this topic important? Well, one of the reasons is, we now live in this wonderful digital world, we are able to have DEF CON and the ICS Village remotely. And we can absolutely on technology. And if we want our modern world to continue, we have to deal with the simple fact that hopefully our technology will not be used to kill us. So the United Nations has been involved a little bit late in the game, and they are very concerned about member states and their responsibilities securing the ICT assets within their own borders. In 2015, I did say they were a little late, a Group of Governmental Experts published a report, report h, that stated four main facts: that every member state is supposed to secure its own country's cyberspace, that includes IT, IoT and ICS security. In addition to that, every single member state should have a computer emergency response team. Fantastic.
And also with that, if there is a country where an attack is coming from and then transiting through that, if you are a transit country, say like something coming through the Netherlands, aiming at Austria or the United States, then that transit country and their systems should be able to provide aid, and also any member state that's under major attack should be able to exchange information on the incident and also technology, and if at all possible, additional subject matter experts like CERT teams to assist in a major attack. Well, this sounds all wonderful. Lovely jubbly. And at the UN, the majority of member states did agree to this particular report and thought that these things were very, very important to have. However, at the UN level, at this global scale, lots of government experts don't actually realize what's really going down on the ground. So, this is one of my favorite quotes. It is: "Never underestimate how dependent you are on your information technology and systems. It's become like oxygen. You think you can live without it, but you can't." And this was a quote from the CEO of Saudi Aramco after the 2012 Shamoon attacks. What I'm showing here is a picture of one of the events that happened after the attack, where there were miles and miles of gasoline trucks that could no longer be loaded up because the industrial IoT system in between was no longer functioning, nor were... Now, Saudi Aramco experienced the world's worst cyber warfare attack. It isn't spoken about too much because I'm currently the only person authorized to actually discuss it. In about two hours, 85% of their IT systems were lost. And when I say IT systems, this is VoIP, this is the payment systems, this is the HR data, some of the backups wiped, some of the firewalls were affected, and there were two production plants that were actually affected. And unfortunately Aramco was unprepared. They believed, you know what, barely anybody knows about us, unless you're in the oil and gas industry.
So why would we ever be a target? Unfortunately for them, around the same time Arab Spring was going on, and that had recently encourage and Saudi Arabia and Iran are not very good friends. And because of this lack of understanding, their systems both on the IT side, IoT side and ICS side were not very prepared or secure at all. In addition to this, the attack affected countrywide internet connectivity, taking out two of the three mobile providers because actually separate the internet connection, and Aramco provided internet connectivity for emergency services, hospitals, schools, police stations, universities, and you see where I'm going with this. It was not a very nice picture. 14 days after the initial attack, Qatar's national oil company RasGas, a joint venture between Qatar and ExxonMobil, was hit with a different variant. The Shamoon variant for Saudi Aramco had a burning American flag. And what we estimated after the attack, if the two companies had actually fallen and could not restore themselves as quickly as possible, we estimated that a barrel of oil could hit as high as $450 per barrel. And if that had happened, it would have caused a domino chain of global economic and supply chain damage. We see COVID right now, where it's causing a lot of issues, but imagine if nobody could purchase oil. No cargo ships could purchase oil because it would be too expensive. You see where I'm going with this. We teetered precariously on the edge of a modern-age Bronze Age collapse due to a cyber malicious attack. The reason why I know about this hack in depth was because I was the person requested to help recover international business operations and establish their mature digital security and cyber threat intelligence. So, one of the things we have to understand is the vast majority of critical infrastructure is actually privately owned. And there are limitations to how much a state can regulate, legislate and ultimately dictate to the private sector.
And there are major costs associated with going, "Hey, guess what, you got this legacy stuff. It's not really up to snuff. So you're just going to have to replace it." So then comes into the question, what should water actually cost versus a beautifully near-risk-free ICS system? And now that we're in the middle of a pandemic, unfortunately, are our hospitals going to have to choose between securing their systems, which also includes a lot of medical IT devices, or are they going to have to go ventilator or secure ICT? And I think all of us right now, watching this, we would kind of like those ventilators. When it comes to establishing a computer emergency response team, this is a fantastic step. However, we have to understand that a CERT team is a very reactive team; they're constantly putting out fires. And usually these teams are not very big. What happens as well is they have to do putting out fires, write advisements to constituents, advisements to governments; they're doing a whole bunch of stuff and investigations and give training, and especially give training to critical infrastructure. They don't have a lot of time to do a lot of anything, but yet they're expected to do basically everything. So the concept to understand is that a lot of computer emergency response teams are not actually capable of doing all of the services that are expected of them, or are not actually mature enough to provide the majority of services. There are still CERT teams in various countries that don't even use encryption on their website, and not all CERTs actually take vulnerability disclosure. So this is feedback from a person who works for a German think tank who's writing a paper right now for the German government. And one of the things she noted was the fact that here I live in the European Union, and we have something called CERT-EU.
