Speaker  

Ladies and gentlemen, please welcome to the stage our top security trends and smart cities panel.


Diana Blass  

Hi, everybody. I'm Diana Blass with Current Insights. Thanks for joining us today on our panel about security and smart cities. I think we can all agree that as we become more connected, the risks are just growing. You look at cities like Atlanta; I read that New Orleans is facing a million dollars in cyber security costs. And just this week, we saw Las Vegas had its own compromise. So really, what's the solution here? I'm joined by a panel of experts here: Sameer Sharma with Intel; Alissa Knight, you just started your own company and you are a professional hacker and content influencer; and Ami Dotan with Karamba Security. Thanks for joining us. Why don't you first just tell us a little bit about yourselves?


Sameer Sharma  

Sure, I'll start. Hi, everyone. My name is Sameer Sharma. I'm the Global General Manager for Smart Cities and Intelligent Transportation at Intel. It's my team's job to take everything we're doing at Intel in the areas of 5G, AI, edge computing, and put it all together with our partners to bring solutions: everything from smart security cameras to traffic management systems to how do we improve the running of trains, how do we manage airports better. So the idea is to take a holistic view, take a view of the infrastructure, not just in terms of the physical implementation, but, you know, the digitization of this infrastructure as well. In terms of my own background, I've spent 20-plus years in the tech industry, everything from embedded to network infrastructure to now IoT, and it's been a fascinating journey. The one thing I would say is, I have never been as excited as I am right now in terms of the tools at our disposal, and how we can use those tools to really impact the quality of life for virtually every citizen on this planet.


Alissa Knight  

Cool. Good morning, everyone. I'm Alissa Knight. I am a recovering hacker of 20 years, and bio... just kidding.


Ami Dotan  

I'm Ami Dotan, CEO of Karamba Security. Karamba Security focuses on exactly what Alissa was talking about: embedded cybersecurity. We have been focused in the last three and a half years on embedded cybersecurity in IoT devices; IoT or OT, for us it's just the same. The way we approach IoT cybersecurity is basically working with the vendors and sealing their code. And we'll talk about it, if we have time, about technologies and multi-layer cybersecurity. But there are different approaches to cybersecurity. Some people looked at it, at least we thought, the wrong way. And I'm trying to be somewhat provocative in this panel, not being too polite. People thinking about IoT devices, the first generation was: we have, like, a car, we have a data center on wheels. Wrong. We're talking about platforms that are safety-centric; there is no time to deal with anomaly detection and remediation. And what do you do with 80 million new cars and 1.2 billion cars at any given time as existing inventory on the roads, and everything is getting connected? I'll share with you later some slides about different aspects of IoT vulnerabilities that are daily embedded in our lives, and we are not even aware how easy it is to compromise those devices. Think about IoT devices and machine-in-the-middle. And the message to the vendors is: don't put your customers at risk. And basically, this is what happens if you talk about high-volume air conditioners in high-rise buildings, or generators, or tanks, or whatever you want: compromise that, and you compromise the asset behind them. And we try and block those attempts to compromise the IoT devices.


Diana Blass  

Okay. Well, Sameer, I want to start with you first, because I know that Intel's played a big role in building smart cities, and we can even debate, you know, what is a smart city today, but how did the security risks become so great as they are today?


