Hi. My name is Tim Yardley. I'm here to talk about Beetlejuice and the lessons that we should have learned for ICS cybersecurity. So, who am I? Well, I'm a principal research scientist at the University of Illinois, Urbana-Champaign. Been in academia for about 14 years, and before that, I was in the industry. My focus is on ICS cybersecurity research in a variety of different ways. So, this presentation is going to be a bit different than many that I give, and it's inspired by and leverages content from a website called ScreenRant.com that highlighted the greatest lines from Beetlejuice. I'm going to take those top 15 lines and relate those to the lessons that we should have learned in ICS cybersecurity, but frankly, haven't.

So, let's start off with an oldie but a goodie. "I know just as much about the supernatural as I do about interior design." Well, experts from other fields are always willing to help us. They're always willing to come into industrial control system security, but they need to be willing to understand the domain that they're operating in, not just the domain that they came from. The consequences in IT systems, as an example, are much different than those in the industrial control system space. So, for instance, in IT systems where business operations may be impacted, in ICS, well, all of civilization could be impacted by a particular attack or outage. Therefore, the mindset that's used by the people that operate in cybersecurity and that are offering solutions, they have to approach the problem differently. Frankly, we don't need people showing off. We don't need the best and brightest from all over the place. What we need are people that are ready to listen and understand the problem space, roll up their sleeves and get to work.

"Let's turn on the juice and see what shakes loose." Well, here I'm going to relate this to safety versus security. In the industrial control system, safety is the number one priority. 
Security, however, to many is really an afterthought. Well, you know, in some ways this could be just that it's a realized danger with safety. For instance, blood, people dying, etc. Versus the apparent danger in security where, well, an attacker may compromise something, they may do something bad, but we're probably not going to lose life. We're probably not going to have any real problems overall. There's also this mindset that's conjured up of, well, if it isn't broken, then why bother fixing it? Well, sorry to break this to you, but it is broken. You just haven't realized it yet. So let's not wait for the cyber Pearl Harbor. Let's get ahead of it by moving forward now.

"It's showtime." One of my favorite quotes from Beetlejuice. Well, as you may recall from the movie, when you summoned Beetlejuice, he frankly caused more harm than good. So for years, industry has been calling on the government to help. Well, sort of, right? So the government's here now. They have piles of money, but guess what? They expect some fast action. Is that what we really wanted in industrial control systems? Did we want to move fast? Did we need to move fast? It's unclear. Is the government there to help? Yes. Are we getting more help than we need? More regulation, more spotlights, more attention? Maybe. Maybe that's causing more harm than good. Maybe that's a distraction.

"I'm trying to cut down myself." Well, let's talk about trying to change too late, right? The need for increased cybersecurity has been progressing for a number of years, right? This isn't a problem that just suddenly appeared and popped up and we're like, caught off guard and have nothing to say for it or do, right? Let's use the electric sector as an example. We've been working in that space for a long time, trying to focus on and build out the cybersecurity provisions, the frameworks, the regulations, etc. To really, truly enforce and improve the cybersecurity posture of that sector. 
Some sectors like nuclear and the electric sector are quite advanced already in their security awareness, in their security posture, etc. But why are the other domains so far behind? Many of them are not trying to really do anything in security yet. Are they trying to change too late? It's not that the problem is any different for them. It's not like water isn't important. It's not like manufacturing isn't being targeted. So why are they waiting?

"I've seen The Exorcist about 167 times, and it keeps getting funnier every single time I see it." Well, let's continue that quote a little bit more. "Now, what do you think? You think I'm qualified?" This is Betelgeuse talking to them, being summoned as an exorcist to help in this scenario. Well, guess what? The ICS sector already has what it takes to succeed, what they need to increase their cybersecurity posture to defend their systems. Those people exist. People that are there already need it. Yeah, there's training that's needed. Yeah, change is also needed, right? We have to change how we approach the problem. We have to change how we address things. We have to change how we think about it. But frankly, you can do this. The people in the sector can solve these problems. They just have to put their mind to it. And maybe get a little help on the side too.

