Hack the Capitol is the yearly stand-alone event from ICS Village, a touring industrial security education group most often seen bringing hands-on control systems demonstrations to security conferences. The annual event returns on Tuesday for a virtual presentation, including keynotes from Reps. Robert Whitman, John Katko, Yvette Clark and Ted Lieu, and panelists spanning academia, industry, security, insurance and major industrial equipment manufacturers.
SC Media talked about the event’s significance and its transition to a virtual setup with organizer Bryson Bort, who is also founder of Scythe, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy.
What is ICS Village trying to accomplish with Hack the Capitol?
Bort: The village started about seven, eight years ago as a passion project of a few folks. Our mission is providing education awareness [around] critical infrastructure security, which we do for free, all over the country, at different conferences.
We really see three kinds of folks [in our training]: Lay people, IT professionals and IT security professionasl. We get folks who don’t even know what industrial control systems are and give them an understanding of how they’re actually in an industrial virtual environment whether they realize it or not, with building automation or HVAC. We bridge that gap so that we can get IT security folks interested in helping work with industrial control system security, teaching about those nuances and getting them exposed to platforms that the average person’s not really going be able to get their hands on.
I know you also see a fair number of policy people. You have keynotes by lawmakers from both parties this year. What do the policy people get from the ICS exposure and what do the ICS people get from the policy exposure?
That’s fundamentally what Hack The Capitol is all about. You have policy folks who know how to regulate and right the world, and you have the technical folks who can actually share what is really happening. And so it’s all about connecting those two sides to build those relationships, so that we have that shared learning.There are a lot of tech folks who are interested in learning about policy and certainly all policy folks love to be able to have folks in their Rolodex who know how things actually work. “Can I get an informed opinion before we start progressing this?” And so that’s what we’re just trying to facilitate.
You adapted an event that traditionally involved a lot of hands-on activities to be all virtual. How well does this transition?
Coming up with ways to provide a virtual interface into physical equipment was really critical. We do have a hands-on component with [programmable logic controllers], so people will be getting virtual exposure to how PLCs work. That’s really the only hands-on component of this conference.
But taking advantage of the virtual environment has really, really opened the aperture for international participation. So we have two panels, a Mideast panel and a European panel, that are going to talk about their regional perspectives on critical infrastructure. I come from a military and intelligence, national security background as an American; but when it comes to critical infrastructure, we’re talking about civilians. It doesn’t matter what nationality they are. And so being able to share all those perspectives is important. There will be a Russian perspective on the European panels to bring that to bear. We have six members of Congress that are going to be at the event, speaking, which shows how this issue has started to really boil up and get more attention.
And considering the Florida Oldsmar water hack, we’re going to be doing a demonstration of how that works and what that looks like. So we’ll be doing it with actual physical equipment, simulating a water plant.
Are there particular lessons you hope infosec people will come away with?
You are in an ICS environment whether you know it or not. Your buildings are built off of ICS; they’re run off of ICS. You depend on electricity, you depend on water for cooling. These are all ICS components for critical infrastructure that dictate your business running smoothly and tie into business continuity planning. We’re all in this together, that’s part of what makes critical infrastructure, well, critical.