From Concept to Reality: ResetCon and the Future of ICS Security Conferences

Episode 18 July 24, 2024 00:49:21
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow dives into critical infrastructure and industrial control systems with special guests Matthew Miller and James Warne. Together, they introduce ResetCon—an upcoming conference to close the gap between technical research and practical applications in cybersecurity.


Our listeners get an exclusive discount for attending ResetCon this year! Visit https://rstcon.org/2024/ and use the code PrOTect to receive a 10% discount on your tickets.

 

The discussion highlights the importance of including cybersecurity in infrastructure design, tackling supply chain attacks, and fostering collaboration among industry experts. With the call for papers closing soon, listeners are encouraged to submit abstracts and join this revolutionary initiative.

Episode 18 promises valuable insights into the intersection of IT, OT, and critical infrastructure cybersecurity. It emphasizes the need for more skilled professionals and community-driven solutions. 

Don’t miss this chance to learn, get inspired, and prepare for ResetCon!

 

Key Moments: 

 

03:32 ResetCon aims to deliver cutting-edge tech talks.

08:47 Debating cause, but the outcome is unchanged.

11:49 Conference seeks to address critical infrastructure issues.

16:06 ICS Village presence at key cybersecurity events vital.

18:34 Sharing industry knowledge and protecting brand integrity.

20:51 Colin O'Flynn presents cutting-edge hardware innovations.

26:05 Diverse audiences at the ponderous conference.

28:34 Understanding same team, goals, critical infrastructure, not experts.

30:37 Submitted on 3rd, some issues, resubmitted 6th.

35:52 High-tech talks, networking, and exploring Savannah.

38:39 Discussing boat transportation as part of long-term goal.

40:38 Collaboration can lead to innovative infrastructure solutions.

44:10 Discussing relevance of Wi-Fi and security measures.

 

About the guests:

 

James Warne

 

Jay's work in research has affirmed his commitment to technology, security, and computation. His time on and leading high-performing teams codified his desire to enable and support his scientists and engineers. Jay constantly seeks ways to contribute to his field; one may find him testing his theories, reading and sharing papers, problem-solving with industry, arming investors with technical knowledge, coordinating RSTCON, developing instructive/research presentations, mentoring new industry hopefuls, advising the Cornell Cyber Club, or outdoors.

 

Matthew Miller

 

Matthew spent eight years in the United States Navy and Special Operations as a CNO Operator. After the military, he shifted his career toward security research and software engineering. Recently, Matthew co-founded ResetCon to address growing cybersecurity concerns in critical infrastructure. He's passionate about his family, work, and about giving back to the community.

 

Know more about Reset Conference - https://rstcon.org/


 


To be a guest or suggest a guest/episode, please email us at [email protected]