"I'm the ghost with the most, babe." Well, let's talk about that, right? Someone that shows up and spouts buzzwords, makes claims and pitches their solutions as the end-all, be-all silver bullet that you have to have. Guess what? Don't buy into that. There are a lot of steps that you need to do. There is no single silver bullet. There is no one product that's going to save you. There is no one thing that you can do and all of a sudden you're better, right? You need a broad and comprehensive approach to security. 
You need solutions that are complementary to each other, that integrate together, that work together to have that visibility that you need, that response that you need, the detection that you need, etc. And then most importantly, you need to use those tools in the way that they were intended to be used once you have them. It's not just, oh, install this and everything is better if I never look at it again, right? You have to be able to use and dedicate staff and people to taking these tools and leveraging them to your benefit.

"Never trust the living." Well, let's talk about trust, right? Consultants, guess what? They can help. The vendors, they can help. The government, they can help. But remember, you run the show. It's not that they are going to dictate what you should do. You need to prioritize things. You need to understand what the implications are. You need to convey to them what your priorities are, what your needs are, what the business risks are, etc. Help yourself commit to doing what you're willing to keep doing, not just what they tell you to do, right? You need to be sustainable in what you implement. You can't just set it and forget it. But you have to trust them too. They're not necessarily going to give you perfectly sound advice. They're not going to, as an example, a vendor is not going to try to sell you some other vendor's product, right? They're not going to pitch their stuff. They're going to respond in the way that their capabilities are addressing, right? So look broader. Understand what that is. Take that as input and then decide from there what you want to do with it.

"Are you the Night of the Living Dead under there?" Well, let's talk about regulation and compliance, right? Many people hide behind this regulation and compliance. Obviously, there's the argument that says, oh, compliance isn't security and security isn't compliance, etc., right? Regulation and compliance doesn't really help you. 
It does in enforcing or forcing you to do something, but it's not really the end goal, right? It's a stopping point along the way. And let's talk a little bit about attackers, right? The bad guys don't care if you are compliant with XYZ standard, whatever that may be, right? They don't get scared by that. It doesn't deter them. It actually gives them a bit of a roadmap. They know what you're required to implement and, well, they can work around that. They can use that to their advantage in some way, shape, or form. Well, the other thing is, look, even if you are compliant, let's use the electric sector again as an example. The electric sector has regulation called NERC CIP, right? And that's great, but that doesn't mean that just because you are CIP compliant, you are impenetrable by an attacker or that you're not going to be compromised in some way, shape, or form. It doesn't mean that you are secure. It means that you've done some of the best practices. You've done the minimum recommendations that are enforced upon you for regulation, but everything underneath, well, that could still be quite ugly.

"I'd rather talk about Day-o. Day-o," right? So let's talk about this and flip it a bit. Let's talk about 0-days instead of Day-o, right? So the push for finding zero-days is, well, interesting, right? I'm all for the efforts that explore and remediate vulnerabilities in systems, right? Be that products, be that platforms, et cetera. But does it really move the needle? Well, let's talk about ICS gear, right? So it has long patch and service lifetimes, right? It's out there in the field for a long time. They don't patch regularly. They can't, because it affects the operations of the systems. Not all things that we discover are fixable in industrial control systems, either. 
Sometimes the hardware is just physically not capable of being able to implement something more comprehensive than what it does to fix fundamental problems that are inherent in the firmware or the bootloader or the architecture itself. And sometimes these things, well, they can't be fixed. So if we find them and publish about them, what impact is there from that? Well, it identifies a vulnerability. But if that vulnerability can't be fixed in the products, are we really moving forward or are we actually hurting ourselves a bit more? In my opinion, our energy should probably be more focused on layered defenses, on closing attack vectors, on making it so the attacker can't get into the system in the first place to hit those end device targets that you're identifying zero-days in, right? The other thing is, well, decreasing the time to detection across the organization, right? So attackers can be on your system forever, poking around, prodding, looking for any potential misstep that you may have. What if you could detect them sooner? What if you could stop them way early on and know that they're there and eliminate that from happening, to prevent their pivoting further down into the system so that they don't get to the point where they can exploit those zero-days that are being found on systems? Now, I'm not saying that finding zero-days is worthless. Finding zero-days is very valuable. It's great to have those things fixed in the systems. It's great to identify detection and prevention techniques and filters and other mechanisms by which you can identify these happening in your network, right? But ultimately, you have to be able to stop them. You have to be able to patch them. You have to be able to remediate. There's all sorts of different approaches to this, right? But the first step is, well, being able to detect, right? You can't stop something you don't know is happening. You can't stop somebody that you don't know is there.

