DEF  CON   30

Capture the Flags

All times listed in PDT

Friday, Aug. 11 | 10:00 a.m.  — Sunday, Aug. 14 | 3:00 p.m.

Fathom5 SEA-TF Constellation Edition

Contestants will be able to try their hand and compete in a point based Capture the Flag hacking competition based around 3 Maritime consoles. The consoles involved will be Navigation systems, Steering and Propulsion systems, and Ballast systems. These systems provide a relative experience of the actual systems found aboard a naval vessel.

[Register Here]


All times listed in PDT

Sat, Aug.13 | 6:30 p.m. — 10:00 p.m.

ICS Village Charity BBQ [[

ICS Village will be hosting a #unicornchef (check out the show that has included interviews with recipes with folks like Chris Krebs) catered BBQ with a select group of great people in our community. As always, our events adhere to a safe space policy including lots of non-alcoholic options. There will be a pool so bring your swim trunks and a towel! All proceeds go to the ICS Village 501c3 non-profit.

Friday, Aug.12 | 10:00 a.m.  — Sunday, Aug. 14 | 3:00 p.m.

Defense Digital Service - Hack the Microgrid

Microgrids are pretty high maintenance, and like satellites, primarily built for survivability, not security. As the Department of Defense marches toward deploying microgrids at scale to shore up mission resilience in response to the challenges presented by climate change, hackers are gonna hack.

In this lab, you’ll learn the basics of microgrid design – from what they are, how they work, and how they regulate themselves. Then, you’ll be able to use this knowledge to then attempt to take over and shut down a mock microgrid by hacking its weather data system and sensor input network to generate chaos.

Maritime Hacking Boundary Adventure

Have you ever wanted to run your own shipyard? To drive ships? Without permission? Then the Hacking Boundary tabletop role playing game is just for you. Hacking Boundary is a realistic, competitive, game of identifying and exploiting vulnerabilities in ports and ships. The game is designed to allow for you to bring your knowledge, skills, and abilities to the table and use these to compete against your peers. The game will last about 4 hours, and participants will have roles as attackers, defenders, or the mighty US government. Come for the competition, stay for the victory points, but try and not generate a lot of digital exhaust for the cops to find.

- Session 1 Friday August 12: 1:00 pm to 5:00 pm PDT
- Session 2 Saturday August 13: 1:00 pm to 5:00 pm PDT
- Session 3 Sunday August 14: TBD

CISA and Idaho National Lab Escape Room [[Register Your Team Today]]

CISA and Idaho National Lab invite you to participate in an immersive Escape Room adventure to test your cybersecurity and infrastructure protection skills. This Escape Room will challenge you and your Team through a series of traditional time-bound Escape Room challenges mixed with cybersecurity elements. Participant’s skills will be confronted with cybersecurity puzzles involving wireless technologies, Open Source Intelligence (OSINT) analysis, database exploitation, network discovery, industrial control systems, cryptography, Arduino backed puzzles, and more. With the mix of traditional escape room puzzles, there is enough to do for everyone regardless of the level of their cyber skills. Come have fun while learning more about cybersecurity with CISA and Idaho National Lab.

Escape Room Scenario: A disgruntled employee, Bob, has been plotting to bring down the company where he works. In retaliation for his perceived mistreatment, Bob has created an electromagnetic pulse device (EMP) to take out sensitive industrial control systems in the area. Thanks to a few diligent and observant company employees, Bob was taken into custody but not before the timer on the device could be activated! The EMP device has been armed and the clock is ticking. CISA needs your help in protecting our critical infrastructure by following the clues found in Bob’s office to help CISA to disarm the EMP device before it is too late.

Aug 12, 2022 — Friday

All times listed in PDT

10:00 am - 11:00 am
Ohm, how do I get into ICS? [[Panel]]
Dennis Skarr, Josephine Hollandbeck, Kairie Pierce, Erin Cornelius, Christine Reid

The industrial cybersecurity workforce continues to have a significant shortage of professionals within the OT and IT work centers. Traditionally, training pipelines within the utilities sectors tend to focus on bringing outside trained cybersecurity professionals into very specific and specialized work classifications. For example gas and electric employees have years of experience and thousands of hours both on the job and in the field having worked directly with, and seeing first-hand system mechanics and vulnerabilities. A utility apprenticeship provides an established and tested platform on which to build experience towards a cybersecurity role, benefitting the existing employee, employer and customer protections. A strong argument can be made for utilizing FTE’s who have the unique industry knowledge and perspective as subject matter experts. Doing so would provide these employees the additional tools to take their highly skilled existing apprenticeship (relay tech) and enhance their effectiveness by adding the much needed additional skills of a registered cyber security pathway. This panel will discuss how the apprenticeship process is very unique, share lessons learned, and how this program could be replicated.

