Are Hackers the Biggest Threat to America’s Critical Infrastructure?
Summary
TLDR: The transcript discusses the increasing connectivity of critical systems to the internet, highlighting the significant security risks this poses. It emphasizes the rise in cyber attacks and the potential for these attacks to disrupt essential infrastructure, such as power grids and water systems. The narrative includes insights from experts in the field, illustrating the vulnerabilities of industrial control systems and the potential consequences of cyber warfare. It also touches on the challenges of attributing cyber attacks and the need for robust cybersecurity measures to protect against and respond to such threats.
Takeaways
- 🌐 Critical systems that maintain societal functions are increasingly connected to the internet, creating potential security vulnerabilities.
- 🔍 The rise in cyber attacks is not a baseless fear, as malware has already infected critical infrastructure worldwide.
- 💡 Nation states are targeting critical infrastructure such as electricity and water systems, posing a significant threat.
- 📈 The California power grid was allegedly hacked by China in the early 2000s, highlighting the risk of cyber attacks on industrial control systems (ICS).
- 🛠️ Industrial Control Systems can be exploited due to complex protocols and potential cross-talk between different vendors' systems.
- 🔥 Hackers can manipulate inputs to critical infrastructure systems, causing physical damage such as setting a natural gas plant on fire.
- 🌐 The Internet of Things (IoT) increases the attack surface, as more devices become connected and potentially vulnerable.
- 🏛️ There is ongoing debate about the laws of war in the context of cyber conflicts, especially concerning attacks on critical infrastructure.
- 💥 Cyber attacks on critical infrastructure have real-world consequences, such as the Shamoon virus that caused significant damage to Saudi Aramco's network.
- 🛡️ The US government is investing in cybersecurity, with the Department of Homeland Security actively monitoring and defending against cyber threats.
- 🌍 International deterrence in cyber warfare is challenging due to the difficulty in attributing attacks to specific actors.
Q & A
What is the main concern regarding the increasing connection of critical systems to the internet?
- The main concern is the exposure of these critical systems to massive security risks. As these systems become more connected, they become more vulnerable to cyber attacks, which can have severe consequences, including potential paralysis of essential services.
What does the term 'ICS' stand for, and what does it encompass?
- ICS stands for Industrial Control Systems. It is a term used to describe a range of systems that monitor or control physical processes, such as electric systems, water systems, pipelines, and other critical infrastructure components.
How did the California Independent System Operator (CAISO) get hacked in the early 2000s?
- The CAISO was allegedly hacked by China. The hackers gained access to the network controlling the power grid in California, which could have potentially led to widespread power outages and significant disruption.
What was the significance of the Stuxnet virus in 2009?
- Stuxnet was a sophisticated computer virus that infiltrated and destroyed nuclear centrifuges at an Iranian uranium enrichment plant. This attack marked a turning point, showing that cyber attacks could have physical destructive capabilities and could be used as a tool in state-sponsored conflicts.
What are some of the challenges in securing Industrial Control Systems?
- One of the main challenges is the complexity of the protocols used in these systems. Different vendors may use different implementations, leading to potential cross-talk and vulnerabilities. Additionally, the software used in critical infrastructure is often based on decades-old code that has not been audited for security, making it prone to exploits.
How do attackers find their targets in critical infrastructure?
- Attackers can use search engines like Shodan, which scans devices connected to the internet, including control systems. These systems may be exposed with no authentication, making it relatively easy for attackers to identify and target them.
What is a Programmable Logic Controller (PLC), and why is it a weak link for hackers to exploit?
- A PLC is a device used to control physical processes in industrial and infrastructure systems. PLCs have been around since the 1960s and are often based on old code that has not been security-audited. This makes them buggy and full of vulnerabilities, which hackers can exploit to gain control over the systems they are a part of.
What is the role of the National Cybersecurity and Communications Integration Center (NCCIC)?
- The NCCIC serves as the Department of Homeland Security's operations center for cybersecurity. It is responsible for monitoring, detecting, and responding to cyber threats across the nation, working with affected companies to mitigate incidents and protect critical infrastructure.