Sameer Sharma  

Yeah, maybe I can start with sort of the big-picture view. As I said, my role is global, so I spend time with agencies in Singapore, in China and India and Europe, and obviously here in the US and Latin America as well. And we tend to take a macro, global view of what's going on. So if you look at the numbers, 3 million people are moving into urban areas every week. That's the population of Chicago. So together as a global community, we are creating 50 new Chicagos every year. We all feel it, right? Lack of parking, traffic congestion, air pollution issues, affordable housing issues. This is a people-centric view. So that's what's going on: we're adding urban population, we're going to continue adding urban population. I'm sure you've heard about this during the two days of smart city sessions here. But there is another view that we need to take, which is what we call a data-centric view. When we are bringing all these people in and we are instrumenting infrastructure to accommodate this new urban population, we are also creating a lot more data. And for the first time we instituted a study to say, globally, how much data is coming in, and the answer was roughly 16.5 zettabytes. I'll talk a bit about the size of this data in a minute. But before I go there: this is not a 2050 estimate. This is a 2020 estimate. It's going to happen this year. It's already upon us. One zettabyte is 10 to the power 21. And sometimes these large numbers lose meaning, so an analogy I like to share is: if this cup of tea or coffee represents one gigabyte of data, which is how we think about storage on our phone, or bandwidth capacity, 16.5 zettabytes of data is enough coffee to fill up the entire Great Wall of China. It is the amount of data you would create if you were recording non-stop for 35,000 hours in full high definition. It is the amount of data on 250 billion DVDs. Here is the second thing that's remarkable about what I just shared.
This is not the total amount of data. This is the new data we're layering on this multi-layered cake, year after year after year. And the size of this data is going to keep increasing. I'm spending so much time on this data point, pun intended, to emphasize that the tsunami of data is already upon us. This is not a future, decades-from-now phenomenon. It's already happening. And we have two ways of tackling it. The first one is to keep doing what we've done in the past, which is a brute-force method. Or try and be more intelligent: use all the tools at our disposal, AI, edge computing, inference at the edge, 5G connectivity, data center capacity for storage and compute, and turn these knobs appropriately, so we are effectively able to handle the data. Because ultimately it's not about the data but the insights. We want to know if traffic congestion is about to happen. Can we reroute traffic? If a parking spot became available, we want to be able to advertise it to people looking for parking in a city. If an accident happened, we want to know how severe the accident was, so we can get the appropriate first responders on the scene. How this conversation is relevant to the security discussion is as follows. You've got more data, you've got more systems. And, you know, with fellow panelists, we were discussing the journey from embedded to IoT. Embedded was a wonderful world where we programmed devices, we left them alone, they would sit there for 10, 15, 20 years; the only time you would go and touch them is if they don't work, or if you need to replace a battery. Not so anymore. All of these devices are connected. They have compute capability, which means if you look at the number of people, you look at the number of infrastructure systems, you look at the number of embedded devices, and then look at the data, this is creating a very vast potential attack surface, in security industry parlance.
I'll let my panelists, who are much more well versed in security, emphasize, you know, what the solutions will look like. But this is something that we think about all the time in conversations with our partners, in conversations with our end customers. And I always encourage them to think about security not as a bolt-on, but security as built-in. You've got to think about this on day zero.


Diana Blass  

Right, you know, I mean, they say that security needs to be built in from the start. And I think what's so interesting is that you brought slides along with you that showcase that one of the biggest issues in cyber security rests in the R&D department. So, you know, what's the problem here? Why are we building insecure devices?


Ami Dotan  

Yeah, I said I'm gonna be provocative, but I still want them to be my clients. So it's kind of an oxymoron. No, it's not. Can we present the slides? So everything is connected, a lot of data is being transferred. And exactly like it was said, these used to be dumb devices that would sit there for decades and nothing happens. Now everything is connected. It's connected for functionality, for maintenance, for, what have you, even upgrades and updates, and things are becoming more and more advanced. It's kind of, you used the word tsunami, I'll try and borrow that from you: it's a tsunami on the R&D people. It's a different design concept. You need to think now about connectivity, not about functionality, because functionality has been there for decades. We know how to develop controllers on air conditioners and generators, etc., etc. All of a sudden, it's connected. Is it the same? Is it the same machine? Let's use an example. So, a broad-term example, because not all people understand what an attack looks like, how easy it is or how difficult it is. So thousands of industrial devices are using BACnet, a building automation and control protocol.
So every high-rise building is probably using that protocol, and just using a simple available tool, anyone, even a layman, can use Shodan and just start scanning the internet. And guess what you'll find? I asked one of my engineers, do me a favor, just run some scans so I can present something from real cases, and that was done a couple of days ago. Over 7,000 exposed pieces of equipment, different geographies. You see 5,000, United States, Canada, etc., etc. The internet is a small village; you get everywhere in a click of a button. So this is a device that is based in a high-rise building, and it is a controller of an emergency generator, and it is connected through an IoT device. And that IoT device was exposed by Shodan. So that generator we can turn on, and what you see here, the blurry figures there, because we tried to mask the IP addresses of those devices, and we just took one line and marked the device. Specifically, it talks about the emergency generator for the 11th floor. From your living room: Shodan, IP address, compromise. Charlotte. This is one example. A more sensitive one, and we have made a disclosure on that, so we can mention it: if you run down to the lowest part of the slide, the IP address belongs to a neutral site in Russia. And it's a chiller. I don't know what it's chilling, but we hope it's not a chiller of the core. Again exposed the same way; we masked the IP address. So you're sitting in a living room, you take a readily available tool, you expose an IP address that you can manipulate or command, because somebody left, at the web page, the username and the password. It's not an odd case. So you got everything there. Just use the username, use the password, you're in. Now you can do whatever you want with the device. They did that for remote maintenance, I guess, and control, but you could do that as well. Gas station: there is an address of that gas station, obviously; we masked that as well.
So we scanned 9,000 gas stations using ATG devices, automatic tank gauges, and it also controls different alerts. And in that particular one case, you see it's masked, there is an address behind it. It's in the United States, and there are different commands that you can set from afar: to set the level limits, to command an overfill, overspill, shut off the controls of the gas inputs to the gas tank, remotely. You can take it further. If we talk about the new age of EVs, electric vehicles, everybody's talking about infrastructure, about fast charging, the charging stations, etc., etc. Same thing: remote maintenance. These devices have a number of things that are also on the side of privacy as well as causing damages, because they're hard-connected to the electric vehicle. And if you can put a malicious file on the electric vehicle, every time you charge the car at an electric station, you can infect the car and start withdrawing information. The first thing, the least one that we feel, is stealing credentials, charging card, credit cards, etc. It also can cause, later on, and I'm sure Alissa will talk about hacking cars, what's a hack on a car: taking control of the car's speed and direction. So you can see here a number of examples. Start with smart cities; everything is smart city, because the connected vehicle is part of the smart city. And we want, I don't know, to start the heaters at home, the air conditioners, from the car. We want everything; we don't want to waste time. We love those gadgets that help make life easier, more efficient. But connectivity comes with a huge risk. So talking about R&D and executives' awareness: a lot of executives that own those assets don't even know how easy it is to hack those assets. So executives should be much more aware.
And R&D: there is a paradigm shift for the R&D people, before the connectivity and after the connectivity. That's the way they should look at it. It's not another phase of R&D. Cybersecurity has to be part of the architecture to begin with, and not an add-on. A lot of the time R&D people have timetables, quarterly quotas, etc., etc., software drops, and they'll push back and they will tell you, okay, the next version will add the cyber security. Wrong, because of the deployment of the data that is transferred, the deployment of millions of units in between quarters. Nobody is going to go back on the roof of a tower to change a controller that is now connected for one that is secured. Those controllers don't have over-the-air updates. So what do you do with a huge, huge number of devices? And the prediction is tens of billions; I'm sure the numbers keep on piling up, and every research you read says 20 billion, 35 billion by 2025. It doesn't matter, tens of billions. So R&D people should think different, and basically they should think about something other than functionality: don't put your customer at risk.