11:00 am - 11:30 am
Closing a Security Gap in the Industrial Infrastructure Ecosystem: Under-Resourced Organizations
Dawn Cappelli

The lack of OT-specific resources readily available to the industrial infrastructure community creates a serious gap in securing industrial infrastructure. The gap is especially critical among small and medium sized businesses that often have limited expertise and resources to address ICS/OT cybersecurity risks. This presentation details a new free cybersecurity resource: Dragos OT-CERT (Operational Technology - Cyber Emergency Readiness Team). OT-CERT helps industrial asset owners and operators – especially under-resourced organizations - build their OT cybersecurity programs, improve their security postures, and reduce OT risk. Member organizations have free access to OT cybersecurity best practices, cybersecurity maturity assessments, training, workshops, tabletop exercises, webinars, and more. Although OT-CERT focuses on small and medium sized businesses, organizations of all sizes are eligible for OT-CERT membership. Larger organizations will benefit from free resources such as OT best-practices blogs and OT vulnerability disclosures from Dragos’s industry-leading Threat Intelligence team. Dragos OT-CERT will also aid large companies by helping to improve the security posture of smaller organizations in their supply chain that can pose a risk to their business operations.

11:30 am - 12:00 pm
CRITICAL FINDING: Lessons Learned from Dozens of Industrial Network Architecture Reviews
Nate Pelz, Miriam Lorbert

The Professional Services team at Dragos performs dozens of network architecture reviews every year, for industrial facilities ranging from tiny municipal water treatment plants to massive global manufacturing conglomerates. We present to you here the crème de la crème: the top misconfigurations, anti-patterns, and poor practices our team repeatedly discovers which jeopardize the security of the underlying OT network. If your organization can implement protections against these findings within your most critical facilities, your network will be significantly less palatable to attackers, and you will be head and shoulders above many of your peers.

12:00 pm - 1:00 pm
Understanding Modbus TCP and the GRACE Console [[Maritime]]
Dave Burke

Fathom5 will be hosting a number of Grace Maritime Cyber Testbed consoles at the ICS Village to support the SeaTF activity. This "lunchtime tutorial" will discuss the Modbus TCP protocol, which is employed in the Grace Ballast console. Modbus is the de facto industry standard for the interconnection of ICS and OT systems. This mini-tutorial will address the protocol history, architecture, frame format, and operation.

1:00 pm - 2:00 pm
The USCG's Maritime Cybersecurity Strategy [[maritime]]
RADM John Mauger

RADM Mauger will describe and discuss the USCG's Cyber Strategic Outlook (2021) and directions in managing maritime cybersecurity in terms of facilities, ships, and workforce development.

2:00 pm - 3:00 pm
Exposing aberrant network behaviors within ICS environments using a Raspberry Pi
Mike Raggo and Chet Hosmer

Using an Active Cyber Defense framework and combining that with our homegrown ML, we’ve created our own approach to detecting aberrant network behavior through passive network monitoring to discover covert communications with a Raspberry Pi. We will then demo our open source solution, a free Modbus TCP pcap analysis tool, to uncover the risky and potentially very damaging covert channels communicating with the outside world and the types of data that is being harvested along with the new attack surfaces that they offer.

3:00 pm - 3:30 pm
Wind Energy Cybersecurity: Novel Environments facing Increased Threats
Meg Egan

Wind energy cybersecurity made headlines in February 2022 when Russian cyberattacks to disrupt Ukrainian command and control infrastructure resulted in an outage of commercial SATCOM networks, impacting the remote communications of 5800 European wind turbines. Surrounding this high-profile attack were other wind energy sector cyber incidents - ransomware attacks at major turbine manufacturers Vestas and Nordex and a cyberattack on the IT systems of wind farm operator Deutsche Windtechnik. This talk will integrate threat intelligence with unique attributes of control system environments in the wind energy sector to bring to light cybersecurity issues facing one of the fastest growing sources of electricity around the world.

