Fast Chat with
Leading up to Black Hat USA, hear from Black Hat Review Board Members, Speakers, Trainers and Partners about their contributions to information security and the upcoming Black Hat event.
This week, we chat with Marina Krotofil, Black Hat Review Board Member who chaired the Cyber-Physical Systems Track for Black Hat USA, about her recent research, research motivations, Track Chair role, pandemic experience and more. Listen or read the transcript below:
Hi Marina! I saw your tweet about not being able to present your research at Black Hat this year. Do you think that you will be able to present later in the year or should the audience expect a longer wait to see the highly anticipated research?
Yeah, thank you for this question! Well, you know, security research is actually frequently sensitive in nature. I remember in 2017 I had difficulty getting permission to use third-party hardware for my talk and like two weeks before I didn't even know whether I will be able to present. This is where I truly appreciate the leadership and care of the Black Hat team, who always believed I will manage it and they told Marina, "just take care of the issues, we believe in you and will keep your slot," and eventually things worked out.
This is really great research and it received very high scores in the reviews; however, sometimes your working relationships may change or the relationship with the affected party. In our case, me and my co-researcher changed jobs and after careful consideration, decided that it was no longer appropriate for us to present this research.
What I find interesting is that my colleagues in the new job were so excited about this work. They were just like saying, "You must present it, this is so good, like, the world needs to know about this." So, we've written an academic paper about it and we will see later how it goes.
Maybe we will find a sensible way to present this research, not because we need some fame, but because it's a very significant security issue which we identified. Extremely interesting and advanced research. It would be really good to make the ICS security community aware of it, but yeah, we need to find a sensible way to share this, so let's see!
What typically motivates your research or starts you down the path of a particular topic?
Going back to the research in 2017, I identified the security problem already in 2013 and I was really looking for a piece of hardware because I knew that in order to explain the identified issue to the audience, I needed some visual. I'd been really looking for some demo or testbed to help me to visualize my attack concept and I finally discovered that in 2016. So, you see, there is a big gap between when I had the research idea and when I was able to present it.
Same with my Black Hat 2015 talk. I started with a research question. I looked at the chemical plant and I said like how do I even go about hacking it? I want to cause physical damage, what are the steps I need to take? It was genuine research curiosity and it took me one half years until I identified a framework and methodology and then presented it at Black Hat.
It's typically something unknown somebody crashes into. We are typically curious about questions which nobody else has investigated before. Sometimes my research buddies contact me, for example for my Black Hat 2017, Alexander, one of my friends called me and said you know what, I observed this really strange phenomena, when I like tells us equipment like do you think it's of interest and I was just like hell yeah! I immediately could see how you could exploit it, how you could use it and I immediately identified scenarios. Then when we both were convinced that this is a very useful exploitation technique, then we started really to research it in-depth.
That was really one of the hardest research projects for me. Sometimes I felt like I was pushed to the limits of my mental capabilities because we were working on very tiny pieces of microelectronics and it was really difficult. Similarly for this research which we are not able to present this year, my co-researcher mentioned to me one issue which he identified and interestingly, I knew about that but I never actually thought about it long enough to understand whether it's really useful for something and then he again told me about that suddenly I had an idea.
I knew how we can use it and I understand why it is such a critical issue. The more we worked on it, the more we understood how critical it is, how we can exploit this attack vector and how powerful it is.
There is a lot of things going on in our heads - once you go for a walk or do something else, like cooking, suddenly you have this enlightenment. Typically I have many more research ideas than I can handle. I actually because I have so many research ideas. I basically see them almost every day, maybe this is the type of my personality--I am a bits and pieces person. I really like considering things in depth and of course I do not have time for everything, but therefore I sign up for certain conferences because I know that I will make time to investigate and research certain issues.
This year, you chaired the cyber-physical systems track; Can you tell me a bit about your experience with that: What does being a Track chair involve? Why did you decide to lead the Track this year?
This is my third season with Black Hat. I gained experience as I observed the work of other chairs or leads of the tracks. I realized that I really produce very good contributions when selecting the talks, so, this year I decided to chair the track. Clearly this (Cyber-Physical Systems) is my area of expertise - I've been doing this research for more than ten years. I do industrial research and academic research. I review a lot of academic papers, I work in the industry, I work with customers, do hands-on work, so I kind of know this topic from many different angles and perspectives so that is why I decided to try a leading role this year.