Diana Blass  

You know, Alissa, you look at these slides here, and I'm sure that you've hacked into many of these devices. So I'm curious to know, what do you think are the biggest targets in a city today?


Alissa Knight  

My answer might surprise you. But I think it's less about the cameras and less about the actual devices and more about the backend. Over the last year, I've been focusing my vulnerability research on APIs. We're now, you know, in this API economy, and that's what a lot of these devices are communicating with. A lot of people don't know this, but they think, oh, well, I'm not susceptible to being hacked because I'm not driving around in a Tesla. Even a car that may be, like, a 2001, is it, you know, connected to GSM? Then it is a target. You know, so for my research, I was hacking into cars remotely over the Internet, and actually, you can move the steering wheel, push the brakes, push the gas, and in one particular test I accidentally ran the test car into the side of the building. But, you know, it is a thing. And, you know, I think industrial revolutions are inevitable. We as humans evolve, we innovate. And I think the problem is endemic to the fact that security is an afterthought. We need to move to the shift-left sort of mindset, where security is put into the development process, instead of secured after it's deployed. But, yeah, to answer your question more directly, it really is the back end. That's where all the data is, a lot of the time. So, for example, I'll give you guys an example. So I'm a typical Hollywood story. I hacked into a government network in 1997. I was caught, I was arrested, and I went to go work for the US government in cyber warfare. And at the time, you know, hacking was really around defacing websites, you know, like "Loki was here," but now it's changed for me as a hacker, because it's one thing to deface a website, it's another thing to take remote control of your car that your family is in. And why fly a plane into a building when you can just do it from, you know, your cave, and cause just as much panic through terrorism remotely by taking remote control of it.
The fact is, everything's an embedded system now. And I think your first question I'll try to answer as well: I think the attack surface is being created not by the innovation, not by the embedded systems, but by the communication, by making it accessible, by giving these things that weren't historically connected an IP address, right, so you can communicate with it now. So our cars, OT equipment; I used to do hacking for a lot of the nuclear power plants, like San Onofre Nuclear Generating Station, and a lot of these things that were historically not connected, and were sneakernet only, have IP addresses. So I think that's the attack surface being created.


Diana Blass  

So what's the answer here? You know, you go to RSA and you see startup after startup appearing, and the next year they're not there. But there's an overwhelming number of companies out there looking to solve the issue here. But is it really something that needs to be done from a federal level? Like, do we need standards? I mean, have countries abroad figured out a way to deal with this? I would love for any of you to pipe in here.


