Are Hackers the Biggest Threat to America’s Critical Infrastructure?

00:01

the critical systems that keep Society

00:02

Running are connected these systems are

00:05

more and more connected to the internet

00:07

quite openly they're just kind of open

00:08

game but it's exposing them to a massive

00:11

security risk if you can access it

00:13

remotely so can everybody else cyber

00:17

attacks are on the rise you don't think

00:19

this is just needless fear markering do

00:20

you I wish it was then I could sleep a

00:23

lot better malware has infected critical

00:26

infrastructure everywhere we've got to

00:28

begin to think about what are the rules

00:30

of War if God forbid you wind up with a

00:32

cyber War well cyber attacks triggering

00:35

all that

00:47

[Music]

00:57

war the industrialized world runs on an

01:00

infrastructure that we take for

01:02

granted when things are running well

01:04

they're pretty easy to forget

01:06

about but critical infrastructure has

01:08

always been a prime target in war

01:11

destroying a power grid or water system

01:13

can paralyze the enemy and as more and

01:15

more of that kind of infrastructure is

01:17

connected to digital networks experts

01:19

are finding it's also vulnerable to

01:21

cyber

01:23

attacks in the control system world if

01:27

something fails it's obvious the lights

01:30

go out a pipe breaks what you don't know

01:35

is did cyber play a role in what

01:38

happened Joe Weiss has been an

01:40

industrial Control Systems engineer for

01:43

almost 40 years Joe took me to a power

01:46

station in California that State's power

01:48

grid was allegedly hacked by China in

01:50

the early

01:51

2000s okay ICS stands for industrial

01:54

Control Systems it's essentially

01:57

ubiquitous term that we're using to

02:01

cover this range of things that monitor

02:05

or control physical processes so like

02:09

what you see over here all of this stuff

02:11

is controlling the Electric System so

02:15

someone from China could effectively

02:17

gain access to a network that's

02:19

controlling something in California yes

02:22

I don't think there is any

02:23

question that there are nation states

02:26

that are

02:28

targeting critical infrastructure

02:31

electric

02:32

water pipelines you name it we've

02:35

already had many years ago documented

02:39

where China did try to meddle with

02:41

things here like this what did they do

02:45

they hacked into What's called the

02:48

California independent system operator

02:50

which is in fome California which is

02:53

what on an overall basis controls this

02:56

and if they had what are the sorts of

02:58

things we could have SE cuz that's

02:59

obviously an attack right that was

03:01

obviously an attack correct and what

03:03

would have been a Fallout if they had

03:05

again depending on what they would have

03:06

done they could have

03:08

affected you know power

03:11

to hundreds of thousands of customers

03:14

shut down California one of the most

03:15

important States well they could have

03:17

certainly played Havoc with the

03:21

grid this attack is just one case the

03:25

real turning point was in 2009 it was a

03:28

sophisticated computer virus called

03:30

stuck net and it infiltrated and

03:32

destroyed nuclear Center fues at a

03:34

controversial uranium enrichment plant

03:36

in Iran observers agreed the attack was

03:39

likely a joint us Israeli operation the

03:42

critical infrastructure war was

03:45

on but I want to know how hackers get

03:47

inside critical infrastructure in the

03:49

first place

03:50

nice pleasure Meredith Patterson is an

03:53

expert in protocols the instructions

03:55

machines use to communicate with each

03:57

other control system is just a system

04:00

that takes some reference value and then

04:04

monitors uh a centrifuge or a turbine or

04:07

a fan any kind of you know device that

04:10

has some property that can be measured

04:12

temperature speed uh Direction whatever

04:15

like a power plant or nuclear power

04:17

plant or completely critical

04:19

infrastructure yeah a dam anything like

04:21

that and are these things

04:23

secure

04:25

well one of the problems with industrial

04:27

Control Systems is that the protocols

04:30

that are used in them are extremely

04:32

complex so if you have systems from

04:35

different vendors that are using

04:36

different implementations you can

04:38

sometimes end up with uh cross talk

04:41

essentially because they're speaking

04:42

different dialects of the same protocol

04:44

and one ends up introducing a mistake

