Hi, I'm Paul de Souza and I'm the founder and president for the Cyber Security Forum Initiative, also known as CSFI. Today we're going to have an amazing panel with experts on ICS, SCADA, IoT, CTI, and even Industry 4.0. So we're here to chat about information sharing from a critical infrastructure point of view. I would like to take the opportunity to obviously thank DEF CON, the ICS Village, the Brazilian Cyber Command, the Republic of Brazil, of course Jeff Moss, Priest, my good friend, the Undertaker, excellent Goon for many years supporting our CSFI mission. So thank you so much for everything that you guys do and let's just get the show on the road. So I will be the moderator for this panel. Our panelists will actually introduce themselves, which is really great. They have an amazing professional background and I know that you guys are going to truly enjoy this panel. At the end of the panel discussion, we're going to have a Q&A session, which will be the opportunity for folks to ask questions. But before we get started, let me just do something, I guess, make a healthy move and replace my Coca-Cola with water. Let's go. So welcome, Max. It's really a pleasure to have you here. Thank you so much. Could you introduce yourself and describe your cybersecurity efforts in Brazil?

Hi, Paul and other friends on the panel. First, I would like to emphasize that my participation here reflects the view of an expert. It doesn't represent the institutional position of the body in which I work. Also because the command operated in the cyber defense area, with the Institutional Security Office of the Presidency of the Republic being responsible for actions aimed at protecting critical infrastructure. However, the command realized early on that in times of peace, it needs to promote actions of integration and collaboration with joint actions.
Second, I would like to congratulate the DEF CON coordinator for the great event as always, highlighting my great satisfaction in being able to be here, participating in this panel, to talk about two subjects of great research in the area of cybersecurity and defense, which are integration and collaboration. I already had the opportunity to participate in an edition of the event in 2020, but I never thought that one day I would be inside the event. Thanks so much, guys. And then, I currently work in the Cyber Defense Command in Brazil, in the strategic management department of the command. And I'm head of the knowledge management section. And I'm the owner and coordinator of the Cyber Guardian exercise. As far as I know, it is the only joint exercise held in South America focused on the area of cybersecurity and defense, with the involvement of national and strategic boards in important sectors of critical infrastructure in the country, such as the nuclear and electrical sectors, financial, telecommunication, transportation, among others.

Thank you, Max, for your introduction. Much appreciated. I'm really glad that you talked about, you know, Cyber Guardian, the Cyber Guardian exercise in Brazil taking place in Brasilia. I've been lucky enough to be an observer to attend the event. It was outstanding. It's just so critical for the national security of Brazil and the security of its allies, including us here in the US. A special thank you to General Amin for supporting CSFI to make this possible so I could be there as an observer. So, right now, let's shift this to Elio. Elio, so would you please introduce yourself and share a little bit of your experience in the field of cybersecurity?

Hi, Paul and other friends from the panel. I'm Elio Santana. Like Max, I'm glad to participate with you in this initiative.
And hereby, I'm only expressing my point of view as a result of my experience obtained over the last 20 years in the IT industry, working with many clients like government and private clients in cybersecurity. It's a pleasure for me participating in this great event that gathers many renowned specialists and researchers, and for me it's actually a dream coming true. I worked in the institutional cabinet as an advisor, working in the development of many instruments like the national information security policy and the national cybersecurity strategy, which were both challenging efforts to increase the maturity and improve the workforce on cybersecurity here in Brazil. Currently, I'm holding the director of information technology title at the presidency of the Republic, dealing with many security aspects such as safeguarding communications and critical networks around the presidential and ministerial communications. We are implementing for the next month our own CERT, which has been called CERT Planalto, and it's a mission that congregates what I did in the past years, helping many companies and government agencies to accomplish. And now I'm doing it by myself in the heart of the presidency of Brazil. Among many challenges in this accomplishment, I can say that establishing trust and information sharing mechanisms are the key ones to obtain a successful result in many aspects.

So, you know, thank you for your comments. Much appreciated. I really truly agree with, you know, with your statement about, you know, trust. I mean, trust is everything when sharing information between countries and organizations. So shifting to John Felker at this point, John, would you please introduce yourself? And then I would like to ask a question as well. So information sharing is an important part of collective defense. So what are some of the effective ways, in your opinion, that information is or should be exchanged?