The minimum requirements for the responsibility is just to make sure that all the reviewers submit their reviews: to encourage them, to hunt them a little bit, chase them, encourage discussions. I went one step further and I actually tried to lead this track by being the first reviewer on every submission on this track.
It's a little bit more difficult to be a first on any talk, because many submissions are incomplete, so you will probably have to ask the submitter/the author some questions (probably several times). Certain things probably will be unclear, so you have to google a lot, to make sure that this submitted issue is relevant or novel. You have to do a lot of extra research and work until you will be able to form your opinion.
Basically, we do those discoveries, we document them so that the next Reviewers already see them and don't need to do that work. It takes a little bit more time and it's also a little bit more responsibility because you are first who is forming the opinion about the talk. Also, the next three viewers might be an expert on the topic and easily review the talks, but the others may not, and they might be in doubt about their opinion about the talk. The previous reviews will help them to understand whether their opinion is correct or not, basically giving them a little bit more confidence about their estimation of the talk, so as such a high responsibility to be this first reviewer. It takes a little bit more time to make sure that your assessment is correct, but I truly enjoyed that this year!
Can you tell me a few of the talks that you're most excited about seeing this year at Black Hat USA? (From any track not just the Cyber-Physical Systems Track)
Oh lots, lots! You know it's such a privilege to be on the Review Board of Black Hat, because we receive so many fantastic submissions. Sometimes, you know, all of us feel so sorry when really amazing talks do not make it through because we have such a limited number of slots and we know that this is amazing research, but we have only like two slots- what do we do?! Even non-accepted talks, all of them are so amazing.
All of them are so amazing:
- The talk about Thunderbolt security (When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security) — Its significance is really impressive. Basically, they discovered issues that are so significant that the entire standard about Thunderbolt security is becoming invalid.
- Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks— It's an advancement and what about what we know about satellite security. Basically, about eavesdropping satellite communications. I'm really looking forward and if this conference would be face-to-face, the researchers would even bring the equipment to the stage but unfortunately that won't be possible.
- I really enjoyed the talk about the security of Mercedes cars (Security Research on Mercedes-Benz: From Hardware to Car Control) — Because you know I live in Germany. I'm a German citizen and you know how much we all love our Mercedes! Also the authors of the talk tried last year and since last year they have made significant improvements in their research, so I'm really looking forward to that. Also in the white paper they submitted about their research there was really, this great picture of like four Mercedes cars which they were researching, which was kind of visually very interesting.
- There was a couple of non-technical talks which I was excited about. One of them is about how the Indian female community built their program for nurturing women in InfoSec (Making an Impact from India to the Rest of the World by Building and Nurturing Women Infosec Community by Vandana Verma Sehgal) and the reason why I resonated with the talk is because I lived in India for one and a half years. So I clearly have a lot of Indian friends, but I also witnessed how the entire nation was developing, how females were getting more power and more voice and while the female illiteracy there is still so high, it's really great how they do not complain they are not looking for help they just took control, put themselves in charge, build the communities and started really bringing more females in security, build that trusting ecosystem where females feel comfortable, so I really prize that research, I'm really looking forward to it.
- Another one I also enjoyed reading was a new version or a more advanced version of packet in the packet attack (EtherOops: Exploring Practical Methods to Exploit Ethernet Packet-in-Packet Attacks by Ben Seri & Gregory Vishnepolsky). Not only is this absolutely fascinating research (it still has of course certain preconditions in which it will work in and which not), but it's about when you put another packet into the packet so it allows to go in through the firewall and all the filtering like traffic filtering devices. Once the layers of the packet will repeal, there will be another packet which will be executed and that is [inaudible] packet. I was also excited about that because this is the first progression from the first attack of that kind, which was introduced first by Sergey Bratus and Travis Goodspeed so I am extremely looking forward for that one.
