UPDATE: Please use the following link for the current agenda. The one in the post is outdated: http://sintixerr.files.wordpress.com/2011/10/cyber-program_1020.pdf

Progress! As you can see below, we’ve confirmed several additional speakers such as Tony Stramella from the NSA and Steve Carmel from Maersk (who was a fantastic speaker last year – he talked about his experiences with maritime piracy and pirates! Did I mention he talked about pirates??).

The Offensive perspective panel (Kevin Finisterre, Ruben Santamarta/Reversemode, and hopefully Josh Wright) is going to rock out with some talented vulnerability researchers and Mark Fabro will do his always brilliant job of improving the discourse. 

We’ll be excited to hear Bryan Sartin discuss the past year’s data breaches and front-line experts in the field let us know how the stuff you’ve heard in the news might apply to you (Scot Terban, Liam from Symantec, and the now-short-haired Adam Meyers). 

Boeing and Darryl Song from Volpe are going to dish on transportation-specific concerns, and the CTO of the CIA will drive home the need for security to be data-centric. 

Mike Murray will be both entertaining and captivating – even if I don't know his talk yet – and Russell Thomas will bring a much needed formal perspective to risk management and cyber security. 

Patrick Gray gives a lightning fast, but insightful presentation on social media, Jack Johnson will help us understand financial issues facing organizations today, and Amit Yoran will talk about…whatever. He’s just a smart guy.

Hope you can make it. If you’re interested in attending, the registration link is here: Invitation.

(Please, if you’re a vendor and plan on selling, we’ll take a pretty dim view of that at this particular conference. )

November 1

Talk | Speaker 1 | Speaker 2 | Speaker 3 | Moderator
Introductory Remarks | Dr. Emma Garrison-Alexander, TSA CIO | | |
Keynote | Anthony Stramella, NSA | | |
Verizon Data Breach Incident Report | Bryan Sartin / Verizon Business | | |
Break | | | |
Industry Case Study 1: Boeing | Mike Garrett / Boeing | | |
Panel: Offensive Perspectives | Kevin Finisterre | Ruben Santamarta | Josh Wright (tentative) | Mark Fabro
Lunch | | | |
Social Media | Patrick Gray / Cisco | | |
Panel: Maritime | Steve Carmel, Maersk | RDML Robert Day, USCG | RADM James Watson, USCG | TBD (Speaker)
Break | | | |
Panel: Threats in the News | Scot Terban (Anonymous) | Liam O Murchu / Symantec (Stuxnet) | Adam Meyers (APT) | TBD / Industry
Industry Case Study 2: Transportation Control Systems | Darryl Song / Volpe | | |

November 2

Talk | Speaker 1 | Speaker 2 | Speaker 3 | Moderator
Introductory Remarks | TBD | | |
Keynote | Vice Admiral Parker / USCG | | |
DHS CARMA | TBD | | |
Break | | | |
Panel: Executive Perspectives | Amit Yoran / Netwitness | Gus Hunt / CTO of CIA | TBD / Industry | TBD / Industry
TSA & DHS Joint Sector Collaboration | TSA Cyber Security Awareness & Outreach Branch | | |
Lunch | | | |
Users & Awareness | Mike Murray / MAD Security | | |
Industry Case Study 3: TBD | TBD | | |
Break | | | |
Panel: Risk Management | Jack Johnson / PWC | Russell Thomas | TBD / Industry | Jack Whitsitt
Industry Case Study 4: TBD | TBD | | |

UPDATE: Please see this link for the most current agenda. The one in the post is outdated: http://sintixerr.files.wordpress.com/2011/10/cyber-program_1020.pdf

So, one of the things I get to do as part of my job which has been pretty exciting is to put together the agenda for our 2nd annual Cyber Security in Transportation summit. It’s happening November 1 & 2 this year in the DC area and is going to be full of outstanding talks for all ages and backgrounds. ;) The summit is aimed at executives and decision makers from within the transportation industry who might be affected by cyber security or whose actions may affect the security of their organizations. We’re covering general cyber security themes as well as transportation-specific ones. If you’re in the transportation sector – pipeline, aviation, freight rail, mass transit, highway & motor carrier – and want to attend, let me know at sintixerr@gmail.com.

The tentative agenda currently looks like this:

Summit Schedule (image)

AGENDA DESCRIPTIONS

Industry Case Studies: Four discussions of transportation-specific cyber security concerns and perspectives: incidents, best practices that worked, lessons learned, soap box scenarios, etc.

