Hacking Power Plants and Industrial Control Systems (Scada) // Ukraine Russia Cyberwar

You can find just about anything about anybody, okay, through OSINT techniques. Except yourself. Except you, well, hopefully that's true. They can track everything you do by your phone. You can track the location of the yachts, the airplanes, cars, anything that's giving off a radio signal. You are actually doing a lot of the technical stuff that people want to learn. Not everyone watching is going to agree, which is normal. I firmly believe in what we're doing, I think it's the right thing, and we will continue.

[Music]

Hey everyone, David Bombal back with Occupy the Web. Had a lot of comments on our previous video, a lot of great feedback and some negative feedback, obviously. Just to remind you, Occupy the Web is the author of this book, and I also got his other book this time, so this is another book that he wrote, and he's working on a book about network hacking. So I have to ask you, Occupy the Web, because a lot of people said, David, you're giving away the name of the author, so how can you do that? I mean, on the book it says Occupy the Web, so I don't think I'm giving away much.

I saw those comments too, like, oh, David knows his identity. Yeah, he knows his identity as Occupy the Web. I know nothing about you. I've never met you, don't know what you look like or anything. So welcome again, it's good to have you back.

Thanks a lot, it's good to be back. I got a request yesterday from inside of Ukraine, okay, from associates inside Ukraine, and what they are asking us to do is, they've identified about 500 IP addresses of webcams, okay, within the occupied territories of Ukraine, and they're asking us to basically break their passwords so that we can watch what's taking place in those occupied territories. A lot of these webcams are security cams, they are, you know, in parking lots, on buildings, what have you. And so this is a way for us to hold the Russians responsible for the atrocities that they have been committing in Ukraine. Now there are some limitations to this, obvious limitations. In one
hour. You got to have electricity to have those cameras online, right? And many of these parts of Ukraine don't have electricity right now, and almost all these parts of Ukraine don't have internet access. So we're going to do our best and try to get as many as we can and be able to see what we can, but we're trying to be an eyeball inside of these occupied territories to be able to record what's actually taking place.

Oh, that's great. I mean, some of the things we say in these interviews are controversial, and I'll just say that on all my interviews, and Occupy the Web, you can confirm this, I don't edit what you say. It's raw from you, and it's the same from everyone else who gets interviewed. It's the raw opinion of the person that I'm interviewing, and I don't like to try and edit it all out. So you can say what you want. Not everyone watching is going to agree, which is...

And I agree that not everybody's gonna agree with me, but I'm gonna give it to you, it's my opinion.

Yeah, okay. And it's hard to hear some of the comments and read some of the comments.

But I firmly believe in what we're doing, I think it's the right thing, and we will continue on this effort.

So from my point of view, what is really interesting is you are actually doing a lot of the technical stuff that people want to learn. Like, we gonna talk a bit about OSINT now. We've spoken about the cameras. I want to talk about SCADA, and you've kind of communicated some of the risks with, like, power grids, stuff like that, in our previous interview. So I'd like to get, like, sort of some technical information about what OSINT is and how you manage to find those yachts.

Almost all modern vehicles give off a radio signal, which, I'm going to put in a little plug for, I have a new course called Software Defined Radio for Hackers, which I think is really, really important. So anyway, that's out there, and this is part of it, is that these radio signals, you can track the
location of the yachts, the airplanes, cars, anything that's giving off a radio signal. So that's how the yachts are tracked. There's basically two different ways. For the big yachts, they actually communicate their location via GPS, the big ones do, like these super yachts, and there's also AIS, which is a signal that's only available near the shore. So as they're traveling along the shoreline these signals can be picked up, and they can also obviously be picked up in a marina. So these all can be tracked, so you can track these super yachts where they travel anywhere in the world. There's several sites that do this for you, and we use marinetraffic.com. If you go ahead and put the name of the vehicle in there, it'll track it, show you its route. The issue really in being able to effectively track these oligarch yachts is to find the name, okay?

Yeah, that's the hard part.

Most of them don't put the yachts in their name, they put the yachts in a shell company, so you have to trace through these shell companies to find who owns the yachts. And then once you have the name of the yacht, you can put it into MarineTraffic or some of these other sites and track its location. As soon as the war broke out on February 24th, we began to go after the yachts. We didn't go after the yachts with the idea of getting them seized. We went after to try to get people to go out to the marinas and basically protest and refuse to fuel them and refuse to service them. That ended up playing a key role in seizing about a half a dozen of those yachts, so we were able to get quite a few of the others seized, and we're still working on that project. As a matter of fact, I just now tweeted out the location of another yacht that's at Ensenada, Mexico. It's owned by, what's it, Oleg Tinkov. His yacht is La Datcha, and he just moved it in the last couple of days from Cabo, Los Cabos, Mexico, to Ensenada, which is pretty close to the United States. It's getting risky for him, but there's a lot of
Americans and Mexicans in Ensenada. Ensenada is just south of the border on the Pacific coast of Mexico, and so I just kind of was encouraging people, even though Mexico is not gonna seize it, that they should, you know, they could go out and make him feel uncomfortable, make him feel unwelcome in Mexico, maybe refuse to give him fuel or food, what have you. So that's what we're encouraging people to do. If Mexico is willing to seize it, then that's even better, but Mexico right now is pretty much staying neutral, and probably for good reason. I mean, Mexico doesn't want to get themselves involved, you know, in this kind of conflict. They're not a player, you know, that wants to, they can only lose by getting involved in this conflict. So apparently Tinkov believes that by keeping his yacht in Mexico he's safe, but that doesn't mean we can't make him feel uncomfortable. The others, we've probably gotten six or seven yachts seized since the war began, and so we're just trying to put pressure on the oligarchs, you know, to say, hey, you know, you got to go talk to Putin and do something about this. And I'm hoping that the people who listen to this, if it's still in Ensenada when you hear this, go out there and, you know, maybe just carry a little sign and tell them to, you know, go away, or they're not welcome. Make sure that these people know that you don't approve of what Russia is doing in Ukraine, and if Mexico, if you guys, you know, want to go ahead and seize it, then I thought, all the better.