04:46

into the other so if I'm reading this

04:48

correctly you're saying that at times

04:52

the software involved with some of the

04:53

most critical infrastructure we have

04:56

like nuclear power plants um can break

05:00

down can they can the code essentially

05:03

like there's an exploit there's there's

05:05

a vulnerability that's exactly what I'm

05:06

saying um vulnerabilities are driven by

05:10

the inputs that people send into systems

05:13

and so if an attacker has any way to

05:17

control or modify the input that is

05:20

being sent to a system um they could

05:22

send it false inputs um they could send

05:24

it syntactically incorrect inputs it it

05:27

is remarkably easy to just mess with the

05:29

temperature someplace in a natural gas

05:31

plant and catch the entire plant on fire

05:33

I mean really oh yeah like Baytown uh

05:37

near Houston just frequently has

05:38

problems with refiner with you know air

05:40

Refinery catches and you know and the

05:41

entire river goes up for about a day and

05:44

that's something that could be done if

05:46

someone got into the system I mean this

05:47

is something that happens by accident

05:49

already right so if you know so if if

05:51

somebody were to get into the system

05:53

then yes you could totally set the river

05:54

on

05:56

fire that threat is real and the highest

05:59

levels of government know it Michael

06:02

cherof was the Secretary of Homeland

06:03

Security under George W bush he now runs

06:06

a cyber security consulting

06:09

firm what's the biggest threat to

06:12

America's critical infrastructure what's

06:15

what's the thing that that scares you

06:16

the most well you know if you're talking

06:19

about what would cause the greatest

06:20

consequence I would say anything that

06:22

affects Transportation energy or Finance

06:26

or Health Care would be a potentially

06:28

have a very very big impact on the

06:30

United States but here's the dangerous

06:32

thing we are now moving into what they

06:34

call the Internet of Things where

06:35

everything is going to get quote smart

06:38

so as we build out all these you know

06:42

widgets that have connectivity and

06:45

wiress we've got to think to ourselves

06:47

what happens if somebody enters using

06:50

that wireless and begins to affect the

06:52

actual physical operation of the system

06:54

there's also a lot of debate about what

06:56

the laws of war would be if we did have

06:58

a cyber conflict and again that's not

07:00

about stealing information that's

07:02

literally about using cyber tools to

07:05

blow up something like a power plant or

07:08

to kill people by causing an airliner to

07:10

crash and and so that we've got to begin

07:13

to think about how do we what are the

07:14

rules of War if God forbid you wind up

07:17

with a cyber

07:18

War critical infrastructure is clearly a

07:21

Target and attacks against them aren't a

07:23

pip dream they're actually

07:28

happening

07:32

I go to meet someone who knows about

07:33

hacking critical infrastructure and

07:35

works to prevent

07:37

it

07:41

yes Chris Kuca is an independent

07:43

security consultant she says she first

07:45

got into hacking as a kid what' you hack

07:48

into uh the FBI and the Department of

07:50

Justice and how old were you I was 10

07:53

what and I had no idea I was really

07:56

doing much of anything cuz it was really

07:58

easy

08:01

back in August of 2012 mward dub shamon

08:03

infected the network of Saudi Arabia's

08:05

National oil and gas company Saudi

08:09

aramco kuco was hired to assess the

08:12

damage why didn't you tell me what

08:14

shamun is shimun was a piece of uh

08:18

malware that began to randomly wipe over

08:21

35,000 windows-based computers in Saudi

08:24

Arco when it was discovered what was

08:27

going on individuals inside Saudi

08:30

physically pulled plugs to keep it from

08:33

getting further and what was the damage

08:36

uh the damage was about 85% of their it

08:39

systems were knocked out when I say it

08:41

systems it wasn't just your desktop

08:43

computer it was the servers they

08:45

connected to payroll systems databases

08:49

any sort of data that held research and

08:50

development all the way up to the

08:53

Voiceover IP phones did that Target any

08:57

let's say critical infrastructure or

08:59

production yes it appeared that the

09:02

attack was meant to Target the

09:04

production systems to take them down so

09:05

it was actually a critical

09:07

infrastructure attack yes absolutely it

09:09

was targeting it yes who did it