Sameer Sharma  

Maybe I can start with a couple of examples. Right. First of all, to complete the conversation, I think we focus a lot on the hacking aspect, which is intentional, bad behavior. But when I think about cities, we also need to think about things like natural disasters, so floods, earthquakes, fires, and how to make our cities resilient. Because these things may also happen, and they need to be factored into your system. Do your systems have backup? Can they come back up in the face of such a natural disaster? On the question about standards, I think there are two levels at which we can think about it. In the US, as an example, NIST has a smart city framework with a big cyber security pillar underneath that, that basically talks about some basic hygiene, like authentication, encryption, you know, all those things, right. But it also talks about the end-to-end solution aspect, because we know, just like for a chain, the strength is reflected by the weakest link. For security, it's about the end-to-end perspective; it doesn't matter how secure you make different pieces. If the entire end-to-end data flow is not secure, you are not providing security. It's as simple as that. The other example would be, I think there's collaboration between private companies and other private companies that needs to happen. So what we found was we had some end devices with Intel architecture, but we also had end devices with silicon from our competitors. So we sat down, for example, with Arm, who a lot of you may think of as our competitor, but we found that if we can together figure out what secure device onboarding will look like, when a device comes onto the network, it advertises itself, let's change the default username and password: these simple things we can collaborate on. So we can compete on innovation, but we can collaborate on creating and moving the market. That is the second perspective that I think I would like to bring into this conversation. I know this is called the consumer, like...


Alissa Knight  

But unfortunately, I don't think the solution lies with consumers. I don't think you can really do anything about it. I was being interviewed by Car and Driver magazine yesterday and this question came up, and it's like, it's not like protecting your home Wi-Fi, right? You're like, I'm going to go to my local Best Buy and I'm going to buy a firewall. You can't do that with your car, right? It's not like you're like, oh, I want that E 300, that Mercedes E 300, and on the way home after I buy it, I'm going to stop by Best Buy and pick up an ECU firewall. Not gonna happen. Unfortunately, the solution is with the vendors. It's with the companies. And unfortunately, I think if we as consumers change the narrative, and when we're looking at cars start to ask questions like, hey, you know, do you know if there are any ECU firewalls in this model? You know, is there a mobile app? And, you know, I think we've been too focused on, can I Facebook while I drive? You know, I just think that the questions in the pre-sales process need to change, so manufacturers and OEMs start to get it that, oh, wait a minute, consumers are making fewer decisions about the stereo system and the speakers in the car, and more basing their decisions on the security of the vehicle. And I think we can help shape that narrative as consumers, but ultimately, the responsibility is up to the vendors, the manufacturers, the OEMs. So, well, you're a vendor.


Ami Dotan  

Are there some ideas? Subsequently, it should be in front, I mean, think about it. As I said, we've been involved in the automotive industry for the past three and a half years. And you cannot depend on the regulators to do the job for you. You should be aware; again, it's the same: C-level executives should be knowledgeable about the vulnerability that their own equipment may expose their own customers to. But as a customer, you walk into a showroom and you have this rating for safety, right? And I've been told that 20 years ago there was a big fight, what is the safety and how many airbags, who needs airbags, and seatbelts 30 years ago. And now you walk in, and the first thing, at least I do, and I just bought a new car, the first thing I asked is, I wanted all the gadgetry: the lane keeping, the emergency stopping, the adaptive cruise control, because people are distracted, and we know that close to 40,000 fatalities in the United States in road accidents are 90-plus percent because of human error. So you will be looking for these added-value pieces of equipment to overcome our distraction. But that was Senator Thune at one time, when they discussed in the previous government the self-driving, about what prevents autonomous vehicles from going on the road. And he came with the idea; he said, if we have done it with safety, why don't we rate a car for cyber security? So you walk into, you know, stars, you want, oh, three stars, four stars. Obviously, the industry pushed back, exactly like I was told they pushed back on safety, but it will come. Eventually, if consumers are aware that cyber security is an issue and it makes a safe platform less safe, they will require that. You talk about smart cities infrastructure: why would you buy a generator if it doesn't have a controller that is secured? Ask the question: is it secure? Don't look at the specs.
You have so many people in the high-rise industry that are dealing with it daily; they just need to ask the questions. So knowledge, and we should be educating as much as we can, like at this conference and others, that cyber security may actually eliminate safety, and you put residents at risk if it's a high-rise building, and neighbors, etc., etc. So the awareness, knowledge, ask questions and demand, and don't wait for the regulator. Although I think it's the State of California that two months ago published a regulation saying any IoT device installed in California should be secured. That's the start. I don't know what it means and what's the level of security, but okay, so you start. The first question is, is it secured? I remember three and a half years ago: "the car is secured." What? "Our R&D people put something in place." Obviously, but that's the beginning; you got to start somewhere. So that will improve. Even that regulation, I see some people saying, so what does it mean? It means that there is awareness. It means that the State of California is going to be on top of it, and eventually will hire the experts to require the right things from vendors that would eventually like to sell in the State of California, just like emission control. Eventually, they're gonna be selling criteria. But for vendors, it should be a marketing advantage, and now going forward, saying ours is secured, and differentiate yourself from the competitors. That's the beginning. That's kind of an upsell on existing equipment that is better secured. I just want to add one more thing: hire hackers.