I'm John Felker. I'm a 30 year Coast Guard veteran.
I spent the last 10, 10 years or so of my career focused on intelligence, predominantly signals intelligence and cyber issues. I helped to stand up the Coast Guard Cryptologic Group and the Coast Guard Cyber Command. Following my retirement, I worked for Hewlett Packard Enterprise Services as a cyber and intelligence strategist, where we were working on projects to help the US government improve cyber capabilities. And in 2015, I went back into government as the director of the National Cybersecurity and Communications Integration Center. And NCCIC was the clearinghouse of information sharing and exchange for the US government, was also focused on incident response and a number of other left-of-boom activities, cyber hygiene scanning, policy and governance guidance and so forth. And then CISA was stood up in 2019, and I became the assistant director of CISA responsible for integrated operations. The part of our portfolio included some cyber in the field, physical security, chemical inspections and emergency communications and continuity of communications across the nation. Yeah, I think there are several opportunities for international partners to exchange information. In many cases, in fact, I think in most cases, that sharing of information or information exchange is done on a bidirectional basis. It's important to develop trusted relationships and nurture those relationships over time to allow for that effective exchange. You're not going to share information with people that you don't trust. And often in many cases, particularly at a national level, operation centers will share information, they'll establish regular procedures where they conduct phone calls or email exchanges just to make sure that those communications links are open. And those bidirectional relationships start building trust, even at a watch-to-watch or analyst-to-analyst level.
And when you build the trust, the muscle memory is in place so that cyber threat information can be effectively exchanged. In my experience, CISA and Brazil both have shared information, particularly cyber threat information, on a bidirectional basis. That effective sharing of information has been effective, but infrequent, and it'd be my hope that there could be some more information that is routinely shared between the two nations. There are also several multi-level partner organizations such as the IWWN, the International Watch and Warning Network. IWWN was established in 2004 and it fosters international collaboration on a real-time basis. It addresses cyber risk, cyber threat, cyber vulnerability across the spectrum of different national interests. It also provides a mechanism for participating countries to share information and build global situational awareness on a more frequent and regular basis. And it also helps to establish knowledge of each other with respect to capability and incident response effectiveness. I would also suggest another effective way to share information is to become a part of an information sharing and analysis center, if you're in a private sector vertical, such as the financial sector, the maritime sector, oil and natural gas, electricity, water and so forth. The ISACs provide a very effective way to share information in a like group and they do so across national boundaries. I think the important thing that we all need to remember is that cyber criminals don't respect any national boundaries and it's important for us to establish relationships and build on those relationships, regularly exercise those relationships so that when a bad day occurs, we can respond effectively. And even before that, we can share information to prevent bad days from happening.
I also think that there are a whole lot of informal opportunities, going to conferences, attending training and so on and so forth, that allow us to establish relationships at all levels, at senior levels, at analyst-to-analyst levels, at watch-to-watch levels. All of those things are important. They cost time, they cost money, but the establishment of a relationship that allows effective information exchange cannot be discounted.

So, Elio, we know that Brazil has been developing some cybersecurity and defense capabilities. And what are the main efforts that Brazil has developed in recent years and that you consider to be important for increased cybersecurity maturity and how does this contribute to the critical infrastructure sectors?

As I said, in recent years, several instruments have been created to establish guidelines for how security and cybersecurity should evolve. The institutional security cabinet, which is the central agency for policy development at the national level, has developed a series of regulations that range from high-level information security management to more technical standards, such as the collection and preservation of cyber evidence, passing through the secure use of cloud computing, in which I had the personal opportunity to act as a deputy coordinator. In addition, important milestones were also established, such as the national security policy, which encompasses all actions that the federal agencies must take to protect not only government institutions, but to provide citizens with secure public services and the protection of the cyber components of critical infrastructure actors. Adding some aspects to the national policy on critical infrastructure that has a more comprehensive view of the sector. Finally, an important milestone in the development of strategies in the cyber sector was the elaboration of the national cybersecurity strategy.
This instrument was the result of a collective effort between government and society, which after a benchmarking survey among many nations and their respective instruments, had the participation of several representatives from many sectors of the federal government, academia and the private sector, and so to consolidate the necessary actions to evolve the sector in the next years, which involves among many actions the national cyber incident plan, which Max actively participates in, and the development of public policies to promote the sector as well. As I can say, the development of talents to fill the cybersecurity gap that we have here in the country.