Public/Private Partnership

Sector Collaboration: Based on outcomes of this summer’s Transportation Cyber Security Exercise

Panel: Maritime: Representatives of the maritime mode will discuss topics of common interest

TBD DHS

General Cyber Security Awareness Talks & Panels

Panel: Offensive Perspectives: Non-technical perspectives from well-known offensive researchers

Panel: Threats in the News: Current threats in the news such as APT, Stuxnet, and Anonymous

Panel: Executive Perspectives: Concerns and solutions in today’s environments

Panel: Risk Management: Cybersecurity impacts on business risk management

Verizon Data Breach Incident Report: An empirical overview of current trends

Social Networking: Ups, downs, concerns and impacts of social networking on cyber security

Users and Awareness: Exploration of the most critical aspect of cyber security: users


Recently, I was invited to speak on a panel in Tbilisi, Georgia at a NATO-Georgia Conference on Emerging Security Challenges put on by the NATO Energy Security Section, Emerging Security Challenges Division.  The topic was Energy Security, including Cyber Threats to Infrastructure (Moderated by Mr. Michael Rühle, Head, Energy Security Section, Emerging Security Challenges Division, NATO).

You can find a copy of my presentation here: http://sintixerr.files.wordpress.com/2011/07/natotbilisiswhitsitt.pptx 

When writing – and delivering the presentation – I found it difficult to support both the scope of the panel as described – Energy Specific SCADA threats/vulnerabilities – while at the same time meeting the audience’s need for a higher level view of the problem.  I definitely need to work more on bridging the gap between the technical realities of what we do and the knowledge/perspective of policy makers…but that was always going to be hard…if it was easy, it would happen more often. :)

As for the rest of the conference, there were a number of presentations given, but I was most impressed by Alexander Klimburg’s take. He spoke about the intersection between attribution difficulties in cyber space and recent talk about kinetic response to attacks by nation states. Policy discussions seem to be moving, according to Alexander, in a direction which results in rapid, somewhat automated, escalation of hostilities between nations in the event of a cyber attack which seems to have come from another nation.  With confidence in attribution being as low as it is – and with such a high probability of non-state actors being involved – this type of escalation becomes problematic and ill-advised. Alexander’s talk proposed creating confidence building measures between states and non-state cyber attack actors, building in enough of a policy buffer to allow thoughtful responses to attacks, and having the media “name and shame” attackers where confidence isn’t 100% as a deterrent.

I don’t completely agree with all of the details, but philosophically, I think he was on point. 

What I also found interesting about the conference was that the same conclusions were drawn at the end of this conference that are drawn at the end of every other cyber conference:

  • More information sharing is needed
  • Public/Private Partnerships are important and difficult
  • Cyber is a real threat
  • Large organizations can help solve some, but not all problems in cyber security
  • There needs to be clearer definition of roles and responsibilities

Someone in the audience rightly asked: “Yes, that all is obvious, but how do we do it?”

That’s a perfect question, and one I ask constantly.  I’ll say again: You can’t just say “cyber security is a problem” and expect to implement a plan to solve it; you can only speculate as to what types of efforts might be involved.  The problem needs to be defined in a much more structured, specific manner than we have so far (in my mind, using threat models which link risks to strategic business objectives from cyber systems to tactical risks to those cyber systems…at some point I’ll post a model for that here).

That all said, the trip was fantastic:

My NATO and Georgian hosts were gracious, professional, and intelligent. The locals were a lot of fun – I spent one evening with three random Tbilisians (one cute bartender, a guy who claimed to be a male model and was explaining the story of the city’s founding in broken English and by waving his arms up and down like a giant bird, and a US expat helping to start a lab). The country was beautiful; I particularly loved some of the crypts on the floor of a church in Mtskheta (the script was beautiful…I suggest checking out Georgian writing).

Thanks to Julijus for inviting me to speak. I was very grateful for the opportunity.

 

(Edit: This is a pretty rough draft of this blog post. It may change significantly and I want to add many more thoughts, but I wanted to get it out before it became OBE.)

(More mature thoughts on RDOSing…)

If you have one error, you fix it and move on.

If you have the same error again, you fix it “better” and move on.

But if you keep having a variety of errors at a steady or increasing rate, you stop looking at the causes of individual errors and look at your basic business practices.

Cyber Security problems are errors. Cyber Security problems are systems or data doing things their owners and society do not want them to do.

Cyber Security errors keep occurring despite being fixed individually.

New types of cyber security errors are occurring over time as new systems are built, as data changes, and as new use cases develop.

By the time we fix our past errors, we’ve created new ones.

Let’s stop focusing national and organizational programs on fixing individual cyber security errors  – or even fixing common classes of cyber security errors.

Instead, let’s focus on reducing cyber security error rates in general.

To reduce the rate of cyber security errors, non-cyber specific business practices must be evaluated to determine where cyber security errors are being introduced.