Alissa Knight  

Hack your own stuff. One of the things that I think we can do is, from several aspects, you know, and please don't hate me if there are any developers in the audience, it also starts with the developers. One big mistake I see a lot of the manufacturers, if any of you are manufacturers, OEMs: you're making a mistake by doing just cyber security awareness training for your entire company but not sending your developers to secure code training. A lot of the onus and a lot of the responsibility falls on the developers. A lot of the things that I've seen, and some of you may be shocked by what I'm about to say, some may not, but I'm seeing vulnerabilities now that were a vulnerability 20 years ago. History repeats itself. The problem is that we've got these developers who are making these new systems, embedded systems, new applications that are running these OT and IoT devices, and not realizing that, you know, you need to secure it differently, you know, and just really, really shocking mistakes. Let me give you an example. So there was a really large fountain. I won't... This is funny. Um, let's see. It was a very large fountain. And the fountain was actually communicating with an API server, and it was being controlled through an API. And the way it was written, the controls for this large fountain, this massive fountain, I found that by just pulling out my laptop and actually loading up an application called Postman, which is an API client, I could actually manually send commands to the API server, because it basically just was expecting certain configured commands from the fountain, from the equipment, this fountain. And I basically just threw whatever command I wanted at it, and it accepted it. This is a basic logic issue, basic logic flaws, basic vulnerabilities that we were seeing, like, 20 years ago: authentication and authorization.
That's not happening in OT, that's happening in IoT devices. I think that's where it needs to start: with the developers. Don't get me wrong. I love developers. I love you. I couldn't write a line of code if my life depended on it. Give us a little business. Yeah, you know. So, um, but I think it needs to start there. And, you know, I'm working with great technology. There's a lot of startups in this area who are creating amazing security solutions for devices, like, you know, level tech, that's biometrically fingerprinting your radio frequencies on your cell phone to identify you and prevent replay attacks on cars. There's all this really great tech coming out right now to help with this problem, but unfortunately, it's outside of the hands of consumers. Industry needs to get better.


Sameer Sharma  

So a couple of things to add. I mean, as we're discussing this, this is like peeling an onion, right? There's a lot, and no one answer to it. To summarize the conversation, there are two ways of preventing an attack: you minimize the potential attack surface, or you harden it. And I think, you know, reducing the attack surface is all about things like authentication, encryption, thinking about data flow. The hardening comes not just from, I mean, hiring hackers is certainly an option, but within your development teams create a red team, blue team competition, and there are a lot of established security practices that have helped us secure the enterprise. What we need to do is bring those practices out of the enterprise into the world. And I think that's the journey we are on. So certainly from an Intel perspective, we think of this as an ecosystem partnership. You know, we work with startups, we work with our solution providers to make sure that we're bringing the best of everything together. Because this is not about a piecemeal, siloed solution that's really good at one thing; it's about securing that end-to-end data flow.

Ami Dotan  

There is a great advantage, and that's why there is a great advantage to the IoT sector in terms of hardening, protecting, simplifying the domain: these are single-purpose machines. It doesn't matter if it's a controller on an air conditioner, a generator, or an ECU in a car, an electronic control unit in the car, or a charging station, for that matter. They leave the vendor with a single purpose: to function exactly as the design was supposed to do. They're not supposed to be user-configurable. So if you take that in mind, and you try and seal and harden at the vendor side so that only authorized changes are allowed, whatever the means are, either hard-connected or over the air, then it is easier to protect and harden. And versus the IT world, the OT gives you that advantage. And that's the philosophy we took. It's a single-purpose machine; we work with the vendor. That's the design you wanted it to be. We don't care if the application is in an MRI machine or air conditioner functionality or a valve to close and open. This is it, that's the design; nobody should be able to change it, because a hack is basically getting into the stack and trying to manipulate the code. And so it's not that far-fetched or difficult to get into hardening OT and IoT devices; you just need to adopt it and think about it ahead of time in the architecture. Basically, it's going to end up, that's the code, let's seal it. So I think this is the approach that should be taken by R&D people.


