Why we started RSTCON
TL;DR
- Offensive effects on Critical Industries are catastrophic
- Nation-states are now targeting critical industries with effects on the civilian populace
- Critical industries need to engage with cutting-edge research not because they can stop the attacks but to develop countermeasures
WHAT DO? Either develop in-house research reading and effect planning teams or engage with existing groups. Read below for information, suggestions, and personal enjoyment.
Article
Security as a field is a game of one-upmanship. The Monarch of cult classic The Venture Bros would say the offensive and defensive sides of the house have “been engaged in a deadly game of cat and also-cat for years” (The Venture Brothers, S1E3). The offensive and research-minded ilk have fundamental advantages. I personally enjoy these advantages and don’t generally feel like sharing; it would be giving away the game. Similar to The Monarch in “The Saphrax Protocol,” however, many of us have ethical limits. Compromise of critical industries, especially by the particularly pernicious nation-state actors that would target them, has the potential to severely impact the civilian populace supported by the targeted organization. In the last three years, I have spent personal time exploring technologies within critical industries like manufacturing, logistics & transportation, power & energy, oil & gas, utilities, and beyond. I have seen the earnest and dogged efforts of the defensive security varietal as they seek to drag their organizations and industries, kicking and screaming, up to snuff with security practices. They have succeeded in raising the floor and can, in many cases, prevent or mitigate impacts from criminal enterprise. Another step is needed; we have seen critical industries fall in the cross-hairs of nation-state actors. Critical industries will not be able to stop these sophisticated and determined adversaries, but by being aware of what advanced research and high-level adversaries are examining, they can forecast and devise mitigation plans surrounding the failure of those systems. Whether enterprise-grade or cartoonishly simple, these plans must be informed. This means either building an internal program of engineers and scientists consuming papers from academic journals or engaging a forum of experts.
Consuming research papers on vital subjects and building expertise is a strong way to keep informed. Building internal expertise by creating a team that reads papers and engages directly with experts takes time. Resources like arXiv, IEEE, and academic journals aggregate cutting-edge research. Looking ahead to what is coming, and getting a team involved in consuming that information, builds expertise within an organization, keeps it briefed on novel developments, and helps it prepare for emerging focus areas and classes of vulnerabilities. A multi-disciplinary team brings multiple perspectives and enriches its output. Early on, the team may need help, but authors are often responsive to clarifying questions about their work.
Engagement could be done by connecting directly with labs or by attending relevant conferences. Consider partnering with universities. Professors often run labs that specialize in a particular area of their field, and their graduate students assist with the research, resulting in a focused group with deep knowledge of both current advancements and developing theories. Another approach is a deeply technical conference. USENIX hosts several in the security space. RSTCON seeks to add to this ecosystem by covering industrial controls, embedded systems, and operational technology. It focuses on cutting-edge research, exploitation, and tradecraft targeting the sensors, systems, and architectures used by critical industries such as manufacturing, energy and power, transportation and logistics, utilities, oil and gas, and defense. RSTCON’s inaugural year will run from September 13th to 15th, 2024, in Savannah, Georgia.
Time to share some alarming numbers that I discovered on my sojourn through this space. In a survey of security personnel covering critical industries, 51% state that “manufacturing…continues to struggle the most with segmentation, compared to other industrial sectors.” Transportation organizations are “having a hard time implementing a network defense that prevents intruders from moving across systems and environments” (Register 2024).
In 2022, Russia deployed “an aggressive new strain of malware known as HermeticWiper. This malware infects a system’s master boot record, corrupting every physical drive and partition until the system is unusable and its data is irretrievable. Russia-based hackers have already launched HermeticWiper attacks against strategic governmental, industrial, and infrastructural organizations within Ukraine” (Arctic Fox 2022).
In February 2021, Texas suffered a massive power outage due to inclement weather, which shut off power and gas almost immediately. The cities were unprepared for a state-wide deficit of this kind, especially since Texas is a gas-run state. “[N]early half of the state’s natural gas production has screeched to a halt due to the extremely low temperatures, while freezing components at natural gas-fired power plants have forced some operators to shut down” (Texas Tribune 2021). In a follow-on report by the Texas Tribune, the resulting death toll from leaving 4.5 million homes and businesses without power was 246, with some sources counting closer to 700, making it “one of the worst natural disasters in the state’s history” (Texas Tribune 2022). While this wasn’t an attack, it illustrates the potential for impact: by the time the problem was apparent, the damage was already done.
No article on the subject matter is complete without an obligatory Stuxnet paragraph. Known as the “World’s First Digital Weapon,” Stuxnet was a malware attack that occurred in 2009. “Stuxnet reportedly destroyed numerous centrifuges in Iran’s Natanz uranium enrichment facility by causing them to burn themselves out. Over time, other groups modified the virus to target facilities including water treatment plants, power plants, and gas lines” (Trellix). This attack was different from others. “While extortion is a common goal of virus makers, the Stuxnet family of viruses appears to be more interested in attacking infrastructure” (Trellix). Rather than demanding a ransom or exfiltrating data, Stuxnet attacked the machinery itself. It was initially intended for a one-time use, expiring in 2012. Through repeated modification, however, Stuxnet persisted for nearly a decade, morphing in response to fixes.
Jay Warne | Co-Founder https://rstcon.org