Root Causes 50: Energy Infrastructure Cyber Attacks

Episode Transcript.

Lightly edited for flow and brevity.

• 

  Tim Callan

  We've talked in the past about some of the cyber activity that appears to be going on or is known to be going on around energy, infrastructure and utilities and there have been a couple incidents in the news just in the last few weeks that echo with this. So, we thought we'd cover them today.

• 

  Jason Soroko

  Yeah. Thanks, Tim. I think there's a couple. There may even be others we don't know about which seems to be another special category of these but the claims of a cyber-attack against Iran's Abadan Oil Refinery I think definitely is worth looking at and going down to, you know, paragraph 10, to see what the root cause may be or who it’s attributed to but the problem there is I don't think we have those details quite yet.

• 

  Tim Callan

  Yeah. So just a little bit of background. The oil refinery had basically had a significant fire that broke out and certainly there was scuttlebutt floating around where people believe that that was a result of a cyber-attack and I think having read about this a little where we come down is, it's hard to tell if it was or if it wasn't. Is that right, Jay?

• 

  Jason Soroko

  Well, yeah, I think that one of the first indicators that had come out was I did see some tweets showing some buildings on fire with people claiming that that that was the building. And I don't know maybe, that would - - maybe if you didn't want to believe it you could claim it was propaganda, but I didn't hear anybody saying that those things were faked. So, I think we can assume that the fire did happen. Beyond that, I think it was a writer story that that kicked it off. What was happening at the time, of course, is that Iran and the United States were doing a lot of international saber rattling at that point in time and as the story went the fire, people were claiming it had been caused by a cyber-attack by nation states, specifically United States against Iran on that oil facility. The article then from Dragos, quickly came out saying, hey, we don't think we completely know that and we don't think we can attribute that and these guys are real experts in understanding industrial control system malware. They've been doing some of the top research on it and they gave a really good comparison to some of the other cyber-attacks within that region over the past year or two. And I think they're getting down to the root cause of that. I don't think we have the full answer.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  So that, you know, we can categorize this one as sounds, you know, if it rhymes and it smells like something maybe that's what it is. Maybe it really is a cyber-attack by a nation state against another. We've seen the United States do that in the past against Iran and the timing sure adds up, Tim. It's just we don't, we just, you know, Iran's not talking about it so we don't have the details.

• 

  Tim Callan

  Right. And you want to be careful about attributing coincidences to, you know, deliberate action when maybe it is a coincidence and that does happen. But I think there are a couple interesting takeaways here even if we don't know what caused this. Number one is the very fact that we're having this conversation means it is credible that something like this could have been the result of a state-sponsored cyber-attack. And, you know, that says a lot about the environment that we're in, especially when you consider some of the conversations we've been having about power grids and when you especially consider, you know, the pretty explicit announcements by nations, including the United States, that, you know, that the ability to disrupt other nations power grids is there and is in place. So, you know, the very fact that everybody sort of says, hmm, I wonder if this was a state-sponsored cyber-attack, I think is important.

• 

  Jason Soroko

  Tim, I that that may be the most important point here which is you and I, on this very podcast series have speculated in the past, that these kinds of attacks were not just possible, but were actively in the pipeline of not just in nation states, but also other, you know, nefarious folks that are out there. There is a perhaps a fallacy of thought these plants have done a lot of security measures, they're safe, and therefore any attack that would happen would have to be something like what's in the movies, it would be some kind of Mission Impossible. And in reality, I think it's the complete flip opposite of that, which is, I think these plants are just at the beginnings of trying to understand how to secure themselves and the bad guys have more than enough, you know, and bad guys and nation states have more than enough technical capability of turning off the lights and setting fires to physical systems. We saw that with Stuxnet all the way to now. And really, Tim, this is the conclusion - the really the only thing that's remarkable here is not the technical prowess to take down a system. That I think is a given. I think what should surprise people is the sheer amount of discipline that the players have, whether it's the nation states or other types of bad guys, whoever they are, the discipline they have to not more actively take out, you know, cyber physical systems such as this, I think is the surprising part. This probably could be happening more often. And the fact that they seem to be timed with specific kinds of events is not, you know, accidental or coincidental. The fact that there were saber rattling, when there was the grids went out, whether it was the Crimean Peninsula, or whether it was some of the other outages that that happened in Texas, or the outage, or the fire that we just saw in Iran. The timing almost seems to be too perfect. And it shows that the unveiling of that discipline and the point at which these people want to strike, it shows they can almost do it at will and that's - - that's my takeaway, even though I have no proof of anything I just said.