- The last one which is kind of sad is the talk about the opioid crisis (The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis by Mitchell Parker). It was recently in the news that the specific medical software was manipulated in such a way that it was providing a wrong recommendation of what medicine is needed to cure the specific diseases. This is how a lot of people were prescribed this opioid medication and became addicted to it and it's actually caused high mortality in the USA. So it's a sad talk, I wish we did not have it but it's very useful because it's an awareness talk and I hope that such incidents will never happen in the future.
With the Black Hat Europe Call for Papers open, do you have any advice for people interested in submitting?
I actually started writing yet another recommendation on how to submit a useful talk, but there are already several recommendations out there. Again, and again, each year probably like 70% of submissions are incomplete. This is a big issue because the workload for the reviewers is extremely high and when the submission is incomplete it makes us chase the submitters.
When we are starting the reviewing, we maybe have additional time to ask questions, but the closer we get, the less time and patience we have. We no longer have time to chase the authors with extra questions.
I have a super recommendation: First of all, yes the Black Hat submission form is lengthy, but there is a reason for all of those questions and sections. We evaluate based on all of them and all of them are critical to our understanding and evaluation of the submission.
To provide a reference, I spent one week writing my Black Hat submission for this year. One week and I am experienced, I already have five Black Hat submissions, I'm an experienced academic writer, I know how to write, but still, perfecting the submission takes time. I do several rounds, I improve, make it more clear, more convincing, I am trying to ease the work of the reviewer as much is possible.
Sometimes, when you look at the submission, you can see that they spent like 30 minutes or maximum an hour on it and they just didn't even have patience to fill in all the fields. So, this is the point: exceptionally good submissions, good research, clearly written, they most likely will be accepted; exceptionally bad submissions will be clearly rejected.
When the Review Board has let's say 600 talks of approximately the same score, how do we select those which are worse? This is where the quality of your submission will literally allow you to be selected. We remember clear talks, we remember talks which we understood very well, or maybe which were witty a little bit, exciting, because in the end we look also at the quality of the language in the submission. It tells us whether the author will be able to deliver a good talk.
For example, if you look at two submissions, the same quality, good research, but one is clearly, much better written, better language, more convincing of clear expression, then probably that submission will make it through, so therefore perfecting and cleaning the submission is really worth the effort, because it really significantly increases the chance of being selected and standing out from all of those talks with approximately the same score.
How would you say that the pandemic has affected your time? Have you been able to focus on any new hobbies or projects during quarantine?
This is not an easy question for me! The pandemic has caught me in a very interesting time, because I got a new job in the UK and I made a perfect plan: my belongings were collected by the logistics company, I was supposed to travel the world, enjoy life in April, and then the pandemic happens. Not only do I not have my apartment anymore, my belongings are in storage and the borders are closed and I am literally on the street - so it was just like really such a bad timing! While I made a perfect plan for this moment.
I basically had to stay with friends until I was able to relocate to the UK. We made three attempts to actually bring me here, BUT actually I really had a fantastic April! I did not really do much work and I really was able to relax and enjoy a little bit. It's kind of also helped me a little bit to reevaluate the amount of time I spend for work because I truly got a taste for enjoying and doing any other activities especially cooking, like literally playing board games with friends, so yeah I'm definitely after especially this April and pandemic, I definitely now have a much better life work balance.
I basically what I did I actually became more effective in doing my work. I make proper planning, I set clear priorities in the morning: What I want to do or what is important to do during the day so that like I really have evenings and weekends like basically for myself and for other things which are important to me.
Marina Krotofil is a security researcher with a decade of experience in advanced methods for securing Industrial Control Systems (ICS). She specializes in the discovery of new attack vectors and exploitation techniques, incident response, forensic investigations, ICS malware analysis and design of novel defense methods. Previously, Marina worked as a Senior Security Engineer at BASF (Germany), Principal Analyst and Subject Matter Expert (SME) in the Cyber-Physical Security Group at FireEye (USA), Lead Cyber Security Researcher at Honeywell (USA) and a Senior Security Consultant at the European Network for Cyber Security (Netherlands). She has authored more than 25 academic articles and book chapters on ICS Security and is a regular speaker at leading conferences worldwide. Marina holds an MBA in Technology Management, an MSc in Telecommunications and an MSc in Information and Communication Systems.