09:11

according to Saudi ramco they think that

09:13

the Iranians did it and would you agree

09:15

with that it seemed like it was an

09:17

extremely political attack done in a way

09:21

that was extremely damaging to Saudi

09:25

business culture it seemed

09:27

like either it had to do with a group

09:31

related to the Saudi Arab Spring or

09:34

banian spring which was going on at the

09:37

same time or perhaps it was Iranian have

09:40

critical infrastructure attacks

09:42

increased since stuck net and shamon yes

09:45

they have absolutely uh more and more

09:47

people are aware of them so now

09:49

curiosity is peing and if you went from

09:53

just writing code to writing code and

09:55

being able to move

09:58

things attacks are going to get more and

10:00

more as curiosity Peaks and also these

10:04

systems are more and more connected to

10:06

the internet quite openly they're just

10:08

kind of open

10:11

game the Shimon virus was probably the

10:15

most destructive attack that the private

10:18

sector has seen

10:20

today after shamun us defense secretary

10:23

Leon Panetta sounded the alarm the

10:26

collective

10:28

result of these kinds of attacks could

10:32

be a cyber Pearl

10:36

Harbor how would cyber attackers find

10:38

their

10:40

targets I learned in fact that there's a

10:42

search engine called Shodan dedicated to

10:44

scanning devices connected to the

10:46

internet John mle is its

10:49

architect what so what am I looking at

10:51

here Shodan is a search engine that

10:55

unlike Google which just looks at the

10:57

web showan looks at the internet which

10:59

can include much more than just web all

11:01

these devices are become connected and

11:04

showan finds them it can be buildings W

11:07

treatment facilities factories webcams

11:11

offices everything that you can possibly

11:14

imagine if it can have a computer inside

11:16

it show ends found it so this is a 3D

11:19

Globe where the red dots represent

11:22

publicly accessible Control Systems so

11:25

these are control systems that are

11:27

exposing the Raw protocols there's no

11:30

authentication on any of these you just

11:32

connect and you have full access America

11:34

is just a big red blob yeah that's not

11:37

good most connected country in the world

11:39

it's not that surprising but yes very

11:42

very connected what was one thing you

11:44

saw you said to yourself like how the

11:46

hell did this get up online there are a

11:49

lot of things like

11:50

that um a big one was one in France it's

11:53

the hydroelectric Dam it generated like

11:56

a few megawatts of power it was it was

11:57

pretty big and actually I can show it

12:01

and this one actually had a web

12:02

interface which is unusual that showed a

12:05

real-time view of how much power was

12:06

being generated and it also had all

12:08

sorts of other stuff exposed that's

12:10

actually a common theme with IC devices

12:13

they will give you serial numbers

12:14

they're going to give you firmware

12:15

versions because it was meant for

12:17

engineers to maintain remotely and if

12:20

you're a remote engineer you want to

12:21

know what you're working with and then

12:23

you look at the history of it and

12:25

there's a history of

12:26

flooding like there are known flooding

12:28

instances of this Dam and it took two

12:31

years of poking and prodding for these

12:34

guys to secure it do you think something

12:36

this vulnerable and this shitty is lying

12:39

around in the US somewhere most likely

12:41

yes a lot of the guys operating these

12:43

things I didn't understand that if you

12:46

can access it remotely without logging

12:48

in over the Internet so can everybody

12:53

else Shodan proves that critical

12:55

infrastructure is in danger all over the

12:57

world but who else has figured that out

13:00

and what are they doing with

13:06

it everyone was telling me that critical

13:09

infrastructure control systems were not

13:11

only outdated but right for an

13:14

attack if accessing them could be as

13:16

simple as finding them on the Internet

13:18

how hard could it be to trigger the

13:20

nightmarish damage everyone was warning

13:23

about I went to meet Stuart McClure the

13:26

founder and owner of a security firm

13:27

called silence

13:31

he shows me a device called a

13:32

programmable logic controller or

13:35

PLC plcs have been around since the

13:38

1960s but in the digital age they're the

13:40

weak link for hackers to

13:42

exploit first off why don't you explain

13:44

to me what a PLC is yeah PLC is a

13:47