"I myself am strange and unusual." 
Well, let's talk about that a little bit, right? Everyone always says that, well, we're special. We're different. People don't understand what it is, right? They don't get the domain, or they're IT. We're OT, right? Well, guess what? You have what it takes to see through the cruft and solve the problems. You don't need to get wrapped around an axle arguing about IT versus OT or whose system is more important or whose policy should be applied, right? And there's a lot of experts out there pushing their views, pushing their opinions. Some of those are well-merited. Some of those are very well-respected. Some of those are well-grounded, but others are not, right? There are also gaps in knowledge, in understanding, and in skills in every sector on both sides of the fence. Attacker methodologies are always changing. Defender methodologies are always changing. What is possible is always changing. But guess what? We can still solve the problem. We can still take steps forward. We can still work on the things that we need to work on. It's okay, right? So you take that input from those experts. You ask the questions that you need to ask, that you're afraid to ask. You ask those questions. You get them to clarify. You explain what your requirements are, what your risks are, the things that you're worried about, the things that keep you up at night, the things you want to protect against in your sector, the threats that you feel you have. And use them as a sounding board. They may come up with novel things. They may not. But then, whatever input they provide you, you need to decide what that means to you, how you want to take that input, how you want to apply it, and how you want to leverage it and use it moving forward.

"Don't mind her. She's still upset that somebody dropped a house on her sister." Well, guess what? Holding on to the past instead of embracing the future is all throughout industrial control systems across the board. 
Every domain is digging in their heels in some way, shape, or form and trying to prevent change, right? Change is hard. But guess what? It's inevitable. The sectors themselves are changing. Digitization, modernization, demands changing from users. Let's go to the electric sector. 50 years ago, there were no real things such as distributed energy resources. People didn't have solar cells on their house and wind turbines deployed across the country and generators that were firing up in all sorts of residential neighborhoods to provide power back to the grid, right? It was, you had large generation and it was what it was. But we're seeing that distributed energy resources are changing the composition of the grid, and the grid has to adapt. Plug-in hybrids, electric vehicles, modern electronics, all sorts of things are causing changes. Even the mix of what generation is. It used to be big spinning wheels with all sorts of momentum and energy built up into that. But now you have peaker plants and you have nuclear power and you have coal and you have natural gas and you have wind turbines and you have solar and you have all sorts of different mixes of generation sources that are all doing different things. The grid, the domain, the operating paradigm, how close you operate towards the peak of efficiency, all of that is changing. The ability to have real-time communications, the quality or complexity of the system itself, right? Let's stop pushing against that change. Let's stop pushing so hard, wasting so much energy on trying to change what's coming to us, trying to push it away, right? And instead we need to embrace it. We need to look at what it can do for us. We need to understand how we need to adjust our mindset, the way we do business, the way we operate to accommodate it, because that change is coming. We're not going to stop it, right? And then we have to simplify the approach that we take. 
We have to take what we look at as this extremely complex and hard problem and break it down into chunks. Simplify the approach, go towards what we can improve, work on the things that we can do, and then go do it, right? Don't just talk about it. Do it. Take a step. Do that one thing that you know will help you, the one thing that you know will move you forward, and start there and then go to the next and then go to the next and keep doing that. Thanks.

"I've been feeling a little flat." Well, you know what? He was run over by a semi, right? He has the right to feel flat. But guess what? We're getting run over by semis every day, right? You've seen in the media, you've seen all sorts of reports and federal spotlights being shined on problems and the discussions about increased regulation, et cetera. None of these are really helping you. They're distractions, right? You know what you need to do. You know you need your systems to be more secure. You know that there are problems. You know where those problems are, right? You've run these systems for years. Stay true to that. Understand what can impact those systems and work towards solving that. And guess what? It's okay not to be perfect, but we have to move forward. We can't just sit there stagnant. We can't dig in our heels. We have to be willing to fix the problem. And so don't worry about what everyone is yelling at you, right? They're not telling you anything that you don't already know. You just have to react. You have to move forward. You have to work on those problems. So stay on course. Work towards those goals that you have. Evaluate and assess the goals you've set and make sure they're set correctly, right? It's the worst thing in the world to be heading towards a destination, and that destination isn't even there when you get there, right? So stay on course, but evaluate where you're going. Understand that the world is changing and make sure that you are working towards addressing that, right? 
And if you're not on course, guess what? Adapt and adjust based on your priorities, on your needs, on your plans, on where your domain, your sector is going.