3:30 pm - 4:00 pm
Power Flow 101 for hackers and analysts
Stefan Stephenson-Moe

Has this ever happened to you? You get root on an RTU in a transmission substation but have no idea what any of the settings are, or do. Are you an analyst that doesn't understand why someone changing a transformer tap setting might be a bad thing? Are you wondering if you've been hacked because you're equipment is saying you have a ground fault but also that your voltage and current phasors are 120 degrees out of phase? Then come to this talk and learn about Power Fundamentals. We'll go over all the basics no one every taught you, like AC current, phasors, calculating Power Flow, and how transformers work.

4:00 pm - 5:00 pm
Research and Deliverables on Utilizing an Academic Hub and Spoke Model to Create a National Network of ICS Institutes
Casey O'Brien

The Critical Infrastructure Resilience Institute (CIRI) in the Grainger College of Engineering at the University of Illinois Urbana-Champaign was awarded a contract from the DHS Cybersecurity and Infrastructure Security Agency (CISA) to lead the development of a comprehensive plan for developing and managing a nationwide cybersecurity education and training network to address our nation’s chronic and urgent cybersecurity workforce shortage, with particular emphasis on developing and delivering curricula focused on incident response and industrial control systems. This presentation will discuss the research findings, the network, example ICS curriculum, and how interested stakeholders can engage with the project partners.

5:00 pm - 5:30 pm
Why aren’t you automating?
Don C. Weber

When you do something, you’ll want to remember how to do it again. Notes are fine, scripts are better. Automate all the things.

5:30 pm - 6:00 pm
Stop worrying about Nation-States and Zero-Days; let's fix things that have been known for years!
Vivek Ponnada

If you have been following some of the recent news about PLC code injection, or toolkits such as Incontroller, you'd think that these discoveries are 'shocking' or conceptually new, and that Industrial Control Systems are constantly under attack by 'sophisticated' APTs or Nation-States. The reality is that besides due to 'insecure by design' and 'insecure by practice', many of these attack vectors have been documented years ago. Vendors and Integrators alike treated these as 'it's a feature, not a bug', 'we've always done it this way' and at other times 'this is a problem, but we'll just pretend no one will exploit it'. This talk will highlight some of the previously documented instances of the more recent discoveries, and attempt to provide reasonable mitigation or prevention strategies based on best practices, established frameworks and sector-specific guidance.

Aug 13, 2022 — Saturday

All times listed in PDT

10:00 am - 11:00 pm
Industry 4.0 and the MTS of the Future – Convergence, Challenges and Opportunities [[MARITIME]]
Zac Staples

The maritime transportation system (MTS) today is realizing a sea change in the entire ecosystem due to digitalization, a technological leap that is transforming the industry and redefining our sometimes ancient processes. Digitalization is enabled by the integration of advanced computing and sensor technologies, industrial control systems (ICS) and operational technology (OT), digital processing and telecommunications capabilities, and data analytics. These new and improved capabilities will change all aspects of the maritime industry, including enabling partially and fully autonomous vessels and operations. This is the intersection of the MTS and Industry 4.0. With these advances, we see myriad new opportunities for research and study, economic and environmental benefits, industry optimization, and sustainability. Of course, this new capability totally depends upon reliable access to quality information. Without adequate cybersecurity protections, the benefits of this technological convergence implodes and, instead, becomes an existential threat to the industry and every nations' food, energy, economic, and national security.

11:00 am - 11:30 am
Describing Maritime Cyber work roles Using the NICE Framework
Tyson B. Meadors

This presentation provides insights from a recent US government "tiger team" that worked to examine the maritime cybersecurity workforce gaps identified in the 2020 National Maritime Cybersecurity Plan from a National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework perspective in order to identify gaps in the existing framework as well as to develop proposals for new statements describing maritime cyber-specific task, skills, knowledge, and competencies that should be recommended for inclusion into future versions of the framework. In the process of doing so, the interagency group identified five, high-level strategic factors that are going to shape maritime cybersecurity workforce development for years to come.