programmable logic controller basically

13:49

it controls the physical world with by

13:52

programming or computers so you

13:54

typically find these though in a lot of

13:55

critical infrastructure right absolutely

13:57

any kind of oil and gas or industrial

13:59

Control Systems anything that tries to

14:01

control like I said the physical world

14:04

or physical elements um for power or oil

14:07

and gas Transportation you name it they

14:10

all require the use of plc's in some

14:12

form of fashion to make them work every

14:14

day as I understand it plc's are quite

14:16

buggy and easy to exploit are they not

14:19

well yeah they're built on 30 40 Years

14:21

of code that is really never been

14:23

audited for security or very rarely so

14:26

they often have a lot of vulnerabilities

14:27

and exploits that have yet to be

14:29

discovered and of course hackers love

14:31

that so you know how to hack a PLC yes

14:34

and you're going to show us yes

14:35

absolutely let's get to it let's try it

14:37

out so what this is is a rig that we

14:40

built to represent the physical world

14:42

out there that usually has very large

14:44

versions of these things this PLC is

14:47

hooked up to this air pump and

14:50

compressor which is going to allow us to

14:53

over pressurize a bottle and make it

14:55

explode so and are you going to run any

14:58

coat on it is it just am I'm actually

14:59

running code that we have in Python

15:02

right now first we set our variable to

15:04

the IP address of the PLC then overwrite

15:07

our memory address here MX 0.0 which is

15:10

the area and Ladder logic which allows

15:12

us to control the safety disable and

15:16

overwrite that which allows us to

15:17

control the PLC itself and do anything

15:20

we want with it so uh would you like to

15:22

do the honors all

15:25

right just hit

15:27

enter

15:41

Judas

15:42

Priest that actually sounded like a bomb

15:44

now I won't yeah now I won't hear for a

15:46

while but that was good why is it so

15:48

easy to control a PLC well it's so easy

15:52

because the way that these things have

15:53

been designed they never really

15:55

considered security from the ground up

15:57

so when they design them they design

15:58

them just to work now what's happening

16:00

is more and more of them are getting

16:01

hacked up which is requiring

16:03

manufacturers to go back and redesign

16:05

them and you don't think this is just

16:07

needless fear marging do you I wish it

16:09

was then I could sleep a lot better you

16:12

can make it more difficult you can make

16:14

it more challenging uh but at the end of

16:16

the day it's built so foundationally

16:18

insecure that it it makes it incredibly

16:20

easy for attackers to gain

16:24

access all the experts I've spoken to

16:26

say our critical infrastructure is

16:27

vulnerable and I wonder what Washington

16:29

is doing about it the best guy to ask

16:32

that question is Michael Daniel he

16:35

advises President Obama on cyber

16:37

security

16:38

issues so what's the attack that keeps

16:40

you up at night I would say it's one

16:43

that is focused uh on our critical

16:46

infrastructure that um has some

16:49

unintended consequences uh that's the

16:51

one that really I think worries me

16:53

because we don't really actually

16:54

understand how these incredibly complex

16:57

systems actually interact with each

17:00

other so you fear that another

17:02

superpower might infiltrate critical

17:04

infrastructure and set off an unneeded

17:06

conflict so that is certainly a concern

17:09

although I would actually say that I'm

17:12

less worried about uh that than I am

17:15

other actors that have less interest in

17:17

the overall U sort of

17:19

international Uh current you know status

17:22

quo who are these adversaries so you

17:25

know uh the Director of National

17:26

Intelligence has talked about them and

17:28

his testimony so Iran and North Korea

17:30

certainly top uh the list although we

17:32

are not unconcerned about uh terrorists

17:35

um and other uh actors who don't build

17:38

themselves so much as terrorists but

17:39

certainly cyber activists uh and others

17:42

everything's crackable you cannot

17:44

prevent all uh cyber uh intrusions

17:47

that's just impossible um you'll never

17:49

be able to prevent all of them

17:51

everything is penetrat

17:56

eventually everyone's told me that no

17:58

critical infrastructure system is

18:00

bulletproof and one US government agency

18:03

is trying to keep track of the cyber

18:05

attacks happening across the

18:07

[Music]

