Hello, and welcome back to the seventh year of the Industrial Control System Village, the ICS Village at DEF CON. We're really excited this year because, one, we made it. This was a more difficult year for us than past years because all of those ranges, all of that industrial control system equipment that you've seen in the past, we had to figure out how to get it completely virtualized for you. So I want to say thank you to GRIMM, who has been hosting a lot of our equipment for us. New this year, besides everything being virtualized for access for our CTF (the last two years our CTF winner has won a black badge, so crossing our fingers we can pull that off for a third time, no guarantees), is the Department of Homeland Security's CISA agency: they have some special range equipment that they have integrated into a part of our CTF. So there's going to be a lot more fun and a lot more challenges this year. The great lineup of speakers: one of the biggest things that we took advantage of this year, with the conference being completely virtual, was reaching out to get a lot of international speakers, so the kinds of folks that work in industrial control systems elsewhere in the world that would not typically be able to make the trip to Vegas. So a lot more variety in international representation with the speakers, so really looking forward to that. Logistics for it this year: we're going to talk about everything that's going on in Discord at DEF CON with the ICS Village specific channels. Around that, Q&A will be done there. Some speakers will be doing Q&A for the live sessions, so live speaker sessions' Q&A will be in Zoom; otherwise you can meet with the speakers in Discord. And check out and subscribe to our new channels on YouTube and Twitch, where we'll be streaming everything live to you. Have a great DEF CON.
Keynote for this year is the director of CISA, Chris Krebs, reflecting the continued collaboration between the agency and the village with bringing education and more equipment to the community. This DEF CON, we are kicking off the first of many opportunities to bring real ICS to even more hackers to get to work with. So without further ado, Chris Krebs with the ICS Village keynote for DEF CON.

Hey, hello out there. Welcome to DEF CON ICS Village Safe Mode. My name is Chris Krebs. I am the director of the US cyber and infrastructure security agency. Today I'm going to tell you a little bit about the things that we've been doing over the last couple years. This is an approach to control systems, but more broadly, not just our approach to things we're doing working with you and the community to improve control system cybersecurity out there across this great country and throughout the world. So I think what I want to start with is to tell you a little bit about who we are, CISA, again, the cyber and infrastructure security agency, youngest federal agency, coming up on our second birthday here, and talk to you a little bit about the threat landscape as we see it, and tie it to a few actors out there improving their capabilities, and then stitch that all up into a story of the things that we've identified as important and how we work with you and the rest of the ICS security community to actually achieve these objectives that we're all working day in and day out towards. So yeah, CISA: almost two years old now. We are a part of the Department of Homeland Security. We've been around in one way, shape or form since the creation of the department, but the US Congress gave us the authority to stand up as a separate operational component, like the Transportation Security Administration, what you normally would have had to deal with if we were in Vegas like last year and ideally next year, and FEMA, if you're paying attention to COVID or hurricane season.
They're out in front. So that's where we come in. We're CISA; we are the nation's risk advisor, as we style ourselves. But the concept here is to get an understanding of what the risk landscape looks like and how it intersects with the nation's critical infrastructure across a number of different lines of effort, but I tend to distill them down to five. First is traditional infosec. We are the home of US-CERT and we have been working some aspect of infosec for two-plus decades now. The second aspect or discipline is control system security. We are also home to ICS-CERT and have been in this game for quite some time with varying levels of investment and capability, but we are fully committed to this mission. Third is supply chain security: lots of activity on the supply chain front over the last couple years, particularly since I've been here, and really looking forward to building more capability, insight and maturity across the supply chain risk management. And the last two pieces: insider threat, and this is more about that blending of close access operations, allowing an adversary into your network or into your perimeter that they can then combine with other techniques to achieve their objectives. And then lastly, physical security. So in this broader cybersecurity and infrastructure security space, we're also out there day in and day out conducting physical security assessments of facilities to help protect things like schools and hospitals right now, and places of worship. Back when sports start up again at larger scale and you can actually go attend the sporting event, assuming you like sports ball, we are out there helping the facility owners and operators understand how to best secure their facilities. So that's kind of the disciplines that we focus on. And we have a very different approach, I think, to engaging our stakeholders, or customers as it were, than you might find in other parts of the federal government.