Episode Transcript

[00:00:00] Speaker A: You're listening to PrOTect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow.
[00:00:19] Speaker B: Awesome. Welcome to the show, another show of PrOTect It All podcast. This is a special episode. I usually do these one on one, but today I have Matt and Jay with me. Today we're going to talk, talk about a conference that you guys started, but let's just kick it off. Matt, why don't you tell us who you are, a little bit about your background, and then, Jay, we'll kick it over to you to kind of do the same, and then we'll get into the other fun stuff.
[00:00:43] Speaker C: Sure. Yeah. My name is Matthew Miller. I go by Matt or whatever. I'm a veteran of the United States Navy, spent some time with special operations and did a lot of CNO operations. And then when I got out, I switched to be a software developer where I focus on kind of the offensive side of security and also do some vulnerability research as well. And, yeah, recently started a con, but we'll get into that later.
[00:01:17] Speaker B: All right. What about you, Jay?
[00:01:19] Speaker D: So I kind of had a different path. I started off with a finance education and realized I didn't like any of that. So I had always played, you know, computer games. I was a 14-year-old managing a TeamSpeak server, you know, things like that. So I was like, okay, well, you know, I really liked my computer science classes, the electives I took in college. So I doubled down on all that and ended up doing a little bit of consulting as, like in, like, the risk side of things. So understanding it from the management perspective. I got bored, went to graduate school because I wanted to do research, did defensive operations for a little while, touched a little bit of offensive tooling, and then moved full time into research.
So for the last five years or so, I've been doing DARPA-style advanced research types of things, and it's just been an absolute blast. So that's kind of where I come from and where I've been. And I ran into Miller somewhere along the way.
[00:02:23] Speaker B: I was about to say, like, so how did, how did you guys meet? What is that story?
[00:02:28] Speaker C: We were doing contracting for the same customer, and I was mostly remote, but my on sites would travel in to the DC area and got to know Jay. He worked for an adjacent team. And, yeah, I guess competence. Met competence.
[00:02:48] Speaker D: Yeah. Well, I remember we would take breaks and go for, like, a walk around the building because that's, you know, that's what you do. So we were taking a break one day, and we're walking around the building, and I think the words, did we just become best friends? Were, were uttered, and that was the hard confirm on something that was already brewing, right?
[00:03:13] Speaker B: Yeah, the Step Brothers. Did we just become best friends? Yeah, I think we just became best friends. So why don't we kick it off next, just, what is ResetCon? And kind of walk through high level. What's the focus of it?
[00:03:32] Speaker D: So ResetCon at a high level is. Matt and I were a little disappointed. We had been going to conferences our entire careers, more or less, and we had noticed a distinct change in the focus of the conferences away from the tech, like the deep research and the stuff that you would hear at, like, an Infiltrate back in the day or early DEF CON, the Skytalks. And we would go to these conferences and there'd always be a few really good talks, but a lot of them were defensive oriented or they were management oriented, and they didn't have those really good, interesting, like, wow, that's so cool kind of through lines.
And we were like, we want our conference, or we want a conference to deliver that to people so that people have this opportunity to sort of feel that wonder that we felt. And simultaneously, we're existing at a point in time in history where there's a lot of focus being given on operational technology, ICS, but not necessarily a lot of defensive focus. Right. So we see things happening across, you know, East Asia, things in, like, the Ukraine area perhaps, where there are a lot of attacks and a lot of things happening that aren't necessarily tailored towards defense, but are instead kind of pointed at the populace. You know, you're preventing people from getting what they need. And that is a tactic to, like, wear down an opposing force. And we're seeing that be used. And I don't know, I can't speak for Matt, but personally, like, the global economy and protecting that for whatever that may mean and the people who are not directly involved seems important. So we're trying to bring both the interest in the research and novel exploitation and then a little bit of focus in this area that's a little under, that doesn't quite get as many eyes as it needs, and we're trying to do that at the same time.
[00:05:40] Speaker B: Yeah. Yeah, that makes sense. It's, it's. It's an interesting space. I mean, we, right now, especially this week, right. We're in the middle of a, in the United States. We're in the middle of a presidential election. We just had a. An assassination attempt. We had this big CrowdStrike issue that came across, which wasn't exactly a cyber issue, but still, it's an impact in operational technology, and it just really showcases, you know, it. It lifts the curtain for. For the general populace. It's. It's incredible. I was. I was at a fam, a couple of family functions in the last couple of days, and I've been cybersecurity and a technology nerd my entire life, basically.
But now all of these normies, the people that are not in this space, right, are coming up to me and asking me all these questions and think it's just like they're. My mother in law is listening to my podcast. Like, it's really weird that my mother in law wants to listen to a cybersecurity focused podcast and is interested in the things because it's getting thrown in everybody's face. So all this stuff is there, and it's more. It's more needed now than ever. It's maybe not more needed. It's probably always been needed. It's just more people understand how needed it is, and then it's getting more and more attacked. So, what I heard you say then is this ResetCon is really focused on deep dive into the technical aspects of how, when, why, all those things around OT, ICS, critical infrastructure, critical manufacturing, et cetera. Is that right?