• 

  Tim Callan

  So, but I think that actually touches on another very important takeaway from this, which is that we may never know. Like cyber-attacks could occur that would be at best questionable or possibly even completely hidden where it doesn't even occur to anybody. And, you know, we've seen, you know, we talked about some massive power outages that have happened in various places earlier this year. And, how do you know? How do you know whether or not it had to do with cyber and it may be that we won't know. Like, if you go back to Stuxnet - - you mentioned Stuxnet earlier, Stuxnet was fouling up the Iranian plutonium refining process for years and they didn't realize that they were under cyber-attack. They just thought it was hard. And it took a long time. It wasn't until Stuxnet kind of broke out and people began to decompile and examine it that it became clear that this thing had been around for a long time. And so there absolutely is a flavor of that, right? Where things don't work right, infrastructure doesn't work right and are we even aware that perhaps it's being sabotaged deliberately?

• 

  Jason Soroko

  Two things there, Tim, I think part of the Stuxnet story is some actual catastrophic action that did happen in Iran. That is part of the narrative that that I've read. But additionally, you're absolutely right in that one of the stories that I heard, you know, just going to conferences and talking to people who are in the know and also actually listening to formal talks, formal presentations at the various White Hat Conferences, there seems to be not just a lot of ransomware taking over operational systems, I know that Maersk suffered that many other many other organizations suffered, you know, from NotPetya and some of the other ransomwares out there, if you want to call it that. But additionally, the story that I heard was there was a major plastics plant that was having it's a mix - - one of the very, very precise mixtures that created a particular plastic alloy was, the mixture was being messed with by just a few percent and it was causing that supplier, that vendor, to not be able to sell that plastic for the maximum price that they could and then apparently they got a phone call or, you know, some sort of message from the bad guy saying, hey, if you if you want us to stop doing this, here's the amount of Bitcoin we're looking for to get us out of the way.

• 

  Tim Callan

  Give us some Bitcoins and you're gonna have a, right, and suddenly you'll make more money. Absolutely. Right. And you know, that's a business model. Right? That's a way that a criminal can make money at this and that's bad because that's motivation for them to keep doing it.

• 

  Jason Soroko

  Yeah, and that's definitely not going to be a nation state. That's going to be a very, very clever black hat actor who's doing this but certainly the financial motivation is there. And Tim, I don't think we're hearing, you know, or we may ever hear about even a small proportion of what may be going on out there. You know, I don't I don't want to say the sky is falling, it's probably not, but it probably is happening.

• 

  Tim Callan

  If it's not happening, it's only a matter of time.

• 

  Jason Soroko

  Yeah, and I have to go back to my original conclusion earlier, the biggest mistake we could make would be to assume that industrial control systems within any of these types of plants have, you know, substantial, totally comprehensive cyber security. The bad guys seem to know how to do this stuff at will. You know, and again, if you read any of the research, Dragos we mentioned earlier has some really good stuff to teach us about Triton and some of the other malware that's out there and some of the other techniques and things that the bad guys are employing. Goodness. I think that that industrial, that industrial sector, which relied on firewalls and perhaps obscurity of its protocols, and the obscurity of some of the, you know, very complex and expensive equipment that it uses to do the industrial things that it does, that's definitely not enough complexity to keep the bad guys out.