So what about the government, right? They're dumping a bunch of money into this. Well, guess what? They want to remodel, right? They want to change things. "A little gasoline, a blowtorch. Got it. No problem," right? So big spending is coming to quickly solve the problem, but is that what we need? Do we need big spending? Do we need a ton of money? Well, yes. Cybersecurity isn't cheap. Some of these changes are not cheap, right? But we don't need to tear the whole system down to be more secure. We can't just adopt all these brand new shiny objects that are out there that are going to solve all of our problems, right? Just adopting that isn't going to be secure. We're not going to fix the problem by that. We'll just change the understanding of the problem, more than likely, right? So improvement does come with time, right? And while there is a time and a place where we tear things out and we say, look, I'm putting in this whiz-bang new gadget, it's going to solve all my problems, critical infrastructure really isn't that, right? We have to make incremental improvement. We have to use layered defenses. We have to move forward in a variety of ways. And it's not rip and replace, right? Rip and replace is not the solution here. We're not going to knock down all the walls. We're not going to change everything, right? We're going to build upon what we have and we're going to do it in a smart and intelligent and deliberate way.

"What's the good of being a ghost if you can't frighten people away?" Well, guess what? The hackers don't care about your military-grade encryption, your compliance with XYZ standards, et cetera, right? Using those big buzzwords, putting out press releases about all the cybersecurity work you've done, et cetera, isn't going to help you. It's not going to scare them away either, right? 
Some may take it as a challenge. Be like, oh, you think you're hot? Well, guess what? I took you down, right? So let's talk about what people use for reasoning, right? Cybersecurity frameworks are a good example. They're useful, right? But they're only useful when they're used in the way they were intended. They aren't solutions. And really, what they are is just scaffolding, right? It helps you decide what you want to build, how you want to go about it, but you still have to do it. Same thing with other frameworks out there that we use to reason about what attackers are doing or how we respond to them, things like MITRE's ATT&CK framework, et cetera. Look, if you protect against everything in MITRE's ATT&CK framework, are you going to be in a good position? Probably, right? But there's all sorts of things that aren't captured there yet. There are all sorts of things that could affect you, et cetera. And is it the best way to go about saying, oh, well, let's reason about what an attacker can do and prevent it? Maybe, right? You can also look at INL's CCE. You can look at all-hazards approaches. You can look at EPRI's approach. You can look at all sorts of different approaches to the problem. But really, what matters in the end is what are you scared of? What impacts your business? What impacts your domain the most? What is your worst nightmare, right? And how do you make sure that that worst nightmare doesn't happen? And then once you know that that one won't happen, let's move on to what's the next worst thing, right? Logic will prevail, right? We don't need to just invest in whiz-bang gadgets to invest in whiz-bang gadgets. We need to understand what our risks are. We need to reason about those risks. And that's where the frameworks help, right? They allow you to think about this in a scaffolding. MITRE ATT&CK is a framework, right? It is not a solution. The Cybersecurity Framework is a framework, not a solution. 
62443, you know, I don't know, 800-53, all the different standards that are out there, ISA 99, et cetera, they're going to help you be in a better position. But they're not your solutions. You have to do that. You have to build it.

The other thing, well, guess what? "Go ahead. Make my millennium." Come after me, right? Bragging about how secure you are and you weren't affected by hacks, et cetera, that's only encouraging those that want to target you. I guarantee you are vulnerable. You will be taken down. You will be compromised if you are properly targeted. The question is, in the end, how do you respond when you're on the ground? When you get punched in the face and you're down, do you get back up? Do you improve, or do you, well, sulk off and fight, right? Or ask somebody to help you or beg for assistance, right? So go ahead. Make my millennium. Move forward.

Thank you. If you want to reach out again, I'm Tim Yardley, yardley@illinois.edu. And let's summon some Beetlejuice. Beetlejuice. Beetlejuice. Thanks.