Hack the Capitol Conference 2022 highlights issues that ICS community must focus on to enhance cybersecurity posture

The action-packed ICS VILLAGE’s Hack the Capitol Conference 2022 concluded this week. Designed to educate congressional staffers, scholars, and the press on some of the most critical and prevalent cybersecurity challenges, the day-long, multi-track event turned out to be a tremendous success with over 1,000 registrants and attendees from across the public and private sectors.

Some of the speakers at the event included Robert Knake, deputy national cyber director for budget and policy, Jen Easterly, CISA director, Matt Duncan, director of Intelligence for North American Electric Reliability Corporation (NERC)’s Electricity Information Sharing and Analysis Center (E-ISAC), and a host of other distinguished thought leaders in the cyber policy space.  

Industrial Cyber contacted some of the speakers to pick up the ‘vibe’ from the ICS VILLAGE’s Hack the Capitol Conference 2022, and put together the key insights and takeaways from the event.

The vibe was big energy, Armando Seay, co-founder and member of the board of directors at Maryland Institute for Security Innovation (MISI), told Industrial Cyber. “People were glad to be in the same room, not just on a screen,” he added.

“The vibe was very good, due mostly to the quality of speaker lineup and topics being covered.  Not your typical sales event,” John Weiler, executive director and co-founder at the IT Acquisition Advisory Council, told Industrial Cyber. “Attendees were very qualified and interactive during the entire day. I especially like the hands-on workshops,” he added.

“The vibe of Hack the Capitol 2022 I think is ‘better together.’ We see more representation from multidisciplinary tracks – government, industry, academia, etc. – in this event than some of the largest conferences across the globe,” Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, told Industrial Cyber. “The conversations focused on lessons learned from the past that can be realized in the future of our approaches to cyber-physical cybersecurity in theory and practice,” she added. 

“We understand the caveats of IT vs. OT threats, the concerns related to health and human safety, the limits of frameworks and standards, and the relevant sprints to achieve progress on all fronts,” Jablanski said. “There is less focus on admiring the problem, and more focus on doing something about the problems and challenges, even if we don’t explicitly agree on all of them. And there’s an invitation for more people, more input, and more fresh ideas,” she added.

“The attendees, the leaders in the ICS cybersecurity community, were very excited to return to an in-person conference/hybrid format to share our message widely throughout the community and strengthen relationships,” David Brearley, operational technology cybersecurity director at HDR, told Industrial Cyber. 

“Personally, I noted a renewed excitement regarding the current federal administration’s vocal support and focus on cybersecurity,” according to Brearley. “While the audience and presenters included many familiar faces to the community, it was great to see many new to the industry active at a conference including previously under-represented market sectors, university students, and educators,” he added.

“ICS VILLAGE’s Hack the Capitol Conference 2022 was built on an inclusive platform, and I feel that this goal was achieved,” Caitlyn Faught, cybersecurity intern at MISI Dreamport and a speaker at the event, told Industrial Cyber. “Everyone there was excited about the future growth within the field and working together to solve the shortage of individuals coming to work in the cyber field with a diverse and inclusive approach,” she added.

The event provided the ICS community with an opportunity to meet after the SolarWinds attack, the Colonial Pipeline incident, and EO 14028, and in the wake of rising geopolitical cyber attacks. Analyzing the key challenges that have to be addressed as the community works towards tackling rising cybersecurity threats and attacks, Jablanski said that addressing all of the critical infrastructure sectors as monolithic is not a viable strategy for cybersecurity.

“For decades we have focused on the nature of the problem of more sophisticated threats, more ubiquitous vulnerabilities, and greater reliance on interconnectivity and technological interdependence, but this analysis has not translated into reducing the severity of impacts for each sector’s immediate populations – customers, suppliers, citizens, etc,” according to Jablanski. “The analysis of criticality and the potential fallout from cyber incidents is a quantitative gap in tackling the largest challenges across ICS industries. Nimble partnerships and investment are beginning to answer this call,” she added.

Seay said that the big issues are a failure to imagine and look towards the horizon. “Cybersecurity is broad, critical infrastructure actually has expanded as have its threats. The new race to dominate space, has a cyber workforce gap that does not meet the future pipeline needs.” 