You had an article on your website, or a few of them, didn't you, where you were talking about using OSINT to find the yachts, is that right?

Exactly. We started that on the day that the war began, and we can take some credit for having played a role in probably a half a dozen of them being seized.

I saw that someone sunk or did something to one of the yachts, and yeah, I know a lot of European governments have seized yachts. I just read today that the
Netherlands has seized yachts that are getting built or something.

That's part of the anti-war effort, you know. Who knows what's gonna happen, if the war would end tomorrow, but it puts pressure on the oligarchs. And these, by the way, I don't know how much your listeners understand how these people made their money. I mean, when you make billions of dollars there's usually something a little nefarious in there, but in these cases it's particularly nefarious, because almost all of these oligarchs have made their money by essentially taking the assets of the old Soviet Union. In the old Soviet days, all of the assets, the mining companies, the gold mining, the oil, the gas, were all owned by the state. When the Soviet Union disintegrated in the 90s, these assets were basically distributed to people who were close to the Kremlin. So these people were basically given the assets of the people of Russia, and that's where their billions come from. It's not because they worked hard and worked their way up the ladder. They basically leveraged their contacts within the Kremlin, and the Kremlin gave them these assets, of which they have made their billions of dollars. They're basically thieves from the Russian people, okay? The Russian people are just as much victims as the Ukrainian people are. So that's why I want to start off by talking about that, you know.

That's okay. I actually wanted to talk about SCADA, or SCADA, but we can talk some OSINT first and then talk about SCADA, because, you know, that seems to be a big risk. Sorry, go on. So let's talk about OSINT a bit, and then we can come back to SCADA.

So I'm done with my little bit about the oligarchs, but I also want to start off with another caveat before we go on, because I get a lot of comments, and I read a lot of the comments from the last interview, and I don't know how well you go through them, but there's a number of disparaging remarks in there.

Yeah.

And I get
a number of disparaging remarks in Twitter, what have you, and commonly what people will say is, you know, you are CIA, NSA. And I want to say right now clearly, I am neither NSA or CIA, okay? And the other comment that I get is that, well, the United States has done all these horrible things in Afghanistan, Iraq, what have you. And I agree. I am an American and I cannot agree with you more that U.S. foreign policy has had a horrendous record over, well, the last hundred years, right? I mean, you can go back, well, probably longer. The Mexican-American War in 1848 was a horrible war where the United States just basically invaded Mexico and stole half of Mexico. But, you know, we can go on and on about its record in Central and South America.

Say the same about the UK. I mean, how far back do you want to go? You could say the same about Spain, you know. I'm originally from South Africa, and I mean, we can talk about the Boer War and how England locked up people in concentration camps. I mean, it's all...

Right, yeah, I can agree that the UK has a horrendous record and Spain has a horrendous record, the U.S. has a horrendous record, but this isn't about the US, this isn't about Spain, this isn't about the UK, this is about Ukraine, and we need to focus on that. We cannot let this break down into a U.S. versus Putin war. Ukraine is an innocent victim here, and we need to focus on that. So don't send me all your comments about the horrors of American foreign policy. I know, I agree, okay? But this isn't about American foreign policy, this is about Ukraine. So I want to start off by putting that out there.

Do you have, like, content about OSINT, or recommendations about, like, how do you go about this? If you knew, and you just want to try and, like, either for curiosity or to try and help, how would someone start this?

There's a whole section on OSINT. If you go to the far left tabs, there's an OSINT tab, and you click on that and there's a whole bunch of OSINT articles. There are various ways of using OSINT. I also teach a course on OSINT. OSINT is one of those things that you don't have to be all that technically capable. There's a lot of websites that'll help you, but there's also some tools that you need some Linux skills. So some of the tools that we use are Linux only, and you got to be able to install them and use them in Linux to be able to do good OSINT. But there's, you know, there's tools like MarineTraffic that anybody can use, it's a simple tool. I also use RadarBox, a tool for tracking aircraft, and of course you can also set up your own software-defined radio and track aircraft and ships in your local area. So if you are in a town that has a marina, you can track what ships are in your marina. You don't need those websites if you have software-defined radio and a simple receiver, like a 30 dollar receiver. You can track all the comings and goings of all the aircraft in your area as well.

So on the OSINT portion of your website, that's a great place to start, and that can lead, like, to other roads and other places that people can learn more about.