Alissa Knight  

And I'm sure you'll agree, I mean, not only should the manufacturers, as the OEMs of these devices, be breaking their own things, hacking their own things, to secure it, but also security vendors. There have been numerous penetration tests where I actually used the security device to hack the target. So, you know, using the security control to pivot within the system, it's a thing, you know, and security vendors unfortunately need to eat their own dog food. Right. And we need to be cognizant of that, that even on the security side, we're hardening our own devices. Security companies are becoming victims too, you know; we've seen that recently where the security company or the security solution was hacked, and it was used to pivot. And then one other thing I do want to say is, you can't protect what you don't know you have. So if there's anyone in the audience who's responsible for security in your city, one of the most systemic problems that I've found in my career is a lot of CISOs don't know what's out there. They don't have asset catalogs. They don't know how many CCTV cameras are out there. They don't know who's responsible for patching them. That's a huge problem. You know, usually it's the security team pointing at infrastructure and infrastructure pointing their fingers at security, and no one took responsibility for patching. So there are all these unpatched CCTV cameras out there. So, you know, know what you've got, so you can secure it, right? The most common response from CISOs is, oh, we didn't know about that server. You know, it was out there, no one was patching it, we don't even use it. But it was hot. And it's still your fault, because why didn't you know it existed? That's your job, to know what's out there on the network. So, yeah.


Diana Blass  

Okay, well, we have about 16 minutes left. Does anybody have any questions that they would like to ask the speakers up here? If not, I'll just keep asking questions. Okay, well, in the meantime, I've got some. Something that strikes me: we're saying how the power really lies in the consumer for driving market change here. But at the same time, you have misinformation out there. This week, with the Las Vegas compromise, I even mistakenly called it a hack, and I remember the director of IT was like, "No, no, not the word 'hacked'; it was a compromise." And I'm just wondering how that impacts public perception out there. Is it as bad a storm as we're seeing in the news, in your opinion?


Alissa Knight  

I'm sure you guys have some input on this, but coming from the breaker side, I can tell you that there is a lot of FUD, that's fear, uncertainty and doubt, created out there. Unfortunately, and we were just having this conversation, social media is a great thing, but it gives a microphone to everybody. So it's very easy for misinformation to get spread about something, and it really has become kind of like guilty until proven innocent with cyber. It's already a labyrinthine thing for a Joe Consumer on Main Street to understand and wrap their brain around, and unfortunately misinformation is a problem. I'm trying not to say "fake news," but okay, well, you said it, so yeah. It is a problem, and what needs to happen is you guys need to rely on things like Dark Reading. Twitter isn't necessarily an accurate news source for everything. You've got Dark Reading, you've got these news outlets that do responsible journalism, to make sure that, okay, the facts around this case were not what you thought they were. It happened with the whole bank hack with AWS, you guys read about that; there was misinformation spread that the hacker had access because she was an employee of AWS, and that's how she was able to hack the bank's S3 buckets. But that's just misinformation. It's very important to make sure that we're communicating facts, and we as practitioners have a huge responsibility here to make sure that what's being put out there is accurate, especially vendors.


Sameer Sharma  

To complement what Alissa shared: I'm certainly an engineer at heart, and so we tend to follow the logic path when it comes to sharing information, updating our constituents in a city on what happened and what did not happen. The reality is it's more of an emotional conversation, which means if you are talking to your constituents for the first time when an incident happened, you're already at a big disadvantage. Your trust with people living in the city has to start way before that. And you have little things like, well, one recommendation I give to city agencies is, you should always take the first step forward and publish what I would call a data manifesto. A data manifesto is a simple one-pager that basically says: here is the data we are collecting, here is the data we are managing, and here is what it will be used for. It's not a 15-page document that even a lawyer can barely understand, right? It's something that everybody can understand. And the reason this is important is that our human brains have evolved in a way where, when we don't have information, we assume the worst. It's an evolutionary trait in our brains. So we need to make sure that we are creating trust, that we are giving people information, and that they are buying into what you're doing with the infrastructure and with the data, way ahead of when a potential incident happens. If you have done that due diligence, when an incident happens and you put out a tweet or an update, people will believe you. Otherwise, somebody who's spreading misinformation, or misinterpreting intentionally or unintentionally, will already have created an impression, and then you have to work under that impression to get your story out. So this communication, this trust, this engagement with the constituents is absolutely critical, and it's as important as all the technical aspects that we just talked about.


Diana Blass  

Okay, great. Well, we have one question over there.


Marcus Harvey  

Good morning. My name is Marcus Harvey from Secure Apps. I had a question for the panel. I wanted to know what type of metrics or KPI sheets cities use to measure and manage their security level, or disaster recovery, or results.