How does the US government approach the threat of cyber attacks on critical infrastructure?
- The US government is focused on raising the level of cybersecurity in critical infrastructure. While there is an understanding that it is impossible to prevent all cyber intrusions, efforts are made to deter attacks through the concept of mutual assured destruction and by improving defenses against potential threats.
What is the debate around the laws of war in the context of cyber conflict?
- The debate revolves around defining what constitutes an act of war in the context of cyber attacks. Since cyber attacks can have physical destructive capabilities, there is a need to establish clear rules of engagement to determine when a cyber attack is considered an act of war, especially as nation-states and other actors engage in cyber espionage and preparation for potential conflicts.
What are the potential consequences of a successful cyber attack on critical infrastructure?
- The consequences can be severe, including paralysis of essential services, significant economic damage, and potential loss of life. Such attacks can disrupt transportation, energy, finance, and healthcare, leading to widespread societal and economic impact.
Outlines
🌐 The Vulnerability of Connected Critical Systems
This paragraph discusses the increasing connectivity of critical systems to the internet, highlighting the security risks this poses. It emphasizes the rise of cyber attacks and the potential for malware to infect critical infrastructure. The narrative includes an account of a power station in California allegedly hacked by China in the early 2000s, illustrating the real-world implications of cyber vulnerabilities in industrial control systems. The segment also touches on the broader historical context of targeting critical infrastructure in warfare and the need to consider modern cyber equivalents of traditional warfare rules.
🔍 Exploiting System Vulnerabilities
The focus of this paragraph is on the vulnerabilities of industrial control systems, particularly how differences in system protocols and implementations can lead to security breaches. It explains how attackers can manipulate inputs to cause system failures, using the example of a natural gas plant to illustrate the potential for catastrophic outcomes. The segment also addresses the awareness of government officials regarding these threats and the implications of the Internet of Things, which increases the attack surface for potential cyber attacks on critical infrastructure.
💥 Notorious Cyber Attacks on Critical Infrastructure
This paragraph delves into specific examples of cyber attacks on critical infrastructure, such as the Shamoon virus that caused significant damage to Saudi Aramco's network. It discusses the potential motives behind these attacks, including political tensions and the desire to disrupt business operations. The paragraph also highlights the increasing awareness and curiosity about these attacks, suggesting a growing trend in cyber warfare and the need for better security measures to protect critical systems.
🔎 Identifying and Targeting Critical Systems
The paragraph explores how cyber attackers can identify and target critical infrastructure systems. It introduces Shodan, a search engine for internet-connected devices, which can reveal vulnerable control systems. The segment discusses the ease with which critical systems can be found online and the potential for catastrophic consequences if these systems are compromised. It also touches on the need for better security measures to protect against such vulnerabilities.
🛡️ The Defense Against Cyber Threats
This paragraph examines the efforts to defend against cyber threats to critical infrastructure. It features interviews with security experts and government officials, discussing the challenges of understanding complex system interactions and the potential for unintended consequences from cyber attacks. The segment also addresses the difficulty in attributing cyber attacks and the challenges in establishing a clear deterrent policy due to the ambiguity of identifying the source of an attack.
Keywords
💡Cybersecurity
💡Critical Infrastructure
💡Industrial Control Systems (ICS)
💡Malware
💡Cyber War
💡Vulnerabilities
💡Internet of Things (IoT)
💡Shodan
💡Programmable Logic Controller (PLC)
💡Stuxnet
💡Cyber Pearl Harbor
Highlights
Critical systems that keep society running are increasingly connected to the internet, creating potential security risks.
The rise in cyber attacks is not just fear mongering; it's a real and growing threat to critical infrastructure.
Malware has infected critical infrastructure globally, emphasizing the need to consider cyber warfare strategies.
In the early 2000s, a power station in California was allegedly hacked by China, demonstrating nation-state targeting of infrastructure.
The Stuxnet virus in 2009 marked a turning point by infiltrating and destroying nuclear facility centrifuges in Iran, likely a joint US-Israeli operation.
