All right everybody. Good afternoon. My name is Ryan Lyrvick. I'm with Grim Cyber Security. So today's talk, this is Pin the Tail on the Cyber Owner. So if you're in the right talk and coming to this one, this is it. So real quick, I'm going to talk about a couple things and then kind of give you a sense for why we're talking about this. First, can everybody hear me okay? It's kind of loud. Volume up. Basically, here's the situation. How many people here actually work in industrial control systems? All right, great. So having done a significant amount of work in the space, what we're realizing is that there's a significant difference between ICS, right, and your normal business corporate network, right, where you have a CSO or somebody who actually owns information security risk, right? So things are changing a little bit in the ICS world, but typically what we're finding is when there are controller exploits, right, identification of some issues and risks, it's not always clear who the actual owner is, right? So as great as the finding might be that we discover, we're having a really hard time identifying who the actual owner is, right? Why is that important? Mitigation, right? Prioritization and dealing with the issues so that we can actually mitigate it over the long term, right? Pretty clear. That's why we do what we do sometimes, identify the risk and have somebody that owns it. The problem is it's not always clear, one, or intuitive as to who that is, right? So what we're going to do today to demonstrate that point is play a little game and sort of test our own knowledge about who actually might own certain things and what we may be able to do about it, right? Pretty, pretty easy, right? So to demonstrate this, we're literally going to play a game of pin the tail on the cyber owner, who is a unicorn. You may have been thinking a donkey, but no one really wants to be a donkey, especially in this space. So clearly we're doing unicorn.
All right, so here are the ground rules, right? We're going to go through and we're actually going to talk about those five different options, right, plus an "other", right? The plant owner, right? The plant manager who's managing the plant. The plant operations manager, sometimes that's different, right? We're aware of this. The head of IT, typically that's the corporate network, right? And then of course, third-party suppliers. Now we all know they're getting more and more into the space in terms of taking on more of a security role. And so some of these things might wind up in their area, right? So again, the challenge that we're facing here is simply because of some of the plant management and ownership pieces, these are typically different companies too, right? We're aware of this, yeah? So that's the issue that we're sort of teasing out here today. All right, so first and foremost, we're going to go through and name any one of basically three things, right? Any type of exploited controllers, discovered vulnerabilities, right? Things we come across on a daily basis or weekly basis, depending on where you are. Regulator inquiries, right? And also just some random twists, to get a sense for it. So pretty clear. All right, so two things. So since this is DEF CON and some people may be here and not really in for the talk and maybe just want to rest, we're not going to be calling on anybody. So we're going to do just a quick show of hands when we peel this off, right? We'll just take a quick note on who might actually be the owner and what you think it is, and then we'll put a tail on the owner. And at the end, we'll sit back and look at, all right, well, how did this actually shake out, right? And what does this mean? So we'll get to that. So hold that in the back of your mind as we're going through this. So also, quick twist.
If you know the owner and just want to cut right to the chase, you can jump up, grab a tail from my hard-headed assistant here, Brian. Thank you, Brian. And pin it on yourself and grab any one of the t-shirts that you see fit, right? So if there's something you like, you just go ahead and do that. Does that make sense? Pretty clear. All right, everybody game for this? Yeah? All right, let's peel the first one off. What do we got? All right. So power plant issue, right? Trojanized version of an ICS software, infecting the host systems. Who actually owns this problem? Is it the plant owner? The person who actually owns the plant? Plant manager? Okay, zero. Plant operations manager. Okay, good. Head of IT? Okay. Third party supplier, either the ICS or some SCADA supplier, right? This is your Siemens, even a power plant type. None? And other? Anybody have any other thoughts? All right, interesting. So, yeah, yeah, head of IT. But hang on a second. So this is what's interesting. We have to have a discussion about this. So this is in the ICS system, right? Infecting the host systems. So I'd be interested to hear why would that be a head of IT issue? Please. Okay, so the answer is because it's in the actual IT environment, right? And not in your OT. So interesting. For those that said the plant operations manager, why did we choose plant operations manager? All right. Well, I'm not going to call on you. But so this is the interesting part, right? It's not exactly clear who, right? So the short answer is it actually depends, right? But we're going to go with the IT side because, yes, it's a Trojanized version that's in there. That's in the ICS, infecting host systems, not in the actual controllers, right? Yeah. But again, not obvious, right? But so we start to see the development of the problem here, right? Now, let me take a quick step back. This is starting to change, right?