11:30 am - 12:00 pm
Taking MITRE ATT&CK for ICS to Sea
Tyson B. Meadors

The existing MITRE ATT&CK for ICS Framework largely describes the range of TTPs that could be leveraged against ships. Consequently, it has the potential to be an effective starting point for those charged with assessing the risks and potential detection and mitigation methodologies associated with mitigating those risks. That said, recent attempts at applying ATT&CK for ICS for shipboard cyber assessments has identified several key gaps and potential amplifications needed to more comprehensively cover the range of TTPs that can be leveraged by adversary actors against shipboard systems and networks. The presenter is currently collaborating with MITRE to add maritime specific TTPs and existing TTP applications into the upcoming release of the MITRE ATT&CK for ICS Framework.

12:00 pm - 1:00 pm
Understanding AIS Protocols and the GRACE Console [[Maritime]]
Gary Kessler

Fathom5 will be hosting a number of Grace Maritime Cyber Testbed consoles at the ICS Village to support the SeaTF activity. This "lunchtime tutorial" will discuss the protocols associated with the Automatic Identification System (AIS), the widely-used maritime situational awareness system and part of the Grace Navigation console. This mini-tutorial will describe the AIS protocol and transmission format used between vessels using radio transmission.

1:00 pm - 1:30 pm
We Promise Not to Brick It... But If We Do...
Marissa Costa and Todd Keller

There is an ongoing industry stigma that you cannot, or should not, penetration testing in OT environments. Looking back, it took over a decade to normalize IT penetration testing as a valuable proof of vulnerability and detectability. However, while asset owners sit back and wait, the offensive community is already full steam ahead at developing exploitation tools to use within these environments. We hope to use 2-3 OT relevant examples of what can be done and what we believe should be done within OT environments to better understand how to defend and detect within them.

1:30 pm - 2:00 pm
Cyber Physical Lab Environment for Maritime Cyber Security
Wesley Andrews

This will be a discussion about the Cyber-SHIP lab, a Cyber-Physical lab environment and hardware testbed, currently being developed at the University of Plymouth to help prevent Maritime Cyber-attacks. The talk will focus on the facilities capabilities, research aims and current development progress, as well as some details on current research projects.

2:00 pm - 3:00 pm
Keeping Beer Cold: Attackers, ICS and Cross-Sector Defense
John Bryk, Jaquar Harris, Tim Chase

Enterprise IT face a huge number of threats while ICS face fewer. But within that threat environment, nation-states will often test or reuse attack vectors which makes cross-sector visibility even more important. Cybersecurity leaders from threat information sharing communities will draw back the curtain on intelligence, actions and processes surrounding ICS threats and vulnerabilities. The discussion will set the stage for the question of what you as attendees would target and how enterprises and sharing communities should react to stop you.

3:00 pm - 4:00 pm
The Perfect Storm: Deception, Manipulation, and Obfuscation on the High Seas
Rae Baker

Using real-world examples, we will walk through the exciting and often illicit maritime space. We will learn the techniques being used for evading sanctions, moving illegal goods, manipulating identities, and intimidation; as well as the OSINT tactics used to uncover these activities.

4:00 pm - 5:00 am
The Geopolitical Implications of the Escalation and Weaponization of GPS and AIS Spoofing [[MARITIME]]
Gary Kessler, Tyson B. Meadors, Dr. Diane Maye Zorri

Maritime transit relies on the set of global navigation satellite systems (GNSS); the position, navigation, and timing (PNT) systems they enable are crucial for traversing narrow straits and littoral waters. GNSS also facilitates the Automatic Identification System (AIS) for situational awareness; AIS tracings also provide the log of a ship’s movement. The Global Positioning System (GPS) and AIS contain a host of vulnerabilities, however, and vessels around the world, from the Black Sea to the Port of Shanghai, have been spoofed. Both AIS and GPS spoofing have escalated in their seriousness in the last five year, to the point where spoofing has become weaponized. These disruptions are provocative; adversary nations can create false AIS tracks to support virulent narratives, countering the interests of U.S. and our allies. Because of grave danger these threats entail, it is essential that policymakers and maritime operators understand the risks, mitigation techniques, and implications of GPS and AIS spoofing.

