ICS Cyber War Case Study Part 1

1 hour 22 minutes
Video Transcription
In ICS SCADA Fundamentals, we're going to go through an ICS cyber war case study, which is from the EU NATO cyber warfare exercises in Brussels. Now, in this case study, this particular cyber warfare exercise was made up by the European Commission on Foreign Relations, Microsoft and myself, and what we wanted to do was leverage real-world possibilities, and also use ICS and ICS SCADA systems.
So there are a lot of security challenges when it comes to ICS and ICS SCADA systems and various different types of control systems. One thing we have to remember is that there are typically a large number of access points, and sometimes you don't even know where all the assets are. This means that suddenly a very tight, secure network is actually more like Swiss cheese.
Now, security isn't the easiest thing to do. That's why Cybrary exists, to make it as easy as possible. But in a control network, because these things were not originally designed with security in mind, it is a bigger challenge.
Now, with control networks and control systems, you also typically have a lot of legacy devices, and this means that if you start incorporating modern IT and IoT equipment into these legacy environments, you're actually introducing vulnerabilities.
Now, when I put profit over vulnerabilities, one thing you have to understand is there are no companies out there that go, "We're going to build the most expensive product possible," and then hope that the market goes, "We want to buy the most expensive product possible." So every company and organization has to think about making money, and the main goal of, say, Siemens and Honeywell and so forth is profit. So many times, when some of these systems are built, they may or may not be properly security tested, because that actually costs a good deal of money.
There's also this assumption that if you are using an exotic protocol on a control network, nobody really knows about it. So it's not going to be a target because the knowledge about it isn't that great.
In addition to that, I've seen many organizations that put up various different types of security devices and think, "Hey, we must be secure. We have a firewall. We have what's called a data diode, a one-way firewall." Fantastic. But in many cases those devices are not securely configured at all, or they may have been at one time, but then a lot of rules have been inserted, which just makes the device open sesame.
And another thing, again, is these control protocols, like Modbus and BACnet and so forth. Their main goal is availability, not confidentiality and not security. So bolting on security is always going to be way more cumbersome, and it will not be as secure as it could have been if you had been keeping security in mind at the forefront when you started inventing and engineering the protocol. Unfortunately, these things are an afterthought.
So when we discuss NATO and the European Union, there are a lot of alliances that we have to consider. For example, in Eastern Europe, there are some countries that align more with Russia. There are some Northern European countries and the United Kingdom that align more with the United States. In addition to that, to ramp up production, Italy, for example, has been aligning a bit more with China because of the funding options from China in Italy. Recently, there has been a trend toward more populism in politics across the world. There are a lot of concerns about immigration, and also, because the European Union and NATO are collaborative efforts between lots of different countries, with lots of different languages and lots of different perspectives, at times the integration amongst members can be a little rough. There are also concerns about foreign and internal interference in those particular governments.
Now, this particular exercise with European Union and NATO members: the general audience was ministers of foreign affairs, ministers of war, ministers of defense. We also had participation from national terrorism units, in addition to a couple of ambassadors and diplomatic embassy staff. There were EU members being represented by their countries. There were also NATO members. There were even non-NATO and non-EU members, and there were quite a few experts and a few think tanks participating.
So, to warm up the ministers and all the folks in the room: one thing you have to understand is they need pictures, they do not need technical information, because that's not their job. So some of the things that I showed them were actual issues I found myself. There was a power plant infected by a remote access Trojan, and an aqueduct and hydroelectric dam in Europe which was exposed to the Internet and completely controllable. You could press buttons. That is not what you want for a hydroelectric dam at all.
There was also a government-funded bank that was infected with a remote access Trojan.
There was a modern agriculture system (and by the way, agriculture is also a control network nowadays), and that was also infected by a RAT.
Then, what was interesting about the power plant, the government bank and the agriculture system that I identified was that they were all being controlled and infected by the same exact remote access Trojan, same exact version, same exact configuration, which was being controlled by someone behind an ISP in Russia called Vimpel ISP.
In addition to that, I found a train engine somewhere in New York that was directly connected to the Internet. Now, what's interesting about this is that modern trains are modern IoT devices, and they're hooked up to the Internet to get all sorts of sensory information and also perhaps to be assisted with remote control and other functions.
Now, another piece that I found was in China. There's a lot of critical infrastructure there that is exposed. About 10 or so years ago, the Chinese government mandated that every single website or email server or what have you that used encryption must also include the Chinese government in the certificate chain. Now, it's very difficult to manage encryption keys within an organization. Imagine if you had to do that for the entire country of China; it is an impossible task. And so what's happened is there's a lot of unnecessary exposure in China.
I then wrapped up by telling the audience that because of their role, because of where they were, there was a pretty high probability that at least one in 10, if not more, of the participants' smartphones in their pockets most likely had spyware installed as well, because smartphones are also IoT devices.
So, to warm them up, this was the European power plant that I was able to find, which was directly connected to the Internet. The top portion is actually a remote access Trojan called Xtreme RAT, and it shows on the banner exactly the version and proof that it is indeed Xtreme RAT.
And on the bottom, you can see that it is running Modbus. Again, Modbus will take a command from anywhere, from anyone, as long as it's formatted correctly, and accept that command. So you really don't let a power plant be connected to the Internet.
Now, in addition to that, I found a Norwegian salmon farm. Agriculture is the backbone of the GDP of a lot of different countries, and these things are now automated. So finding a salmon farm that was exposed to the Internet and interactive with no authentication is a bad thing.
Now, to mix things up, because, at least in the United States, in part of some states their GDP is actually being led and increased by marijuana manufacturing and growing, I was able to find a grow system for marijuana directly connected to the Internet.
And if you can make out the very small print, it says authentication is disabled. There is no username; there was only a password. So imagine if you were an attacker and you wanted to take out part of the GDP and affect the economics of a state or country that relies on different types of agriculture. What if you were able to create a script and get into these different types of systems and turn them off? That would create a huge problem.
In addition to this, the password was very easy to find, because the manufacturer actually posted the user manual freely available on the Internet, which had the default password in it.
So what we did was we gave all of the audience participants decisions, and gave them kind of a rule book called the Diplomatic Toolkit. And they had to decide certain things: are the different exercises meeting the definition, or what they believe is the definition, of cyber warfare? Now, they could decide to do nothing. They could decide to rebuke and say, "Hey, we're not putting up with this," and go public. They could recall their diplomatic mission, or they could dismiss diplomats from the possibly attacking country out of their country. They could also declare solidarity, and that really means, "Hey, if you attack one, you attack all, and we're all going to stand up against you."
Now, an interesting twist is the Netherlands, where I live. It's the only country that can legally hack back to any device at any time against anyone or anything, as long as the Dutch prosecutor signs it off. They can also declare war and say, "Hey, we believe that's a cyberwar; we're going to declare war." And last but not least, some countries involved are nuclear powers, so they could actually launch a nuclear bomb.
Now, this was a two-day exercise, and on day one we had two smaller exercises. The first one was called Clean Slate; the second one, on day one, was Little Man. The last one was Dead Canary, which was a day-long exercise.
So, Clean Slate: we again wanted to warm them up. This was a very interesting scenario where an embassy employee was suffering from stress and burnout, so he started bringing a whole bunch of documents home that happened to be classified, and hoarding these documents in his office. Now, he had several children, and one of the children, a young adult, a young woman, decides, "Hey, listen, these can't be classified. These must be unclassified, so I'm going to get karma points and upload them to Reddit and also to 4chan."
Now, once you upload certain information to the Internet, it is extremely difficult, if not impossible, to remove it from the Internet.