There are usually persuasive hooks that agencies have, whether it's law enforcement authorities or it's regulatory authorities or they have money, things like that. We're in a little bit different spot. We're in the public-private partnership business, and that's a kind of cliche thing to say, I think, certainly over the last 15-plus years, but we spend a lot of time listening. So it's not that old tired, you know, "we're from the government and we're here to help." It's more along the lines of "we're from the government, we're here to listen." We want to understand what your problems are, what your challenges are, what your gaps are. We have certain advantages where, at the end of the day, profit and revenue is not our prime objective. We have the ability to overcome places where there's no legitimate business model for the private sector to chip in and contribute, so that's kind of a sweet spot for us. And of course, there are other aspects here. We have access to classified information, and, you know, when we know what the bad guys are trying to do or, oh, I don't know, actually doing, we're able to distill that down and bring partners into the fight to counter those efforts. So again, we're this public-private partnership, voluntary-effort agency. I'm not going to lie, it's tough. When you really have to work that extra bit to understand what a partner's challenges are and then go back and craft something that is going to help them, that takes a lot more work than I think some of the other authorities that other agencies have. But in a sense, it's also pretty darn easy. If you listen the right way, if you listen to really what the challenges and the gaps are in the critical infrastructure community, whether it's on the infosec side or the OT control system side. Listen really hard, and you isolate the issue, and you address the issue and deliver some value.
It's a self-fulfilling prophecy in terms of your ultimate success. So we, in a certain sense, are like the private sector, right? We're like an organization that has to develop the capability, turn it, do the market research, whether a product lifecycle, have a team to deliver it to customers, and then have feedback and dial it in. So we very much have that private sector mentality, and that philosophy, that approach, is in part why I'm here today, wherever here is. That's why I'm here today. It's part of market research, it's part of engaging a community and understanding what the challenges are and how we can all work together to close out those gaps. And I honestly think, which means I'm not lying to you right now, I guess, that right now the threat landscape, the bad guys out there doing bad things, is as active as I've ever seen it. And that's not to say that the bad guys out there haven't been doing bad things for a long time: 2012, 2013, dating all the way back. We've seen, particularly in the control system space and the hard infrastructure space, really dramatic adversary activity. So go back and look at the 2019 Worldwide Threat Assessment; there's a very specific piece in there that talks about Chinese capabilities to disrupt pipelines, cause localized outages. That goes back several years. A couple years ago, the Russians, what we called at the time alien viper, but they absolutely targeted energy infrastructure. They went through the supply chain, they went through contractors, construction organizations in this case. They knew where they were wanting to go. And they used a range of capabilities, a range of accesses to get there. Even more recently, we, alongside the National Security Agency, issued an alert that was pretty clear and pretty stark in the terms of: if you have OT systems that touch the internet, you need to get them offline.
You need to harden them, you need to protect them, you need to install or implement better email security measures, because what we found is flat, unsegmented networks provide the adversary the ability to pivot off the business network into the OT networks. Again, these are very, very active targets for the bad guys. It's only a matter of time, as I think Dale Peterson said back in January down at S4, an interview I did with him, that ransomware will come to the control system space; it's a matter of time. Let's get there before them. So our mindset has been, going back to that general philosophy of the agency: how do we understand, how do we build a community of practice here? We're not the ones building it, to be clear; we want to be able to foster that community of practice. So, a year and a half or so ago now, when we came out of a pretty historic, not pretty, but a historic shutdown of the US federal government, I laid out a series of priorities for this agency. First, half my budget goes (if you haven't checked me, don't; who looks at the federal government budgets?), but half of my budget goes to federal cybersecurity. I have a chunk of money, and so that's a top priority for me. What else is a top priority for me? Election security; looking forward to participating, and parts of my team participating, in the Voting Village, DEF CON Voting Village, as well. We're also doing physical security, as I mentioned, for crowded places and soft targets. When we were sitting there as a team trying to identify the greatest areas for opportunity, the greatest areas for community progress, two things immediately jumped to mind, and they're related. Supply chain: supply chain risk management is an untapped area that we are putting a significant amount of effort behind. But the last piece, of course, why I'm here today: industrial control systems. As I mentioned, we are the home of ICS-CERT; it's a game that we've been playing for quite some time.
And we are reinvigorating our partnerships, we're reinvigorating our investments, bringing and building a fantastic team, and our overall objective is to be able to stitch together the US government in support of industry and the control system security community. Together. That's it: together. We're just working on doing this together. And so coming out of that shutdown, I challenged the team, said, tell me how we're going to do this. And of course, federal government agencies, is what we do: we build strategies, right? That's why we released our industrial control systems initiative, which is our strategy. It says, here are the things that we are aiming to accomplish, here's the main thrust of activity. Now, you didn't come here today to hear me talk about strategy, about another federal government plan. Another. It's actually pretty tight in terms of page count, but that's not why we're here. But I do need to lay out what our objectives are and how we're going to do that. And then I'm going to tell you about the mechanisms we're using and some of the key implementation priorities, and that'll give you a sense of where we were going and, most importantly, how you can participate. Because together, to me, means one thing. And I mentioned it earlier this year at the Industrial Control Systems Joint Working Group that we had to do online just like this. Our top-line objective is to democratize industrial control systems security efforts. And what that means is making it open for everyone, bringing the community together. It's not about releasing products and tools and services that only a handful can afford. It's not about restricting access. It's about diversity. It's about inclusion. It's about democratizing security. That's what's behind our strategy. So real quick, the philosophy behind the strategy is about empowering you, empowering vendors and owners, operators and integrators to make better risk management decisions. It's about informing your investments.