Hackers can exploit vulnerabilities in industrial control systems by manipulating or falsifying input data.
The Internet of Things increases the attack surface, as more devices with connectivity introduce new potential vulnerabilities.
The laws of war in the context of cyber conflict are a subject of debate, especially concerning the use of cyber tools for physical destruction.
Critical infrastructure attacks are not just hypothetical; they are occurring and are recognized by governments as a significant threat.
The Shamoon virus in 2012 was one of the most destructive attacks on the private sector, targeting Saudi Arabia's national oil and gas company.
Nation-state actors, such as Iran and North Korea, are among the primary adversaries in cyber warfare against critical infrastructure.
Programmable Logic Controllers (PLCs) are a weak link in critical infrastructure, often exploitable due to outdated and unsecured code.
The ease of hacking into PLCs is a concern, as these systems were not designed with security in mind and have numerous vulnerabilities.
The US government is actively working to improve cybersecurity, but the complexity of systems and potential for unintended consequences remains a challenge.
The National Cybersecurity and Communications Integration Center (NCCIC) is a key part of the Department of Homeland Security's efforts to monitor and defend against cyber threats.
What constitutes an act of war in the context of cyber attacks on critical infrastructure is not well defined, which complicates deterrence.
The difficulty in attributing cyber attacks, due to the use of multiple launching points and hijacked computers, complicates the implementation of a clear deterrent policy.
Experts and hackers concur that a new war on critical infrastructure is already underway, with significant implications for national security and global stability.
Transcripts
The critical systems that keep society running are connected. These systems are more and more connected to the internet, quite openly; they're just kind of open game. But it's exposing them to a massive security risk. If you can access it remotely, so can everybody else. Cyber attacks are on the rise. You don't think this is just needless fear mongering, do you? I wish it was, then I could sleep a lot better. Malware has infected critical infrastructure everywhere. We've got to begin to think about what are the rules of war if, God forbid, you wind up with a cyber war. Well, cyber attacks triggering all that war.
The industrialized world runs on an infrastructure that we take for granted. When things are running well, they're pretty easy to forget about. But critical infrastructure has always been a prime target in war: destroying a power grid or water system can paralyze the enemy. And as more and more of that kind of infrastructure is connected to digital networks, experts are finding it's also vulnerable to cyber attacks.
In the control system world, if something fails, it's obvious: the lights go out, a pipe breaks. What you don't know is, did cyber play a role in what happened? Joe Weiss has been an industrial control systems engineer for almost 40 years. Joe took me to a power station in California. That state's power grid was allegedly hacked by China in the early 2000s.
Okay, ICS stands for industrial control systems. It's essentially a ubiquitous term that we're using to cover this range of things that monitor or control physical processes. So, like what you see over here, all of this stuff is controlling the electric system. So someone from China could effectively gain access to a network that's controlling something in California? Yes. I don't think there is any question that there are nation states that are targeting critical infrastructure: electric, water, pipelines, you name it. We've already had, many years ago, documented where China did try to meddle with things here, like this. What did they do? They hacked into what's called the California Independent System Operator, which is in Folsom, California, which is what, on an overall basis, controls this. And if they had, what are the sorts of things we could have seen? 'Cause that's obviously an attack, right? That was obviously an attack, correct. And what would have been the fallout if they had? Again, depending on what they would have done, they could have affected, you know, power to hundreds of thousands of customers. Shut down California, one of the most important states? Well, they could have certainly played havoc with the grid.
This attack is just one case. The real turning point was in 2009. It was a sophisticated computer virus called Stuxnet, and it infiltrated and destroyed nuclear centrifuges at a controversial uranium enrichment plant in Iran. Observers agreed the attack was likely a joint US-Israeli operation. The critical infrastructure war was on. But I want to know how hackers get inside critical infrastructure in the first place.
Nice. Pleasure. Meredith Patterson is an expert in protocols, the instructions machines use to communicate with each other. A control system is just a system that takes some reference value and then monitors a centrifuge or a turbine or a fan, any kind of, you know, device that has some property that can be measured: temperature, speed, direction, whatever. Like a power plant or nuclear power plant, or completely critical infrastructure? Yeah, a dam, anything like that. And are these things secure?