She's very puzzled over the fact that nowhere on their website could you find a link or information on how to actually disclose vulnerability information. And this is a CERT that, in essence, would provide response for 513 million people. But there are a lot of limitations with CERTs. Now, one of the things that I proposed to the United Nations was: CERTs, fantastic. I think that is step one to really taking a look at how member states should really secure their cyberspace, but at the same time I propose to them, if one might pronounce it that way, a computer emergency prevention team. And I truly believe that member states should have these. So a team that actively looks for any sort of issue, or high-probability compromise to systems, whether that's IT, IoT and ICS that are exposed to the internet. Look at the supply chain issues, which may allow for exposure, and be that kind of like fire alarm and warning system before the fire actually bursts into flames and has to be put out. In addition to this, they can also take on the role of the advisement, especially in critical infrastructure, allowing the computer emergency response teams to actually put out the fires when they need to. So I'm a big believer in proactive security. And currently, I am the subject matter expert for part of the European Union, where we're building the world's first exclusively proactive security team. We are looking for high-probability compromise systems and detecting compromise as quickly as possible and starting the incident response portion of locking down a system. And determining what the major risks are before the CERT team comes in for the incident, the rest of the incident portion. So, we live in this wonderful connected world, and I'm going to give you a new term and a hashtag you're free to use. So: bring your own house. I happen to be in my home.
But when we connect up to power plants, or any sort of production, or industrial IoT, or even our workplace, which might just be regular IT systems. And what has happened in this wonderful pandemic, wonderful at all, is the fact that the employees were sent home, and this also includes technicians and engineers, and they're like, "Hey, do your job from home." Okay, great. So I share this network with perhaps my kids, perhaps my partner, perhaps I'm stealing the neighbor's Wi-Fi, who knows. Their home network is now considered perimeter security in many ways. Now I'm fortunate to have my own commercial-grade firewall that cost me about 2500 euro, but most companies are not going to roll that out for their employees. So, perimeter security is now your front door. And when we take a look at how engineers and operators are trying to stay connected, we are going into a very kind of scary area right now, because one of the things I did, also preparing for my Red Team Village talk, was to do a massive scan across the internet, and try to find some easily found exposed control systems, looking at ICS, industrial IoT. And unfortunately, I found way too many systems. As you can see, I have this wonderful table that says "please hack me". The reason for that is a lot of these systems, either they don't have very much in the way of security, like the Modbus protocol; you have to be very careful with that one. Even if they've got a more modern control system protocol, it doesn't necessarily mean they're on the newest and greatest firmware, or the fact that a lot of these things now are really industrial IoT products. And they've got these wonderful things called web servers. And I like to say, if it looks like a web server, hack it like a web server. So just because the protocols might be wonderfully put together, or say Siemens S7, if it's got a web server login exposed to the internet, and it hasn't really been tested for security.
Then, you know, release the cross-site scripting and a bevy of other different types of attacks. So, one of the problems we have is hacking. And when I say hacking, I don't just mean my 10-year-old self, or some of the people who deal with offensive security and find certain vulnerabilities. We also have to consider the fact that a lot of nation states are involved. When I say a lot, one of my favorites is actually, Ethiopia has a full-fledged offensive security team that is authorized to do various hacks because they've been at war and are involved in various skirmishes with Eritrea. So, if Ethiopia has something, lots of other countries have this particular capability. And we also have to take a look at geopolitics and things that are going on. I was chit-chatting with Bryson Bort before we started, and I'm currently doing research into cyber guerrilla warfare between Azerbaijan and Armenia, where the Armenian nuclear power plant is actually under threat because Azerbaijan has publicly stated that they want to blow it up. And I don't think that's good for anyone, especially since I live in Europe, and I don't want to like another trouble, not on cancer. So, we have to take the security devices, the way they're put together, the configuration, if they're exposed or not, think about geopolitics, but then also think about the fact that not everybody is a friend. There's a major incident between several countries, even transit countries. Some countries won't necessarily help others. And even if they do help others, they don't necessarily phrase what they need in a proper question so that another country can give proper aid. And one of the other things that we have to think about is, before something major happens, groups actually need to start talking to each other, because you don't just pick up the phone to a random country and go, "Hey, I need this stuff." And they're like, "I don't even know you. I've never met you."
It's a long way, both with formal and informal networks. And one of the previous speakers had mentioned he was from academia, and academia is fantastic. And they can think out of the box in certain ways, but unfortunately, not every person who's in academia, who's studying this topic, necessarily has that hacker mentality. And currently there is not enough involvement from the tech community. So, we've got some things that are fantastic that we can use at the United Nations, and these are existing treaties. I also was giving my presentation. One of the other presenters had brought up previous to me that perhaps we need to create this brand new treaty to tackle these issues. And my response was, guess what, we have stuff that we can use to expand on existing conventions, but if we're going to be doing a new treaty, it's going to take years and years and years. And it even gets a certain level of consensus from other member states inside the United Nations, and incidents don't wait years and years. Incidents want attention now, and they need it now. So we can use the Budapest Convention. There's also existing counterterrorism legislation and relationships between countries; they also can be utilized if there's a major attack that is happening. It's going through countries or hitting particular countries' critical infrastructure. So, when it comes to preparation, one of the things that we have to remember is practice, practice, practice, right? And I think we've heard this in many different discussions, whether it's critical infrastructure or other areas. And the way that you get very good at something is to practice it, and obviously not every incident is going to be exactly the same, because every one is unique and different. But we talked about exercises; they're still kind of lacking, especially at the UN level for different things like this.