There are some, there are organizations that are starting to put in a CISO type, right? Overseeing information security, right? But that's not always the case in all the areas in industry that use industrial control systems, right? Okay. So next up. All right. So now you have somebody that's sustained access on an ICS application host. All right. Does the plant owner own this problem? No. Pretty clear. How about the plant manager? No. Plant operations manager. Okay. Show of hands there. Head of IT. All right. Third party supplier? To the third party supplier? Okay. And how about other? Anything that's not on this list? Okay. So we're going to defer here again. Why plant operations manager? So this is an authority piece, right? And an operational piece. We're saying the plant operations manager is the one who actually has the authority and the management that actually owns the operational piece that they need to be aware of. So this could actually trigger a variety of different things, right? But the key here is they get it to the person who can actually do something about it. So that's where we are. But two quick questions. Any reason why it would have been the third party supplier in some cases? Okay. So the response was maybe they knew about the vulnerability. So this is an interesting piece when you get into the suppliers. Anybody here from the suppliers? Well, never mind. Won't ask that question. This is part of the issue, right? The broad scale is when you're inside the plant itself. What's your number one priority? Keeping it running. Keeping business operations going, right? So this is why we don't really concern ourselves as much with like attribution, just the function of identifying the problem, solving it, right? Keep the plant, keep the plant running, right? So that's sort of where some of the thinking comes in in terms of, all right, who's actually going to own this problem so they can do it, right?
Which kind of defers us back to the plant operations manager. But again, it can depend. So the third party supplier could know about it. Now, they're obligated in many cases to let the plant operations manager or next person in line know, right? Which is critical, but they may or may not have done that, right? Okay. Let's run through another one. So again, anybody who thinks they know the answer right away can come up and grab a tail and put it up. So feel free. All right. Well, this is interesting. Let's say you're poking around and you see the experimentation of an attack on a live production system. Plant owner, plant manager, plant operations manager, head of information technology, third party, any others? We actually have a tie, which is interesting, between plant operations manager and plant manager. Do we want to have a discussion around this one or just, yeah. And this is it. So it's tough, right? So in my experience, the place that you get the biggest impact is with the plant manager, because they may be aware of the broad situation that may be happening, of why that might be actually happening, right? Plant operations manager might not be aware of it. So in this case, it's, you know, you sort of sit back and think, all right, we're dealing with production systems, which would normally default to the plant operations manager. But it goes a little bit higher level than that in terms of the whole entire operation. Why would this be happening? Now, they may or may not know anything about it, in which case you've got a really big problem, right? But at least now, with the problem that you've discovered, you're able to talk to the person, in this case, the plant manager, who would know what to do about it, incident response, start to identify what might be happening, right? Why is somebody messing around? Or might know that it is the plant operations manager. He's actually conducting, she's actually conducting, some type of engagement.
And then, okay, now things start to unravel a little bit better and a little bit more clearly. But at least now, you know, like, who you can actually, who to address the issue with. Okay, good. Did we put a tail on that one? Oh, plant manager. Yeah, any hardcore disagreements? Okay. Yeah. Are we good? Should we move this along? Okay. Okay. All right. Somebody would like this one. What do we do now? Do we let the plant operator know? All right, for those that can't see it, you have a suspicious engineer dealing with an overflowing toilet. You gonna run up? Yeah. The ops manager. Okay. Any agreements, disagreements, thoughts? Thank you very much. Good point. It actually doesn't really matter, because it's not an IT issue. So it's just one of the things you notice. But it'd be good to let the plant operations manager know or somebody else, like this seems a little suspicious, but I'm going to keep focusing on either the OT or the IT side of the house. All right. That was an easy one. Thanks for the participation. All right. Next. Ah, yes. The OT IT issue. We have a winner. So for those that can't read it, Internet-facing network, right? An Internet-facing network on the corporate business network. Yep. Bingo. This is the classic OT IT issue. Right? Why is it there? What's happening? Right? Who needs access to it? Right? In many cases, I'm sure the experience might be the same around the room. Like this is one of the biggest issues that, well, let's put it this way. The discoveries that typically lead to very large issues, right? No surprise there. Any thoughts, comments? All right. Next up. Did you get a t-shirt? You got to get a t-shirt. All right. All right. Now you have the remote connection from the corporate network to the production network. And so there was an answer that there'd be two tails, which, so now we start to see this could be an issue, right? So if we have to land on one, you can only tell one person. Who would it be?
So we're going with IT. Any, uh, any debaters? You can come up. Plant operations manager. Okay. You want to flip it and grab a t-shirt. So anybody, so this is what's interesting because it could be, in many cases, it could be both, right? In this, so there's no real wrong answer here. In this case, it's one of those where you defer to the plant operations manager because you want to know that that is the most authoritative person in this particular case. So we say, all right, again, why does that exist? Why is it there? Who actually has access? And now what do we do with it? Right. So we all know the stories of the ability to RDP into any OT system, and that's a vulnerability that we can, a path to vulnerabilities we can find. We have a question. So interesting question. Could it be other, because it could be an ISP, you know, service provider, somebody else? The short answer is if you discover a connection in your corporate network that connects to the production network that's not owned by anybody on the plant, and maybe the ISP, everybody on that board should know about it. That's a problem. Yeah. That's a perfect point because these are the issues, right? Who's actually connecting in? Maybe somebody, maybe the ISP says, look, I've got to be able to see what's happening here for a variety of different reasons. I'm going to leave remote connections there. Well, now you've really got a problem because that is another commercial entity that has access to your operational network, which is effectively, you know, keys to the assets to bring things down, which is the concern here, right, that the power plant would not be running. So good question, but thanks. Okay. We're good with this one because that was the hard one, right? Maybe. So let's see what else shows up. Oh, interesting. Didn't expect that. Self-executing game of solitaire on your RDP client. Was the ISP involved? Maybe. Okay. Yeah. Maybe it's the plant owner.