Yes, yeah, that has about, I don't know, 20 or 30
tutorials that people can get started in OSINT with. OSINT is a huge field, and it's a really rapidly growing field, and it's becoming a profession, okay? I recently taught the class and we had people who were professional OSINT people, who work for government just doing OSINT. And so this is a field that people have overlooked, and I think have overlooked as a career choice. This is a new field that governments and companies are hiring people just to do OSINT. So for instance, there's the obvious ones that we have talked about in tracking assets, but what's overlooked, I think, is there's a financial aspect of OSINT too, there's an environmental aspect of OSINT. So, economic: you can track, say, what's going on in different businesses by, say, viewing satellite photographs, okay, of that particular business. You know, one of the things I put a tutorial on, I don't think it's cataloged in that page yet, but basically we're looking at a Walmart and just counting the cars in the parking lot. So say my task is to determine how this particular store is doing. I can use photographs over time, okay, of a particular location, store, what have you. In this case we're looking at what was, you know, the effect of the pandemic on this particular store's sales, based upon counting the number of vehicles in its parking lot. OSINT has been used for a long time for hacking purposes, penetration testing. You can get people's email addresses, you can get their physical address, you can find out who owns what car. There's almost unlimited number of things that you can learn in OSINT. OSINT is really the techniques of the modern private detective. I mean, you can find just about anything about anybody, okay, through OSINT techniques.

Except you, well, hopefully that's true. I don't know if you saw the comments where they were saying you're giving too much information about yourself.

Yes.

And I'll link your Twitter reply to that below, or you can say
it now if you want.

Well, what I said is that I've been doing this for a while, quite a while. Yeah, I've been doing this for a while, and I tend to give out false information to take people on false trails, because I know, I'm an OSINT guy, right? You know, I know how to trace people, okay? That's what I do, right? And so I give out false information to take you in the wrong direction. So if you think I'm giving out too much information, that's fine, go trace it, okay? It's not going to take you any place, or it'll take you to somebody else, okay? And that's what I want.

You've got a Twitter account, but it's all in Occupy the Web's name. So I just think, you know, we had a lot of comments on the previous video about stuff like that. Yeah, try and do OSINT on Occupy the Web, you're probably not going to get very far.

I welcome people to try. I mean, a lot of people have, and I will tell you that I'm not entirely anonymous. One national intelligence agency came to me a couple years ago and said, we know who you are, and listen, okay? But they also said, and we won't tell anybody. And that was, I was nice to them, they haven't.

So what do you think about phones? If someone wants to be private, do you recommend having a phone, or not using a phone, or like, what kind of phone, like a flip phone? How would you, like, kind of hide your stuff, if you like?

Well, you know, I have an article on Hackers-Arise about, you know, somebody had asked the question, can the CIA track my every movement by my phone? And my answer is yes. Yes, they can track everything you do by your phone. Which kind of brings me to, just before we went on air, one of my colleagues sent me some information about a Russian officer that he is tracking in Russia, his movements via WhatsApp. I may put that online here a little bit, but we're watching him because he seems to be moving towards the border of Ukraine. He's not in Ukraine, he's in Russia, and we're tracing him as he's moving towards Russia, which may be a prelude to more troops
moving to the Ukraine. But in any case, yes, I mean, intelligence agencies, or anybody with your IMSI number, can trace every place that you move. Some people say, well, I can turn off my GPS. That's great, you could turn off your GPS, but you still have to connect to a cell tower. You have to turn the phone off entirely to not be traced, because as soon as your phone is turned on it connects to a cell tower, and that cell tower is giving away your location. If you're in a really crowded, say, urban area, those cell towers can be triangulated down to your location to about 500 feet. If you're in a rural area it can be as much as, I was just working with a government agency the other day, that they had somebody they were tracing, and it was a very rural area, and they could only get his location down to about 2,000 square feet, which wasn't enough. But yeah, that gives you some ideas. If you're in an urban area, they can get you down within about 500 feet. If your GPS is on, they can nail your position within a couple of feet.

That's crazy.

So if you want your location to be anonymous, you know, one of the things that's an option in the US are what people refer to as burner phones.

Yeah, okay, burner phones.

I know, I think I know, in Germany and much of the EU burner phones are illegal. You probably have a better idea than I do.

Yeah, I think they've kind of restricted it, and I know in South Africa as well. It's like, to get a SIM card you have to go through a whole, and South Africa's even more crazy about it, you have to go through a whole process to get a SIM card, right? And so that way they know who has the SIM card, right?

But in the US you can just go in and buy a little flip phone, or what have you, even a smartphone, for less than a hundred dollars. Some of them are thirty, forty dollars, and then you pay cash for it. No identification required.

Yeah, no identification required. No, you need that over here.

And so that kind of phone makes it, you
know, makes you anonymous, if you want to use that. And people do use that. I use one, okay? I have my regular personal phone; if I'm doing business, you know, in this business, I use my burner phone, which is untraceable.

So do you change your SIM card on a regular basis? And I wouldn't say what, what would you recommend, let's put it that way. Or do you just, because you paid cash, you got a SIM card, there's no record, you're okay with that?

Yeah, that works. That works fine. It's pretty hard. It's not impossible, okay, nothing's impossible, right? But it's pretty hard to trace, okay? So once you've purchased essentially a SIM card with cash, there's no connection, okay, to be able to trace that phone to the individual.