Alissa Knight  

I guess I'll take that first. KPIs: this is an amazing question, I love this question. There's actually a lot of great work being put into establishing KPIs for cyber security. One of the things that I like to track is the mean time to detection. Remember, it's 2020; it's not if you're going to get hacked, it's when. So people need to stop freaking out when somebody gets up and says, "Oh my God, they got hacked." Yeah, it's going to happen. But how quickly can you detect that adversary on the network once it happens? So track that mean time to detection, lowering that dwell time; dwell time is how long the adversary was on the system or on the network before they were detected. The next thing you should want to track: how quickly do you patch vulnerabilities as soon as they're published? Especially for the cyber security folks out there, you have the advisories. You guys saw that whole Iran thing that happened over the weekend, where Iran was making cyber attack threats; how quickly did you become vigilant when notices like that came out? When a new patch is released, when a new version of your CCTV camera, new firmware, comes out for your embedded system, how quick are you to update and patch them? So there's the release or announcement of a vulnerability, the time it takes for people to weaponize that vulnerability, and then the time it takes for the manufacturer to make a patch. Hopefully the zero-day exploits, or whatever they may be, come after the patch, but it doesn't always happen that way with responsible disclosure. Sometimes vulnerabilities are weaponized and active exploitation happens before the manufacturer can even make a new firmware update. So track that time to update your devices once new releases are made.


Sameer Sharma  

So, a couple of pointers. One is, I'd refer to the NIST standard around smart cities; I think it's got a checklist on cyber security, and that's always a great place to start. It's easy to access, so I would recommend looking at that. The other area, which is a bit of a work in progress, is that as we are thinking about our infrastructure in physical and digital terms, I think we have to think about physical security and cyber security in a similar manner. I don't think this has been well understood. Who has physical access, through a badge card reader, into a certain area is as important as who can hack remotely into a particular machine. And this is not a technology issue; I think it's a people issue. The folks who are well versed in physical security are typically not well versed in digital security, and vice versa. So I think what we need to do, as an ecosystem, is figure out how to bring those minds together and find some best-of-breed practices and, hopefully over time, checklists and KPIs. It's not done yet; I think we're at the start of the journey.


Alissa Knight  

One thing I would like to add, sorry, I'm like hijacking this panel: one huge problem I'm seeing a lot of cities do is putting everything on one flat network. Please stop doing that. It's not 1990 anymore, okay? One of the things that you'll notice is that when a city or network is flat, if you hack one of the devices, the adversary has free rein to pivot to everything. Segment your network, use microsegmentation. Your CCTV cameras should not be on the same network as the other mission-critical devices. Look at Target: do we not remember what happened with Target, with HVAC systems on the same network as point-of-sale systems? Stop the flat network thing. That's a huge recommendation I can make to you. In every pen test, and I've done about 200 penetration tests in my career, I was successful in every single instance, and one of the things I can tell you is that I pivot. The first thing I do is get a foothold on the network, and then I scan for everything. I start up a sniffer, I see what's talking to what, and I scan and look for devices. If you segment your network and make sure that you just have a network for the cameras, a network for your HVAC, a network for your AC or whatever systems, your badge readers, you're limiting how far I can actually pivot in the network. So, microsegmentation.

 

Diana Blass  

Okay, great. How do you see the security landscape further evolving for cities? As more technology comes into play, we're kind of removing the human interface, in a way, with artificial intelligence. I presume we'll see a worsening security landscape; is that fair to say?


Sameer Sharma  

I think there are two ways of looking at it. First, we've watched this movie before, right? I talked about the security challenges in the enterprise and how we've gone through it, and we've found answers. I'm pretty confident we will find the answers to these thorny issues, but it's going to be a bit of a journey. You made a very important, subtle point, which is that as technology evolves, the next phase of technology will fade into the background. I think in the first phase we have increased our interaction with the technology; it's been a learning experience. If I want to find some information, I get on the phone, I click on something and get that information. The next phase of development is technology working in the background, certainly using artificial intelligence, but minimizing explicit interaction, which means security becomes even more paramount, because you are not actively interacting with everything. You may not be notified if something goes wrong. So I think we have some best known methods from enterprise security that we can certainly leverage. And when I look at the upside of what we are bringing to the community, to society, using all these devices, I think the popular opinion will be that I need more of this, not less of this. Then if I go back to the enterprise: initially the CIOs would say, I don't need you to bring your own device into my network, into the enterprise. And then what happened? People started uploading files into Dropbox. And the CIOs realized they need to not just secure, they need to secure to enable. I think we'll have to take the same mindset with IoT devices and cities, to say we need to secure to enable, because not enabling is not an option. There is far too much upside, and there are far too big challenges. We outlined the data challenges, the urbanization challenges, and I think this will become a political issue over time, and I think this will get the attention it deserves. But to me the path is very clear: there are some bumps along the way that we need to be mentally prepared for. Some examples you gave, what happens when those things happen, when outages happen or hacks happen: we need to be prepared for them, and we need to be prepared to respond to them quickly. But what we don't need to do is slow down. We cannot afford to slow down the innovation, because the downside of that far outweighs some of the risks that are coming up.


