Will you guys let me know when to start? And good evening, everybody. Welcome to my talk. Thank you very much for being with me or watching this video. And thank you, um, I say as well, to the chair. Shall I continue? Go for it. Oh, okay. So, for those of you tuning into the ICS Village talk, this is Bryson Bort, the lead for the ICS Village. We're having some technical difficulties with Marina calling in from Europe. Her connection keeps dropping, so bear with us. We're trying to work through this. We're not able to successfully pull this off during this hour. We're going to find another time to record a talk with Marina, and we will still share that with you after the conference. Hello, and I am back. I don't know. I'm glad that I managed to get two internet connections for this talk. So now I'm on the backup connection, so I am a true... I have a good cybersecurity program in here. And so, as I start: I used to be this offensive vulnerability researcher, and in recent years the word "offensive" kind of has a very negative meaning, so that's why I call myself right now a vulnerability researcher. I used to do very crazy and exotic things. I have six accepted and five presented Black Hat talks. I have done DEF CON, CCC, TROOPERS, S4, Hack In The Box; I even keynoted at ICSJWG. So I've done offensive stuff. And I used to create these troubles for asset owners and plant operators, and I believed that my threats were the most important and urgent to defend against, and I was very opinionated about that. I'm the head manager of the cybersecurity program and I am responsible for keeping my customers' plants safe and secure. Yes, I still think my past research was cool and very important. But no, I don't think that defending against my cool and very important threat is my priority right now, and this is what this talk is about. This was my past life, and this is what you see here on the photo: it's how I was getting ready for my Black Hat USA 2017 talk.
And this is somewhere at 1am in the night, and I gladly spent time with all of my hardware and servers in troubleshooting, and it really was very satisfying. My life has changed entirely since then. And now I became a consumer of the problems I used to create. So my current life is really extraordinarily boring: all of those things which all of us typically hate, you know, like my agenda is my second later right now. In terms like standards, compliance, KPIs, policies, procedures, everything has to be very cost effective, and it's all about risks. So, you know, at the beginning I was kind of a little bit upset, like, what did I agree to do, like, for this job, and, like, as my very good cybersecurity friend, who is a researcher, told me, "Well, congratulations dear, you are a manager now." So yeah, my life has changed. And yes, some of you will probably argue: "But Marina, you previously worked as a lead and senior cybersecurity consultant and an engineer and a principal threat analyst before you've done this job. You did consult customers about cybersecurity programs, you did threat assessments, you should know all of the things, this shouldn't be something new for you." So there is a difference: as a consultant, it's your job to actually point to the problems, you have to find them, and as an analyst you also have to report about problems, and then you leave the customer with recommendations, and you actually do not see the larger picture. So your money is not involved, because you're not actually remediating or building plans to remediate. You're not really going into the individual circumstances of individual plants, maybe internal politics or relationships and whatnot. So that part was not previously present. And now I'm responsible for the entire picture, because I'm going to the sales meetings. I then participate in bids and project proposals.
I am then participating in building and configuring systems, like entire solutions for the customers' networks, and then the customers operate the new environment, for example, or the upgraded environment, or even if it is a brownfield. I also consult on the advanced services or provide advanced services. So, basically, when I already go with a sales meeting into the customer, I already see in advance how we will be implementing it and building it, what will be consulted, and I need to consult the customer in advance on what they might need in the future, because they will need it. So basically, it's really a big difference between then and now, and maybe the best way to explain it is that previously I've seen this local optimum: so I was working on one task, like, for example, hey, I just do an assessment of one plant, and then maybe I even propose mitigations, maybe even in a prioritized fashion, but it's a local optimum. Now I work, for example, on building cybersecurity programs for the entire company with multiple plants, so now I have to optimize the global optimum. And actually, maybe for me personally, the best analogy to describe what I'm doing right now, and overall what I need to achieve in my new role, is linear programming. I don't know how many of you know about that, but as an engineer, this is what I used to do a lot for engineering problems. And I put the link to Wikipedia; highly recommend to check it out. It's basically every problem you need to solve or optimize, because this linear program is frequently used for operational problems and finding the optimum, for example, of profit or something else, based on the constraints which need to be fulfilled, and you then formulate the problem which you need to optimize and you formulate your constraints, and then specific applications will try to solve that optimization problem for you, and sometimes it takes hours and whatnot.
So, this is how I actually think about pretty much every problem, because I always try, we always try to find this optimum based on the constraints we have. And then in my new role it's just like the optimization equations got longer, and the list of constraints got longer, so optimization is becoming more and more difficult and challenging and tricky. But that's the beauty of it. So, and maybe the situation in which I am right now reminds me a little bit of Karsten Nohl's story, because he used to be a cybersecurity researcher, he still is, and he was a source of troubles, and at some point he became the CISO of the richest startup in the world. It was in India. And basically he became a consumer of his own troubles. And he gives insightful talks on how it is impossible to build a perfect cybersecurity program, or just security for any application, even with all the money and knowledge in the world. And they're really fascinating talks which he gives; unfortunately there are no recordings, but I was lucky enough to see it in person a couple of times. But it was interesting to see that even if you have all the money and all the knowledge, you know, finding this optimum, optimizing that equation with so many constraints, is impossible; you just have to find basically good enough. So, before I jump into the talk, a couple of disclaimers. This is the least technical talk I've ever given, still too many slides. I'm still working on trying to have fewer slides for my talks. I think maybe for some of you this talk may be boring. So I'm sorry for that. And I know that many of the professionals in this field, especially those who have many years of experience, after seeing this talk would say, "Well, I told you so." Yes, I know you did, ten and seven or five years ago, but I was a different person at the time. I really agree with you now.
So, this talk is based on my own thoughts and considerations, so whatever tips and suggestions I provide, no warranty they will work for you. And honestly, in my current life phase, where I work on so many projects at the same time and have to switch quickly, I realized I really became comfortable that good enough is actually perfect. I used to be such a perfectionist. Basically, like, in all the good times, you know, that was my entire world, you know, like, I've been looking for the most weird, difficult, exotic ways of exploiting cyber-physical systems. I was mostly working at the layer of controllers and physical processes. And the more difficult and challenging the problem was, the more I was interested and determined to find the solutions, and, you know, like, I used to have calls with my security researcher friends and bashing about, like, "Oh my gosh, can you imagine they did not touch that vulnerability, how terrible it is." You know, I used to be all of that person. And now when somebody is telling me, like my customers telling me, "I just think we need to publish that remote code execution vulnerability in some device," I'm like, "Now, if you have some time and money to spend, please build your demilitarized zone." So, basically, if I would try to explain what suggestions I was previously giving, this would be an example: for example, this picture, this cluttered room, is basically a good example of how traditional plants look like, like many of them, you know, it's just like this cluttered room, you know, like there is everything everywhere, there is no real structure, nobody knows what way, somehow it works. I guess many of my colleagues will understand. And I was saying, in the context of this cluttered room, that if we would apply some very advanced cybersecurity solutions...
For example, an analogy would be to put this beautiful chandelier in this room, and suddenly this room will become beautiful and organized. And in reality it won't, you know, like I was trying to tell, like if you put this chandelier in the room, basically it will transform that room into the Omnia Club in Las Vegas, you know, I'm not nostalgic at this point. So obviously when I was recommending, like, skip the basics, apply some advanced cybersecurity controls and you will be fine, clearly that was a really wrong recommendation, and I am admitting it now. So, basically, I was that person, and now when my customer comes to me and says, "Hey, this is my cybersecurity budget, and I need to understand how best I spend it," you know, like I have to be pragmatic and cost effective, and I have to change the way I think. And this is how I've learned actually to like secure architectures. For example, we all know how the traditional ICS network would look like: we have a corporate network and a SCADA network, and somewhere at the bottom of it we have a physical application which we are trying to protect. And basically, typically we build those networks in a layered fashion, you know about that, and it's all determined by the data flows: at the bottom we have real-time data exchange, and it becomes less real time at the top. And in general, this could basically be divided into two parts, like process control and monitoring at the bottom and process management on top, and ideally you should build them in such a way that you could always decouple this upper part. So you may lose all of your corporate and layer three, like this process management, and you should be able to operate. You might not be able to serve your customers, like dispatch your chemicals or whatnot, but you are still safe, and you still can produce, and if your, you know, like vessels are full, you may just shut down the plant, but in a safe manner.
And basically if you look at the entire architecture, how the very classic Purdue reference architecture looks like, it looks like this. And actually, previously, I mean, of course it always made sense for me from the data processing standpoint, but now I started to appreciate it from the standpoint of organizing and building cybersecurity. And I will explain why. And this basically also helps me to explain to customers how they should prioritize their expenditure, so that I could have a meaningful conversation with them, an argumentation which they can follow. And at the bottom, this is actually where our physical process is, and this is where the hazards live, and we are trying to prevent hazardous situations, and we have sensors and actuators, which are solid units, which are completely trusted. At the moment there are no security controls which we can apply there, and it's considered to be trusted, so basically there is nothing we can do from the security standpoint there at the moment, but this is actually the layer which we are trying to protect. And then we have this very gigantic layer one, layer two, which is your distributed control system. And here's actually one more disclaimer: clearly I'm mostly specializing in chemical, pharmaceutical, oil and gas, so basically large continuous processes, so this is the background which I use in my presentation. So this is why I'm talking in the context of distributed control systems. And while this is already a system with computers, and we could actually apply traditional security controls which we apply in the corporate network, it's very difficult in here, and this is why I put "it's complicated". At the moment, unfortunately, the situation is such that the market is full of really fantastic solutions which we could apply for security, and a lot of IT companies are also basically trying to push their solutions into this layer.
But at the moment we still did not find a good way to basically approve and manage and apply these security solutions in these layers. And the point is, the truth is also that vendors like ABB and all others, whatever you think of, like Siemens, the most famous, Yokogawa, Honeywell and so on, each vendor has to approve specific solutions to be applied. So the customer is pretty much limited in what they can use. And because at the moment there is such a competition and a variety of products, they're still not even sure what is the best and what is most cost effective, so it's actually very difficult to really implement proper technical cybersecurity controls in this layer. So where we are actually left with is our layer 3 and the demilitarized zone, and this is where you actually can: these are already full-fledged servers, you can patch them, you can use host agents for advanced threat detection, you can do vulnerability scanning and whatnot. It's all yours. So this is where you can actually collect the logs from firewalls, monitor data flows and whatnot. So this is where you can actually implement the full-fledged cybersecurity program. And basically apply patches and reboot servers without interrupting production. And you would probably argue, "But Marina, we still want to have this defense in depth, you know, like we should still do something in layer two and level one." And here's where I actually find a good argument why we should still concentrate most of our efforts on the demilitarized zone and level three. So when we talk about level one and level two, they are actually already part of the safety protections, and I will explain you why. So on this slide you see actually the relationship between security and safety, if you put it in a temporal fashion.
So we have layers of security protections which actually protect us from threats, and behind every threat there is always a human, something intentional. And if the attacker was able to go through all the layers of security protections, we already have a security incident, and then we say, well, this is where we rely on the layers of safety protections, so that the attack will not be able to actually cause a hazardous situation. But here's the point. So when we talk about the DCS, so basically basic process control and alarms and operator interventions: as you can see on the slide, they are actually already parts of the security layers. These are layers of safety prevention measures. So it suddenly makes more sense to keep the attacker as far away as possible, so we basically have to really build a very strong perimeter and make sure to basically minimize the chances that the attacker will even approach our layers of safety protections, because it's our last line of defense. But there is one more argument. And it goes into the finances. We all know that, you know, in operations, even a small hiccup on the network, when maybe a packet has not arrived, may already cause a process upset, and the majority of incidents, or cyber-related incidents which happen in the plants, they're not security, they're cyber incidents where there was not enough memory, not enough storage, network congestion or whatnot, but all of those already introduce interruptions into the normal operations and actually reduce the efficiency of how we run the process. And this is a really big problem for the operators, because they are operating on there. So, yes, the number one priority is safety, but their number two priority is to maintain actually cost-effective operations.
And if you look on the left, you have a slide where we look at the independent protection layers, we have alarms in there, and there is even explicitly stated a financial alarm, you know, like we're losing money. On the right you see another graph where we are still operating, maybe still operating in the normal operational region, and we are still producing our product, but we are already not in profit. We are already losing money because we are not producing effectively; the product is still up to specification, but we are using too much energy, losing too much useful chemicals, maybe in the purge or whatnot. And this is why, you know, we know that pretty much any hiccup on the DCS operations may cause this inefficiency in the production. And this is the second reason why we really want to keep the attacker away. We want to minimize the chances of the attacker even reaching that level; we don't want any random person roaming in our industrial control network. And this is actually to give you an example, like how much money we may lose if the operator will not, for example, react on time. So, on the left you see that, for example, when we talk about minor effects, something, you know, just minor, it's not even medium or major, it's minor: it's when you lose an estimated 10K to 100K. You know, if you talk about a budget of 100K, I think people cannot even imagine such budgets, you know, like this would be a fantastic pentest of the entire corporate network, and we fight five years to get that in the IT world. Well, they don't even... they care not so much about that loss. And on the right you see, for example, basically, when the operators decide what alarm to react to first. They basically have to react to emergency alarms first, and this is when they have very little, as you can see, we have very little reaction time, five to 15 minutes.
And if they will not react within that time, like, for example, within 15 minutes, the loss could be from one to 10 million, or even more than 10 million. Just imagine those numbers. So imagine that we do not build a strong perimeter and we say, well, even if the attacker gets to the control layer, we will still try to detect him in there. But if the attacker manages to suppress just one stream, one critical alarm, if the operator just basically lost his visibility for a few minutes, he fails to react on time, and the losses can go up to 10 million. So, as you can see, because of this very short reaction time and high losses, we really want to keep all the attackers away from our control environments, and this is why I still argue that we have to introduce as many technical controls as possible in the layers up to the demilitarized zone and try to detect. So make sure that the only conduit into your control network is such that the attack has to go through the demilitarized zone and through layer three. There is no other way into the control network. So basically the attack has to go there, and you try to have the maximum to detect an intrusion in those layers. So let's say this is your top priority, and, for example, prioritize spending 80% of your expenditure in those layers. And that means also that you first have to actually build your proper reference architecture: you need to form a proper DMZ zone, you need to properly form your level three, and this is very expensive. It's very difficult, it's complex, but this should be your number one priority, and I can't believe I am saying that, because two years ago I would not believe that I would be saying something like that. And actually layer one and two, this is where most of your security controls at the moment can take the form of policies, procedures and common sense, prayers, you know, like check the karma of your employees and whatnot.
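The conduit rule just described (the only way from the enterprise network into the control network passes through the DMZ and then level 3, with no other route) can be checked mechanically once the data flows are mapped. The following is an added example, not code from the talk or from any vendor; the zone names and the sample flows are constructed for illustration.

```python
"""Added example (not from the talk): check mapped data flows against the
rule that every conduit into the control network must traverse the DMZ and
then level 3. Zone names follow the Purdue levels used in the talk."""
from collections import defaultdict

# Ordered from the enterprise network down to the physical process.
ZONES = ["L4_enterprise", "DMZ", "L3_operations",
         "L2_supervisory", "L1_control", "L0_process"]
RANK = {zone: i for i, zone in enumerate(ZONES)}
CONTROL_ZONES = ("L2_supervisory", "L1_control", "L0_process")


def layer_skips(flows):
    """Flows whose endpoints are not in adjacent layers.

    A flow that jumps over a layer (for example DMZ straight to L2) is a
    conduit that bypasses the controls placed in the skipped layer.
    """
    return [f for f in flows if abs(RANK[f["src"]] - RANK[f["dst"]]) > 1]


def paths_into_control(flows, entry="L4_enterprise"):
    """All simple paths from the entry zone into a control zone.

    Flows are treated as directed: src is the side that initiates the
    connection. The walk stops at the first control zone it reaches.
    """
    adjacent = defaultdict(list)
    for f in flows:
        adjacent[f["src"]].append(f["dst"])
    found = []

    def walk(zone, path):
        if zone in CONTROL_ZONES:
            found.append(path)
            return
        for nxt in adjacent[zone]:
            if nxt not in path:          # no cycles
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return found


def bypassing_paths(flows, entry="L4_enterprise"):
    """Paths into the control zones that do not go DMZ -> L3 in that order."""
    bad = []
    for path in paths_into_control(flows, entry):
        compliant = ("DMZ" in path and "L3_operations" in path
                     and path.index("DMZ") < path.index("L3_operations"))
        if not compliant:
            bad.append(path)
    return bad


def report(flows):
    """Human-readable findings for a mapped set of flows."""
    lines = []
    for f in layer_skips(flows):
        lines.append(f"layer skip: {f['src']} -> {f['dst']} ({f['service']})")
    for path in bypassing_paths(flows):
        lines.append("bypasses DMZ/L3: " + " -> ".join(path))
    return lines


# Constructed sample of mapped flows; not taken from any real plant.
SAMPLE_FLOWS = [
    {"src": "L4_enterprise", "dst": "DMZ", "service": "historian replication"},
    {"src": "DMZ", "dst": "L3_operations", "service": "AV/patch relay"},
    {"src": "L3_operations", "dst": "L2_supervisory", "service": "OPC"},
    {"src": "L2_supervisory", "dst": "L1_control", "service": "controller comms"},
    # Two flows that violate the rule:
    {"src": "L4_enterprise", "dst": "L2_supervisory", "service": "vendor remote desktop"},
    {"src": "DMZ", "dst": "L2_supervisory", "service": "backup agent"},
]

if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

Feeding the checker a flow table exported from the firewall rule set or the data-flow inventory turns the "only one conduit" argument into a list of concrete exceptions to discuss with the plant.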
So, of course, you know, there is also a slight deviation; you know, the standards will tell you how the absolutely ideal network architecture should look like. And then, you know, there is reality, because it's all about balancing security versus usability versus cost. Again, we're talking about linear programming optimization. For example, for our ABB control system, and I'm saying this is for ABB, it might not be applicable to every organization, we built, for example, a slightly, I would not want to say simplified, because this is a security level four architecture, but a little bit more manageable one, because, for example, for certain operations like antivirus updates and backup, there's no routing of the traffic between DMZ and level two, but that is because of the way we implement those services, because we still do them in a very secure, very conservative way. And we are very well aware that this is not risky to do so, but it is a much more manageable architecture. And that is the point: for every organization that security architecture will look... it might look like Purdue and might look differently; it's all about basically implementing all of your data flows and access control and identity management in a secure way. So, for example, once you map all of your data flows and file exchange routes and you make sure that they are all very secure, then you are good. So it has to be properly analyzed. And again I'm saying that it might not look like a traditional Purdue architecture, but it still has to be secure. But once you build the security architecture, and unfortunately in this talk I do not even have time to go into all of the zones and conduits and why it is so amazing, but once you have this granular and properly built architecture which is capable of being managed,
then it is very easy to actually introduce any other service, because, like, I will jump back to the slide, we have layer three where you have operations management; this is basically your service layer. So if you have a site with several plants, you may share that level three between multiple sites; you will have multiple level twos but then one layer three, which will be services for all sites. And again, once you build this properly formed and you are capable of managing your architecture, introducing new services becomes really plug and play. So as an example, I removed the name of the application, but this is one of the ABB applications, an advanced service, like an advanced application for process control. And we already build them and implement them in such a way that you just plug and play into your existing infrastructure, and integrating the new service and introducing it and configuring it is extremely easy. And it's just an example from ABB, but it could be any application and any vendor. When I work with a customer, this is exactly the process and the explanations which I'm going through. It probably sounds to all of you so boring, like, "Marina, where is the vulnerability research, where are the CVEs," but that is my new world right now, and I have to break these complex problems into easy arguments so that I could actually implement the fundamentals right, so that I can then build the advanced security controls. So many customers rightfully argue that it's expensive to implement correctly the entire architecture at the beginning. Yes, but in the long term it's a gigantic cost-saving factor, and it provides you really a very manageable, very high level of security assurance. So, of course, life would not be boring if it would be easy. You know, on one hand, it's so easy to say, well, just put in a firewall and then you're done, you just, like, have your DMZ.
The reality is not so easy, because, you know, with such projects every customer is constrained by the available budgets and sometimes by schedule, like, "Hey, schedule my downtime at this time and I need to be very quick." And you see, like, for me building the DMZ, or even just adding an extra firewall, if they already have one firewall and we add in, like, North, they already have North and we add in South, it's not that easy; it's not only hardware cost, but it's also, you know, a lot of... I put here on the slide, it's just a snippet, an example from our real project where we're building a DMZ; it's not complete, I hid the details, but just to give you an idea how many activities go into such projects, and it all costs money. So eventually it's not just buying a firewall, but executing such a project is expensive, because a lot of activities go in there just to configure everything. And, you know, eventually, because also building the DMZ means, you know, you have to properly build your services or servers and split services to make sure that everything is secure and everything. And then suddenly, because you still have this amount of budget, it suddenly becomes this Tetris-for-adults game. You know, you're trying to shuffle this budget, like maybe we will remove a little bit in here, and there we will remove a switch, and so on, because at the end of the day you're trying to optimize customer value with the available budget. So it's not that easy to build it, and this is always, you know, like the most interesting things are always in the details. I would argue at this point of my life and in the current role that for me the proper DMZ is a higher priority activity than, for example, patching a code execution vulnerability in the controller at some lower level, you know, like.
Anyway, you know, at the moment patching controllers is, I mean, depending of course on the CVE, but, you know, since most of them do not even have authentication and you can directly talk to them, why even bother patching. But again, probably many of my cybersecurity researcher friends don't like what I'm saying right now, and we can talk about that; reach out on Twitter. As a pro tip, you know, as I said, building security architectures is expensive, and, you know, sometimes plant operators experience real difficulties when making those financial decisions, whether or not to invest into an extra firewall, extra servers and so on. So here is my pro tip, like how to ease that decision making for the customer: conduct a high-level, simplified risk assessment of the specific architecture at hand or data flow, document the identified risks, explain the risks and potential consequences to the operators. You can remind them that ultimately they are responsible for all the risks at their plant, and they shall eventually address them by accepting or mitigating, and if they consider mitigating at this point too expensive, they have to be aware that they will have to accept that risk, and these are the potential consequences. And typically, you know what, this simple process makes the decision so much easier, as in: "Okay, you know what, I don't want to be responsible for that. Let's add a firewall, we will find the budget." So, you're welcome. And, you know, sometimes also, this is why I learned to like compliance, because sometimes, if they're still doubting, "shall I, shall I not," you will say, hey, the standard is telling you, or the best practices are telling you, and then it actually makes the decision making also easier for the customer. Well, the second part is how I learned to love standards, which I never did before. So, um, in June last year, I actually gave a talk about 62443 and how it is applied to these assets, and I actually was bashing the standard a little bit.
And I was, of course, factual, but I kind of expressed a couple of disagreements. And because I have a lot of very good friends who actually build the standard, like, I never published the slides, because I was a little bit ashamed. Like, how could I say some negative things, or basically point out some maybe imperfections in the standard, and gosh, how I'm ashamed of myself, because, you know, right now I absolutely love and adore 62443; that's everything for me right now. And here's the point. So why I started liking it: so, you know, performing technical cybersecurity plant audits is not actually very hard. I have, like, really extensive experience in auditing plants, and I've done it for multiple organizations, for multiple industries, globally, so that's something that is practically a skill, and I have no issues with that. Where it's becoming difficult and complex is when you actually have to build the entire cybersecurity program, or build a program for mitigating in a prioritized fashion with timeline and cost, and suddenly it's becoming a very complex, expensive and time-consuming process. In addition to that, you know, because if it is a process and you invest money into it, you actually need to justify it, to find some measured value to justify the expenditures to the project sponsors, sometimes it's governance or whatnot. You actually need to measure your progress. And you actually need also to compare, you know, the cybersecurity posture and mitigation progress of individual plants which are completely different, of different maturity, but you need to compare them in some normalized metrics. And this is where this business risk, KPIs, all came back into my life, and suddenly it reminded me of all the knowledge which I got, so I have an MBA degree, and suddenly all that knowledge came in handy to me, and I started basically remembering all of what I've learned in my MBA. And I put it into practice. And here's another thing.
So the fourth principle of economics, there are ten of them. The fourth one is my favorite: people respond to incentives. It means that we take certain actions and make decisions based on their perceived value to us; it could be also negative, it could be positive value. And this is a fun story, when I had a meeting with a CISO of a very large industrial organization. And I kept telling him about our success stories, where we've done fantastic projects for our customers, and then I told him, like, "Hey, we built for a large LNG plant a security program where we matured the customer from quadrant five to 1111," it's kind of highly recommended for the oil and gas industry, so basically security level three, maturity level three. And his immediate question was, "And where are we now?" You know, like, people are competitive, you know, they want to compare themselves, and I was just like, well, let's build your KPIs about those and let's explain to you how you can get from some lower to a higher quadrant. And what I like about 62443 is that it provides a lot of logical and meaningful ways to build your KPIs when building cybersecurity programs. So, for example, I must admit I previously was skeptical about the security levels and how they are described. Right now I like them, because they really help me to, for example, when we talk about security architectures, you know, we need to perform a risk assessment of every system, like fire and gas, and emergency shutdown, and process control, and safety and whatnot. And then we need to assign security levels based on the risk criticality, and also assign those security levels to conduits, and then we need to meet those requirements. And right now, I really like it, because it gives me something tangible to work with. And we know that different plants have different maturity, so some of them are terribly legacy, some of them a mixture of legacy and new, some very new.
And the standard also provides us with additional metrics, so that you can, for example, measure the capability security level; like, a legacy system will not be very capable. Then there is the target security level: let's say your capability level is one and your target is three; then the standard will tell you, well, you can use compensating controls, and see whether you achieve the target level, and then you measure your progress with this achieved security level; you probably will go from level one to level two and level three. So all of the security levels in the standard really provide a way to build very nice KPIs to measure the effectiveness of your program. And then of course you need to measure also how well you're doing. And the standard has maturity levels, and this is what actually forms those quadrants: it's basically which security level you were able to achieve and whether you are maintaining that security. So security controls, and what I like about these maturity levels: for example, level one is just that you have a security control, and level two is if you basically built your documented process about that; you're already in level two, it's so easy to progress in those quadrants. And level three is actually if you are practicing it. So for example, you have antivirus: level two, you have a documented process for how to update the antivirus, and level three, you are actually updating that antivirus. So basically you can use those quadrants for pretty much every security control, and that will help you to actually monitor and measure the progress, your mitigation progress, which for any quadrant will make very fantastic numbers. And of course you can build much smarter and more interesting KPIs, but this could be building your very fantastic foundation. So, this is something that I can work with, and it's so easy to explain to the customer, and it seems like an achievable process.
So, and this is an interesting thing, that I used to hate even the words policies and procedures. I used to teach ISO 27001 at the university, and it was my least favorite topic; I would have an allergy to the words policy and procedure. And now this is my number one to go to. So when I start working with a customer, and it says, like, well, we've never done anything with security, and now we understand it's an important part; the government wants it; we understand that the risks are higher; the moment you want to build the cybersecurity program, the number one thing I need from them is: guys, we need to establish policies and procedures. Policies will tell you what I want in terms of security; all your security goals need to be described in the policy, it's very high level, in very short sentences; and procedures will actually tell you how you're going to implement it. Even if you talk about backup, there are thousands of ways to implement backup. We need to describe it; the procedure will tell you what is an acceptable way of implementing backups in this specific organization, which is based on their network architecture, based on the risk assessment, or perceived risk, or acceptable risk, or personal preferences. And if these documents do not exist, we will always be unsure about what is a good way of implementing your backup. So first formulate the procedures, and then the beautiful part of the procedures is that, number one, you have roles and responsibilities. People will be assigned responsibility for specific tasks, and they will put their signature, and as soon as people put their signature they feel responsible, and things will start happening.
If nothing is described, nothing is defined, nobody's responsible, there is no cybersecurity program. And for me the number one working step when working with the organization is developing policies and procedures, assigning roles and responsibilities, training those who are responsible, and then on top we can suddenly start building a program, because somebody is responsible. And I hate, I remember how much I hated the word RACI, this responsibility assignment matrix, and now I love it. Well, and then basically the last tip is basically my... So how do you, because when I'm asked by the customer, please build me the cybersecurity program, the number one thing is that they know how expensive it is. And the stakeholders and the CISOs, they want to know: are we doing well? Like, was it even budgeted, was spending that budget justified? And we know that with security it's difficult to measure, because if nothing is happening, people believe, why do we need that security, we are not even detecting anything. And this is why I measure the effectiveness differently. So what I do is I take the corporate risk matrix, and I tell them, you know what, in order to make sure that you are socially responsible, that you're minimizing your potential business risk, in terms of cybersecurity risk you want to be in the quadrant, like in those green areas. And if we implement security controls and we conduct all of these risk assessments in a specific documented way on which we all agree, and we believe that with the implemented security controls we minimize risks to an acceptable level, then that program was justified, and then when the government or whoever knocks on your door, you will show: hey, I'm managing my risk, I am responsible. And if you talk about the same things with a plant person, use the words license to operate, because they will understand what it means.
And when we talk about safety, if you did not minimize your safety risks to this acceptable level, so you would never be allowed to leave red, it has to be at least amber or green, you will not get your license to operate. This is the same with security: tell them, as with the license to operate, that now your cybersecurity risks are minimized to the level which is acceptable, and they will then understand that we did a good job. So you see, the work which I'm doing right now and my current responsibility sound a little bit boring, high level, but in reality it's so complex, and I really have to think hard about how to break these complex problems into manageable and achievable steps. So, and now, basically, as I wrote in my abstract: but yeah, Marina, still people like you exist, and there are advanced attacks; do you think your current approach, basically concentrating a lot of your security controls on the process, is effective against advanced attacks? And I wanted to give you an example. So, for many years I was dreaming of doing something like killing an ultrafiltration filter in a water utility, and last year I was lucky enough that I worked with a trust research center in Singapore, and their team kindly assisted me in the experiment where we were trying to kill this ultrafiltration filter in the water utility. It looks like that. And of course, when we try to cause physical damage to a specific piece of equipment, it all has to start with how that thing can be damaged, like what is harmful to it. So you basically have to read the manual and see what the harmful conditions are, and on one hand you can kill it if you have too many impurities in the water, like oil or grease; it will basically damage the membrane. But I don't know how to implement that; how would I introduce oil into a closed system remotely?
But the second condition, which will damage the membrane, is high pressure. So for example in this specific model it's two bar. And overall a prolonged operation at the very peak load, which is basically close to two bar, will kill that filter. So okay, we need to build the pressure in the pipe. So for that we now need to steal the process documentation. And there are two ways how the attacker can find it, and again it's of course individual. If the entire process was built and programmed and designed in the company, you actually need to infiltrate the company and steal this documentation. But very frequently, and it's really very frequently, the design and actually the programming of the PLC is done by a subcontractor, so you actually need to find the subcontractor of the company which is of interest to you, and typically the smaller company is not so well protected. And then you have to basically steal the documentation in there. And this is why in your cybersecurity policy it has to be there that you require your third-party providers to achieve a certain security posture in their organization, and we know that, for example, that is a requirement in NERC CIP. So let's assume, as an attacker, I identified the suppliers, I got the documentation, I now know that there are two data flows going into this filter; basically I can do it via the HMI screens or the P&ID diagram. And because the second flow goes from the backwash, I probably need to take a look at what's happening in the backwash and how things are working in there. And I will basically understand which PLCs and which control logic I need to enter and which equipment I need to compromise to actually implement this attack. But then I still don't understand which conditions will trigger it, because I want two flows to flow simultaneously and I don't know how to do that; I need to find the conditions.
And this is actually in the state machine in the PLC, and this is something that I won't find on any diagram; I actually need the PLC code. So for example, if the PLC was programmed in the organization, I actually need to penetrate the organization, and this is where you should really try to prevent me from doing that, because I need to steal the PLC code and read it in order to identify those conditions. And basically then I need to manipulate the PLC logic or packets on the network, depending really on how things are implemented, but let's assume that I found the way to actually pull off this attack, and this is a specific case. In the context of this process I basically needed to implement attacks on two PLCs; I needed to compromise two different PLCs in two different parts of the process, so it was stage three and stage four. So there are basically a lot of things for me to compromise. And so let's assume that from the cyber perspective I was able to implement it, and now the water from two flows, which never should flow simultaneously, is gushing through the filter. And I now want to see how much, because I still don't know whether I will be able to reach the pressure which I need, so I basically need to measure. So I was able to achieve two bars. And we ran that experiment, and it turned out that the maximum differential pressure we were able to achieve in the filter was just one bar. So it's not enough for breakage. So as you can see, the attack is not almighty. And the most important point here is that there is no way I can ever figure out what pressure can be achieved, for example one bar, without actually interacting with the actual physical process. And I might have this fantastic idea; this is what I'm saying, that the attack is not almighty.
The successful implementation of a damage scenario and its cyber execution will not necessarily result in a successful attack, because certain things I will only be able to measure on the live process. And this is the point which I'm making about many targeted damage attacks. These are the scenarios I mostly work in, and I enjoy working in them. It's useful to conduct such research, but the point is that such targeted damage attacks require prolonged access to the process equipment. And this is what I'm saying: limit or eliminate such an option for the attacker. If the attacker doesn't have that option, they will not be able to execute it, or maybe they may try to guess, like, well, I feel like if I implement that attack..., and they will try to create autonomous malware. And no, they will not be successful; if it's only one bar, you're not damaging anything. So, on the other hand, myself and my co-researchers, we recently came up with a really worrisome new way of compiling completely automated and very targeted payloads for industrial processes. So I was accepted with this talk for Black Hat, but we had to withdraw, because me and my co-researchers, we received new job roles and we felt it was inappropriate if we'd be talking about basically offensive research. So we had to withdraw. But nevertheless, again, the number of scenarios you will be able to implement with such autonomous payloads is much more limited in comparison, so that's why I'm saying: make sure that every conduit which leads to the control equipment and the physical process goes through a demilitarized zone and level three, and monitor for the attacker, look for him in there; limit or eliminate his ways of having persistent access. And this is where, so for example, yes, if we talk about defense in depth.
We cannot of course guarantee that I cannot get that persistent access or continuous access to the process, so focus on protecting and monitoring high-criticality events and data flows, for example, especially at the time of emergency alarms, where the reaction time is five to 15 minutes; maybe have redundancy, so that if I manage to spoof or suppress an alarm, or drop the packet with this alert, I don't know, make redundancy for every critical alarm so that it goes by two communication paths, so that the operator will not miss it. I guess that was pretty much it from me. So as you can see, basically the way how I'm building the cybersecurity program right now is kind of good to actually make the life of advanced attackers like myself hard. I mean, we know that in security there are no guarantees, but it really makes life so much more difficult. And I don't really have smart afterwords; as I said, this was not a very technical talk, it was just my confessions about how I think differently right now when I'm working in a different role. And, as I said, building an enterprise or plant cybersecurity program is not simple, but it can be broken into simpler steps, which makes your decision-making process easier and maybe more transparent and in a more prioritized fashion, basically applying this "how do you eat an elephant" principle, and in this talk I shared how I broke that down for myself. Focus on establishing the foundation first, even if it is extremely boring, and, you know, a couple of years ago I would not have believed that I would say something like that, but I'm saying it. It's in process control, because if you remember, I told you that we don't want the attacker even to be in our control system, not even messing up, but even being there; it's such a sensitive system, it's just like thinking about the belly of a cat.
It's something soft; we need to build a very hard shell around it; we just don't want anybody even being there, and the success of our security program is about minimizing the chances of anybody reaching those layers. And yes, of course I'm missing my cybersecurity vulnerability research. So if I have a couple of minutes, and I guess I have, I would take a couple of questions. Hi, can you hear me? Yes. Okay, so we don't have any questions yet, but I do want to share some feedback that happened, because there were multiple times in your talk that you were saying this. For the record, this is not boring at all. It's really good to see the higher-level view, long-term strategy, etc. Somebody else: I concur. This is a more realistic topic for asset owners and integrators. In my opinion, there's a large gap between academia, government research, security researchers, and the reality of real operational technology environments. I'm very glad that people enjoy the talk. I'm really glad that somebody found it useful. I also informed everybody on the DEF CON Discord channel that you would be trying to join there, if you were able to. So we are not live anymore. We are still live. Okay. So I thank everybody for the attention and for being here. There was also good feedback on Twitter, so thank you very much, and I will try my best to join the channel on the DEF CON Discord right now. Okay, well, thank you very much for joining us, Marina. Thank you for having me.
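The security-level and maturity-level KPIs the speaker describes for 62443-based programs, worked through as an added example that is not the speaker's code or any reference implementation of the standard: each zone has a target SL, a capability SL per foundational requirement, compensating controls that raise the achieved SL, and one of the talk's three maturity levels, and these combine into the "quadrant" and into normalized program metrics comparable across plants. The FR names are the standard's seven foundational requirements; the scoring rules, the maturity mapping and the sample zones are assumptions constructed for this illustration.

```python
"""SL/maturity KPI model in the spirit of the talk's 62443 discussion.
Added example; scoring rules and sample data are assumptions, not the standard's text."""
from dataclasses import dataclass, field

# The seven foundational requirements over which 62443 SL vectors are expressed;
# the order only fixes the index of the vector here.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Maturity as described in the talk (assumed mapping): 1 = control exists,
# 2 = documented procedure exists, 3 = the procedure is actually practised.
MATURITY = {1: "control exists", 2: "documented", 3: "practised"}


@dataclass
class Zone:
    name: str
    target: int                       # SL-T for the whole zone (1..4)
    capability: dict                  # SL-C per FR: what the installed system can do
    compensating: dict = field(default_factory=dict)  # FR -> SL reached via compensating control
    maturity: int = 1                 # maturity of the zone's controls (1..3)

    def achieved_vector(self):
        # SL-A per FR: native capability, raised where a compensating control exists
        return {fr: max(self.capability.get(fr, 0), self.compensating.get(fr, 0)) for fr in FRS}

    def achieved(self):
        # A zone only reaches an SL when every FR reaches it, so the weakest FR decides
        return min(self.achieved_vector().values())

    def gaps(self):
        # FRs still below target: the list a prioritized mitigation plan is built from
        return [fr for fr, sl in self.achieved_vector().items() if sl < self.target]

    def quadrant(self):
        # (achieved SL, maturity level) is the talk's "quadrant" KPI for the zone
        return (self.achieved(), self.maturity)


def program_kpis(zones):
    """Normalized metrics so plants of different size and maturity can be compared."""
    n = len(zones)
    on_target = sum(1 for z in zones if z.achieved() >= z.target)
    practised = sum(1 for z in zones if z.maturity >= 3)
    return {
        "zones": n,
        "share_on_target": on_target / n,
        "share_practised": practised / n,
        "avg_sl_gap": sum(max(z.target - z.achieved(), 0) for z in zones) / n,
    }


# Constructed sample: a legacy safety zone lifted by compensating controls, and a newer control zone.
SAMPLE = [
    Zone("ESD", target=3, capability={fr: 1 for fr in FRS},
         compensating={"IAC": 3, "UC": 3, "RDF": 3, "TRE": 3, "RA": 3, "SI": 2, "DC": 2}, maturity=2),
    Zone("BPCS", target=2, capability={fr: 2 for fr in FRS}, maturity=3),
]

if __name__ == "__main__":
    for z in SAMPLE:
        print(z.name, "SL-A", z.achieved(), "quadrant", z.quadrant(), "gaps", z.gaps())
    print(program_kpis(SAMPLE))
```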