And you use a burner phone that's not like an iPhone or fancy Android, it's like a basic, basic phone, is that right?

Yeah, it's a basic, and that's basically what's for sale, these burner phones. So it has to be off the main carriers, right? Because the main carriers, in the US at least, they require that you register a person. You have to pay for it on an account with a credit card or a bank account, what have you, so it's all linked to you. These smaller carriers, you know, will allow you to pay cash for everything, so there's no way to trace it back to the individual. Well, I'll just give you an example, is that in the U.S. we had this insurrection that took place on January 6th of last year, and we're now finding that many of the people who participated were using burner phones, which makes it very difficult to be traced. And it may include the former president. [Laughter] He may have been using a burner phone as well. There's a big seven hour gap in his phone logs. So in any case...

Yeah, we'll avoid that, we won't even mention the name, because it'll cause problems on YouTube. But yeah, I know what you're saying. Yeah, do you want to say anything else about, like, how do you stay private? Because I mean, if you have a fancy iPhone or a
fancy Samsung or whatever, you're really worried that you can be tracked. Like, I think we spoke about it last time about using Tor, using something else, proxychains.

Well, I have a class, as a kind of a little pitch. After our last interview it occurred to me that, you know, I've been doing this for a long time, maintaining my anonymity, and I take it for granted the things that I do to stay anonymous. So I created a class, right? And I created a class in May on how to stay anonymous, and we're going to talk about all the techniques, even to the point where when you're online you need to use, like, different, ideally different machines for your business purposes and personal purposes, okay? Different browsers at the very minimum, okay? Because the cookies in your browser are going to identify you. So if you're using, you know, say, Mozilla Firefox on your personal account, okay, whether it be Facebook or your bank, and then you come back and you're using that same browser and doing, you know, hacking stuff, you know, you can be traced by the cookies in that browser to your identity. So you have to be careful not to use the same browser. So those are the kind of things we're going to be working with in this class, and I think it's in late May we're going to do a two or three day class on how to stay anonymous.

Give us some teasers, sorry.

These are the things that we're going to be talking about. I mean, the NSA now uses a technique where they actually can identify you by your writing style. So what they've done is they've cataloged all of the writing on the internet, all right? And all the writing on the internet, everybody has a slightly different style. If they cannot identify somebody, they begin to look to match that writing style with, they have a catalog of all the writing styles with all the particular characteristics of that style, and try to match those together. It's one of the many techniques that NSA uses when they can't identify somebody, and they
don't like when they can't identify somebody. As a matter of fact, I would say all of the intelligence agencies, okay, not just the NSA, okay, but all of the intelligence agents, they don't like somebody in their playground that they don't know who they are, okay? They work really hard to identify everybody in their playground, because they feel like this is, you know, the internet is, that's where they work, it's where they try to control, and they don't like to have anybody in there that they cannot go knocking on their door, okay? They want to know who these people are and where they live, okay, because that gives them a lot of power. So they have multiple techniques to try to identify everybody who's on the internet.

So I mean, like, what you could do, like, would you recommend, like, having a whole separate physical machine, or will a virtual machine running, like, Kali or something be good enough?

I would recommend that you have an entirely different system, but you know, a virtual machine, some people, that's not an option, right? But if you have the resources, I would recommend an entirely different system for personal versus professional. You know, the other thing, of course, is that your IP address can always be tracked, right? So whenever you're on the internet your IP address can be tracked, unless, for instance, you're using Tor or a proxy, okay? Elon Musk's new service, the Starlink, which is what I'm using now, all of the IP addresses link to the central office. So normally your IP address can be linked to the city, okay, to where you live. In Starlink they only have, they have two offices, and all the IP addresses link to those central offices. So somebody would have to get into Starlink's log files to be able to trace the location. So right now they have two locations, so all the IP addresses either go back to California, where their main office is at, or to Colorado, where they have a regional office there. But that just gives another level of anonymity. Even if
somebody, you know, can trace the IP address, they're not even going to get to the proper state and city of where you're at.

Seeing that with the cell phone networks as well in the UK. I don't know if it's the same over there. The cell network in the UK, it only goes to the regional office. No, I've just seen that, like, sometimes when you're on your phone and you do a search for an IP address, it'll come up in a different city totally. It won't be where you are.

That's true of all the IP addresses, even, you know, on landlines or cable, because what happens is that they have these blocks of IP addresses, right? And they'll say, okay, this block of IP addresses is for Birmingham, England, all right? But if they have a need in another community, they'll just transfer some of them over to theirs. But usually it's close, okay? It's not necessarily precise.

Yeah, I've seen landlines are much closer than cell phones. But yeah, I mean, I like what you're saying about Starlink, sorry, good one, let's start again. Starlink is different. Starlink doesn't publish where the IP addresses are at. When you trace the IP address it goes to the central office. So someone would have to get into their system to know where you are, kind of thing.

Exactly, to know even, you know, the state that you're in, much less the city. But yeah, I've traced them and they go to two different locations, they go to the main office and a regional office.

Any other quick tips? I mean, I don't want to take the whole course away, because I mean, obviously you're going to go into a lot of detail, but like, any other tips? I want to talk about SCADA, but any last tip about, like, how does Tor, like, hide your identity online?