Elio, I agree with you 100%. There's a massive gap in cyber talent, especially those cyber professionals that understand cybersecurity and ICS or SCADA, IoT, and the ones that actually can see both sides, right? So there's that kind of gap. And that's why exercises like Cyber Guardian and others can help polish those skills and find the right folks to support Brazil and the US. Now, I have a question for you, Max. So in your case, Max, you act directly as one of the coordinators of the Cyber Guardian exercise, which this year is in its third version, I believe. So what important results has Brazil been achieving in the context of cybersecurity and defense that have a direct impact on the protection of critical infrastructure?

Oh, good question. The Cyber Guardian exercise is now in its third edition this year and is designed to coordinate and integrate intelligence environments covering public and private bodies in Brazil, verify the effectiveness of procedures, apply good cyber practices, simulate incident protection practices and employ information sharing tools. Today, one of the main tools that we encourage using in the context of the information shared during the exercise is MISP. Yes.
Our information sharing platform, which is used within some companies in the critical infrastructure sector in Brazil. Even last month, the Computer Incident Response Center Luxembourg team provided extensive training worldwide of online learning issues and best practices in using the platform. I recommend taking a look at the guys' website as it has a lot of material available. MISP is a threat information sharing platform that's free and open source software, a tool that collects information from partners, their analysts, their tools, normalizes, correlates and enriches the data. It allows teams and communities to collaborate, feeds security tools, automated protection and output feeds, analyst tools. In addition to using MISP within the critical infrastructure sector, the Cyber Defense Command maintains close collaboration with some countries that make up the Ibero-American Cyber Defense Forum. It uses the MISP platform to exchange and share information. The Ibero-American forum involves countries such as Portugal, Spain, Argentina and other countries. It's also important to highlight that Brazil keeps, in the Itaipu Technological Park Foundation, a project for an ICS SCADA honeynet that today has generated relevant information and attack signatures that have helped the Itaipu hydroelectric power plant itself in the structuring of more effective security measures and that can also be shared with some other partners. The proposal for the future is the construction of these security honeynets throughout the country, as Brazil is a continental country.

Thank you, Max, for your answer, spot on. I like where Cyber Guardian is going, especially how you're taking this to the next step up, the next level up in terms of information sharing and getting the community together, which is just awesome. It's just really what I would like to see.
And now I have a question for John Felker, who can give us, you know, help us to, you know, connect the dots in terms of information sharing. So, John, what are some of the ways that these important information sharing relationships can be built and fostered?

There are a lot of ways to achieve the needed muscle memory that is so important to effective information exchange, from watch-to-watch or analyst-to-analyst interaction on a daily basis, whether it's based upon an emerging threat, or simply just to maintain contacts. It is critical to regularly use the communication channels that you have in place. To take it to another level, conducting basic operational drills, utilizing players on both sides of an operational relationship, is critical. This can enhance the flow of information that's useful for both sides. And it also helps strengthen the bonds of the relationship. One of the best ways to grow relationships is to conduct a full scale exercise with all of the relevant people, including senior leadership. Senior leaders need to know what's expected of them, what's expected of their team, and how they can become more effective in conducting left-of-boom activities, as well as activities that occur when there is a cyber incident in place. Practicing regular response routines, whether on the keyboard, in front of the media, or in the boardroom is critical to the success, your success in any cyber incident.

Thank you, John, for the awesome comment. I fully agree with you about leadership being involved throughout the process and exercises and having this understanding that, you know, they're the leaders. And without their support, it's just really, really hard for things to happen at the tactical level. So we need more leaders with that kind of understanding. So thank you so much for your comment. This question is for Max and Elio. So critical infrastructure and the key resources are important assets for nations.
And the more collaborating to protect them, the greater the resilience. In the specific context of information sharing, what actions could support greater collaboration among critical infrastructure sectors, or even international collaboration?

