Hi, everyone. We are about defense and we will make a presentation about Mexico's cybersecurity status. In this presentation, we will talk about the industrial cybersecurity footprint, key data perspective, smart production, sensor security experience, honeypot lessons learned and opportunities. Thank you, ICS Village, DEF CON 28, and the cyber colleagues, for this opportunity to make a presentation about Mexico's industrial cybersecurity.

Talking about Mexico facts and figures: in terms of the economy, Mexico ranks in position 12 around the world. Manufacturing, services, transportation, utilities and spending are the main economic activities in Mexico. Concerning the industrial sector, manufacturing has an activity of 175 billion US dollars. This presentation focuses on ICS industrial servers. The top industrial sectors in Mexico: the automotive industry is in the top five worldwide, with OEMs and their supply chain. Mexico is in the second position in Latin America, behind Brazil; it is now 60% more competitive, and electronics the sea lighters economical region worldwide. Also, Mexico has other industries like oil, electricity, food, textiles, agriculture, chemical services, consumer and furniture, and many other sectors.

More important is that the main manufacturing companies use 55% isolated PCs and PLCs inside the ICS area; most are isolated, or most are not connected to any network. 3% use industrial servers at the shop floor connected to the network. Most of these industrial servers are set up by international automotive companies, from Germany or Japan among others. Most of the industrial companies are located from the center to the north of Mexico. As an example, the automotive industry is located from the center to the north of Mexico. In the case of the aerospace and medical industries, they are situated in the northwest of Mexico.
On the network subjects, we will see that the strongest future is based more in the north of Mexico. Southern Mexico is more agriculture and other topics. Mexico has around 50.3 million IP addresses and an average of 7.5 megabits. And the cyber attacks around 28 from 9195 countries. So basically, the most important in the case of the cyber attacks is mainly attacks on government offices and other departments like, you know, banks and services.

In terms of the SWOT of ICS security, the strength is that Mexico is growing in Industry 1.0. It's focused on smart production, smart logistics, and modern enterprises among others, which require in a short period of time the implementation of industrial cybersecurity practices. The US-Mexico-Canada trade, which was released the first of July 2020, covered the topic of digital and cybersecurity rules and processes between the countries. It's a major important thing, especially for Mexico, because Mexico needs to follow up and implement the good practices and lessons learned necessary to accomplish the digital security and internet policies from this trade. In terms of the weakness, Mexico has no deep knowledge on ICS security topics. Also, the companies and the owners had no idea, even awareness, about industrial cybersecurity. For those insecure systems, there is insufficient information. There are opportunities as well. The US-Mexico-Canada trade is focused on increasing the commercial competitiveness of the region against other markets, Asian markets or European markets. These trades include the specific actions to meet cybersecurity terms as the first one. According to our experience, most attacks on industry are related to ransomware, especially on the ERP systems; as well, you know, the internal attacks are not recorded at this time.

Based on the automotive industrial sector, in Mexico are located American companies as well as European and Japanese companies, which are located on the supply chain. We mostly use the industrial cybersecurity architecture according to ISO and the improvement performance basis 4.0. The merits of the concept are data in real time and non-real time, the integration and sharing of data, and connectivity. For the American enterprises, they follow the American industry. They use as key merits real time, non-real time, integration, shared data and connectivity, but as well they use the bus protocols like Profibus, Modbus, Ethernet, Profinet, and programs like ladder, and other devices with different kinds of protocols, which is one of the important things to use for industrial architecture.

According to our experience during the last couple of years, we implemented for the industrial sector an architecture with different kinds of layers. One of the layers is the sensor integrity that we will see in the next slide: the equipment, the bus data and the network. Industrial, in terms of the smart factory, is based at this time on the Industry 4.0 concept. They set the connectivity between machines and PLCs and other intelligent sensors, as well as other equipment. So the smart factory integrates all the elements in the shop floor in one unit. To accomplish and fulfill the strategy, we set a smart production concept. This smart production sub-concept is accomplished to fulfill the strategy that we set for smart production. Smart production is set in individual modules which are interconnected to the smart factory. This architecture integrates components from machines, sensors, PLCs, network, servers, database, machine learning, machine-to-machine, analytics, visualization and artificial intelligence, among other technologies and innovations.
For a clean implementation, additional smart sensors were set to boost the power and the brains at the shop floor to implement full smart production. That is the new trend. On the other slide we will talk about smart sensor cybersecurity. One important note on this activity that I want to share with you as experience is that synchronization and process speed are key factors for industrial cybersecurity. It means that low timing on an industrial process is not a problem, as we can use and save the cybersecurity procedures. High-speed industrial processes, which require up and down information to act, for example to open a sector or review a motor in less than 500 milliseconds, make a major complexity to implement the smart factory with industrial cybersecurity.

Also, the lessons learned about the synchronization topic gave two strategy recommendations, according to our experience. One refers to setting the PLC responsibility as it was designed a long time ago, meaning that the device was to control dedicated processes and machines only; we do not recommend that the PLC does extended activities, that means doing everything. That's why everybody can say, and tell you, that the PLC makes everything. This is not true. This is a dangerous situation. The second one is to reduce or eliminate PLC connectivity into the industrial bus network. That means that the PLC has to do its own job. And of course, with the PLC off the network, the first reason is to reduce the potential vulnerability, and the second one is to reduce the issue of synchronization between the process and the bus network.

One of the topics we have experienced is that it is difficult to set industrial cybersecurity for the smart sensors, and the sensor cybersecurity strategy that we set is SCS, you know, which means the S is for sensor, sensor integrity, the C is for connectivity and the S for security. This concept that we implemented, we divided in three blocks. One is related to sensor integrity, the sensor connectivity and the sensor cybersecurity. As mentioned, sensor integrity includes physical and functionality layers. The physical takes the sensor damage, which is common; sometimes people can damage it during the process at the shop floor, or it could be unintentional damage to the sensor. So the cybersecurity protection tells us that damage is made on the sensor, and then it has to be replaced or an action taken immediately. And also the life cycle of the sensor is important, because the cycle of the sensor, when the sensor is used by a resistance to review or sense the level of the water, can be changed immediately when we see that the response of the information is not quite right. So we use this information and review it as a status control to be sure that the life cycle of the sensor is okay. Similarly, in terms of functionality, the views of the sensor as well as the software and the program are important things. The software and the program can be used, and could as well be adopted, in terms that somebody can connect with our C to 35 or another bus communication and change the software and the program. We also set on this strategy, as you know, the actions and the roadblocks and the firewall so that nobody can change the software and the program. And then, on the sensor connectivity, everybody knows Profibus and Modbus, so this topic I will not go into in detail. And on the subject of sensor cybersecurity, the status control gives also the opportunity to review that the physical and functionality of the sensor are okay.
Self detection and sensor assessment also provide that the system, as well as the protocols, the software, program and communication, are okay. We put outside of this process the cryptography code, because, according to what was mentioned in the last slides, the synchronization and the latency of the process in terms of high-performance processes is not quite okay. We set as well an additional alert console. That means that the alert console process, we set on a different bus communication, not in the same protocol that sends the information to the system; it is sent on another channel, and as well another kind of information, which tells us exactly if the sensor's integrity, physical and functionality, is okay.

In terms of the essentials of sensor cybersecurity, we show it in two blocks, really three blocks: one is outside of the system, which is a data interface, and the other ones are connected. The detection sensor, which is called on the left block: we call it a dummy, because this is essentially just one thermal power or just a resistance that moves according to the level of the water. We call them a dummy sensor. This dummy sensor is connected via the I2C protocol. This protocol has four modes; the standard mode usually has a speed of 0.1 megabits per second. The information is digitalized and then used to perform the program with a specific language; the program has an algorithm and makes the action and performs the activities, which is bus programming. The program sends the information via a standard protocol to the outside world, which means sending information to the PLC via Modbus, or another kind of communication, to the data interface, which is important because, with the different kinds of network protocols, it was difficult to make cybersecurity perform.
That means the experience that we have is that synchronization is a very key factor. The topic is in reference to the I2C protocol: sensing information is in some processes a critical element, especially with high-performance processes, with production and security information that can be lost, only because the bus communication synchronization is not aligned with the process synchronization, and if the PLC has a timer and a time delay, it is possible to miss key information of the process. That means, in the case of latency less than 500 milliseconds, using crypto code on this communication can put the entire system in an endangered situation. So we solved this issue using new security paths in the entire architecture. It's clear that integrated crypto code, as we know, from the sensor to the outside bus node is not visible, according to our experience today, based on the total bus and the process synchronization. Both things are important to do the industrial cybersecurity activities.

The opportunities that we have in ICS cybersecurity are in terms of monitoring: monitoring is the sensor integrity that we saw, the equipment safety and the bus security, as main architecture visibility and central management. Defense: detection in terms of the bus protocol and the peripheral devices evaluation, threat detection on the sensor equipment as well as malicious code. Prevention: incident response and services, and as well the equipment risk assessment, which means reviewing the peripheral devices, the server equipment and the network devices. During the process, and in terms of the ICS industrial cybersecurity opportunities, we set the detection exercise, the honeypot lessons learned and the training that my friend and colleague in this entire venture, Alfonso, as well. We will see it in the next presentation from Victor.
Well, guys, thank you for your time. I'm glad to be here. And well, as you know, there are many experiments that produce publications about honeypots. We applied it in this work on two areas that could be joined in a small footprint. I mean a small footprint to detect internal events and incidents. Well, the first one is the training, to learn core concepts from previous incidents and learn beyond those words and clickbaits over security to be new, because we think that this could be overwhelming for many of us. The second one is to be productive. I mean, to get productive data that allows us to have enough evidence to resolve an incident. To implement this, there are previous conditions, previous steps that are important to be known by the network owners, like a correct networking solution, a legal review, and patience to see results, and focus on ICS systems versus general malware. And honeypots as an idea and philosophy are very attractive because it's a good way to see an attack in real time and what you can learn from it, and it also helps to replicate various attacks.

In some moments, cybersecurity could be overwhelming. For some people, there is too much to learn, but basically, in previous attacks that we saw, there are core concepts that could be studied. These concepts are covered by the MITRE Corporation matrices, and this gave us a structured way to do it. And the second one is, well, how to handle an incident. This could be learned too, and also the ICS architecture concepts are important to give a general path. And finally, the idea of this experiment or honeypot is that it could be installed by power users and not only by cybersecurity people. And learning through analyzing attacks, well, obviously is the first option, but there is another gain: a honeypot could give productive data in a traceable way.
There are three main sources to start: the first one, the Windows hosts from the multiple layers of the ICS and enterprise network; the second one, the network in the different layers too; and finally, the relation of the services, and well, all of these in the internal network. The first component in our architecture is the Windows hosts that are being used in different layers, and the first four simple components and tricks that could give us important data about malware. And well, with this setup, we got multiple samples. For example, with the file system trick, we got multiple samples. And also, from the network traffic, we saw that the most popular war mobile ports are being used too. And now, regarding lateral movement and ransomware cases, we saw that the biggest analysis exploits are being used as first option.

And from the network side, the other component in the architecture: our idea is to keep all the metadata possible as first priority, and the raw data from the multiple sites as a second objective. This could be achieved using Zeek and Moloch, these open source tools, but to implement these tools, the Malcolm project helped us a lot to make a quick setup in a productive environment. In this setup, we were able to investigate multiple network movements from the multiple layers of the network, and also to detect dual-homed pieces and about the DMZ. And as I mentioned in the first slides, our idea is to make an investigation in the internal network. However, as you know, the DMZ setup was analyzed multiple times in previous investigations, and as you know, the detection is very noisy and also is a high risk. So for that reason, we focus on internal networks, but some setups were exposed for a short time, using Mexican IPs. There are two important details that are worth mentioning. The first one is the timing of the attack.
There is a correlation between the exposure of the IP on a network passive scanning service versus non-indexed IPs. And finally, there is a gain if multiple protocols are being used instead of only one. And finally, to mimic services, a simple setup was performed on these four sites. The first one is network emulation. In this, we found that there are many pieces of servers that allow you to emulate any port, to replicate any port and copy this kind of behavior. The second one is about the file servers on the shop floor. For this, the use of honey files was the option. And for the web replication of the front end, web admin consoles, we used the Social-Engineer Toolkit and also HTTrack. And well, finally, the most important component is Conpot. As you know, Conpot is a very popular piece of software to deploy honeypots, and we used this with some physical components. And to make a quick setup for the power users, we used T-Pot as a main platform; with this, the use of T-Pot was the fastest way to make an implementation by the power users. And that's it, guys. Thank you for your time.

As remarks, we saw these points. The USMCA trade is an opportunity to improve cybersecurity. And the second one: there is an undiscovered market for ICS cybersecurity. As Octavio mentioned, there are good numbers that prove this. And there's an opportunity to train people in this topic, in all the industrial servers, in all the industrial networks. We found that there are a lot of talented people that could learn in a very fast way, and there is passion about this. And the honeypot technology and the use of the ATT&CK matrices for ICS as part of the formal training and threat detection is a good trick too. And finally, the speed of the network is not the speed of the process, talking about cybersecurity.
Thank you for your time. And if you have questions, please drop us a line. We will be on the ICS Village Discord channel. So thank you for your time. Have a good day. Thank you.
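The honeypot section above describes collecting network metadata with Zeek (via the Malcolm project), investigating movement between ICS and enterprise layers, spotting dual-homed boxes, and the observation that probes touching several protocols are more telling than a single one. The following is an added example, not the speakers' tooling and not part of the talk, of the kind of triage a defender can run over those Zeek conn.log records. The log excerpt is constructed; it assumes Zeek's conn.log with the optional orig_l2_addr column (produced when the mac-logging policy is loaded), the subnet ranges 10.10.1.0/24 (enterprise) and 192.168.50.0/24 (control network), and the port set ICS_PORTS, all of which are hypothetical choices for the demonstration.

```python
"""Triage of Zeek conn.log records from an internal ICS honeypot deployment.

Added example with constructed data; not the presenters' own code. Assumes a
Zeek conn.log that includes the optional orig_l2_addr column (mac-logging
policy), so source IPs can be tied back to a MAC address.
"""
import ipaddress
from collections import defaultdict

# Common ICS service ports: Modbus/TCP, S7comm, EtherNet/IP, DNP3 (hypothetical set).
ICS_PORTS = {502, 102, 44818, 20000}

# Constructed Zeek conn.log excerpt (TSV); only the columns this example needs.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_l2_addr
1596000000.1\tC1\t10.10.1.15\t49211\t10.10.1.20\t445\ttcp\tsmb\t00:11:22:33:44:01
1596000001.2\tC2\t10.10.1.15\t49212\t192.168.50.10\t502\ttcp\tmodbus\t00:11:22:33:44:01
1596000002.3\tC3\t10.10.1.15\t49213\t192.168.50.11\t102\ttcp\t-\t00:11:22:33:44:01
1596000003.4\tC4\t10.10.1.15\t49214\t192.168.50.11\t44818\ttcp\t-\t00:11:22:33:44:01
1596000004.5\tC5\t192.168.50.5\t3456\t192.168.50.10\t502\ttcp\tmodbus\t00:11:22:33:44:09
1596000005.6\tC6\t192.168.50.5\t3457\t192.168.50.10\t502\ttcp\tmodbus\t00:11:22:33:44:09
1596000006.7\tC7\t10.10.1.30\t50001\t10.10.1.20\t445\ttcp\tsmb\t00:11:22:33:44:09
"""


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into a list of dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def layer_crossings(records, enterprise_net, ics_net):
    """Connections from the enterprise layer into the control layer on ICS ports.

    A workstation speaking Modbus or S7 to the control network is a
    lateral-movement indicator worth alerting on.
    """
    ent = ipaddress.ip_network(enterprise_net)
    ics = ipaddress.ip_network(ics_net)
    hits = []
    for r in records:
        src = ipaddress.ip_address(r["id.orig_h"])
        dst = ipaddress.ip_address(r["id.resp_h"])
        if src in ent and dst in ics and int(r["id.resp_p"]) in ICS_PORTS:
            hits.append((r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"])))
    return hits


def ics_port_sweeps(records, min_ports=2):
    """Sources that touched several distinct ICS ports: multi-protocol probing."""
    seen = defaultdict(set)
    for r in records:
        port = int(r["id.resp_p"])
        if port in ICS_PORTS:
            seen[r["id.orig_h"]].add(port)
    return {host: sorted(ports) for host, ports in seen.items() if len(ports) >= min_ports}


def dual_homed_hosts(records):
    """MACs seen sourcing traffic from more than one /24: likely dual-homed hosts bridging layers."""
    nets = defaultdict(set)
    for r in records:
        mac = r.get("orig_l2_addr", "-")
        if mac != "-":
            net = ipaddress.ip_network(r["id.orig_h"] + "/24", strict=False)
            nets[mac].add(str(net))
    return {mac: sorted(n) for mac, n in nets.items() if len(n) > 1}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("layer crossings:", layer_crossings(recs, "10.10.1.0/24", "192.168.50.0/24"))
    print("ICS port sweeps:", ics_port_sweeps(recs))
    print("dual-homed MACs:", dual_homed_hosts(recs))
```

On the constructed excerpt, the enterprise host 10.10.1.15 is reported both for crossing into the control network and for touching three different ICS protocols, while the MAC ending in :09 appears with source addresses in two subnets and is flagged as a dual-homed candidate. In a real deployment the same functions would be pointed at the conn.log files Malcolm or a plain Zeek sensor writes, with the subnet and port arguments set to the site's own layers.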