I think that's probably all I want to talk about for right now, but there's one other thing that I did want to mention before we get into the SCADA.

Yeah.

And that, you may have noticed that last week that the Russian government put out a threat against all the people
who've been working against them on the cyber war, and they've threatened us, okay? So I want people to know that that's out there, you know. Russia is threatening us now. That can be scary, okay, one of the reasons you want to try to stay anonymous. But also that means that we're having an impact, okay? They wouldn't be threatening us and starting to come after us if we weren't actually having an impact on them. So I see it as a good thing that they're threatening us. That means that we are actually having an impact on this war effort, or anti-war efforts, okay? But yeah, be careful, all right? Because they have said they've identified 17,000, 17,000 IP addresses. There's a lot more than that that have been participating in this, but they are now threatening. I have detected some anomalous traffic, okay, on my network in the last week, but I've been able to deflect it. They're not Russian IP addresses, but I don't expect Russia to be attacking me from Russian IP addresses, right? The fact that we'll be able to do this interview is actually a good thing, you know. This is telling us, telling me, that I still can function. But I was getting some traffic that was worrisome last week, and I don't know where that was coming from, but I was able to deflect it and get back online.

It is a worry, and I mean, my advice to anyone is, you have to be really careful what you decide to do with the information that we're sharing.

Yes, yeah, you have to be very careful. And I commend everybody who has the courage to do the right thing, and that is to try to stop Russia from basically flattening Ukraine. And we saw this past week what Russia has done, where they, you know, they've left these towns and they've just executed, you know, hundreds of people and thrown them in mass graves. This is the greatest threat to peace and stability in the world in our lifetimes. I get all these comments about, you know, people know that I'm in the U.S., I'm an American citizen. I don't necessarily agree with U.S. foreign policy, okay? But one of the things I want to say is that I've been a student of Russian history for a long time, and I understand Russia's need for a buffer, okay? That's always been important to them, okay? Throughout the last 300 years they've always wanted a buffer of states around them, because they've been attacked by the West multiple times, all right? So let's just be clear on this, okay? Russia has been attacked by the West many, many times, okay? 1917, 1943, 44, 45, and you can go all the way back to Catherine the Great's time. So I understand that need for a buffer, but that doesn't give Russia the right to basically turn Ukraine into rubble, okay? That doesn't give them the right. I understand it, but you can't, that's not acceptable. Maybe there is an acceptable way to give them the security guarantees they need without basically flattening Ukraine, and I would be in favor of that. I understand their concern. So that having been said, we can move on to SCADA.

No, that's fine. I mean, I think it's important, and this is why I want you to say your piece, if you like, or say the reason why you do this, because everyone has a reason for why they do things. It's important that you, you know, share why you're doing this and why you believe in what you're doing, and I want to give you that opportunity to do that. So thank you. On the last video, or interview, we discussed the nuclear option, as you put it, about attacking industrial systems. If I understand correctly, that's about SCADA, and like, the systems controlled by SCADA.

