Greetings, everyone. I will be covering a variety of interdisciplinary areas from the security point of view so that we can answer the question of whether we really want to live in the cyberpunk world. During the talk I will be sharing only actual, existing things and their potential implications for cyber security. Maybe you know them all, but mostly in detail and without seeing the bigger picture when we are dealing with ICS security. I also want to point out that these are my own thoughts and my own interpretation of the advancements in technology and how they correlate with my own experiences. Obviously yours might be different from mine, but I want to raise awareness about these subjects, and in my opinion we should not consider them as separate or different areas from the ICS world. Before I dive in further, allow me to introduce myself. My name is Max, but you can simply call me Merb can click, because I have been known for being able to click from the early ages of my life. I'm a computer engineer with a master's degree in cyber security. I primarily focus on cyber-physical systems as well as wider networks and ISP implementations and their security. I work as an ICS penetration tester at Barricade Cyber Security, where I get to do a lot of penetration testing on a rich variety of cyber-physical systems. So let's quickly define what cyberpunk is, so that we are on the same page when it comes to answering our title question. The term cyberpunk originated back in the 80s as a sci-fi dystopia where society is dominated by computer technology and big corporations and everything is interconnected in one way or another. We can describe it as the era of high tech, low life, and in essence we can simply call it hacker culture.
Back in the 80s, ICS operation and management was considered an extremely sophisticated and serious area of work, which is true even today. Data was in place, and fewer people had to do the dirty work in the field. What we basically do in ICS is process inputs and take actions accordingly. It was mostly done by hand from the control center, as the term control system implies, right? Things were less digital back then: there were nixie tubes, lots of switches and indicator lights, etc. Nearly all of these components were hardwired, so it was quite hard to maintain and troubleshoot in case of an incident. Also because of that, cyber security was not a big concern other than physical violations. There weren't many RF applications back then either, even though there were some examples, and RF devices were not a big security concern because acquiring an RF component was not feasible in terms of size and cost. Also, in 1979 Modbus was introduced by Modicon and brought a new way of communicating with our OT devices, and most of these ICS principles still apply today. So, looking from the 80s to now, maybe we are living in the cyberpunk world, and there is only one way to find out, so I would kindly ask you to put on your power gloves and let's travel through time. All right, 1980s to today. The basic principle of ICS did not change a lot, but the way of implementing it really changed over time. Even though it changed in drastic ways, we still have the Modbus family. We have Modbus TCP, and we get to see it very often in the ICS world. ICS security still relies on physical security, and the security-through-obscurity approach is a must when it comes to ICS security. There is a rapid transition to wireless: we are planning to convert most of our field devices to a wireless medium, and we all know what wireless means: it's accessible to anyone. We now have IoT as well, which we will cover soon.
And we have some models that we implemented, such as Purdue. But for now we get to see a newer approach to ICS implementation, a more cloud-oriented architecture. We are planning to carry our operations and our data to the cloud, as well as any other systems. And now the ICS world also relies on geographical information systems, where we can use GPS and other technologies that are out there. So let's start with a real-life example from the ICS world for those who are not familiar with it. I'll be giving some examples and some possible attack vectors in terms of ICS security. Let's take a look at gas distribution systems. We distribute the gas by going through different steps where we reduce the pressure to a point where we can use it in our households. It is distributed at really high pressures to achieve high volumes, and we have to reduce it down to a point where we can use it, which is around 1 to 21 millibar; it starts its journey at 60 to 75 bar. As we keep reducing that pressure, natural gas has the unique property of cooling down by about half a degree Celsius for every atmosphere of pressure you reduce it by. We use gas chromatography to analyze the compounds within the natural gas; it's mostly done in real time. Obviously natural gas does not consist of a single compound; it's a mixture of compounds. We have to measure it, and most distribution companies are being charged based on those values, and we use flow computers, sensors and all kinds of crazy stuff to achieve that. But it also comes with a price: we have to use gas analyzers, which have to run on some kind of embedded operating system, and in my experience I have mostly seen them using Windows CE. Another interesting feature of natural gas is that it does not contain any odor.
So you can't really detect natural gas by smelling it. I know that you know what it smells like, but that's not by default. We have to use some kind of alteration to achieve that, and we use a special liquid called THD to odorize the natural gas that is being transmitted. But THD is so potent that only one drop of it can odorize about 2,400 cubic meters of gas, and it smells awful already. So in order to odorize the natural gas, we obviously use the SCADA system and we have the PLC or RTU, which is connected using a wireless modem. The data sheet claims that we should cover it in a safe area, but I don't see the definition of safe. This is similar to the example of the Florida water supply attack, where the attackers were able to manipulate the system that mixes lye into the water supply, changing the value from 100 to 11,000 parts per million. The same principle can be used to manipulate, or as an attack vector against, odorization technologies as well. As you can see from the data sheets, we use old hardware; they are connected either using a serial port or some kind of modem, and most of them still operate over the Modbus protocol. So all in all, we mostly use the same principles of hacking when it comes to conducting a pentest on critical infrastructure. There are also some hardware-related techniques, but they are mostly overlooked. Security incidents in the past have shown us that our air-gap approach is not invulnerable, and in my opinion it won't be sufficient in the future either. It is known that there are countless possibilities to try if someone with malicious intent ever finds a way into the OT network. Triggering a denial of service on a field device is the least that can be done.
There were incidents on the power distribution line where attackers gained access to the infrastructure from a remote location, made their way up to the OT network and in the end successfully manipulated the synchrophasors. There are also some sneaky methods for compromising the OT network and the air gap. Single-board computers with built-in mobile data implanted in the network can be really hard to detect, especially if your network infrastructure is not well established in a security-oriented fashion. I have seen folks who are in charge of the OT network make ignorant claims that a specific vulnerability won't cause any security problems for their network. These claims are based on trust in the air-gap implementation, but as soon as they see a demo of the possible implications of the SBC implant, which I randomly place on an unexpected field switch and ask them to pinpoint physically or from the network traffic, you get to see the fear in their eyes and how hard it can be to detect such devices if you don't have a fully mature OT network. On top of that, reminding them about past incidents of insider attacks and the new supply chain attacks, they then tend to grasp why that MS-something-something vulnerability needs to be addressed regardless of internet connectivity. The most common hardware-related techniques are to mess with the firmware and the serial communications on the embedded device itself. There are logic analyzers, Bus Pirates and other fancy gadgets to have a full talk with the device itself, when you have access to devices such as Modbus gateways or media converters, which are also overlooked and yet are considered crucial most of the time. What do we get to see most? CWE-259, hard-coded passwords. On top of that, RF comms are causing a greater risk than ever before.
Thanks to our SDRs it is possible to interact with RF comms in nearly every portion of the spectrum, depending on your hardware obviously; all we have to do is set up the SDR with the desired configuration. Unlike an out-of-the-box radio, which is designed to work in a specific band, with the help of these devices not only can we receive signals, but we can also transmit. Therefore attacks such as GPS spoofing have been out there for nearly a decade now, and RF attacks can cause very devastating outcomes, especially for maritime operational technologies and such. Let's look at the emerging technologies so that we can see these advancements and their similarities with ICS security. The tendency to make everything smart is out of control. There is IoT and IIoT, where an ordinary Raspberry Pi is being used in heavy-duty industrial applications. We use such devices to monitor our hydroponic food farms or to control our buildings and cities. It's said that being able to grow our food without using any soil and stacking it up like server racks is tempting and cool, but I have doubts about the security implementations too. It's said that there aren't many security precautions in place on those systems, even though they are part of the critical infrastructure as far as I know. We have to be able to keep attackers from manipulating the nutrient injection systems, as we have seen in the Florida water supply attack. Also, people are now carrying a local area network of interconnected devices right on their bodies. As a result, the Internet of Medical Things and Internet of Health Things have emerged. If you were to look at the frequency allocation for those medical devices and their telemetry bands, it is clear that they are well within our reach with our SDRs. These are not something new, but they're also being RF-enabled in vast amounts. Doctors can now monitor your health data like an ICS operator.
They can upgrade your IVMD's firmware or its parameters remotely. Insulin pumps are widely used today, and if you look at the functional diagram, we have RF links, temperature sensors and motor controllers: a mini ICS of its own in some sense, but designed not to have an air gap in order to function. And there are implantable RFID devices; many people purchase and implant them of their own free will, and I don't see why we wouldn't be asked to have such devices on us if we ever decided to use airports where RFID tunnels check our health and vaccination status in an automated fashion. So putting all these together, remote health care became more effective. We can simply call it back-room health care. I don't see any obstacles to adversaries analyzing and making real-life correlations with a victim's historical heart rate data so that they can design better spear-phishing attacks. Even read-only data can be used to leverage those types of attacks. Another cool topic: BCI, brain-computer interfaces, like the human-machine interfaces, are here too. They basically read your brain activity and decode it into signals to operate the desired external device. There are non-invasive BCIs, which are like putting on a hat that you can take off whenever you want, but on the other hand the invasive applications of BCI need electrode implantation directly into the cortex. Wouldn't it be great to operate SCADA systems without even moving a muscle? One example of BCI technology is the open-source project called OpenBCI, and this technology can be easily mapped or programmed in a way that allows us to handle certain parts of ICS operations. There are also already some products out there whose primary concern is not health but rather taking us one step closer to the cyberpunk world. So just to be clear, these technologies are promising for sure.
I don't want to sound like I'm against them, but the potential vulnerabilities that might affect these kinds of technologies, and their implications, are kind of scary. All I'm trying to explain is that ICS operators, or people who are in charge of critical operations, may have these kinds of interconnected devices on them. Therefore their IVMDs could be used as a pivot point to compromise our critical infrastructure. When are we going to put this possibility into our security policy equations? I don't know, but let's say we decided to do that; what are we going to do? Ask for an API key to their IVMDs so that we can include them in our pentesting scope? Anyway, moving on. The simplest form of attack against such devices is the battery drain attack. You can consider it a denial of service, but for IVMDs. All it takes is triggering the RF module over and over again, as if you were about to communicate with it. A case study and well-detailed post was published recently; it's a great example of capturing and decoding an RF signal transmitted from an ingested capsule that is used to measure and record pH levels inside the body. The utilization of autonomous vehicles is also on the rise for both public and industrial use, and in certain industrial areas they are being used as part of the production line. Therefore, in my opinion, EVs should also be included in the overall evaluation of those processes. Not so long ago we witnessed a drone attack targeting Saudi Aramco's oil processing facilities. This may be categorized as a matter of national security and not the responsibility of ICS governors, but at the same time custom-built drones with autonomous flight capabilities can be used to attack our facilities, and drone jammers won't be able to intercept them, even if we decided to place them in our infrastructure as if they were OT equipment.
Yet I can't see any possible prevention mechanism that we can use other than offensive approaches, which is a whole other discussion. I think we won't be able to hide behind the air gap's false sense of security anymore, because we are transitioning into a phase where our most critical equipment is becoming more hyper-connected every single day. There are millions of people with medical implants, and one of those people might be working in your infrastructure without you even knowing it. His or her device might have some vulnerabilities, and if you think about it, these devices have all sorts of reprogrammable components like microcontrollers and FPGAs, right? Even today we see a lot of Windows XP and Windows 7 machines with very old vulnerabilities inside our ICS networks, and companies that are not willing to reinvest millions of dollars just to eradicate those potential security flaws keep on running the process and accept the risk, right? So there is no way of knowing whether your operator might be used as a gateway to exploit those systems as well, and attackers won't have to find a zero-day to penetrate further into the OT infrastructure, because it is already vulnerable. Let's look at this issue from a different perspective. What if that vulnerability in the IVMD is simply not upgradable: the hardware is not sufficient to run the new firmware, health insurance won't pay for a new surgery, and that operator of ours might accept the risk personally. But wouldn't that decision also put our ICS at risk? That's a question we need to consider. I'm also almost certain that we will get to see ransomware issues on medical implants and the cloud infrastructures behind them: an operator of ours might be hospitalized, desperately waiting for a ransom to be paid so that he can get his insulin pump working again.
As I mentioned earlier, I think there are huge similarities between OT and the technologies I have been explaining, and these technologies are not designed in a security-oriented fashion. My point is that we should, and actually must, put our security considerations at top priority if we are going to interconnect everything. We simply cannot deny that these facts are here. One last concern I have is how we are going to train more cyber security experts who are capable of tackling these challenges. ICS security is one of those areas where there is a lack of lab environments. It's not as easy to train a qualified workforce for ICS as it is for IT pentesting. There are definitely some great examples of ICS exercise testbeds, but most of the time you have to be in the vicinity of those environments to be able to work with them. And if you think about it, many of us came into the cyber security field mainly as a result of our curiosity: we break things to make things, and more young people will feel the same curiosity too. When we made a mistake back then, the worst-case scenario was a blue screen of death, BSOD, but that potential hacker of ours might get tempted by the neighbor's son's IVMD and unintentionally cause irreversible problems. Okay, now for the last part, the future. I will briefly talk about what we might end up seeing when you put all these technologies together and hyper-connect everything. The beginning would be transhumanism, or human 2.0. This is where most of the sci-fi dystopias are born. Augmentations are like upgrades for humans; you can consider them like what steroids are today. Not only people with medical needs will buy them; people are expected to use augmentations just to be superior, by using the technologies that are already here and trying to guess which direction they're headed.
I don't see why not: people and their augmentations could be manipulated in a way they did not intend themselves. It could be as simple as pushing a button in the SCADA room which they shouldn't, or turning off a nuclear power plant which they are in charge of. And, you know, what they say: hackers gonna hack. The cyberpunk world, if it ever happens (in my opinion it is already happening), will be a new area for cyber criminals. Thus we need to be prepared, and we need to start working our way up to executing security measures for those subjects to come. We definitely are not in those good old days when no mass data collection was in place, and the vast amount of data being collected now also includes very personal and real-time details about us. In my opinion, the possibilities this data opens up could ultimately affect our way of doing things in terms of ICS cyber security. I hope I'm not taking too much time. This talk wasn't about creating a debate about these subjects, but just sharing my thoughts. And I'm simply and kindly asking you to open your eyes, because these things are not far away. Most of them are here already, so be prepared; we need to get ready for them. Obviously there will be some denial phase. It's understandable, but it's the first step towards acceptance. Here are the references, and I would like to thank you all for your time and attention. Do send me an email about the "do we really want to live in the cyberpunk world" question, and I hope to see you in the void.
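The talk repeatedly comes back to the same failure mode: an unauthenticated Modbus write that pushes a process setpoint (an odorizer dose, a lye concentration) somewhere it should never go, and field devices that still speak Modbus over serial or TCP. The following is an editor's added example, not code from the talk or its speaker, showing the defensive side of that point: a small Modbus TCP decoder that flags Write Single Register (0x06) and Write Multiple Registers (0x10) requests which either come from a host other than the authorized HMI or set a register outside its engineering range. The source addresses, register numbers, limits and frames are constructed for illustration and are not taken from any real installation.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy (assumption, not from the talk): the only host allowed to
# write to the PLC, and the engineering range for each holding register.
AUTHORIZED_WRITERS = {"10.0.0.5"}        # the SCADA/HMI server
REGISTER_LIMITS = {1: (0, 500)}          # register 1: dosing setpoint, 0..500 ppm

WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class ModbusWrite:
    src: str
    unit_id: int
    function: int
    writes: List[Tuple[int, int]]        # (register, value) pairs


def parse_modbus_tcp(src: str, frame: bytes) -> Optional[ModbusWrite]:
    """Decode an MBAP header and PDU; return the register writes, or None
    when the function code is not a register write (reads are ignored)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    if fc == WRITE_SINGLE_REGISTER:
        addr, value = struct.unpack(">HH", pdu[:4])
        return ModbusWrite(src, unit, fc, [(addr, value)])
    if fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * qty or len(pdu) < 5 + byte_count:
            raise ValueError("inconsistent write-multiple-registers payload")
        values = struct.unpack(f">{qty}H", pdu[5:5 + byte_count])
        return ModbusWrite(src, unit, fc, list(zip(range(addr, addr + qty), values)))
    return None


def check_write(w: ModbusWrite) -> List[str]:
    """Apply the policy to one write request and return human-readable alerts."""
    alerts = []
    if w.src not in AUTHORIZED_WRITERS:
        alerts.append(f"write from unauthorized host {w.src} (fc=0x{w.function:02x})")
    for reg, val in w.writes:
        if reg not in REGISTER_LIMITS:
            alerts.append(f"write to register {reg} with no defined engineering limits")
            continue
        lo, hi = REGISTER_LIMITS[reg]
        if not lo <= val <= hi:
            alerts.append(f"register {reg} set to {val}, outside {lo}..{hi}")
    return alerts


def analyze(frames: List[Tuple[str, bytes]]) -> List[str]:
    """Run every captured request through the decoder and the policy check."""
    alerts = []
    for src, frame in frames:
        w = parse_modbus_tcp(src, frame)
        if w is not None:
            alerts.extend(check_write(w))
    return alerts


# Constructed sample traffic: (source IP, raw Modbus TCP request).
SAMPLE_FRAMES = [
    # HMI writes setpoint 100 to register 1: normal operation.
    ("10.0.0.5", bytes.fromhex("0001 0000 0006 01 06 0001 0064")),
    # HMI writes 11100 to register 1: authorized host, but far out of range.
    ("10.0.0.5", bytes.fromhex("0002 0000 0006 01 06 0001 2b5c")),
    # Read Holding Registers (0x03): not a write, ignored.
    ("10.0.0.5", bytes.fromhex("0003 0000 0006 01 03 0001 0002")),
    # Unknown host writes two registers at once (0x10), one of them undefined.
    ("10.0.0.99", bytes.fromhex("0004 0000 000b 01 10 0001 0002 04 0064 2b5c")),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

Fed from a span port or a capture file, the same two checks (who is writing, and whether the written value is physically plausible) catch the setpoint manipulation the talk describes even when the protocol itself offers no authentication; the engineering limits have to come from the process engineers, not from the network team.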