Hack the Capitol 6.0 Schedule
Introduction, Security Briefing, and Opening Remarks by Charles Clancy
HtC 6.0 Welcome and Introduction
Keynote - A Fireside Chat with CISA Director Jen Easterly
T1 Session 1 - Balancing National Resiliency and Innovation: How to do Effective Critical Infrastructure Cyber Regulations
Mark R Bristow
There has been a steady drumbeat of cybersecurity incidents, intelligence assessments and press articles bringing into focus threats to the infrastructure that makes our modern way of life possible. Government has taken on new responsibilities and is exercising authorities to regulate cybersecurity in many of these infrastructures, with mixed reception and application. This panel convenes both government and industry to discuss how we can take a balanced approach to regulation that achieves national security outcomes while allowing for industry innovation in response to this acute threat.
T1 - Session 2 - VC Perspectives on Cybersecurity Investing
As active investors in early-stage cybersecurity companies in the critical infrastructure space, we'll discuss our views on the current funding environment, the types of companies that are fit for venture capital, and our views and predictions on what's to come, before opening the floor to questions.
T1 - Session 3 - Cyber Critical Infrastructure Security and Resilience
Proactive and coordinated efforts are essential to strengthen and maintain a secure and resilient critical infrastructure. This panel will discuss U.S. policy priorities to defend critical infrastructure from cyber threats and how those policy efforts are being implemented across key critical infrastructure sectors.
Keynote - A Fireside Chat with the CISO of NYC Kelly Moan
Closing Remarks and Wrap-up
HtC 6.0 Day 1 Closing Remarks and Wrap-up
HtC 6.0 Welcome and Introduction
Keynote - A Fireside Chat with TSA Administrator David Pekoske
T1 - Session 5 - Cyber Informed Engineering - "Secure by Design" for Critical Infrastructure
The National Cyber Security Strategy's call for "Secure by Design" applies not only to software, but is a key performance factor for all critical infrastructure sectors threatened by cyber vulnerabilities and risk. The National Cyber-Informed Engineering Strategy published in June 2022 for the energy sector is a resource for all critical infrastructure sectors and is being implemented by stakeholders from education, government, national laboratories, manufacturers, installers, and asset owners. The goal is to design and specify cyber protections and mitigations early in new technology development and design as a standard engineering practice, particularly when attacks on operational technologies, including industrial control systems, can threaten human safety. Our panel will discuss initiatives and plans to implement this strategy.
T1 - Session 6 - Information Overload! What's Actually Helping, and What Matters Most for OT Defense?
As organizations that own and operate industrial control and operational technology (OT) environments have continued to learn more about threats to their most valued assets, they continue to make significant investments in cybersecurity resources for defending them. The avalanche of information coming from governments, media, solutions providers, and internal tools, technologies, and resources is overwhelming. This panel discussion will provide perspectives and insight from individuals in different roles protecting their critical assets. They will share what information and resources are useful in helping defenders turn information and technology into actionable defense.
T1 - Afternoon Session Kickoff - Remarks from Congresswoman Laurel Lee
Remarks from Congresswoman Laurel Lee
T1 - Session 7 - Meet the Press. (The good ones, anyway.)
Three national cyber reporters talk about their process, how they see the industry evolving, and how and why you should (responsibly) speak with the media.
T1 - Session 8 - ICS and IoT: The Convergence
For years, we've been talking about the convergence of IT and OT. Now it's about to be turbo-charged: Welcome to a world where industrial control systems run on the Internet of Things (IoT). As combined systems are increasingly deployed, the gains to society will be profound -- but the cybersecurity threats will multiply. This panel will explore the evolution of IoT security principles, and how ICS digitization increasingly relies on securing not just our OT networks, but the Internet of Things on which they will soon come to rely.
Closing Remarks and Wrap-up
HtC 6.0 Day 2 Closing Remarks and Wrap-up
T2 - Session 1 - The Unlikely Romance: Critical Infrastructure Edition
Casey John Ellis
When most folks hear the word "hacker" their reaction is one of fear, but those responsible for cybersecurity are increasingly understanding the role of the "digital locksmiths" amongst us. While healthcare, power, and other CI verticals have been slower to accept crowdsourcing, adoption is well underway. In this talk, Casey Ellis will unpack the evolution of the unlikely romance between those who hack in good faith and the people who design, develop, deploy, and defend software and hardware intended for critical infrastructure and safety-critical applications.