[00:07:08] Speaker D: Exactly. And also, as you mentioned, a lot of these attacks are happening. There's a big intersection between the IT and the cybersecurity space and the OT space, especially with, like, the manufacturing 4.0 push, like, the smart manufacturing and smart devices, autonomous vehicles, all these different things that are now merging the two where one was previously analog and totally separate. Now you have this very tight meshing where previously an IT system might go down. The OT can still run because Jerry the intern's pulling the lever. But now, if that system goes down, like you mentioned, with CrowdStrike, well, there's a lot of stuff that governs the OT now sitting in that IT space. So it isn't just the ICS material, but also those, like, sensors and architectures that are shared across them.
[00:08:06] Speaker B: Yeah.
[00:08:06] Speaker C: Yeah.
Something I'll add to something Jay said a while ago was, in the military, we call this irregular warfare or multi domain warfare, where you leverage, you take advantage of weaknesses in infrastructure or civilian populace in order to soften the target before a conventional invasion. I think we all have seen recent examples of that in many areas. It's kind of funny. We. We call it irregular warfare, but it's becoming more and more regular.
[00:08:38] Speaker B: Yeah.
[00:08:39] Speaker C: I think this style of conflict is definitely going to become mainstay.
[00:08:47] Speaker B: Yeah, 100%. I mean, I see a lot of arguments, even with this CrowdStrike or any number of others. Was this a cyber attack? Was this a. Was this. Was this an OT incident? Like, you know, and a lot of the vendors are having those conversations or I. Either side of the coin, but what difference does it make? At the end of the day, all that matters is this stuff went down. Like, was it a bad actor? Maybe, maybe not. But at the end of day, the output, the income, the output, the results was the same. Planes weren't flying. Airports. Airports were closed down, people were stranded. You know, all of those things happened. Like, how it happened. Was it. Was it. Was it a nation state attack or was it just an intern that did something stupid? Who cares? I. I mean, we care. There is. We need to do a root cause on it eventually, but if right now, I need to get it back up and running.
[00:09:36] Speaker D: My face.
[00:09:37] Speaker C: A bunch of the same questions about the Baltimore Francis Scott Key Bridge.
[00:09:43] Speaker B: Yeah.
[00:09:44] Speaker C: Like the speculation on Twitter. Yeah, the speculation from my family. I mean, speculation everywhere was, you know, always a perfect storm of. And wouldn't it be funny? Maybe. I mean, right, maybe it was just negligence and. And the fact that a company wasn't taking care of their equipment, and then the perfect series of events happened.
[00:10:06] Speaker B: Occam's razor.
[00:10:07] Speaker D: Yeah, exactly.
[00:10:08] Speaker C: To your point, it's the same. It's the same effect.
[00:10:10] Speaker B: Yes.
[00:10:11] Speaker D: So I mentioned that I did defensive stuff for a little while, and I had a. I had a mentor who I'm not in as good of touch with as I should be. He did a phenomenal job. And one thing that he said early on, when I was still in the defense side of things, was, you know, attribution. Attribution is the most dangerous activity. Right. Because we have all these things to deal with, but everyone wants to think about whodunit and why. Right. And you absolutely get to that at some point, you know, but right now, we have a system that we don't know the status of. We need to be focused on this. We need to get it back, cleaned up, up and running, because what is our deliverable? At the end of the day, our deliverable is systems that people can use. And if you're a large logistics supplier, major shipping, for instance, the last thing you want is to have people spending all this time speculating and pay into that instead of just solving the problem as fast as you can.
[00:11:14] Speaker B: Yeah, yeah. And there's all these talking heads. And it's the same thing you see with everything, right, is who's to blame? What was the cause? Again, at the end of the day, these companies only care about getting their thing, like, doing. They want to fly, they want to build their widgets, they want to produce electricity. At the end of day, that's the goal. Right? We can figure out the RCA later. So this is awesome. So how do you guys go from walking around the building to having these conversations to becoming best friends to all of a sudden, let's launch a con? And what. What was that process?
[00:11:49] Speaker C: I think the big one was kind of, like you said earlier, it was. It was a couple buddies over beers. Yeah, many beers.
Eventually, we kind of just got to the point where we realized that, you know, as we like to call it, critical infrastructure. How is it that critical infrastructure is never represented by more than a village at a conference? And not to say that the village is not any good. It's great. Most of the villages are great. But it's kind of time we started focusing an entire conference on these kind of core issues of addressing the attack surface of an entire nation. And that's really what it came down to, was just a couple buddies having beers, making a great idea, and then having the ability to just say, okay, so how do we do this? And we just started the ball rolling, and it's been a nightmare ever since.
[00:12:49] Speaker D: It really has been. And it's. But it. I think Matt phrased it really well. There was kind of this moment of, like, either. Both the technical focus, both the impact focus, we had aired these not grievances, but these wants. Right things that we wanted to. We want to see this more in conferences. This really should be focused on a little bit more. We kept having these wants, and we kept seeing the industry basically every year when we had the same conversation moving a little bit further from where we wanted it to start moving. So we looked at each other across our beers, and we're like, well, shoot, I guess it's us. Then we called our own number, and we've regretted it ever since.
[00:13:37] Speaker B: Nobody's coming to save you, right? You got to do it yourself, right? If you want it done, it's got to get done. You know, it's the same. Same adage that we see, like, you know, we've got to step up and do something. So, obviously, as you know, I'm big part of ICS Village. I speak at conferences with them. I volunteer all the time. You know, I do podcast episodes with them. Like, there's all sorts. And, and why do I, why do I have a podcast? Why do I do this myself? Like, I, my job is full enough, but doing this is for that exact reason. Right.