18:15

country wrot to meet with Martin Edwards

18:17

who's the guy tasked by Homeland

18:19

Security at IC C to protect us critical

18:23

infrastructure against a Cyber

18:26

attack Edwards is somebody who knows is

18:29

the Cyber tax being lobbed at America's

18:30

critical infrastructure this uh this

18:33

room looks a lot like Enemy of the State

18:35

or something so what you're in is you're

18:37

in the National cyber security and

18:39

Communications integration Center which

18:41

is a more or less the DHS operations

18:44

center for cyber these are where all the

18:46

different analysts from icert user are

18:48

actively defending the country's

18:50

networks in 2015 alone the Department of

18:53

Homeland Security spent 1.25 billion on

18:56

cyber

18:57

security you know we've uh We've cleaned

19:00

up the place a little bit for you to

19:02

come in but it's uh it's definitely a

19:04

very uh High highly active uh

19:07

environment all the time Edwards has

19:10

Declassified the control room so we

19:11

won't see any real-time threats but it

19:14

still gives us a rare look into their

19:15

Nationwide monitoring

19:19

system and how does icert protect the

19:22

United States yeah it's tough it's tough

19:24

It's a big problem if there is an

19:26

incident either criminal or nation state

19:28

level you we'll send an instant response

19:30

team to those companies to work hand

19:32

inand with them to clean up mitigate the

19:35

event do you see it an awful lot of

19:37

nation state actors going after critical

19:40

infrastructure I would say we see the

19:41

whole spectrum they all look different

19:43

and we save the word attack for

19:45

something that you know is is purposeful

19:48

and intentional uh with an intentional

19:51

consequence uh a lot of what we see is

19:55

uh sort of reconnaissance and then of

19:57

course yes we do see the the nation

19:59

state level actors uh either in the

20:01

Espionage uh business or prepping the

20:04

battlefield type of perspective right so

20:06

you're trying to understand the

20:08

infrastructure for some future unknown

20:11

use so if most threats Homeland Security

20:14

see or about Espionage at what point do

20:16

a Cyber attack cross the

20:18

line at what point does the

20:21

administration consider a critical

20:23

infrastructure attack an act of War so

20:26

that is not something that is well

20:27

defined

20:29

um fortunately we haven't seen uh one of

20:32

those events here in the United States

20:34

in a way that would uh you know probably

20:36

Crush that threshold and so therefore I

20:39

think that we focus on you know really

20:42

raising the level of cyber security in

20:44

our in our critical infrastructure it's

20:46

one of the areas that we've worked very

20:48

hard on uh over the course of this

20:51

Administration even as the US tries to

20:53

shore up its cyber defenses there's

20:55

little incentive not to attack you know

20:58

Mutual truly assured destruction is

21:00

another way of describing deterrence if

21:02

you attack me I will fight back and

21:05

therefore it's not in your interest to

21:06

attack me in the first place and that's

21:08

where the difficulty of proving who

21:11

actually launched an attack becomes a

21:13

major issue because it's very rare for a

21:15

nation state or a criminal group to go

21:18

directly from the server at controls at

21:20

the Target they will often launch from

21:23

around the world they may hop multiple

21:25

points they may enlist uh computers at

21:28

they've hijacked as being the spears

21:30

basically that they throw at the Target

21:32

I mean you're painting a pretty dark

21:33

picture then when you get attacked even

21:35

if it's major infrastructure the first

21:37

question is how sure am I that I know

21:39

the country that either caused it or

21:41

allowed it to happen and that ambiguity

21:44

and that uncertainty is one of the

21:46

obstacles to having a very clear

21:48

deterrent

21:51

policy experts and hackers agree that a

21:53

new war on critical infrastructure has

21:55

not only begun it's well underway

22:03

[Music]

22:24

all