All right, yeah. What I've been saying is that SCADA, industrial control systems, okay, SCADA, supervisory control and data access, and ICS is industrial control systems. These are the systems that run everything in our industrial lives, whether it be water systems, manufacturing systems, electrical systems. All these things that we're so dependent upon are all digital, and they
are targets in a cyber war. I consider that the nuclear option. Now, we should point out that Russia has used that nuclear option against Ukraine on multiple occasions in the last few years. We need to step back a little bit and understand that although this ground war started on February 24th, there has been an ongoing war against Ukraine for almost 10 years by Russia. It has included the occupation of some territory in the east, in Crimea, but it also has involved a cyber war. They have been constantly, incessantly harassing the Ukrainians with attacks against their infrastructure. They knocked out the lights, the electrical system, in Kyiv in 2014, okay, in 2015, all right? They've done the nuclear option against Ukraine, okay? They used BlackEnergy 3. It was a piece of malware that they developed. It was fairly sophisticated, okay, but the way that they got into the system was not sophisticated. It was a social engineering attack where they got into the corporate network. So in the SCADA world, the ICS world, companies are encouraged, or best practice is, to keep the corporate network and the SCADA network separate, okay, so that if your corporate network gets attacked, the attacker can't access the industrial part of your network. The Russians in this case got into the corporate network through social engineering and then were able to get into the SCADA network of the electrical grid and turned off the lights in Kyiv. They have already implemented SCADA attacks. They've also used another piece of malware called CrashOverride to attack the electrical grid in Ukraine. Gosh, there's been a number of attacks that they have used. So they have already begun using SCADA/ICS attacks against Ukraine. Right now we have not seen, okay, since February 24th we have not seen a successful attack against Ukraine's infrastructure, nor have we seen a successful attack against the West in SCADA/ICS. I think that that is because Russia knows that if they do
that that literally will be the nuclear option even though russia has gone to great lengths to secure their industrial systems they know that they're not totally secure and that hackers around the world could turn off their lights turn off their industrial systems turn off their water systems and they could be plunged into darkness and crush their economy their economy is already in difficult states but so far we haven't seen that kind of attack from russia i'm worried that if the war continues to go badly for russia that they will trigger that nuclear option there have been warnings but they should also understand and i think they do understand that if they do that the west will respond in kind and it will not it'll be very ugly okay and i think those in the west should be prepared okay and should be vigilant for these types of attacks coming from russia and on our side we are preparing okay for the day when those attacks are unleashed and we will unleash attacks against them and that's why you call it the nuclear option because it becomes like this thing where i'll destroy your economy you'll destroy my economy and no one wins is that kind of exactly the idea yeah and right now it's kind of the idea the old nuclear mutually assured destruction right remember the mad doctrine so that if i use a nuclear weapon you'll use nuclear weapon we both are dead all right and and that's why i refer to this as the nuclear option if one side uses a nuclear option the other side knows that the other team the other side has the option as well and then everybody's in the dark all right and the economies in our modern economies nothing can run without digital systems right everything has digital systems for those of you who aren't familiar with scada ics probably say in the industrialized world that every industrial system okay no matter what it is no matter what you're making you're making chemicals you're making widgets you have an oil refinery a chemical plant you have what are 
called programmable logic controllers these are small simple relatively simple computers okay that control the process and these small simple computers are vulnerable to attack and by getting inside these systems okay say an oil refinery and you can access these plc's of which there may be hundreds of them thousands of them in a big plant you can control the switches you can control the valves you can control everything that goes on inside that plant if you can do that then you can shut the plant down or even worse make the plant into a weapon one of the famous ones was the colonial pipeline wasn't it recently in the u.s what was 2021 yeah may 2021 what happened in may 2021 was that you know we don't know that it was russian state hackers sometimes it's hard to distinguish between russian state hackers and then the freelancers in russia but you know that's the same true of the west too the the nsa for instance contracts a lot of their hacking out to private companies and everybody does this in the west russia does it too right there is the state hackers and then there are the contractors and the contractors sometimes are just as efficient and effective as the state hackers so in russia there's a number of different hacker groups some of them are state sponsored some of them are kind of contractors to the state but somebody hit the colonial pipeline with ransomware in may 2021 so that's not even a year ago and they hit the rams hit with ransomware and eventually um colonial pipeline paid the ransom uh and it was able to get the line back on it's a major pipeline between the refineries in the gulf coast of the united states and the population centers in the east coast and so what happened it became major shortages of gasoline in the major population centers the price spiked it only lasted for a few days but you can imagine a case where you know say a nation-state actor hit all of your pipelines in a country and there was no gas and no no gasoline no natural gas no 
oil you could bring an economy to a screeching halt i like the analogy that you um use that it's kind of like nuclear because if people start doing this people can die i think you've got this great article where you say that the key difference is between security of scada and traditional ids i.t systems and the