T2 - Session 2 - What it Will Take to Fix PPD-21
The Biden Administration announced late last year that they will be rewriting PPD-21, the Obama-era policy directive that establishes 16 critical infrastructure sectors, designates specific government agencies to liaise with each sector, and assigns the Department of Homeland Security as the national risk manager. Join Mark Montgomery for a discussion on how the framework has performed over the past decade, what's gone right and what's gone wrong, and what priorities the White House should have as they embark on the interagency policy process.
T2 - Session 3 - The Central Role of Space in Terrestrial Critical Infrastructure Operation and Resiliency
All terrestrial critical infrastructure sectors have direct and indirect dependencies on space-based systems and assets – those dependencies are defined by their Criticality, Velocity and Scope. Those dependencies are also the focus of adversaries who can use both physical and cyber attack vectors to both disrupt and destroy the dependencies to inhibit operations and other activities. This understanding is driving a need to encourage individual owner/operators of CIS systems and assets to develop mitigation strategies to offset these dependencies utilizing a PACE (Primary, Alternate, Contingency, Emergency) concept to offset any loss of satellite capability.
T2 - Session 4 - Stunted Growth: Raising Awareness for Cyber Risks in the Agricultural Sector
The introduction of automation and data into the agriculture sector is a modern-era wonder. Our agricultural industry grows more food with less effort using technology to automate. That automation without management of the cyber risks involved presents a risk to individual entities, the agricultural sector as well as national security. Unpatched Ag Tech machinery, IoT sensors and networks, smart farms and other technologies present risks to the sector. Raising awareness and promoting a framework such as the accessible and adaptable NIST CSF are critical. So may be regulation if awareness and action based on an accepted framework are not enough.
T2 - Session 5 - What’s Next for the Cyber Safety of National Water Service?
Approximately 52,000 drinking water and 16,000 wastewater systems in the US operate with limited budgets and even more limited cybersecurity personnel and expertise. Recently released mandates by the Environmental Protection Agency requiring States to ensure that public water systems “evaluate the adequacy” of digital defenses through periodic (3-5 years) sanitation surveys have been roundly criticized by water industry and cybersecurity experts as inadequate against rapidly evolving cyberthreats that could range from insider attacks to nation-state hacks. So, now what? What should be implemented to effectively protect the technologies managing our Nation’s water resources? We’ll discuss the current policy and proposed solutions to bring the expertise of the private sector to reduce the compelling risk to human safety.
T2 - Session 6 - The Pineapple on Pizza of IT and OT
From the dawn of the first production line there has always been contention between IT and OT. IT and OT professionals often struggle to work together to keep systems available and secure. This pain point is difficult at best, and destructive at worst. I will discuss the issue at hand, what both do, what they know, what they don’t know, and how to ensure both IT and OT don’t operate in isolation from each other. Lastly, I will discuss how business leaders can use IT to solve OT threats and vulnerabilities without risking availability, enabling business success.
T2 - Session 7 - When Everything Is Critical, Nothing Is: ISA and Mitigation Prioritization
Mark R Bristow
Cyber vulnerabilities and weaknesses are everywhere, but what do we need to fix first? Infrastructure Susceptibility Analysis (ISA) is a methodology designed to focus mitigation efforts on the system and architectural weaknesses most likely to be exploited. ISA expands on current threat intelligence approaches, enabling organizations to reduce the risk of an attack to their operational environments.
T2 - Session 8 - Outside the Beltway: Lessons in Cyber Mutual Aid and Collective Defense from NYC
There is no way to defend critical infrastructure but collectively. An initiative started in the City of New York explored how to build collaborative cyber defense using models of mutual aid and assistance. This talk shares lessons from that experience - both for other municipalities and for the federal government. Attendees will get one perspective on how cities view critical services, and how that might change the way we talk about and create cyber resilient critical infrastructure.
T2 - Session 9 - DOE Technology, Tools, and Funding for ICS Cybersecurity
Speakers will describe current technology, tools, and programs funded by the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER). We will describe the Rural and Municipal Utility Cybersecurity (RMUC) Program, focused on improving the cybersecurity posture of rural, municipal, and small investor-owned electric utilities, and discuss opportunities for cybersecurity training through CESER’s CyberStrike and OT Defenders programs. Initiatives to improve cybersecurity threat information sharing and assess cybersecurity risks will be presented, along with information on how CESER works with states, local governments, tribes, and territories.