He also pointed out that “we are slow to focus on other sectors not impacted by a headline attack. Example what about rail cybersecurity? Space cybersecurity? Facilities cyber security? Exec orders flew out, because of Colonial Pipeline and SolarWinds, it’s a reaction, not a structured plan.” 

The bulk of OT assets are housed in private industry and a large segment are small and medium sized businesses, according to Seay. “You can train the community into compliance without enabling action,” he added.

“There are too many challenges frankly, we need to prioritize or fail at everything,” Weiler said. “The areas that need focus however are 1) establishment of a govt wide tech SCRM/cyber resilience strategy and suite of standards, with an eye to coordinating with Five Eyes 2) a standardized approach to certifying COTS products in terms of SCRM. FedRAMP does not address this. 3) Workforce training and mentoring, as there are so few qualified candidates, thus we need to work with what we have,” he added.

“One primary theme I noted during the conference sessions was the general consensus that non-regulated US critical infrastructure owners have significant room for improving their cybersecurity risk posture but should this be handled through incentives or regulation (carrot vs. stick),” Brearley said. 

Recent events have highlighted the critical dependencies between each of the critical infrastructure sectors and supply chain logistics as a whole, showing that a cyber event that affects a single system owner may have a broader impact, according to Brearley. “As one presenter noted, look at Ukraine and how they have slowed the Russian military with attacks on supply chain; and another denoting critical dependencies in supply chain for a hospital that includes manufacturing, power, water and more,” he added.

“The largest challenge within the cyber community is the realization that ‘cyber’ means so many things,” Faught said. “You cannot just focus on your weapons system, your network, etc. as this approach leaves unprotected vectors for adversaries to strike. It is and will increasingly be important to work together to cover all angles,” she added.

Looking into the key highlights of the ICS VILLAGE’s Hack the Capitol Conference 2022, Seay said that the segments on workforce and policy were highlights. “There is so much cyber policy being published, where is the workforce needed to take action? Where is the next generation workforce? How does government recruit, train and retain?” he added. 

“We issue miles of policy but without a workforce we are not going to close the cyber resilience gaps,” according to Seay. “The nation needs to adopt cyber residency or cyberships. We need to include the high school to employment workforce needed to secure downstream aspects of cyber and pair them with the multi-credentialed workforce that are designing the future and doing the high science,” he added.

“The realization that cyber-physical attacks can lead to loss of human life is more top of mind than ever before,” Jablanski said. “This realization has really brought the IT/OT experts, sector experts, and government experts together in the U.S. to reduce the risks of catastrophic impacts in society as a result of threat actors targeting critical infrastructure,” she added.

“There’s an open call for professionals to get more involved in this space, whatever their background may be. We need more awareness raising, hands-on systems, learning, CTFs, pathways, outreach, partnerships, policy work, and government attention,” according to Jablanski. “We have our work cut out for us in determining and spelling out real-world incidents and cascading impacts to predict realistic cyber scenarios and to build in plausibility checks for those scenarios from both the cyber and physical or process perspective,” she further highlighted.

Weiler said that “there were many very valuable sessions with incredible moderators;  starting with Bryson Bort, who is one of the most entertaining tech leaders I have come to know.”

He also added that the ONCD Deputy Robert Knake provided a welcome and refreshing perspective on how his effort will expand public/private partnerships, reaching into a much wider community to include non-profits, standards bodies, and industry groups representing a large number of critical infrastructure owners, large and small. His points around outcome-based cyber were also very refreshing having seen too many compliance schemes fall short while costing a bundle, Weiler added.  

“The Critical Infrastructure and Ransomware panel was super hard hitting and somewhat scary on how effective these tools have been used by state controlled gangs, who are less concerned with stealing our data, but rather holding it hostage until payments are made,” according to Weiler. “Great to hear NSA and external hacker groups are taking action,” he added. 

Weiler also said that his panel on ‘Cyber Workforce and Skills Training/Mentoring’ was surprisingly diverse and very broad in its perspectives. “We all agreed that the government must do much more to recruit, retrain and retain the talent it already has given the huge competition from the private industry,” he added. 

“IT-AAC and MISI have launched mentoring programs that are already helping the current workforce sharpen their digital and cyber skills, including how to be more agile so as to keep up with the fast-paced tech market and ever-changing threat landscape,” Weiler said. “We keep hearing, experience matters most, even more important than a degree,” he added.