Well, one of the problems with industrial control systems is that the protocols that are used in them are extremely complex. So if you have systems from different vendors that are using different implementations, you can sometimes end up with cross talk, essentially, because they're speaking different dialects of the same protocol, and one ends up introducing a mistake into the other. So if I'm reading this correctly, you're saying that at times the software involved with some of the most critical infrastructure we have, like nuclear power plants, can break down? Can the code essentially, like, there's an exploit, there's a vulnerability? That's exactly what I'm saying. Vulnerabilities are driven by the inputs that people send into systems, and so if an attacker has any way to control or modify the input that is being sent to a system, they could send it false inputs, they could send it syntactically incorrect inputs. It is remarkably easy to just mess with the temperature someplace in a natural gas plant and catch the entire plant on fire. I mean, really? Oh yeah. Like Baytown, near Houston, just frequently has problems with, you know, a refinery catches, and, you know, the entire river goes up for about a day. And that's something that could be done if someone got into the system? I mean, this is something that happens by accident already, right? So if somebody were to get into the system, then yes, you could totally set the river on fire.
That threat is real, and the highest levels of government know it. Michael Chertoff was the Secretary of Homeland Security under George W. Bush. He now runs a cyber security consulting firm. What's the biggest threat to America's critical infrastructure? What's the thing that scares you the most? Well, you know, if you're talking about what would cause the greatest consequence, I would say anything that affects transportation, energy, or finance, or health care would potentially have a very, very big impact on the United States. But here's the dangerous thing: we are now moving into what they call the Internet of Things, where everything is going to get, quote, smart. So as we build out all these, you know, widgets that have connectivity and wireless, we've got to think to ourselves, what happens if somebody enters using that wireless and begins to affect the actual physical operation of the system? There's also a lot of debate about what the laws of war would be if we did have a cyber conflict. And again, that's not about stealing information; that's literally about using cyber tools to blow up something like a power plant, or to kill people by causing an airliner to crash. And so we've got to begin to think about, how do we, what are the rules of war if, God forbid, you wind up with a cyber war?
Critical infrastructure is clearly a target, and attacks against them aren't a pipe dream; they're actually happening. I go to meet someone who knows about hacking critical infrastructure and works to prevent it. Yes. Chris Kubecka is an independent security consultant. She says she first got into hacking as a kid. What'd you hack into? The FBI and the Department of Justice. And how old were you? I was 10. What? And I had no idea I was really doing much of anything, 'cause it was really easy.
Back in August of 2012, malware dubbed Shamoon infected the network of Saudi Arabia's national oil and gas company, Saudi Aramco. Kubecka was hired to assess the damage. Why don't you tell me what Shamoon is? Shamoon was a piece of malware that began to randomly wipe over 35,000 Windows-based computers in Saudi Aramco. When it was discovered what was going on, individuals inside Saudi physically pulled plugs to keep it from getting further. And what was the damage? The damage was about 85% of their IT systems were knocked out. When I say IT systems, it wasn't just your desktop computer; it was the servers they connected to, payroll systems, databases, any sort of data that held research and development, all the way up to the voice-over-IP phones. Did that target any, let's say, critical infrastructure or production? Yes, it appeared that the attack was meant to target the production systems, to take them down. So it was actually a critical infrastructure attack? Yes, absolutely, it was targeting it, yes. Who did it? According to Saudi Aramco, they think that the Iranians did it. And would you agree with that? It seemed like it was an extremely political attack, done in a way that was extremely damaging to Saudi business culture. It seemed like either it had to do with a group related to the Saudi Arab Spring or Bahraini Spring, which was going on at the same time, or perhaps it was Iranian. Have critical infrastructure attacks increased since Stuxnet and Shamoon? Yes, they have, absolutely. More and more people are aware of them, so now curiosity is peaking, and if you went from just writing code to writing code and being able to move things, attacks are going to get more and more as curiosity peaks. And also these systems are more and more connected to the internet, quite openly; they're just kind of open game.