It's about integrating the US government, CISA, and our partners in the intelligence community, Department of Defense and FBI to it, integrating our efforts into yours. It's about moving to a proactive industrial control systems posture. And lastly, it's about driving towards a sustainable, long-lasting control systems security community. That's the top line. All right. How are we doing this? Pillars. We've got four pillars; every strategy's got to have pillars. We have four pillars. First pillar is asking more of the community, but doing more for the community from the federal government perspective as well. Second is advancing technology in the ability to secure our systems, not just tomorrow's systems, but we have to figure out how to continue to defend today's deployments while thinking through the next generation and having more security baked in: secure by design, by deployment. The third piece is developing deep data capabilities to better put our understanding of risks against the current deployments, and think building frameworks, building resources and approaches that take advantage of just this wealth of information we all have, pull it all together and putting it into meaningful frameworks. MITRE continues to lead in this space with the industrial control systems framework. Those are the types of activities and approaches that we look to be a part of, not necessarily invent, not own; we just want to be a part of this effort. And lastly, increasing that risk understanding of the interdependencies that are out there, so that we can drive smarter investments, smarter solutions, smarter engagements between the government and industry to get to that objective of democratizing control system security and making the environment safer and more secure. So it's those four pillars that drive our approaches. So what the heck are our approaches? Okay, this is the part that matters. The strategy is about what we're trying to do.
Our approaches are how you can work with us to achieve these objectives. So got a few things that are worth talking about here. I already talked about one of them, and that's the Industrial Control System Joint Working Group. This is what is now a twice a year. That's biannual, twice a year. Now a virtual event, but it provides a free opportunity for anyone that's either getting into the control systems game, or is in a jurisdiction that doesn't have travel funds, because those are always a challenge with, you know, the old days' conferences. How do you get the money to go to Vegas? How do you get the money to go to Miami? The ICS JWG is about opening up a more inclusive environment so everyone can come together and learn something, even if it's at the 101 level, or the 10, whatever remedial is, the 100 level, doesn't matter. The point is, we have the opportunity to bring more people into this community. And that's what we're working towards with the ICS JWG. We had our most recent one in, I don't know, it was a month or so ago. We've got another one coming up in the fall. So that's point one: ICS JWG. So back to that kind of integrating the federal government with the community. We also have an effort called the Control Systems Interagency Working Group, the CSIWG. Now, it says interagency, but don't take from that that it's just government again. This is about bringing the executive leadership of the federal agencies that play in control systems together with leaders from industry, from the research community, from the vendor space, and everybody together and figuring out, okay, what are our opportunities, our threats. It's really, in part, we're doing a SWOT analysis. How are we strong together, where are we weak together, what are our opportunities to work together, and then what are the threats. Now, out of the last year or so work of the CS, the Control Systems Interagency Working Group, well, we figured a few things out.
One is, the government needs to be more coordinated together. Everybody does some part of this game. How do we do it in a more coordinated fashion? Well, one place we can really achieve, I think, some alignment and advancements is in standards. All of the federal government players together on standards and working towards the same common purpose, we can really drive the advancements we're looking for. Also, we can help work to build the workforce of the future. Rather than doing bits and pieces here and there, let's have a collective approach to workforce, and a lot of credit to NIST in their efforts, and we're also doing subcoding, creating clarity and messaging clarity and hiring practices. So we have an opportunity there. And also on the investment alignment. So R&D: lots of different R&D efforts across the federal government. We should have a more unified R&D agenda that can get better uses out of our investments. I think some duplication or redundancy in efforts. Always a good thing; maybe put those saved dollars towards another effort. And then lastly, working towards a more unified, streamlined, coherent and value-added incident response approach within the USG. And in part, what we want to do with this is make sure that we're taking the relevant information out of an incident response effort and sharing that information back out in a protected way for the victim. We're not in the business of revictimizing a victim, but to the extent that we can extract insights from single or multiple incident responses, that's a good thing. And that's something that we've done recently. In fact, in a natural gas, in the natural oil and natural gas sector, we issued an alert earlier this year. Now, we're not perfect yet. We're still working at this. But your feedback on all of our control systems products is always welcome. So go to cisa.gov, check out our control systems page, and all of the products we have there: the alerts, the guidance, the advisories.