audience that watches this are mainly i.t people i would say um have more experience with computer networks so perhaps you can give us like a a quick overview of like from an i.t person's point of view like what's the difference difference between a scada system and like a traditional i.t system there's a number of things that make it distinctively different than our traditional tcp based systems probably the most important thing is that in a scada system you are protecting the process you're not necessarily protecting the data so we're used to this idea of you know confidentiality protecting our data okay but in a scada system you're protecting a process because if the process goes awry then the whole plant could blow up for instance if it's a if it's a refinery if if one switch one valve isn't open properly for proper amount of time the whole plant could blow up a good example that was we had a situation in texas where an entire two billion dollar refinery blew up a few years back because of malfunction of a single valve it wasn't a cyber attack it was just a malfunction of a single valve the whole plant blew up killed 50 people but it could have been much worse if it had been near a large population center that's what i was talking about in that the scada attack can turn an industrial process into a weapon literally where people lose their lives all right so we're not protecting data we're not protecting social security numbers and identities right or ip intellectual property protecting a process and that's really different the other thing that makes it really distinctly different is that we're used to the whole tcpip suite in scada systems we have over 200 different protocols okay that are running these systems the most common of those is modbus and it was the first protocol these are serial protocols so these are protocols that were developed you know before we really had proliferation of the tcpi suite in the 80s 90s so these are serial protocols they're 
meant to communicate serially kind of like the old connection between the old serial ports on old pcs that would communicate between your printer and your pc that had limitations on speed and limitations on how many devices could be on it this is what these protocols run they run under a serial protocol modbus is the most common but you also have things like profinet which is used by siemens you have opc which is opc is kind of like a universal protocol crash override the attack against the electrical grid in the u in ukraine one of the things that was interesting about that attack is that they actually used opc opc is kind of a universal protocol that allows different protocols to speak to each other so the rush the russian-made malware used opc so that it could communicate to the different elements within that particular industrial plant but it's one of the challenges of being able to write malware for scada is that you have all these protocols you can't just use tcpip to be able to launch an attack you have to first understand who the manufacturer is what plcs are in there what protocols they're using okay and then map out actually the commands that are being used within the plant and that's a big job it's not easy to do i'll give you an example is probably the really first scada attack we ever saw was stuxnet yeah okay it's a fabulous one just for the everyone who's young can you can you give us a quick overview of it stuck for them i mean they attacked the iranian nuclear facility the enrichment facility what they did is they took actually took years to develop a very sophisticated piece of malware and what they did is they tracked the siemens plc siemens the german company who makes many things including programmable logic controllers they tracked those programmable logic controllers to iran and then they began to develop malware that would control those programmable logic controllers within the natanz facility natanz is a city in iran where they enrich 
uranium so they have a big centrifuge their centrifuges to enrich uranium which then can be used for either weapon purposes or peaceful purposes depends upon how much you enrich it in any case the what they did is they built this malware that he got into an air gap system it got into an air gap system right that's that's one of the big mysteries about that that whole piece of malware is how did it get into the facility that was air gapped the speculation that it might have been brought in on a thumb drive or there may have been a you know a double agent inside of the facility what have you but in any case once it got in to the facility it then rewrote the code that controlled the centrifuges so it made the centrifuges spin at rpms that either destroyed the centrifuges or just weren't able weren't capable of upgrading uranium to a level that would be useful to the iranians so that's a that's a really really sophisticated we've never seen anything quite that sophisticated we've seen a number of different scada malware coming out of russia that is pretty sophisticated okay we've seen the triton came out a couple years ago and that came out of russia and it it targets the safety systems on refineries and other petrochemical plants so schneider electric is a french-based company they almost all of their plc's run on modbus one of the things that they build are systems that are kind of like fail-safe systems so that if something goes wrong it automatically will shut the plant down make sure that the plant doesn't blow up so tritenex goes by different names uh known by different names actually basically disables those safety systems okay yeah so essentially then the refinery becomes a weapon is it wise that companies whatever are connecting these scada systems to the internet i mean why on earth are they doing that if it's such a high risk because i believe i mean you can correct me if i'm wrong but modbus is not encrypted is it no almost none of these are encrypted 
that's that's one of the problems because you have serial connections inside the plan right in the media can't handle a lot of data so you know really lightweight protocols and so you you have these systems that one don't have the processing power to encrypt and they don't have the media to carry encrypted data almost all of them don't use encryption so that's you know that's a big problem right there is that you've got all these these communication in these systems it's all unencrypted now some modern systems that have been built in the last few years do have encryption they're basically been added into the system now but most of these plants have been built in the last 50 years right yeah and you can't you can't take a 50 year old refinery and go ahead and take out all the plc's and and and and go ahead and put in new systems i mean you could but it's very expensive and people don't we've got these systems around from the 70s and the 80s that you know they are very vulnerable to attack modbus in its native form is not encrypted now schneider electric does sell a a version of modbus that is encrypted okay so that is out there but most of the modbus is not encrypted so you were asking why do they connect them to the internet well that's a really good question i mean the the answer is is for convenience right is that they need to monitor these systems right they can't or they don't want to or choose not to having somebody 24 7 inside the facility managing and monitoring them i should tell you that i've worked with a group who manages some major um dams those types of facilities and they have chosen not to put them online all right thank goodness yes yeah because i mean that those when we talk about industrial control systems a dam okay a lock those are all industrial control systems and they all have these plc's in them and so this one group that i was working with they've chosen to not put them online because there's no way that they could make them safe so they 
manage everything internally okay on site 24 7. these plants all over the world could do the same but it's an inconvenient it's expensive right so almost all of these facilities are online so they're they're serial connections inside the plant and then there's tcpip at the gateway you can actually communicate via tcpip into the plant okay through whatever port they're communicating on in case of modbus it's port 502 in the case of it depends upon what protocol they're using there's a whole range i said there's about 200 protocols there's probably about 10 that are widely used on your website you you use the specific tool you're using google docs and then this application to identify skater systems online and you could actually view it is that right so could you talk about that yeah i mean you could use google dorks or you can use showdown i mean i use showed in shodan works really well or census and there's a number of others it used to be one of my favorite tools was one called spice um that's also an osn tool but spice just went down yesterday it's located in ukraine so they're offline but they had a really good tool hopefully they'll come back after the war but these are tools that basically scan the entire internet looking for various characteristics that they then put into a database that you can search showdan's probably the simplest to use so for showdown you could just simply go into showdown and say hey i want to find all the systems in the world that have used port 502 port 502 is modbus it'll show you all those systems there's a lot of them there's thousands and thousands i think in russia we found 366 okay and i published those ip addresses on hacker's rise and you can download the list of all the ip addresses that use modbus in russia and they're all vulnerable you can communicate through port 502 to those systems um depending upon you know how secure the system is it wasn't just a few years ago you could go in there and actually send commands into 