A few years ago, I had the opportunity to work with the European Center for Foreign Relations on building NATO and EU member exercises for diplomats and ministers. And I was the only tech person who was a subject matter expert who was not an academic. And I noticed that this was really, really lacking, because we need to get certain people involved in this to a good exercise, CERT team members, as well as ministerial advisors, because a minister and an ambassador do not make decisions all by themselves. They have advisors. We also have to involve the public and private sector. Obviously, grab some academics as well, because they can share a lot of different research. But also consider us, a lot of the people who are watching this talk right now in the tech community, subject matter experts who actually dealt with some of these things. Reformed nice hackers, so to speak, who can think in a way that they can misuse systems and even information that nobody else can really think about within the other groups. So, one of the major things that I proposed to the United Nations was, we need to get security researchers involved. One of the biggest reasons is, when you get the tech community involved, I'll give you a good for instance, there's the CTI League, which was set up by subject matter expert tech community folks, and they volunteer to protect hospitals and medical personnel and medical devices, and they work extremely quickly. They also interface with computer emergency response teams, Europol and other law enforcement, so that hospitals have some sort of advantage in this game. A few months ago, I was contacted by a particular government because 15 of their hospitals went down on a Friday night, because it was a cyber attack. And that particular country came out publicly saying, "This country who did these attacks, stop attacking our hospitals."
But defending and realizing that there are some exploitable systems out there, if you've got the tech community involved, they can go ahead and interface like that, like the snap of your fingers. Unfortunately, when you're dealing with diplomats and countries on that much higher level, those formal networks are kind of slow. Now, another thing that I brought up to the United Nations is the fact that the majority of ICT vulnerabilities, but IT, IoT, ICS areas, they're still discovered by good hackers like us, attending DEF CON Safe Mode. And this is fantastic because a lot of us do this, maybe for a t-shirt, stickers sometimes, but really because we want these systems protected so we can use them when we, say, go to a hospital. And unfortunately, we still face a lot of legal barriers. As I mentioned before, not all CERTs actually will take vulnerability disclosures. And sometimes if you contact a company or power plant or a hospital or whatever, they might have the reaction of, "Who the heck are you? Are you trying to extort us for money? Are you some sort of criminal?" Are you some legal barriers? And sometimes you have to deal with very strange laws, like in the Netherlands, you're not allowed to ping a computer system. That's written in our cyber law, even computer systems you own. Which is still kind of odd, but depending on the country or the laws, you could actually be arrested for reporting some of these sites. Another issue is who to contact. Here you've got this dangerous thing and you want to be able to contact people as quickly as possible. And as your manner, but who do you contact? Using the CERT-EU example, I have no idea. And neither does the person writing the paper for Germany. What we have to realize is, as we all plainly know right now, we live in this digital world. And we are absolutely as dependent on ICT systems as we are on oxygen in this modern world.
So my closing recommendation to the United Nations was that the UN and member states should lead the effort in establishing computer emergency prevention teams. Because it is much easier, cheaper, quicker to prevent a major attack against critical infrastructure than it is to try to put out a fire. So I have some references which I can copy and paste somehow and put into Discord, or both can take screenshots. The first one is the UN Group of Governmental Experts report each from July 2015. There will be a new report coming out from my presentation and other people's presentations that we gave at the United Nations last year. Excuse me, last month. And also if you want to take a look at a very, very good convention that actually deals with cybercrime that can be utilized for information sharing, technology sharing, subject matter expert sharing, etc., when a major incident occurs, the Budapest Convention of Cybercrime is excellent. And last but not least, thank you very much ICS Village and doing the Safe Mode. I know it took a lot of work, and Bryson Bort for inviting me to do this talk. And if you want to know more about me, I'm available on Twitter. You take DMs, just, just no weird pictures, please. And also, we're doing a lot of work; we have just started the cyber portion of the Middle East Institute. The first distinguished non-resident fellow and person coming in as a non-resident coming into the Middle East Institute, specifically for cyber, to look at these particular issues. So that ends my presentation. And what I'll do is I will look on this Discord. And hopefully there are some questions. And there doesn't seem to be that many questions, but that's okay. Does the ICS Village have any questions, or I'll just dance. After midnight and I'm still here. Since no one has any more questions, thank you very much everyone.
And hopefully the United Nations will take some of my recommendations on how to secure their individual member state cyberspace, specifically critical infrastructure, a lot better in the near future. Thank you.