I want to continue to point that conversation back and do more. Right. Because we need more focus. ICS Village is awesome, to Matt's point earlier, but a lot of times they're in the corner of a conference that is not focused on them right there. You have to come search that out. And it's a small section in this one bigger, larger thing, which is not a bad thing. Again, I'm not, I love, I'm going to Black Hat. I'm going to DEF CON, like RSA and S4. And all these different conferences are great. No shade on them whatsoever. But that's not their focus. Like, you go to Black Hat. What is Black Hat? We know Black Hat is commercial. You know, see whatever the newest thing is and get a bunch of swag and be in Vegas and drink a lot. Right. Parties, vendor support, all that kind of stuff. Yeah. DEF CON, the anti conference again, started out being very technical. It's so large now. I don't know how many people are even technical there. Like, some of them are just, they want to go because they want to hang out, which is fine, too. Like, I love DEF CON. I'll be at DEF CON this year. But, but I love the idea of a hyper focused, technical focused ICS industry because it's such a small niche. But it is so by name critical that we, we understand and focus on it. Because I want my lights to work. I want my water to turn on. I want to be able to get on an airplane and know it's safe. I want to be able to go to the airport and get on my plane and not have blue screens of death everywhere that we see. Right. Like, all of these things are super critical. And we know from an insider perspective, there's a single domino that can fall and can have this giant spread again. CrowdStrike. Not to beat up on CrowdStrike, but little things make big impacts in these environments. The consequences are huge, which is why I love the fact that this is dedicated and focused on critical infrastructure.
[00:15:58] Speaker D: Well, there are kind of two things that I really like about our approach, just to repeat what you said, but by giving people, you mentioned that you guys, ICS Village, you're at, you know, DEF CON, Black Hat, RSA. And that's super important because without your presence, nobody could see it. There are a lot of people who would never see it and say, oh, wait, what? Like that's actually really cool. You get that first checkpoint, you get that first interest. But now that we also have something that's a little bit more dedicated and a little bit more focused, the people who are coming just to hang out, come on, come show up, because not only will you see, you will get to see what you saw at ICS Village at DEF CON. You will also get to see it drilled down at its depths. Come see. How deep does the well go? Come see. Literally come see. Whether it's your area of focus, fantastic contribute, or you're just there to learn, it gives people that sort of that platform to really just be focused on it. And I think that's what we're most excited about.
[00:17:07] Speaker B: No, I love that it's so needed. And to your point, right, there aren't enough of people focused on it. In general. We hear all the time where there's a skills gap, there's a need for resources that have the skill. You look at LinkedIn, you looked at job requests, and people are asking for, you know, somebody that's got, you know, the unicorn, somebody that's got 20 years experience and something that hasn't even been around that long. Like, I've been doing critical infrastructure, cybersecurity stuff way longer than it's actually been called that. But there aren't many people that have. Right. And I'm not tooting my own horn, I'm just actually saying why there's gray in my beard. Right. It's because. Exactly. But we need more folks. We need new, new blood. We need to understand. And the more that we.
What I love about critical infrastructure, one of the main things I love, and, you know, coming from a power utility and critical manufacturing, the way I generate electricity is not proprietary. Right. You know, from company A to company B, we do it the same. We're not, it's not the secret, you know, recipe for Coke. There's, there's no secret here, right. We can share. So there's a lot of sharing that goes on in that industry, in a lot of these critical infrastructures. Because the way I do my water is not this. That's not how they make their money. Their IP is not around how I generate or how I create this thing. It's more just around brand. And I need to go buy and provide, you know, it's more the coverage than it is the IP on it. What that allows us to do is actually share and have some, some conversations where I may not be able to do that between Pepsi and Coke, but even those industries are able to say, here's how I'm protecting my manufacturing without releasing the secret sauce to my recipe, how I create an assembly line. We can share that stuff because there's not as much. And how do I make sure that my brand is okay? And those are the bigger conversations that we can have. And deep dive into the technology side of things, because how do we solve, like, being able to look at the CrowdStrike incident, how do we solve that in the future? How do we make sure that that doesn't happen again? It wasn't a cyber issue. It wasn't a nation state attack. But to Matt's point earlier, it could have been. So how do we make sure that isn't used in the future? Because now our adversaries just saw, oh, wow, one. One product just took down all of these critical infrastructures. Hmm. Maybe we should use that as an idea on how we could use that in the future.
[00:19:31] Speaker C: Yeah, that's been a huge part of, like, any supply chain attack. You swim far enough upstream and all of a sudden the trickle down effect is massive.
[00:19:42] Speaker B: Yeah, absolutely.
[00:19:44] Speaker D: One of the things that we really like about the ICS space and the OT space, and one of the reasons I personally am so excited about the conference you mentioned finding the solutions and sharing the solutions. There are a lot of research groups in, like, academia and universities that either know or may not know that some of the work they're doing is, like, critically relevant.
[00:20:11] Speaker B: Sure.
[00:20:12] Speaker D: And there's kind of a bit of a disconnect at the moment between, like, pure, like, the research that I was doing in DARPA land and, like, applicability in the field. Right. So there's always kind of been a disconnect there. But if we look just in the last year or so of research, we can see that the solutions and some of this sharing it can already go on. There are groups out there that are working on ICS systems that really should probably know about voltage fault injection. What can it do at its in fact, fortunate to have Colin O'Flynn as one of our speakers. You know, kind of one of the granddaddies, not granddaddy, he's not old, but, you know, one of the fathers of this area. And, you know, he's got NewAE and. And the ChipSHOUTER, ChipWhisperer, all that great stuff that he puts out, and he loves his hardware, but, like, you know, the "Oops, I Glitched It Again" paper that came out. Yeah, it's that came out. And they're performing multiple fault injections on a single trigger. You know, that's that's something that might not be relevant to everybody, but on those people who are using, like, Arm TrustZone chips. Well, Arm's pretty prevalent, so maybe, you know, if those researchers got to sit down with, I don't know, let's. Let's pick a firm, right? Like some large manufacturer who just has a bunch of Arms. Well, what are you manufacturing? Well, we're pressing, like, airplane components.