Let us know where we're hitting the mark. Let us know what else we need to do. And then work with us through the Industrial Control Systems Joint Working Group. There are a few other things that are worth highlighting, particularly since we're doing this DEF CON Safe Mode thing, something you'll hear about. And that got kicked off last year, or rather earlier this year, down in Miami: ICS for ICS, industrial control systems for incident command system. Not sure if everybody knows what the incident command system is, but it's what the physical emergency responders use to coordinate their efforts, whether it's a hurricane or wildfire. It's actually the firefighters out in California, the fire service, are the ones that developed the incident command system. But it's got great application for physical disasters. But I bet if we ever have one of those big time, larger scale physical or cyber-enabled physical event, guess who's going to show up: the fire department, the emergency managers, state and local officials. There's absolutely a role in control system security in its response for state, locals. But they also recognize, we recognize, that there are roles for the security community. So what we've got to be able to do is develop those frameworks, develop the frameworks that put everybody together, clarity of roles and responsibilities. So a lot of credit to Megan Samford for her work there and ICS for ICS, and looking forward to continuing to contribute to that effort. And of course, the best for last here: ICS Village. This year, we were proud to partner with the ICS Village; a lot of credit and thanks goes to Bryson Bort for his efforts. But the idea is, we can do more together. That's why we're here. That's why you're seeing the feds show up at DEF CON, even if it's virtually; we were there last year. But we look forward to really growing out this and building out this partnership with the ICS Village and other villages. We're doing that in a couple ways.
This year, we've got our Control Environment Laboratory Resource, or CELR, that is going to give simulated environments so that everybody can walk through a couple different scenarios, work on your blue team skills and run some incident response. This is an effort that we think, again, plays to that democratizing incident, rather, industrial control systems. It's been a long day. Industrial control systems security: again, democratizing, making it more open. If we can pull more resources out of the national capital region, out of specific locations out west, and then make them broadly available virtually, good for everyone. If we can put things on wheels and drive them around to various parts of the country. Again, these are good things. That's what we're trying to accomplish here: a control systems ecosystem, security ecosystem, that is open and accessible to everyone, whether you're in the private sector or you're a municipal water facility. Everyone's got requirements. We have to be able to do this together. So last thing I'll talk about before wrapping this one up is our role in vulnerability management. This has been hell year, I think, for the vulnerability managers out there. Six months of week after week of big vuln after big vuln. I was thinking at some point it's almost a race to the bottom, because think about it: you drop one vulnerability and somebody's probably going to drop one next week. And so you've got tops of seven days in the news cycle. But it's really stressing the teams that historically we haven't invested too much in. The vulnerability management side is one of the most important teams within any organization. We play a key role here in coordinating vulnerability disclosure. We fund and support the CERT Coordination Center, CERT/CC, up at Carnegie Mellon. We also fund the National Vulnerability Database.
And next, so between the CERT/CC CVE process and the National Vulnerability Database, two key resources for any network defender, any vulnerability manager, of understanding what's new, what's coming and how do you defend against it. We also play a role, again through that CERT/CC process, where the private sector, or security researcher rather, if they identify something, we can help facilitate the conversation between the appropriate vendor. Now, sometimes we don't need to play a role. In fact, we encourage programs, we encourage vendors to have vulnerability disclosure programs, to have as needed but bug bounty programs, again, have a healthy, vibrant ability to engage with the security researcher where you don't need the government, even if it's just fostering or facilitating a protected conversation. But that's not always how things are right now. That's not where some organizations are in their maturity of their own vulnerability disclosure practices, so we play a vital role. Last year, calendar year '19, we processed and managed through our CVE process 11,500-plus vulnerabilities. I think based on this year, we're probably going to exceed that. But that's a role we are happy to play. Again, we are going to continue to issue advice and guidance to organizations of all sizes and stripes. So we have some guidance on there on how they can set up their own vulnerability disclosure programs. Just last week, we issued some guidance to our partners in the state, local election community about how they can set up vulnerability disclosure programs for their systems, and so it's not just about the code, the software they're coding or whatever. It's their implementations. But if you find that vulnerability in a voter registration database, please, you know, first off, if you own that database, you need a process. But if you find that vulnerability, you need a way to report it in a coordinated manner so it can get closed out, so that it's closed out before the bad guys get there.
So vulnerability management is exactly where we are going to continue investing more broadly in the infosec space. A little known fact: this was supposed to be the year of vulnerability management. That was a theme we had. Little did we know that it was, again, it was going to be vuln management hell year. But here we are. We're here, we're part of the team. Let us know what help you need. So I'm going to wrap this one up right now. Again, CISA is here as an advisor, as a partner, as a friend. Our objective, again, top line: democratizing industrial control system security at all levels. I don't care where you are. We want to work with you. We are here to provide support, resources, technical assistance. This is the kind of organization you need to be able to protect your systems, but ultimately, it's not just about defending today's deployments. We've got to make sure that tomorrow's deployments are secure by design, secure by deployment. So that we're going to wrap up these remarks, and I'm going to jump in a time machine, and I'm going to have a costume change and all that, and think we're going to do some live Q&A. Thank you.