T2 - Session 10 - Inside an OEM Supply Chain Security program
OEMs are expected to deliver secure products and services using secure development and supply chains. The NIST, CISA, and MITRE frameworks and practices are just the start. Cassie Crossley, Vice President – Supply Chain Security at Schneider Electric, describes the practical approaches for over a dozen initiatives including R&D security, source code governance, secure development, software assurance, software bill of materials, vulnerability management, cyber defense, third party risk management, as well as field and project services security. You’ll leave the session with a fresh perspective of how OEMs are addressing the critical topic of supply chain security.
T2 - Session 11 - Cybersecurity Regulation: When Does it Make Sense and When Doesn't it?
The National Cybersecurity Strategy is a regulation-forward strategy and the administration is looking to leverage existing regulations and develop additional authorities to place mandates and elevate confidence on the security of critical infrastructure, the safety of core technologies, and the overall resilience of the digital ecosystem. Regulations by definition need to have more benefits than costs. Where is that likely to be true in cybersecurity? How do policymakers evaluate that? How should they?
T2 - Session 12 - No Going It Alone - Critical Infrastructure Lessons from Recent Conflicts
Much ink has been spilled concerning the most recent phase of Russia's decade-long invasion of Ukraine, yet lost in discussions of "cyberwarfare" and similar are the roles, responsibilities, and actions of "non-combatants" within broader operations. In this discussion, we will explore how a vast network of organizations, from private tech companies through electric utilities, have impacted events over the years, with an overarching lesson: no one entering a modern conflict should expect success absent significant private sector cooperation and coordination.
T2 - Session 13 - IoT Cybersecurity For Federal Agencies (And Everybody Else)
The spectacular proliferation of connected devices and products across the internet brings benefits, which the IoT Federal Working Group is considering in its report to Congress, along with significant risks, including cybersecurity, as identified in the National Cyber Strategy. In response to policy drivers such as E.O. 14028 and the IoT Improvement Act of 2020, NIST has developed guidance on IoT cybersecurity which Federal law requires agencies to follow when procuring IoT. Efforts are also underway to implement a cybersecurity labeling program for IoT in response to E.O. 14028, based on the NIST report to the APNSA and NIST criteria. This presentation provides an overview of the NIST work, along with a broader view of the IoT cybersecurity landscape, and federal efforts to promote the use of IoT.
T2 - Session 14 - Regulating critical infrastructure security
For years, many critical infrastructure sectors had loose or largely voluntary cybersecurity rules, despite their fundamental relationship to health, safety, and national security. The National Strategy declared an end to this approach, announcing it would seek to regulate critical infrastructure cybersecurity where possible, and agencies have begun to issue sectoral rules. This presentation starts with the basics – laying out what is critical infrastructure, how it’s regulated (or not), and the current state of play in critical infrastructure cybersecurity regulation. The presentation will recommend an approach to critical infrastructure security regulation that takes into account the unique characteristics of operational technology, and will propose a Policy Hackathon to draft a joint solution.
T2 - Session 15 - Tip of the Spear: Understanding the Operating Environment of Government Contractors
From the threat environment, operating environment and regulatory requirements, US government contractors have many challenges and opportunities that impact their business. From M&A to SOC management, we will discuss some of the challenges and opportunities in the government contracting area, including legal and technical issues.
T2 - Session 16 - The Most Critical of Critical Infrastructure
The US approach to Critical Infrastructure isn't keeping pace with adversaries or consequential failures. I got an up-close look at what is and is not working while driving the CISA COVID Task Force - and have spent the subsequent year plus seeking to better prioritize, reframe, and improve US strategy, policy, and resilience of our most sensitive national critical functions. Without multi-sector, multi-disciplinary coordination, people die. The government is listening – and wants to make some changes. Let’s dig into some fresh re-imagining and critical thinking about critical infrastructure.
