In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about how the traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, malicious hacking activity would be increasingly targeted in this direction.
Here’s a transcript of the podcast for your convenience.
Andrew Ginter: Hello everyone and thank you for joining us. I’m Andrew Ginter, the VP of Industrial Security at Waterfall Security Solutions. I’m here with Edward Amoroso, the CEO of TAG Cyber and the former CSO at AT&T. Hello Ed.
Edward Amoroso: Hi Andrew!
Andrew Ginter: So, we are talking here about the five part series we put together on OT security. This is part number two. The topic is threats and attacks. There were a couple of example attacks we talked about, the classic one is Stuxnet. Most people may have heard of Stuxnet at least in passing. This was the attack on Iran’s uranium enrichment program gas centrifuges. At the time, the Symantec team that analyzed the malware, this was a worm, identified the malware as, or described the malware as, the most sophisticated piece of malware they’d ever seen. And they had I think a three or four man team picking it apart. What it did was, you know the net effect was, that the Atomic Energy inspectors estimated that between a thousand and fifteen hundred of the uranium gas centrifuges at the Natanz site had been destroyed by the worm.
How did it work? Well, the worm was introduced to the site with a USB key, jumped off the USB with a zero-day, moved through the network very aggressively – punching through firewalls with a couple of other zero days. Eventually looking for and finding the machines that interacted directly with the devices that controlled these gas centrifuges. These gas centrifuges are cylinders of aluminum that are spinning right on the ragged edge of the physical strength of the aluminum. You speed them up very much, or you do anything much else to them, vibrate them, and they fly to pieces. What the worm did ultimately was sped up the centrifuges, for I think something like a month, slowed them down for something like a month, so messed with them basically, messed with the ability of the centrifuges to enrich uranium, and eventually took them up and down. Nobody knows for sure but the thinking is took them up and down through resonant ranges where the things would start vibrating and because of the destruction observed presumably flew apart. So, this was the Stuxnet worm moved around on Windows, but eventually found the programmable logic controllers that control the physical devices and caused physical destruction. If you’re chiming in you’re on mute.
Edward Amoroso: Take a moment, think about the domain expertise required to plan something like that. I mean that’s not a garden-variety act, that’s not a couple of kids, you know in front of a computer messing with a website, that is some real capable planning, execution. It’s quite an attack and I think for anybody who studies that gives you a glimpse into the types of challenges that the modern CISO has. I mean I would imagine when you first saw the thing that’s pretty chilling, right?
Andrew Ginter: It was very big news. In fact, it was very big news especially early in the day when nobody knew what the target was. The worm was very highly targeted. It caused almost no damage to anything else in the world. The bad news of course is that it infected something like a hundred thousand computers all over the world, many of which were in industrial control systems. Even though it caused no damage, nobody trusts a computer that’s been compromised that way and so people spent enormous effort and money cleaning this infection out of their control systems, just because it’s unacceptable to run a reliability critical system with software, you don’t know what it does.
Edward Amoroso: Yeah, that’s a good point. Whether it’s an intended or unintended consequence it was certainly a consequence, and I’m glad you brought it up because that really does generate operating expense and time and delays for anybody who’s involved in that. So, these things that appear surgical, to your point, are not always perfectly surgical, you know.
Andrew Ginter: The next example I wanted to give though was in a sense the opposite, on the opposite end of the spectrum. It wasn’t surgical at all, there was not a high degree of domain knowledge involved, it’s the attack on the Ukraine electric systems.
Attribution has not been definitively settled, but everybody thinks it was the Russians or a Russian-sponsored group. What happened was, the lights went out for I think 225,000 people for between one and eight hours depending on the subdivisions. What happened was in a sense the opposite of Stuxnet, a bunch of hackers did some spear phishing and stole VPN credentials, remote access credentials, logged into these electric distribution systems, and poked around the IT network, found more credentials, went deeper into the control system network. You know, did the usual – logged into the domain controller once they’d stolen those credentials, created their own accounts so they didn’t need to steal the remote access technicians’ accounts anymore, and settled in and watched. They watched the main user interface for the control system, they watched the operator operating the control system for the space of, I think they said, something like a month or six weeks.
And then, once they’d learned what all those screens look like, and how the operator manipulated those screens, once they’d learned all that, they took action. They took over the mouse and the keyboard, they took over the screens, and they started drilling down into the screen that controlled a substation and turned off all the power, while an accomplice logged into the systems in the substation and erased the hard drives, and did this for something like thirty substations, turning off the power to thirty large parts of different cities.
Edward Amoroso: You know Andrew, one of the things you and I have talked about a couple of times is in this narrative that you’re going through, just like a classic APT in an IT context. That is the playbook that we see in IT realized in an OT setting, it’s the same rhythm, same approach, same litany that we see in APTs aimed at the environments with ultimate integration convergence of those approaches, right?
Andrew Ginter: That’s right, and in fact since the articles we produce came out, the Department of Homeland Security in the United States just warned that this kind of attack (again they’re attributing it to Russian actors), that this kind of attack is happening in the North American electric sector and there you know these bad guys are stealing credentials, and logging in, and looking around and doing things. This seems to be, you know Stuxnet got a lot of press, but this seems to be the bread and butter attack we have to deal with today.
Edward Amoroso: I hope people pay attention because the consequences of not doing so in the typical industrial environment can be pretty awful.