[00:21:59] Speaker B: Right.
[00:22:00] Speaker D: That's a big deal. Like, maybe you should be aware, you know?
So whether it ends up funding it or. We talked about. I talked about airplane components. So you have CAN bus, which is how vehicles communicate, you know, who knows that better than Aaron Crow? Yeah. No one, probably. So, you know, they've got this research coming out that's focused on CAN bus both on, like, using, like, the inter-frame spaces to basically, like, create a signature and, like, time trapping of injected attacks with, like, 100%, like, replay attacks with, like, 100% success rate. I think that was ZBCAN and then redos or redis that came out. And I'm pretty sure that's like, they keep track of the transmit error counters, and they kind of emulate it, and they use that to inject bits into things that they think are wrong, create a faulty message, put the attacker device into an error state, and then they can scan through and say, okay, here is the device that we think is the problem, talking about attribution and how hard that can be in the ICS space. So this is stuff that came out in the last, like, year, I guess they were pre publication, like, a year ago. There are a lot of groups that could probably use that fund this lab. Go find these guys, email them, talk to them. They did great work, and they can contribute immediately right now maybe not to your in production systems, but to getting this forward and then getting those solutions out. It doesn't have to be a decade. It can be a couple years.
[00:23:41] Speaker B: Well, you know, I just spent time at. Yeah, yeah. And I just spent time at Idaho National Labs, and they have their, you know, cyber informed engineering. And that. That's really the idea behind that. Right. Is I need to be thinking about these things and what are my risks and where am I, where are my vulnerabilities? And it's not always a software vulnerability. Right. It's all, you know, it's not software bill of materials sometimes it's. It's a lot of different things, and there's a lot of perspectives there.
We do really well at designing these systems and critical infrastructure to be reliable, to be available, but we haven't been designing them with the cyber and technology aspect as part of the equation we kind of bolted on after the fact. We try to figure it out, and even when we do that, we're not bringing in the best of the best. We're like, we're making your plumber figure out the electrical. Right? Yeah, he's a smart guy. He can probably figure it out, but that's not what he went to school with. That's not his expertise. Can he do it? He's a super smart guy. He's done it before. Yeah, he probably can, but that's not his job. Like, bring in the electrician, bring in the specialist, the HVAC guy. Can your HV. Can your electrician wire your HVAC? Yes. But is he as good as the HVAC guy? That that's all he does and that's all he's ever done. And he's seen all these different examples and the do's and don'ts, of course not. Like, that's. That's the specialty side of it, and we need to make sure that all those people are at the table.
[00:24:59] Speaker C: Yeah, that was one of the goals with ResetCon, was to get all these people together, was to get a money from, from vendors, together with the brains behind some of these research projects, together with the offensive security minded people, and just brainstorm solutions to these problems, because you're not going to do it anywhere else unless you have a shop that's got all of those components, you know, in the mixing bowl. So we have to do it at a conference. We have to do it, you know, where, you know, everybody's willing to talk and discuss and. Yeah, so we started ResetCon.
[00:25:34] Speaker B: So who's your ideal audience? Like, who do you want to show up?
Obviously, from a vendor perspective, from a speaker, you've already talked about some of the speakers there, but just normal audience, like, who are those ideal folks and what goal do you want to come out of this from them, from an individual as an attendee, but also from a larger community of, hey, this ResetCon thing, we went away and what can we say? We want to. We want to get, like, in five years, at year five of this thing, what is a good outcome that you're, that you guys are hoping to get to?
[00:26:05] Speaker D: We have a couple different audiences, and I think that's why this conference is particularly ponderous. We have the exploit, like the exploiters, like the on keyboard operators who could benefit from understanding, like, oh, there's all that. There's this whole space to play in and your offensive people, your red teamers, those guys. We also have the defensive people who are in the ICS space, who are dedicated security people. Of course, those are our security audiences. But it's more than that, because if you look and you go into actual industry, you have the people who are managing, managing these whole, like an oil platform, right? You have the guys who run that, not necessarily day to day, but the decision makers who can sit down and look at the problems at hand and say, hey, we do lidar sensing there is an attack out that allows, called You Can't See Me, that, yeah, that explicitly uses lasers to prevent lidar from reflecting back and you can target it. And it's like 92.7% effective at removing 90% of, like, the lidar pillars.
[00:27:19] Speaker B: Sure.
[00:27:20] Speaker D: That's a lot. That's a problem. So the guy, the cyber people, they can understand and know, like, oh, we can use this to make the car crash, right? But the guy making the car fundamentally has to be aware that this is a possibility. And now that he's aware that it's a possibility, he can go focus on that.
So we have also, like, executive level and just like technology decision makers from industry. And those are two very different groups. They're very hard to get together because they don't like the same things. And we're finding that now, you know.