5:00 pm - 6:00 pm
Thrice Is Nice: Evaluating the Ukrainian Power Events from BlackEnergy to Industroyer2
Joe Slowik

The only publicly known electric system disruption events to ever take place have all impacted Ukraine. In 2015, 2016, and again in 2022, Ukrainian system operators experienced cyber-nexus disruptive events targeting various aspects of electric system operations. While each event has been explored individually, various technical and operational details exist that link these incidents and highlight how the adversary behind them effectively learned and adjusted offensive actions over time. In this presentation, we will explore these three incidents (and some intermediate events) in wider context to show both how the perpetrators adjusted operations in response to impacts as well as what lessons critical infrastructure and industrial asset owners and operators should learn from events.

Aug 14, 2022 — Sunday

All times listed in PDT

10:00 am - 11:00 am
Tales from the trenches - why organizations struggle to get even the basics of OT asset visibility & detection right.
Vivek Ponnada

Whether it's due to increasing awareness or due to Board/Compliance requirements, most OT Security programs start with a preliminary risk assessment. One of the initial steps is to get a list of OT assets, which used to be a rudimentary spreadsheet exercise. With the wide availability of passive OT asset discovery tools, many go down that path via a Proof of Concept to generate Asset Inventory. This talk focus on lessons learnt from the trenches performing the proof of concepts, and covers challenges including availability of infrastructure (span ports/tap, routing, bandwidth),  archaic protocol implementations, organizational policies for network flows, risk appetite for active probing on low traffic networks, OT & IT personnel knowledge of each other's domains, and finally budgeting.

11:00 am - 12:00 am
kapOT: Revisiting a decade of OT insecure-by-design practices
Jos Wetzels

More than a decade ago, Project Basecamp highlighted how many OT devices and protocols were insecure-by-design. Ever since, the absence of basic security controls has continued to complicate OT security programs. While the past decade has seen the advent of standards-driven hardening efforts at the component and system level, it has also seen impactful real-world OT incidents abusing insecure-by-design functionality, which has left many defenders wondering just how much has changed. In this talk, we will present dozens of previously undisclosed issues in products from almost 20 vendors deployed in a wide range of industry verticals. We will provide a quantitative overview of these issues and illustrate how the opaque and proprietary nature of the systems has resulted in insecure-by-design products achieving security certification as well as complicating vulnerability management. In addition, we will take a technical deep-dive into several RCE vulnerabilities on level 1 devices (ab)using nothing but legitimate functionality and present quantitative insights into our research process in order to provide the audience with some hard numbers on the resources required to develop basic offensive capabilities for the issues discussed and its potential implications for the relevant threat landscape.

12:00 am - 1:00 pm
Understanding CAN Bus and the GRACE Console [[Maritime]]
Dave Burke

Fathom5 will be hosting a number of Grace Maritime Cyber Testbed consoles at the ICS Village to support the SeaTF activity. This "lunchtime tutorial" will discuss the Controller Area Network (CAN) Bus protocol, which is employed in the Grace Steering and Propulsion console. CAN Bus is an industry standard for the interconnection of embedded microcontrollers using a distributed control architecture. This mini-tutorial will address the protocol history, architecture, frame format, and operation.

1:00 pm - 2:00 pm
Spear Vishing, VoIP Poisoning, and Hostile SBCs: Weaponizing Voice
Travis Juhr

Discussion of the underlying functionality of the PSTN integration into modern SIP/VoIP platforms and the inherent security flaws of those integrations. This will be a heavy focus on end user experience, particularly for remote users (land and sea), when a SIP trunk is used by an Enterprise and using the PTSN as a backdoor for targeted vishing attacks of which I am dubbing "Spear Vishing" or "VoIP Poisoning". This is when an attacker calls a victim using a number that is well known to the victim to have the underlying system (Cell phone, SIP soft client, or hard phone) populate the rest of the data to legitimize the phone call and use known problems with remote calling such as call quality variability and lack of physical presence to verify the caller as a vector for sewing chaos or social engineering.

2:00 pm - 2:30 pm
Navigating the High Seas When Dealing with Cybersecurity Attack
Daniel Garrie

Discussion of the interplay of admiralty law and cyber attacks on the high seas. Most individuals do not realize that admiralty law has not evolved since the 1800s and plays a role in managing and responding to cyber attacks that happen at sea.  The presentation will discuss why cyber folks should care and how they may need to change their approach to avoid violating admiralty law or taking on personal and company risk.  The presentation will also touch on how and where the current playbook cyber incident responders use in responding to an incident may need to be tweaked when the hack is happening at sea.