Alissa Knight  

I think cities are going to sort of get rid of the whole electricity thing. I think cities are going to just stop using electricity. I'm kidding. Homing pigeons. No, look, security is not a technology problem, it's a human problem. I don't think technology is the issue. I don't think IP addresses are the issue. I don't think any of that is the issue. I think we are the issue. And I think what needs to happen is we need to change how technology is developed: the SDLC, DevOps, SecDevOps, DevSecOps. Basically, I really feel like we need to start placing more emphasis on secure coding training. I've talked to so many CEOs where it was a budget issue; like, how can you not have a budget? You probably spend more on toilet paper than on training your developers how to write secure code. And I think the vulnerabilities are not being created by the IP addresses and the connectivity in the embedded system. The vulnerabilities are being created by us; that's where the problem...


Ami Dotan  

I think the state of mind should be that vulnerabilities will always be there, and I'm not overruling the education, the better job by R&D people in being aware of vulnerabilities. I can throw out numbers: 100 million lines of code in a car nowadays, and there is a rule of thumb that every 1,800 lines of code there is a vulnerability embedded. If the state of mind is "let's try and eliminate," you're going to be in a chase situation which is going to overrun you. If the state of mind is "no, we know vulnerabilities are there, and zero-day attacks will exploit them, so let's try and decouple the ability to get into those vulnerabilities," harden the code, with the vulnerabilities, from being compromised and exploited; if this is the state of mind, you're probably going to be more successful in every device. At the end of the day, it's the last controller that differentiates between a successful attack and an unsuccessful attack to take over command of those devices behind the controllers. Vulnerabilities are there and will be there forever, no matter what people do, because hackers will find a way in, if not this way then the other way. So try and decouple rather than trying to eliminate, and it's not a firewall: try to harden the existing code, with its vulnerabilities, from being exploited.


Diana Blass  

Great. Okay, well, we actually only have about a minute left, but I do see we have a question over here, if you can get it out fast.


Audience member  

Question. So, just to follow up on what was said a minute ago about network segmentation: typically, what I've seen is that segmentation goes on when companies are trying to do more compliance, like PCI compliance or HIPAA compliance, and then they'll bring the pen testing in. Outside of that, have you seen any best practices where cities, or organizations, can say, "Hey, we're going to do the segmentation because it's the best thing to do," as opposed to just being compliance-driven? Or is it possible that there are trends for heavy compliance, just for best practice for your environment?


Alissa Knight  

Mark my words: compliance is not security. And I'm always saying that, right? Compliance is not security. Have I seen it? Very little. The fact of the matter is, there's been a lot of innovation in network segmentation, in how to do it at the switch level. Now there's software-based microsegmentation; hit me up offline if anyone wants to know more about that.


Diana Blass  

Okay, well, anyway, our clock just finished here, and I think our live stream is done as well. But thank you, everyone, for joining us today. Honestly, one thing I took away from this is that cities really need to invest in microsegmentation for their networks, and that attacks are going to happen; it's just how you prepare for them and how you deal with the aftermath. Thanks for your time. Thank you. Thanks.


Alissa Knight  

I am the managing partner of Knight Ink. What I do is I blend hacking with content creation and influencer marketing. So cyber security vendors will come to me and have me write content for them, and I'll prove the efficacy of their technology by blowing stuff up, hacking things. What's unique about my content is it's written from the perspective of an adversary, so it's very adversarial analysis, to prove that the technology actually does what it says it does. And that's pretty much me. I used to live in Stuttgart, Germany, working for some of the largest automotive makers, hacking connected cars. My focus historically has been in embedded systems. Case in point: a cyber security vendor, [vendor name unclear], came to me and said, "Hey, write a paper for us on IoT security products; embedded systems are a huge attack surface." And I thought, well, how about I drive my car into the parking lot of a bank, hack the CCTV cameras in the parking lot from my car, and then pivot into the bank, and show how your technology could have prevented it. And that's exactly what I did. So that's the style of writing, the kind of things that I do. And yes, I'm a chick; girls hack too.