T3 - Session 1 - Cyber Mutual Assistance – Response and Recovery is a Team Sport
Owners and operators of the electric grid in the United States are facing an unprecedented number of physical and cyber security risks. This session will discuss the methods that electric utilities are using to address the wide variety of risks, with special focus on a new program called “Cyber Mutual Assistance”. Based on lessons learned from major destructive cyber incidents overseas, and from exercises in North America, the Cyber Mutual Assistance program was developed. It is an extension of the electric power industry’s longstanding approach of sharing critical personnel and equipment when responding to emergencies. David Batz will be providing information about the Cyber Mutual Assistance program, which refers to a series of industry initiatives developed by the Electricity Subsector Coordinating Council (ESCC) to provide cyber assistance to entities in the electricity sector.
T3 - Session 2 - Why Big Data Is Not Enough - The Value of Little Data
Mollie Caroline Breen
Many OT efforts today focus on generating better big data analytics, e.g. utilization or performance. However, improving the tracking of little data, like location and warranties, is getting left behind.
T3 - Session 3 - Dodging the Prevention Silver Bullet
As we build more security systems into ICS it is inevitable that we will have to answer a difficult question: if we can detect it, why should we not prevent it? It can be easy to dismiss prevention as a bad and dangerous idea with our current level of technology, but as long as it is desirable it will be attempted. We must guide that impulse. This talk breaks down the different prevention strategies we could use, what detection mechanisms are best suited to prevention, what attacks we can reasonably prevent, and how an attacker might circumvent a prevention system.
T3 - Session 4 - Tactical Risk Reduction in ICS/OT Environments
Don C Weber
ICS/OT environments are production environments that are closely monitored and maintained by personnel experienced in that process. Their job is not to think like the bad-guy or to be a cyber security expert. However, a little bit of knowledge goes a long way to protecting these production assets and the processes they support. This presentation will outline the key areas to review to gather actionable intelligence for making practical risk reduction prioritizations. We will also outline how to do a security assessment of these active production environments to collect this information safely.
T3 - Session 5 - Hack-A-Sat: Connecting Space And Cyber Resiliency Stimulated Through Competition
As our lives become increasingly dependent on technologies that lie in space, it is imperative to take action on securing our space domain. The Department of the Air Force, in collaboration with the security research community, is hosting the Space Security Challenge Hack-A-Sat 4 in an effort to enable security researchers of all levels to focus their skills and creativity in solving cyber security challenges on space systems to incentivize innovation in securing these systems. Hack-A-Sat 4 will be the first hacking competition to include challenges on an on-orbit space system.
T3 - Session 6 - From Steam Engines to Cyber threats: An Introduction to Railroad OT Systems and Threats
Railroads are a critical component of the US transportation system, moving one-third of all U.S. exports and roughly 40% of long-distance freight volume. Unfortunately, this space is not well understood outside of the sector. This presentation will cover an introduction to some of the operational systems that are commonly used by railroads and identify threats and cyber risk to those systems. Specifically, we will focus on the Interlocking and signaling systems that align the tracks and provide vital information to the train’s crew and the Positive Train Control (PTC) system designed to prevent collisions.
T3 - Session 7 - 10 years of OT Cybersecurity; what's established, and what to look forward to in the next decade!
The past decade has seen several purpose-built security solutions for OT. Many of them leverage passive network sniffing, aid in asset detection & vulnerability management besides analyzing traffic for malware, threats and anomalies. However, these tools & methodologies are evolving due to newer standards and regulations, adding more machine-learning capabilities, including wireless monitoring, user behavior and other host-based correlations, and overall integrating better into cloud-native platforms as part of digital transformation. The goal of this presentation is to provide contextual information for the decision-makers who need to consider every investment, including security technology, through the lens of a business-enabler.
T3 - Session 8 - Tying Security Architecture into Control Room Operations
This talk will describe a security design allowing the continued use of legacy protocols (such as Modbus, IEC61850). Many products require legacy protocols and will not support encryption due to hardware or other limitations. Power Monitoring and SCADA systems contain data that can be utilized to dynamically configure network security devices (firewalls, IPS) to protect critical infrastructure. In short, the industry can’t wait for secure protocols to be deployed across critical infrastructure. Certain strategies can be used to substantially improve the security posture of systems while supporting existing legacy communication. This talk describes an innovative approach of doing just that.