“The cybersecurity community’s commitment to defending US critical infrastructure is strong but many of the traditional roadblocks including funding, return on investment, staffing, and more are continuing,” Brearley said. Collectively the community continued to present a common set of problem statements and a common commitment to collaboration to solve complex challenges, he added.     

Faught said that the Hack the Capitol conference highlighted the “previous short-sightedness of the industry and the realization that there must be a change to move toward an overarching protection of our industrial systems.”

Exploring the key advancements made by the change-resistant ICS community since the last ICS VILLAGE’s Hack the Capitol Conference, Seay identified awareness of some key segments of cybersecurity for critical infrastructure.  “The focus is intensifying, and the understanding/awareness of the problem is increasing,” he added.

Jablanski said that this year was much more tactical – despite the current geopolitical climate. “The sessions were devoted to specific threats, concepts, technologies, partnerships, and more rather than very high-level talks without losing the focus on educating congressional staffers, scholars, and the press on some of the most critical cybersecurity challenges facing our nation today,” she added.

“The clear increase in attacks has made everyone wake up, and move to take specific actions,” Weiler said. “Too many were only looking at the problem over and over again, with few taking leadership roles. This has clearly changed, as seen by the high-caliber leaders coming into NSA, DOD, DHS CISA, FBI, and White House NCD. Leadership experience and top-level commitment have been missing in the past,” he added. 

Brearley said that he did not attend in previous years. “Over the past year I have observed an increase in awareness of ICS Cybersecurity risks to critical infrastructure within the public and system owners which is opening the traditionally change resistant community to a community that is seeking information about the risks, possible mitigations and struggling to prioritize mitigations due to funding limitations,” he added. 

“It is my hope that this increased awareness will have a positive impact on attendance at future events and the collaboration with those system owners/operators,” according to Brearley.

Having not attended the last Hack the Capitol event, Faught said that she “truly felt that everyone appreciated what I had to say representing the future perspective with Derek Eichin. I feel that the propensity to move towards growth and nuance is growing and will only continue to move in that direction.”

Examining the key takeaways for the ICS community from the ICS VILLAGE’s Hack the Capitol Conference 2022, Jablanski highlighted that “threat actors are doing their homework and have surpassed the limitations of ‘security by obscurity’ – they are looking for single points of failure (might be a business or revenue component or a supply chain component or a trusted component in the architecture), extending dwell times, and maximizing the potential to dupe operators into believing their activities are legitimate and authorized.”

Additionally, Jablanski said that risk mitigation requires a whole of business approach – exercises reveal all of the who, what, where, when and why of crisis control – often including non-technical stakeholders to determine the critical functions for business continuity. “Sectors beyond energy need more attention – elections, food, prisons, hospitals, transportation, etc. all have critical functions that cannot be ignored,” she added.

Weiler said that the top takeaways are – “time for government and industry to stop looking at the problem and take decisive actions to modernize and secure our legacy systems, as we are all vulnerable. Our emerging cyber standards of practice need to be outcome driving vs just compliance,” he added.   

He also said that public/private partnerships and collaboration with industry are critical to the future, and these must become more action-oriented. “Most cyber P3s (ISACs, etc), are policy and threat focused, and not enough are taking on the challenges most agencies and contractors are facing with HOW to secure these systems at a reasonable cost. Almost every panel embraced Public/Private Partnerships that are more inclusive and not just the ‘usual suspects’ or very large companies,” Weiler added.  

Seay said that “a focus on gathering the private/public partnerships in cyber together is needed to help solve the problem. Not for profits.”

“Government and private industry collaboration and information sharing is a key component to success,” Brearley said. “The cyber community (still) does not have accurate statistical data on ICS Cyber incidents. Owner funding for mitigations and appropriate staff to monitor and maintain is continuing to be a challenge,” he added.

Brearley also said that skillset shortages for ICS cyber personnel continue. “The availability and support for ICS Cyber Detection and Defense are continuing to rapidly increase,” he added.

“The key takeaways for the ICS community from the Hack the Capitol Conference were collaboration and inclusivity,” Faught said. “The community must come together to problem solve taking into consideration nuanced ideas and discoveries from other fields, as well as those who are new to the field of cyber,” she added.