• 

  Tim Callan

  Yeah. And—and--and we just had another - - so this ties into the other incident and this is from reported October 30, 2019. So just two weeks later, there was the - I'm going to massacre this - the Kudankulam Nuclear Power Plant, which is located somewhere in India, I don't know exactly where, reported that it was breached by North Korean APT malware.

• 

  Jason Soroko

  Right. And kind of interestingly, right, the initial headlines, and you got to love journalists, because they know their business was, you know, nuclear plant in India hacked. Period. You know, why would you even need to read further just run and scream because that's the, you know, that's the sky is falling story.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  The thing is, of course, the initial reports were that the nuclear plant in India denied it up and down and said there's absolutely no way that that's even possible. And no, it's not been hacked. But again, it didn't take too long before, I think it was on October 30 when the story started to become clearer, and the people, the administrators of that plant said, oh, yeah, we, in fact, we found remote access Trojans and they were doing things such as keylogging in our administrative systems and that's just not something you want to see anywhere near a nuclear plant, never mind, even if it's just say the HR department or finance department or something like that.

• 

  Tim Callan

  Right. So, it wasn't it wasn't an IoT attack, per se, right? They weren't causing industrial control systems to behave incorrectly or to give false readings or do some of the other things that we could imagine ultimately resulting in a kind of scenario. But, they were gathering intel, right? They were keylogging and what's the next step? So, there's no reason to assume that that kind of disruptive activity wasn't an intention for occurring down the road.

• 

  Jason Soroko

  Oh, for sure. You can imagine that that would be a beachhead for anybody wanting to try to find a hole into the operational system. So, it's not - - it's not shocking. And, in fact, you know, reading through what is available publicly the attribution is to North Korea through their group called the Lazarus group, which I think is fairly, you know, has become notorious and was apparently a custom version of a malware called Dtrack. Talking about tracking, I can't keep track of all the different names of all the different malware out there. Suffice to say, this thing was a remote access Trojan for keylogging, retrieving browser history and I'm reading from a ZDNet article, running, you know, listing all running processes, listing all files and available disk volumes. So, if you're running a Trojan that's just looking for information, it's not hard to imagine that they were perhaps, you know, not looking to sabotage, you know, the HR department or trying to just get, you know, employee information they probably were looking for sensitive operational systems. It's not a hard leap to try to imagine that.

• 

  Tim Callan

  Yeah, I mean, it I guess it's possible nuclear power plants have employees too and I guess stealing their Tax IDs is valuable to but, you think that there are other things you can do. And especially, you know, these North Korean APTs are really about financial gain, right? They're out there doing ransomware and things like that trying to get money. It's one of the ways that the country gets money. And so, you can imagine what you might do, right? You don't really want to blow up the power plant because blowing up the power plant doesn't make you any money but you could stop the power plant from working or stop it from working efficiently. And then, you know, give me these Bitcoins and I'm going to buzz off and let you let you run your power plant. Right? That seems like probably the more likely path that they would be going down.

• 

  Jason Soroko

  Yeah, it's not hard to imagine. But again, at this point, it really is just - - it is just imagining because the initial response from the nuclear plant was we're not hacked and then all of a sudden well, yeah, we are, but it's not quite what the initial headlines were. But interesting enough, it really - - I think, Tim, it really does show everything seems to be a target right now if it has any kind of valuable asset. At the nation state level or at the fraud level everything is at some level of interest and whether it's a legacy IT system, or an IoT system or say perhaps something new infrastructure, such as DevOps - we've talked about that in the past - every one of these things is just another way in and the bad guys seem to be trying to be using all of it.

• 

  Tim Callan

  Right. And we've touched this in the past, right, that there are critical systems and critical infrastructure that has a lot of longevity, that was around long before our current methods or our current digital systems were in place. So, you think how long have we had nuclear power plants? Right?

• 

  Jason Soroko

  Yeah.

• 

  Tim Callan

  And so therefore, these sort of old legacy systems that we still depend on wind up being oftentimes vulnerable soft targets because they were put together in a day when we weren't even thinking about it. We didn't even have the concepts of the attacks that we have now.