these systems from anywhere in the world yeah it was crazy okay if you really look hard on hackers arrives you'll see a tutorial i did in 2016 where i went into a skater plant and took root access took control of the whole plant okay in 2016. yeah and then when i did that tonight it was a schneider electric plant i published it online and schneider uh got very upset with me can you imagine yeah i got lots of nasty emails from schneider but the the the good part about that is that after i published it they immediately fixed the problem right so i was able to get inside get root access on their system i i was capable also of putting myself in as a user of course i have root access right so i can do anything but i was able to put myself in as a user on that system in that plant and if i wanted to i could still have a user access probably there today but i didn't i just went in to do it to show the world how how susceptible these plants are to this type of attack and thank goodness that schneider was alerted to it what happened is that the voice of america did an article right after i published it voice of america did an article on how susceptible scada plants are and they used my article as an example of how easy it is to take over a scada facility that's what got schneider very upset with me and they eventually sent out a patch but they had known about this they had known about the vulnerability before i exploited it they didn't do anything about it so it took me showing the world that i could take over an entire plant in just a couple of minutes okay and have root access and control over everything for them to do anything about it so some people might condemn me for having done that but quite frankly i believe it's a safer world because i did it sounds like the days of bug barney before bug boney was a thing i mean they should be thanking you for doing that they should be paying me for that exactly exactly and all those and all those facilities who are safer now 
should send me at least a thank you card exactly i mean can you i mean if you hadn't done that and um we in today's world i mean anyone could do that then yes anybody could do it and it's it's pretty simple it was a pretty simple attack and there's a number of other attacks that are pretty simple against these facilities i mean you can get into really sophisticated attacks against these facilities but there's also some really simple attacks that work against many of these facilities not all of them because one of the things that scada ics is marked by is is so much different they're so they're all different so you have to the attack has to be pretty much targeted to that facility or facilities similar to it and with 200 different protocols and at least 50 companies making plcs you kind of got to know you got to do your research to be able to understand what is involved in attacking that particular facility but in a scada you know ics cyber war you've got some really talented people on both sides who are willing to invest the time and money into doing it just like the us did against iran i mean that was a really they've invested millions of dollars many millions of dollars of research into developing that stuxnet in some cases like in the one that i demonstrated in 2016 that was pretty simple right as security's gotten as these systems got more secure the attacks are going to have to be more sophisticated and they are but there's still this huge risk is that right i think there's a huge risk i i will not be surprised if we don't see facilities being knocked out in this war i would be surprised if we do not see facilities knocked out in this war both in the west and in russia i hope we don't i think that putin is not willing to lose this war okay and you know as he has threatened to use literally literally use nuclear weapons he may very well choose first to use this nuclear option against these industrial facilities if if he went and had and for instance you know 
turned out the lights in poland right now that would make it pretty hard on the polish people would that trigger article 5 of nato we don't know the answer to that question for those who aren't familiar nato has an agreement all the nations you know agreed to to that attack against one is again attack against all and that's article five so is a cyber attack against a nato country you know is that gonna trigger article five where it brings in all of nato i don't know i will tell you that i'm really worried about poland because i know that the polish systems are very vulnerable i scan the systems of the world all the time and you know i've watched russia get more and more secure in their scada systems i've watched the west get more secure not quite as secure as those in russia mostly because you know the russians mandate security in the west almost all the scada systems are owned by private companies and the private companies choose to either you know spend the money to be more secure or not right and that that creates a problem right it's hired in the west to say everybody must do this okay to make your systems more secure in russia they can do that they say everybody must do this and so their scada systems have gotten very secure in recent years i worried about poland because poland is not secure okay there's a lot of vulnerable systems in poland and so if i were the russians and i'm not and i'm not advising it but that's where i see the greatest weakness and vulnerability in nato okay is poland poland still hasn't brought up their security up to what it should be on these systems and i'm sure that russia already knows this i'm not telling anybody telling them anything they don't know already so you know it's one thing to steal someone's credit card data it's a different story to blow up a oil refinery or something exactly it's quite a big difference in scale you blow up an oil refinery you not only kill thousands of people but you also disable the economy and you 
don't build an oil refinery overnight if you steal somebody's credit card information you know you can disable the credit card get a new credit card somebody steals your password you change your password use two-factor authentication you blow up a oil refinery we're talking about a five-year project to rebuild it europe is already very dependent and maybe in a deficit in energy because of the war so that might very well be the target that russia chooses if they decide to use scada ics attacks so what's the recommendation for companies disconnect their systems from the internet or what can they do ideally they disconnect from the internet but that's not always an option for them i mean i've gone into systems where there should at the very minimum be some sort of authentication there's no authentication so i've been able to go inside a system that have don't have any authentication you could white list ip addresses okay so there's simple things that you could do right you can just say only these ip addresses are allowed in and most of these systems have a white list that you can enable but nobody's enabled them like for instance the the the system that i went into in 2016 built into that system is a white list they could have enacted a white list but they didn't so any ip address could come in so there's no authentication there's no white listing i mean those are minimal things that they need to do those are very minimal things that can help a lot right so if some some actor out there somewhere in the planet comes in with an ip address is trying to enter into the system you know you basically block their ip address it's very simple you've experienced a bunch of the comments on our last video i get these comments all the time i would never do that that's dumb like when you demonstrate some bad security but i mean i'm pretty sure well you can you can say it and tell me if i'm wrong but a lot of systems people don't do what they're supposed to do um yes that's exactly 
right people don't do what they're supposed to i had a comment from a guy the other day who i published the default passwords on all these systems he goes nobody would ever leave the default password in place exactly and i said go watch my scada ics so i did i taught the class just recently and i was able to get into several systems on on basically default passwords and and have root privileges on them and and i i did it in class and there's video of it so um and it's just randomly chosen i didn't scout out these systems ahead of time we said okay let's try this one out with default password let's try this one out deep and i was able to get into several with default passwords so the answer is is that all of us are short of time all of us meaning all the it professionals all of us who are involved in security we're all wearing multiple hats we all have a million things to do every day and in particularly in smaller companies that are short staffed the the person who's in the seat today o

2022-04-26 10:03