Hmm. This sounds a lot like business management and quality control, not cyber.

Yes, it does.

Tackling individual cyber security errors in our critical infrastructure without reducing error rates will assure failure.

Tackling error rates will create long term, sustainable success by freeing up the vast, unnecessary number of resources we’ve allocated to individual problems to better use through the reduction of the number of errors which have to be dealt with in the first place.

Stop wasting so many resources. :)

Some friends of mine were recently speaking on a cyber security panel at a non-computer-geek conference. While they got a higher than expected number of attendees, it was still lower than they would have liked. While watching some of the other panelists crash, burn, and then bury themselves at the center of the earth, they came up with a list of pointers for making cyber security talks more palatable based on specific failures they saw (whether humorous or serious). They were off-the-cuff, but I thought they made up a good list. This is part 1. Comments? Thoughts? Additions? :)

  1. Talking over your audience’s head is mean.  No one cares how smart you are unless you can make them just as smart on your topic in 20 minutes or less.
  2. Speaking of 20 minutes. Stay on the time clock. Wasting 15 minutes of someone else’s time is presumptuous and rude.
  3. Having a Slide Extravaganza doesn’t make you a good presenter.  Slides are talking points, nothing more. By the 98th slide, your audience will hate you.
  4. Engage. If people opt to read their horoscope on their l33t Droids rather than watching you in person, your presentation sucks.
  5. Tone. If you have a terrible voice, amplifying it on a microphone is just plain mean. Record yourself ahead of time and listen to it. Adjust accordingly.
  6. Hair Matters.
  7. Thanking everyone for thanking the thank you people gets redundant. Appreciation is one thing – but it’s not the Academy Awards.
  8. Pick one point. Maybe two. Not 438. Your audience is not Neo. They will not be able to learn Kung Fu.
  9. Relevance. Know the audience and have a backup plan if no one can relate to what you’re talking about. Otherwise, you’re just filling space.
  10. Smile. If it’s supposed to be a joke and you frown, your audience might not get the cue to laugh.
  11. If you smile while you make a joke, and the audience still doesn’t laugh, see “know the audience” (or “talking over your audience’s head”).
  12. Look nice. There are enough cave trolls in the audience. Give people something better to look at.
  13. Be a wingman. If one of your colleagues is getting ogled by the above-mentioned cave troll, be sure to intervene on her behalf. Especially if the cave troll is of unspecified gender.
  14. Don’t let friends sit in the back row and make you laugh unless they’re part of your shtick. Especially on a panel when it’s not your turn.
  15. Bring pillows. If you’re going to put people to sleep, they may as well be comfortable.

Growing up, a lot of my sci-fi reading focused on old classic works by Asimov, Clarke, Heinlein, Campbell, Pohl, etc. For some reason, I missed the 80′s almost completely. Specifically, I missed Ender’s Game until just this past month. So, I’ve been catching up. As of tonight, I’ve just finished “Ender’s Shadow”. My thoughts on the book (and series) overall are beyond the scope of this blog, but there was a series of passages early on that I think resonate closely with my last post here, and with my overall feeling that we need a real strategy for changing the odds on the cyber security playing field altogether instead of just building up defenses linearly. Let me know if you agree?


“He could come from anywhere – from anywhere all at once. So we run into the classic problem of defense, cubed. The farther out you deploy your defenses, the more of them you have to have, and if your resources are limited, you soon have more fortifications than you can man. What good are bases on moons of Jupiter, or Saturn, or Neptune, when the enemy doesn’t even have to come in on the plane of the ecliptic? He can bypass all our fortifications. The way Nimitz and MacArthur used two-dimensional island-hopping against the defense in depth of the Japanese in WWII. Only our enemy can work in three dimensions. Therefore we cannot possibly maintain defense in depth.”

“So even if we intercept 99 of 100 attacking squadrons, he only has to get one squadron through to cause terrible destruction.  We saw how much territory a single ship could scour when they first showed up.  Get ten ships to us for a single day, and if they spread us out enough, they’d have a lot more than a day and they would wipe out our most important centers. “

“I don’t think there is a solution. There is no point in trying to defend at all. So the only strategy that makes any sense at all is an all-out attack.”

I’ll let you all think through the implications of these passages and get back to me.

On another, related, topic, I have a question: A lot of us are quick to reference Sun Tzu’s Art of War in cyber security, but I haven’t seen (or haven’t recognized – I might just be ignorant here) many attempts to use known historic, strategic war/battle thinkers in our industry much beyond Sun. Is there anything else – or anyone else – we should be looking at from a classic “war” perspective that we’re not already? Who? Why? Who/What am I missing? Is it relevant to ask?

Contact Me

sintixerr@gmail.com