• 

  Jason Soroko

  Yeah, Tim, and let me put it into slightly different words. I think as well, the bad guys have really, really proven to us and sometimes I lump when I say bad guys, nation states who, what the heck, maybe they're working on for a benevolent reason depending on which side you're on, the fact the fact remains the automotive industry was saying, well, no, the you know, the infotainment system and the CAN bus are not really connected. So, there's no way through. Well, Charlie Miller proved you wrong. Right? Chris Valasek. Keen Labs proved Tesla wrong. And you know, for industrial control systems well, a uranium enrichment plant isn't even connected to the internet so, how could we be hacked? Well, Stuxnet prove that wrong.

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  And just we see this over and over and over again where the white hat community and the black hat community has proven every single assumption about security to be wrong. And I guess, Tim, maybe that's the proper way to conclude this is, you know, when you're reading these articles and whether it's hey, the sky is falling type article, which actually has a different conclusion than you think, or another type of sky is falling article, which may come down to, hey, we don't really know anything about it but boy, the timing was interesting,

• 

  Tim Callan

  Right.

• 

  Jason Soroko

  I think it comes down to these things are really, really are possible and that's what makes our imaginations go. But additionally, it's so possible, it really is just so possible - - it’s so in the realm of possibility that anytime you hear somebody from operations, who doesn't come from the security background, say things like, oh, that's air gapped it'll never be hacked, you kind of just have to have a chuckle to yourself.

• 

  Tim Callan

  Yeah, and that probably is the biggest takeaway is, again, we look at these incidents and one of them is a maybe and the other one is, yeah, but it's kind of minor, but maybe it was leading or is leading to something bigger. But, to your point, you can't be ever be sure that there isn't something darker that’s sitting under the surface that we don't get to see.

• 

  Jason Soroko

  It's not difficult to imagine a world where just about every critical infrastructure has been mapped out by adversaries of various kinds and people are just waiting to pull the trigger on whatever is necessary. You know, I, again, I really don't want to come off as the sky is falling or a doomsday scenario type of guy, but I do believe that the potential is there that, you know, that whole concept of mutually assured destruction of everybody owns everybody else's systems, it goes down back to something that I think the Atlantic Society actually said a while back, a think tank, which is the world that we're living in and I think it was even General Hayden who had stated something like this as well, which is the world that we're living in is kind of like all offense, very little defense. You know, we try our best with defense, there's no question about it. Absolutely no question about it. We can make the bad guys’ life difficult in certain areas but in reality, most operational systems that are critical, it's almost all offense no defense. And think of world like that, that's kind of the wild, wild west scenario. And I think it was General Hayden who called it, you know, the wild west scenario, which is, you know, as long as you have the biggest posse, you're in good shape, because you can inflict bigger damage on the bad guy but you better expect to take damage yourself because nobody really has much defense.

• 

  Tim Callan

  Ok, well, that's - - -And that's, I think that's borne out like, if we look at what we've been seeing, that certainly feels like what the situation is today.

• 

  Jason Soroko

  For any of you who were scratching your head like you probably should be, which is, hey, I just don't, you know, my lights don't go out and I'm not really worried about this well, I'm not so sure that you should feel so comfortable. That's all I'm saying.

• 

  Tim Callan

  Yeah. So, when the lights come back on, tune into our podcast and we will tell you what happened.

• 

  Jason Soroko

  Yeah, we will be reporting from the rubble pile wherever we can plug in and get some internet.

• 

  Tim Callan

  Absolutely. Alright, so probably a good place to leave it today. Clearly, this is a story that's been developing over the course of 2019 and I don't see any reason to believe it won't keep developing. I don't think it's all played out yet. So, we'll keep tracking it and we'll stay on top of it as it develops.

• 

  Jason Soroko

  Yes, we will, Tim. Thanks.

• 

  Tim Callan

  All right. This has been Root Causes.