T3 - Session 9 - Security in Energy Distribution: It Ain’t Easy Being Green
The distribution grid is the fundamental connection between the lights being on in your home, and the Bulk Power System. The high penetration of distributed energy resources (DER) and increase in interactive, interdependent capabilities will significantly enlarge the role that distribution systems can play in the bulk transmission system. There is no one solution that will secure this transition, and even if there was, it would likely increase energy costs to a level unattainable by large swathes of the population. This talk will discuss how we evaluate that cost, breaking R+D silos across disciplines, along with pathways to securing our future.
T3 - Session 10 - Open-Source ICS Cybersecurity Tools for Small and Medium-Sized Asset Owners
Industrial Control Systems (ICS) are critical for the operation of many industries, and cybersecurity for ICS is important because cyber-attacks can cause physical damage, disrupt operations, and put human lives at risk. Open Source ICS Cybersecurity tools can provide affordable and flexible solutions for securing ICS, especially for small and medium-sized Asset owners who may have limited resources. This presentation covers some of the key Open-Source ICS Cybersecurity tools, including the ICS Advisory Project and Malcolm, and how they can benefit small and medium-sized Asset owners. The Cybersecurity and Infrastructure Security Agency (CISA) has identified several free Open-Source ICS Cybersecurity tools that can help small and medium-sized Asset owners improve their Cybersecurity posture. While Open-Source ICS Cybersecurity tools can provide many benefits, there are also challenges and risks that need to be considered. This presentation provides best practices for using Open-Source ICS Cybersecurity tools and outlines the challenges and risks that small and medium-sized Asset owners need to be aware of when implementing Open-Source ICS Cybersecurity tools in their environments.
T3 - Session 11 - XRVillage: The Road to Securing Every Version of Your Reality
Augmented reality (AR) and virtual reality (VR), collectively referred to as extended reality (XR) technologies, have the potential to revolutionize the way we interact with the world around us. However, as with any new technology, there are security and privacy concerns that must be addressed. We must act now to ensure users of these technologies can find safety, security, and privacy. The XRVillage is a nonpartisan nonprofit focused on bringing global Policy, Technology, and Legal entities, along with developers of XR technologies together to achieve this.
T3 - Session 13 - Use This One Weird Trick To Hack Smart Meters
Can you make a meter explode by hacking it remotely? Can you cause a grid collapse by hacking meters? With over 100 million advanced meters deployed in the US, the security of these systems is important, and cybersecurity researchers have studied meters and advanced metering infrastructure. While some excellent work has been done in this area, there have also been some outrageous and unsupported claims. This talk explains some real meter hacking techniques, sorts fact from fiction, and describes some simple and low-cost methods equipment manufacturers could and should use to make meters more secure.
T3 - Session 14 - Is OT Cyber Repeating IT Cyber Mistakes?
Like any new endeavor, the cybersecurity industry, as a community and industry, made some mistakes in the decades since "cybersecurity" became A Thing, such as overly focusing on compliance, believing (or at least marketing) that products such as firewalls would protect you, and becoming entrenched in the cybersecurity silo instead of integrating into the larger business or organization. It is often said that ICS/OT Cybersecurity is a decade or more behind IT Cybersecurity. So is the ICS/OT Cybersecurity industry repeating the same mistakes? Or learning from them? Or maybe making their own, novel mistakes? And how can we do better?
T3 - Session 15 - Flight Delayed: Mitigating Air Travel Cybersecurity Risks
Recent technology outages continue to cause delays in our air travel transportation system, grounding passengers and transportation logistics. This talk will look at several recent examples of aviation technology service disruptions and analyze where different frameworks would have mitigated the impact or where we first need to prioritize improvement upgrades before applying frameworks.
T3 - Session 16 - From Compliance to Continuity: How Deeper OT Asset Data Enables Maturity in Cybersecurity for Resilience, Safety, and Performance
Critical infrastructure operators need to go beyond simply knowing what operational technology (OT) assets they have in their environment – they need to take the next step in understanding what cyber risks actually lie within those devices. Asset identification is an important step, but it’s not enough. You can’t just check the box on security with basic visibility, even if it meets a compliance requirement. The practice of collecting richer OT asset data to enable stronger security can be likened to “eating your vegetables” – not always the most exciting to implement, but fundamental to increasing the resiliency of our nation’s critical infrastructure.