[00:27:59] Speaker B: They are different, but they are. At the end of the day, it's one of the things I say a lot is we're on the same team, we have different roles and we have different specialties, but we all want to make sure, again, I said a minute ago, I want to make sure when I turn my light switch on that it works. Most people don't understand the complexity it takes to generate, transmit and distribute electricity or water or gas or our electric system. Like, all of these things, they're just so difficult and complex. Most people just take it for granted. They just, they pay their light bill, they turn their light on, and it just works. Right. And really understanding that, that we're, we're on the same team, we have the same goal. IT and OT, we're not on different sides. You know, executives and, and the people, hands on keyboard, we, we have the same goals. Right. You know, everybody wants to have a safe environment that their kids can go to school, that, that we can, you know, invest in real estate or invest in stocks or buy, buy whatever we want and do our job and retire and go on vacation and all these types of things and all those things are dependent upon this foundation of critical infrastructure and everything that it works and all the sub components. And we're not asking everyone to understand all of that stuff. You don't need your offensive linemen to necessarily be able to play safety, but they at least need to understand a little bit because we are on the same team. We need to have a general awareness of certain things, especially if it's your job to do whatever that task is, to defend against whatever or to be offensive on it, depending on what your. What your role is. So when did y'all.
When did y'all start this thing? Like, how. How. How long ago did you start kicking this off and turn this into something that's tangible?
[00:29:44] Speaker C: I think we founded the company that holds the conference 18 months ago.
[00:29:51] Speaker B: Oh, wow.
[00:29:51] Speaker D: No, a year ago, even less.
[00:29:54] Speaker C: Yeah, yeah.
[00:29:56] Speaker B: One year. One year. From foundation to the conferences in, you know, a little over a month, month and a half. Two months.
[00:30:03] Speaker D: Yeah. So we had been thinking about it before, but our official incorporation date is this month. Like, this is our. This is our year anniversary.
[00:30:13] Speaker B: That's epic.
[00:30:14] Speaker C: The ball is rolling for about 18 months. Like, officially, though.
[00:30:19] Speaker B: Sure.
[00:30:19] Speaker D: Yeah.
[00:30:20] Speaker C: We're constructing a plan and figuring out names and getting a logo built and buying domains. About 18 months ago, but, yeah, incorporation is. Yeah, not today, but this month is certainly kind of a monument, I guess.
[00:30:37] Speaker D: I think it was actually the 6th of July. We had submitted it on the third, but there were, like, some. Some issues with our submitter, so I just had to do it myself a few days later. One of the things, you know, I'd also want to shout out, I don't know how familiar you are with ShmooCon and the Shmoo Group, but shout out Heidi Potter. You know, she got on the phone with us at the. At the outset, and we presented her with our timeline and our plans, and she kind of validated and helped us orient and said, like, well, move this one up here. Change this around. You need at least this much time for. And that kind of guidance, as much as we either succeeded or failed to adhere to it, was very helpful. So, you know, shout out the Shmoo Group.
[00:31:23] Speaker B: That's excellent. I've experienced a lot of. Again, going back to that whole, we're all one team, we're not a competition.
Like, having more focused and different is not bad. Right? There's a lot of conferences out there, but there's a reason they stood up and there's a reason their purpose, at least when they started. Right. So I'm excited about this. I'm excited to have another opportunity to speak about ICS. There are so few that really have any significant focus on critical infrastructure, specifically around, you know, the technology side of things. Right. You know, all of them will have a talk track maybe, or maybe they've got a few speakers there. ICS Village will be there, other villages will be there. But actually having a focus on it. S4 obviously focuses on critical infrastructure. But again, even that, you know, it's less on the technical side. I mean, they do definitely have talks. I love S4. It's one of my favorite conferences, but still having one that's even more focused down in the weeds is not a bad thing. And it's good that we have diversity of thought, we have diversity of attendees, and not everybody can go to S4 for many reasons. Right. Miami is expensive and all the different things, or I couldn't go this month, right. So having another place that I can go and be able to expand and deeper dive with different people and having the same conversation around different people, I'll have a different outcome of my opinion or maybe even outcome of thought and results, which is incredibly powerful.
[00:32:50] Speaker D: Powerful. I'm personally really excited not just about having the focus on ICS, but also go in the other direction. One thing that I think gets lost a lot. I was at Hack the Capitol. I got to, you know, I was fortunate to be on Derek Harp's podcast. You know, it was fun to talk to him and, you know, we have a lot. There is some focus in the ICS space, but some of what's missed isn't just the lack of focus directly in the ICS space, it's the cross-domain applicability.
[00:33:24] Speaker B: Sure.
[00:33:24] Speaker D: So consider actually one of our other speakers, Daniel Genkin. Let me ring the bell. He worked on something last year that was focused on off-path USB injection attacks. Well, as USB, that's just a pretty general computer. We use it everywhere.
[00:33:43] Speaker B: I.
[00:33:43] Speaker D: But, you know, where it gets used a lot, air gap systems. So we have, you know, he put together with, you know, not alone. He and like his co-authors put together an attack that allows command injection, keystroke injection, and like file rewriting. You plug in that USB, you think you know what's on the files, the configuration that you're uploading into your system, and it writes something totally different. It's issued commands, it's been completely hijacked. And if you're focused entirely purely on operational technology, you might not see that hole in the USB driver. But we have the opportunity, as just generalists and cyber focused people to say, here's the hole in the USB driver. Look where your USB driver is. So I think going the other direction also has a real broadening effect that I think we can see or that I really hope to see come out of Reset.