The Shamoon virus was probably the most destructive attack that the private sector has seen to date. After Shamoon, US Defense Secretary Leon Panetta sounded the alarm: the collective result of these kinds of attacks could be a cyber Pearl Harbor.
How would cyber attackers find their targets? I learned, in fact, that there's a search engine called Shodan dedicated to scanning devices connected to the internet. John Matherly is its architect. So what am I looking at here? Shodan is a search engine that, unlike Google, which just looks at the web, Shodan looks at the internet, which can include much more than just web. All these devices are becoming connected, and Shodan finds them. It can be buildings, water treatment facilities, factories, webcams, offices, everything that you can possibly imagine. If it can have a computer inside it, Shodan's found it. So this is a 3D globe where the red dots represent publicly accessible control systems. So these are control systems that are exposing the raw protocols; there's no authentication on any of these. You just connect and you have full access. America is just a big red blob. Yeah, that's not good. Most connected country in the world; it's not that surprising, but yes, very, very connected. What was one thing you saw where you said to yourself, like, how the hell did this get up online? There are a lot of things like that. A big one was one in France. It's a hydroelectric dam. It generated like a few megawatts of power; it was pretty big. And actually, I can show it. And this one actually had a web interface, which is unusual, that showed a real-time view of how much power was being generated, and it also had all sorts of other stuff exposed. That's actually a common theme with ICS devices: they will give you serial numbers, they're going to give you firmware versions, because it was meant for engineers to maintain remotely, and if you're a remote engineer, you want to know what you're working with. And then you look at the history of it, and there's a history of flooding. Like, there are known flooding instances of this dam, and it took two years of poking and prodding for these guys to secure it. Do you think something this vulnerable and this shitty is lying around in the US somewhere? Most likely, yes. A lot of the guys operating these things didn't understand that if you can access it remotely without logging in over the internet, so can everybody else. Shodan proves that critical infrastructure is in danger all over the world. But who else has figured that out, and what are they doing with it?
Everyone was telling me that critical infrastructure control systems were not only outdated but ripe for an attack. If accessing them could be as simple as finding them on the internet, how hard could it be to trigger the nightmarish damage everyone was warning about? I went to meet Stuart McClure, the founder and owner of a security firm called Cylance. He shows me a device called a programmable logic controller, or PLC. PLCs have been around since the 1960s, but in the digital age they're the weak link for hackers to exploit.
First off, why don't you explain to me what a PLC is? Yeah, a PLC is a programmable logic controller. Basically, it controls the physical world by programming or computers. So you typically find these, though, in a lot of critical infrastructure, right? Absolutely. Any kind of oil and gas or industrial control systems, anything that tries to control, like I said, the physical world or physical elements, for power or oil and gas, transportation, you name it. They all require the use of PLCs in some form or fashion to make them work every day. As I understand it, PLCs are quite buggy and easy to exploit, are they not? Well, yeah, they're built on 30, 40 years of code that has really never been audited for security, or very rarely. So they often have a lot of vulnerabilities and exploits that have yet to be discovered, and of course hackers love that. So you know how to hack a PLC? Yes. And you're going to show us? Yes, absolutely. Let's get to it. Let's try it out. So what this is is a rig that we built to represent the physical world out there, that usually has very large versions of these things. This PLC is hooked up to this air pump and compressor, which is going to allow us to over-pressurize a bottle and make it explode. So, and are you going to run any code on it, or is it just... I'm actually running code that we have in Python right now. First we set our variable to the IP address of the PLC, then overwrite our memory address here, MX 0.0, which is the area in ladder logic which allows us to control the safety disable, and overwrite that, which allows us to control the PLC itself and do anything we want with it. So, would you like to do the honors? All right. Just hit enter. Judas Priest! That actually sounded like a bomb. Now I won't, yeah, now I won't hear for a while, but that was good. Why is it so easy to control a PLC? Well, it's so easy because the way that these things have been designed, they never really considered security from the ground up. So when they design them, they design them just to work. Now what's happening is more and more of them are getting hacked up, which is requiring manufacturers to go back and redesign them. And you don't think this is just needless fear mongering, do you? I wish it was; then I could sleep a lot better. You can make it more difficult, you can make it more challenging, but at the end of the day it's built so foundationally insecure that it makes it incredibly easy for attackers to gain access.