Just to see if people are paying attention. That's a very smart plant owner. All right. So plant manager, anyone? All right. Plant operations manager, plant operations manager, head of IT, head of IT. Okay. Third party supplier. Yeah. No. Any others? All right. Interesting. So head of IT won in this one. Some of the thinking behind this was we would let the plant manager know simply because it's a global issue, right? That could potentially impact the entire organization. And maybe if you go to the head of IT, maybe he's the one that's put it there for some reason. So the idea is to go up maybe another level to get some broader purview and maybe some executive oversight, right? Like leadership oversight, so if you've identified a problem that somebody in the IT department probably should have caught, right? Maybe you go up another level to say, all right, I'm going to bring this to the attention of somebody else. Exactly. So the point here was like, immediately when you find this, start doing your forensics, right? Figure out when it came in, what it's actually doing. If you can identify who, I mean, this is where you can start tying things in with like, okay, we're going to tie in the physical, if you still have the tapes or the backup, so the physical stuff to see who actually did it, or the remote connections, and you have the logs and you can actually peel off the logs and find out what actually happened. Start doing the forensics, find out why it's there, because that's just not good, right? Fair enough? Yeah. So, plant manager. Thanks, Brian, keeping me on time. All right. Got a few more left. Can anyone guess what the next one might be? Yeah, sorry, it starts to get a little bit... Oh, interesting. Failure of a safety system affecting human life. Yeah. Especially if you're VPP compliant, right? Here we go. Plant operations manager, perfect. Any other thoughts? The plant owner?
So that would be, yeah, if it's going to affect, so that's a good point. This is a failure of a system to protect human life. If it actually, if somebody were actually hurt, yeah, the plant owner would need to know, but that would kick off the, it's not an incident response play, I'm not that familiar with this part of it, like the VPP compliance and others, like there's a process to actually go through in order to identify this. So you would start with the plant operations manager, because they'd be effectively ground zero for this, and then move on from there. Yeah. Okay. At that point, everybody needs to know, right? But then it gets into containment and understanding what happened. And then there are some regulations and rules that you have to move around to actually like lock that down, right? Because not good. But this is the failure, the system, there's a failure that would affect human life. Yeah. Okay. Two more. Sure. This is what I'm going to defer to another expert here in the room. So that's actually a really interesting point. Like, so from a legal perspective, the lawyers are going to sort that out, right? I mean, I can't speculate on that, but from an operational standpoint, so somebody always says, well, I'm not going to say this out loud, but it's always to take a step back and do the actual lessons learned and see like what actually happened, which can actually heighten your awareness for these things in the future to ensure that safety systems, you know, are in place and followed in the future, right? So this is where like the protection programs and others start to kick in, but from the legal side, find out, right? Okay. Two more. All right. Successful process attack. I can't read the whole thing. Oh, from a discoverable, okay. Discoverable equipment effects. All right. So you've had a process attack. Successful. What do you do? Who's the first person you need to talk to from the plant perspective? Plant manager.
That's exactly right because immediately you've got to kick off your incident response plan, right? This is an actual successful attack. So anybody down the chain that would have identified this would need to go up the chain, like, all right, we're going to kick off an incident response plan because that's going to start to affect operations immediately. All right. Last one and then we'll wrap it up. So now you have a total system failure. Who needs to know? Plant... everybody, right? So everybody gets a tail because everyone's going to own that. At the end of the day, the plant owner is the one that's going to need to know; it'll start with the plant manager, right? They're going to go up and down, up to the plant owner. So plant owner, yep, and then yeah, plant manager rather, because this is where things start to matter. In power production plants, this can cost millions of dollars a minute. Yeah. It could destroy the entire business in a matter of a couple hours. So this is where the incident response kicks off. All right. So we're going to wrap it up. We've got about two minutes left. So what did we learn today? Why do we even do this? Why'd you come to a talk called pin the tail on the unicorn, right? We're demonstrating the impact of not having one single owner for a security problem inside of our environments. Now that's changing over time, right? We're starting to see a CISO move into the mix, especially in power and utilities. But that's not always the case, right? So from here, the key is if you're in the security business, right? You're a researcher or you're inside the plant in security and you're identifying issues, the key is to identify who actually owns this, who can do something about it, right? Or push for a security individual that is the lead for either OT, IT or the broad scale plant in this case, right? That's it, guys. Thanks for coming. Thanks for playing.