[00:34:45] Speaker B: No, that's huge, right? And I've seen this firsthand in nuclear power plants, for instance, where completely air gapped, no network connection whatsoever, and a vendor brings in a drive that's been scanned and all the things and everything looked fine on it, and it gets brought in and it causes an issue. And this was 2010, so that, this is not new. I mean, you look at Stuxnet, air gap system, right? You know, that whole environment, and that's where we get to, we have this false sense of security because of the way that we. We architecture or these systems are, and they're not necessarily there. So what is the day? What can you expect is when you're showing up, like, what are the talks? What are the, what are the hands on? What are the kind of walk us through that expectation of.
Of what, when I'm showing up to this place as whatever my role may be in my, in my corporate world.
[00:35:41] Speaker C: You want me to take that, Matt?
[00:35:42] Speaker B: You want to give us that?
[00:35:43] Speaker C: Yeah. I mean, so like any, any conference, you're gonna. You're gonna walk in and get registered, you're gonna trade in your, your barcode or your ticket for a badge?
[00:35:52] Speaker B: Yep.
[00:35:52] Speaker C: And then we'll have, we'll have some opening remarks, some really high technical talks. A couple villages have committed to coming, and it's really just going to be focused, like Jay mentioned, on some really specific research. There's going to be a floor for vendors to advertise for themselves for being at the conference, maybe do some recruiting. And there will be spaces for people to have conversations, get to know each other, socialize. So outside of the conference floor, you know, there's the rest of Savannah to explore, which is a great city, plenty of good food, good drinks, good sightseeing, lots of American history, and there's plenty to do there. But, yeah, I mean, at the conference, it's going to be structured a lot like most other conferences with talks. We have a CTF that we're putting together that's focusing on a lot of industrial control system aspects. We've got some emulated PLCs, some DNP3 stuff for people to attack. There's going to be no shortage of activities, and it's a five year goal of mine to have something really special on the floor. I don't know if it's going to be an aircraft engine or maybe a mock up of maritime control system network. It would be really cool to have, like, a miniature reactor or a mock up of a power plant available on the floor and just, you know, let people go at it. Kind of like the car hacking village started. They put, like, the dash of a car on the floor and said, go nuts.
[00:37:50] Speaker B: Have fun.
[00:37:51] Speaker C: Yeah, that's kind of. That's.
That's kind of my five year goal. I'm hoping we can get there eventually. Savannah is pretty uniquely positioned. There's the Port of Savannah nearby. It would be really awesome to get, like, a busload of hackers onto a ship.
[00:38:09] Speaker B: Right.
[00:38:09] Speaker C: And you can kind of see where that might go. But no, I mean, there's going to be a lot of fun to be had, a lot of learning to be had, a lot of networking to be had, and hopefully get researchers, vendors and hackers thinking along the same lines. And like Jay mentioned earlier, maybe we can get some of this really cool research funded and implemented before it becomes a problem.
[00:38:35] Speaker B: Yeah, I love that. Anything to add, Jay?
[00:38:39] Speaker D: You know, the only thing I wanted to add was when we were out there having. Having our beers and getting the conference, like, kind of. Kind of walking the grounds, we were going to be. Matt had that idea. He was like, well, what if. What if we just, like, got a boat? And, like, everybody could get on the boat. And I was like, how would that work? And he did, you know, he described the bus, and I was like, well, you know, I guess, like, if they wanted, they could just have sleeping pads and a sleeping bag and they could just sit in there and just go nuts. So long as, like, I don't know, insert shipping company name here was okay with, you know, having something in port and then reflashing their systems afterwards. You know, that would be quite the experience. I think that would be an amazing 5-10 year goal. I think my ultimate goal is, as Matt said, which is to see some of this research, to see some of these labs connect with industry and actually not just for the sake of getting funding, but to actually deliver something.
[00:39:40] Speaker B: Yeah.
[00:39:40] Speaker C: Imagine a track on your CTF being steal the boat, right?
[00:39:48] Speaker B: Not really.
[00:39:48] Speaker C: We would have probably, like, exemplar systems that are just physically located on the boat. And being immersed in that environment and being told that you can steal the boat would be incredible.
[00:40:01] Speaker B: Yeah, yeah. You know, it's. It brings up something that is near and dear to my heart, and I've built a lot of very large labs for power utilities and others, and they're purpose built. Right. So they have control systems, they've got turbine controls and balance of plant and. And, you know, the transmission substation environments, all that kind of stuff. But they're. They're special built for those. Whatever they're using them for. Imagine if that was available to this environment, right? So a bunch of people are coming together not to just break stuff because it's fun, but also just find things that nobody else thought of to find fixes, to find solutions, to find new architectures and capabilities. When we put our minds together, it's amazing what we can come up with. But you can't go buy. I don't have the money to go buy a control system or recreate a power plant in my lab. Like, I've got a lab over there that I'll actually be bringing, but it's. It's small and it's. It's. It's a. It's a small use case. But imagine if I had all of the access to an entire environment and those labs exist. Like, again, I've built two or three myself, and that's. That's in public companies, not counting the ones that are in these. These lab environments, like Idaho National Labs and NREL and MxD up in Chicago for manufacturing. A lot of those labs have a lot of these spaces, but. But they don't necessarily have people that are coming in to do this type of thing. So I love the idea. I think more. More insight and visibility into these environments where, unfortunately, up until now, critical infrastructure has kind of been this security by obscurity. I don't know what's going on. That's my security. Don't look behind here. Everything's good.
Just trust me. And I think now we're in a space where we know that's not enough, and it's not. It's not going to help us. And we need to get some. We need to get some. Some young blood. We need to get some hackers in here, not because we want them to break stuff, but because by them breaking something, it can help us fix something before that bad thing, before the bus hit or the. The boat hits the bridge, before, you know, the. All the power plants go down, or, you know, that type of attack happens in a bad thing that we don't know how to recover from. I love it, gentlemen. All right, so how. Give us the call to action. How do they. How do people buy tickets? How do they. If I'm a sponsor, how do I reach out to, like, give us all that info?