Oh, thank you for this question. I'm very glad to talk about this. I believe that actions that Brazil and many countries have been taking have achieved great results for the development of the sector. The instruments that I mentioned before, the critical infrastructure policy, the national cybersecurity policy, establish many actions to improve the collaboration between national agents, but international agencies as well. This technical and academic exchange carried out by many Brazilian, American and European institutions, as well as joint actions with development banks, have already presented important results. The national cybersecurity strategy for Brazil is one of these results that I can say. Another one that I can say from my own experience is the contact that we are having with the OAS. And in the course of the establishment of our CERT, we will establish with the OAS and CERT Americas an information sharing channel that we think will be vital to our success in protecting the presidency of the Republic. Likewise, I had the opportunity to participate at the George C. Marshall Center in the program named Program on Cybersecurity Studies that is led by the Marine retired Colonel Philip Lark. It is an American initiative in conjunction with the German government that annually trains hundreds of professionals at the executive level who go to their nations to develop and improve national instruments and international cooperation on cybersecurity. This collaboration is essential for increasing the cyber maturity in our nations and establishing more reliable channels of trust to share information, especially when it comes to consolidating channels to communicate with critical infrastructure actors.
But it also allows an alliance of many actors to join forces to act against increasingly sophisticated and present-day cyber threats. Thank you very much.

Oh, over the years, I have participated in events and training in the ICS environment. One of the things I take seriously today is understanding the environment and getting close to the operation professionals and having a dialogue close to the speed. And one of the trainings that caught my attention the most was the SANS one, the ICS 505 given by Robert M. Lee, who is also the founder and CEO of the Dragos company. In the SANS material itself, we have a chapter dedicated to information sharing and threat intelligence. It's clear that the challenge today ahead will be much greater with the development of new exploits, malware services, fragility in the supply chain, vulnerability in the IoT environment, among others. And if you represent a particular automation company, if you are not the target of the time, you may suffer from the side effects, and then seeking to increase the capillarity of information exchange and sharing information will only contribute to seeking to be one step ahead of possible threats. In this way, I believe that cooperation agreements at the national and international level for this type of approach will make all the difference in seeking measures to avoid possible impacts and compromise, mainly for those focused on critical infrastructure.

Thank you, Max. And thank you, Elio. Great response. I think that, you know, this question now will kind of tie everything together. You know, obviously, Brazil is a cyber powerhouse in South America. And having this relationship between the US and Brazil in terms of information sharing, especially when you think about cyber threat intelligence and IOCs and how fast we can exchange this kind of information, you know, and how precise the information is, you know, the fidelity of all this stuff.
All this must obviously improve with the proper leadership in place and the proper knowledge in place. But I would like to ask John Felker a question that, like I said, I think is going to tie these things together. So as systems evolve, more and more interaction between IT and OT takes place. That's the reality, folks. So what are some things to think about in these circumstances, in particular, information exchange between Brazil and the US? Go, John.

When one device or control system is compromised, it can impact many others. Control systems are effectively systems of systems that are increasingly more interconnected with business systems, the IT/OT connection. There are many, many incidents that occur in control systems, probably on a daily basis, that just don't break squelch. Control system cyber incidents affect all industries, manufacturing, buildings, transportation, electricity, water, to name a few. I think a close review of these cases would indicate that malicious incidents make up a significant percentage of control system cyber incidents in terms of numbers and impacts. As I mentioned earlier, sharing incident information between partners is one way to address these potentially vulnerable interconnections. I think also that participation in focused OT training, like that provided by CISA at Idaho Falls, would be a benefit to many of the cyber professionals that have for years focused on IT only. And they don't understand the IT/OT connection and the potential vulnerabilities that exist as a result of that. I think also using training and exercises to build relationships between Brazilian and US partners in government and in the private sector is critical to effective information exchange.

So the ICS Village simulates ICS environments and they're really truly unique in what they do. Tom Van Norman is the actual co-founder of this awesome ICS lab and non-profit organization. I'm sure you've seen them at DEF CON.
It's just such an amazing village and the opportunity to learn about ICS through the ICS Village is quite incredible. So I have a question for Tom. So Tom, would you please tell us how you envision the ICS Village supporting Brazilian and American national security in terms of information sharing? Please, thank you.

All ICS Village's mission is to provide industrial control system security and awareness through community engagement and information sharing. By advocating for the sharing of information between governments, companies, organizations, or among individuals, everyone's security posture will be greatly increased. However, when information is shared, it also has to be in a format that is easily understood by the receiving party. So the ICS Village is the education: indicators of compromise, or IOCs, tactics, tools, and procedures, or TTPs, intel reports, and any other relevant information. If you were an operator of a critical infrastructure asset and were compromised in the same way another asset owner was, wouldn't you have liked to know the IOCs or TTPs ahead of time?