All the experts I've spoken to say our critical infrastructure is vulnerable, and I wonder what Washington is doing about it. The best guy to ask that question is Michael Daniel. He advises President Obama on cyber security issues. So what's the attack that keeps you up at night? I would say it's one that is focused on our critical infrastructure that has some unintended consequences. That's the one that really, I think, worries me, because we don't really actually understand how these incredibly complex systems actually interact with each other. So you fear that another superpower might infiltrate critical infrastructure and set off an unneeded conflict? So that is certainly a concern, although I would actually say that I'm less worried about that than I am other actors that have less interest in the overall, sort of, international, current, you know, status quo. Who are these adversaries? So, you know, the Director of National Intelligence has talked about them in his testimony. So Iran and North Korea certainly top the list, although we are not unconcerned about terrorists and other actors who don't bill themselves so much as terrorists, but certainly cyber activists and others. Everything's crackable. You cannot prevent all cyber intrusions; that's just impossible. You'll never be able to prevent all of them. Everything is penetrable eventually.
Everyone's told me that no critical infrastructure system is bulletproof, and one US government agency is trying to keep track of the cyber attacks happening across the country. I went to meet with Martin Edwards, who's the guy tasked by Homeland Security at ICS-CERT to protect US critical infrastructure against a cyber attack. Edwards is somebody who knows the cyber attacks being lobbed at America's critical infrastructure. This room looks a lot like Enemy of the State or something. So what you're in is, you're in the National Cybersecurity and Communications Integration Center, which is more or less the DHS operations center for cyber. These are where all the different analysts from ICS-CERT and US-CERT are actively defending the country's networks. In 2015 alone, the Department of Homeland Security spent 1.25 billion on cyber security. You know, we've cleaned up the place a little bit for you to come in, but it's definitely a very highly active environment all the time. Edwards has declassified the control room, so we won't see any real-time threats, but it still gives us a rare look into their nationwide monitoring system.
And how does ICS-CERT protect the United States? Yeah, it's tough. It's tough; it's a big problem. If there is an incident, either criminal or nation-state level, we'll send an incident response team to those companies to work hand in hand with them to clean up, mitigate the event. Do you see an awful lot of nation-state actors going after critical infrastructure? I would say we see the whole spectrum. They all look different, and we save the word "attack" for something that, you know, is purposeful and intentional, with an intentional consequence. A lot of what we see is sort of reconnaissance, and then of course, yes, we do see the nation-state level actors, either in the espionage business or the prepping-the-battlefield type of perspective. Right, so you're trying to understand the infrastructure for some future unknown use. So if most threats Homeland Security sees are about espionage, at what point does a cyber attack cross the line? At what point does the administration consider a critical infrastructure attack an act of war? So that is not something that is well defined. Fortunately, we haven't seen one of those events here in the United States in a way that would, you know, probably cross that threshold. And so therefore, I think that we focus on, you know, really raising the level of cyber security in our critical infrastructure. It's one of the areas that we've worked very hard on over the course of this administration.
Even as the US tries to shore up its cyber defenses, there's little incentive not to attack. You know, mutual, truly assured destruction is another way of describing deterrence: if you attack me, I will fight back, and therefore it's not in your interest to attack me in the first place. And that's where the difficulty of proving who actually launched an attack becomes a major issue, because it's very rare for a nation state or a criminal group to go directly from the server that controls it to the target. They will often launch from around the world; they may hop multiple points; they may enlist computers that they've hijacked as being the spears, basically, that they throw at the target. I mean, you're painting a pretty dark picture. Then when you get attacked, even if it's major infrastructure, the first question is, how sure am I that I know the country that either caused it or allowed it to happen? And that ambiguity and that uncertainty is one of the obstacles to having a very clear deterrent policy.
Experts and hackers agree that a new war on critical infrastructure has not only begun; it's well underway.