[00:42:20] Speaker C: Yeah. So ResetCon, rstcon.org. We've got a sponsorship page if you want to sponsor us. All the tiers and information about how to submit to be a sponsor is on that page. Call for papers is open at the CFP page. Again, everything's listed there. We've got a lot of interesting categories and interesting calls for papers. And then the 2024 page is kind of where we're putting all of the. All of our sponsors and our headline speakers. And then there's a couple different places to buy tickets on the 2024 page. On the tickets page, you can reach out to us directly for group rates. If there's a big group that wants to come and you want a group rate, and then also there's. There's student pricing available. So, yeah, students just get a flat 50% off, so it's $100 for a student to show up.
[00:43:26] Speaker B: Awesome.
[00:43:27] Speaker C: Yeah.
[00:43:30] Speaker D: Our CFP, it is still open. We have some really good talks lined up already. But I want to impress upon people that the thing that they're working on at home might be more applicable than they think. I referred to the USB thing, talked about lidar, automated patching in main memory. Maybe you're doing something that's on a RISC-V system. Those show.
Those are everywhere. There's a lot of RTOS stuff, there's a lot of embedded stuff that is now in all of these industries that wasn't necessarily before. So don't be gun shy just because you're like, well, you know, I did this thing, but it's. It's really just focused on. On, like, Wi-Fi or like, this Zigbee or a TLS connection, you know, it's probably relevant. You'd be surprised how much overlap there is. And every time I sit down with a student or a professor, I've had some opportunities recently to talk with industrial and systems engineering groups. And sometimes they're like, yeah, well, we're working on optimization, right? That's relevant to us. And like, well, how is optimization relevant to you guys? They say, well, Daniel Gruss, another one of our speakers, he's bringing SUIT, which is a. He and Jonas Juffinger are bringing and discussing SUIT, which is like, they did a whole attack based on undervolting, right? We talked about fault injection before undervolting, you know, and they've realized while they were undervolting, that a lot of these things run more efficiently, or they run just as efficient. They run just as correctly at lower voltages. And you, as a manufacturer or as an embedded system user, can actually undervolt things to a certain threshold. Make sure you test it first and save on your power bill by like double digit percents. So, optimization, it might not seem relevant. It is relevant. So please, even if it's just an abstract, our submission is not that ponderous. Just send it out there. It could end up being big.
[00:45:48] Speaker B: Go for it.
[00:45:48] Speaker C: The other thing I'll mention about the CFP is there are timelines on there, but us being a new conference, still trying to figure out schedules and all that stuff, even if you have something that's a little bit late, just get us an abstract and we can help work with you on getting the rest of the research done and figuring it out.
Our timeline, at least for the CFP, is pretty soft. So even if it's, even if it's, you know, a week late, we'd still love to hear from you.
[00:46:20] Speaker B: Sure.
[00:46:20] Speaker C: As it stands now, the CFP is due to close on August 1. We, we plan to leave the page up there. So again, if it's, if it's a couple weeks, a week or two, three weeks late, still, still shoot us a spot or an email and we'll see what we can do.
[00:46:39] Speaker D: Yeah. What's the worst that can happen, you know? Well, it'll take some, it'll take a time. It'll take time to review everything. So while I'm reviewing everything, you might as well slide one in the stack. It's fine, right?
[00:46:49] Speaker B: Exactly. That's awesome. Well, I'll definitely make sure all the, all the details are in the show notes, folks. So definitely look there for all the details around those links. Definitely get in your CFP. It's a great opportunity for your career, for networking, presenting, even if you're uncomfortable, I highly recommend it. Doing, doing podcasts and speaking, there's a soft skill that goes to that, that is important. It doesn't matter how smart you are, if you can't convince others and explain it to others, then it doesn't matter. And part of that is presenting abstracts, presenting papers, getting up and talking to a group of your peers. We've all been there. Nobody's expecting it to be perfect. It doesn't have to be polished. It's better to get the content out there and trip and say, um, or, you know, be sweaty and, and not know what to do with your hands and, and that kind of stuff. Who cares? Get out there. Like take the risk. It can greatly impact your career, but beyond that, it can greatly impact this whole critical infrastructure thing. The knowledge that you guys have is what matters. And if it's in your head and you can't get it out there, then it's not helping. We need it out there so that we can do something about it and we can get it.
You know, you have a knowledge, and then you tell to Jay, and then me, Jay, and Matt, and we're all sitting there like, oh, wow. Now we can do this other thing that none of us have thought of, because now that we have this new information, so it's super important and powerful to get that knowledge out there. Well, thank you, gentlemen. I appreciate it. I'm looking forward. I'm definitely going to be there. Ben. I'm actually going to be representing ICS Village, so I'll be bringing this. It's actually in a little bit of construction right now, but the case I have behind me, so definitely come out. It's got PLC and kind of some secure remote access and some fun stuff that people can actually put hands on. And we'll have a lot of information around ICS Village if people want to volunteer all that kind of stuff. So definitely excited to be there and, you know, obviously be at the conference and hear the other speaking and all that kind of stuff. So definitely come out, sign up and get there, and it's going to be a lot of fun.
[00:48:49] Speaker D: We'll make sure you're not in the corner of this one.
[00:48:51] Speaker B: There we go. Thank you, gentlemen.
[00:48:55] Speaker D: Take care.
[00:48:56] Speaker A: Thanks for joining us on PrOTect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever-evolving field. Until next time.
