
Good morning everybody. So first of all, I really would like to thank the BSides team for having me here, and I am really so happy to be back in Israel. I absolutely love the country, and I am especially pleased, of course, that I was given this fantastic opportunity to open this event, so thank you very much.

So, as you probably could have guessed, I am from Ukraine, and this war of course concerns me more directly, and this is where we will talk a little bit about this hybrid war, a term which has existed already for probably 10 years while not having a war; and actually, for the first time, we actually have the hybrid war, even though it has been in the newspapers forever, and we will understand this. So there had been a large anticipation that cyber would have one of the cardinal or main roles in this war, and it just did not happen. So why? This is what I will talk to you about.

So, you know, I left Ukraine. I was born, I grew up and I spent most of my adult life in Ukraine, so when I left Ukraine in 2005, I became painfully aware that at times I was the only Ukrainian on the international scene. So I felt like it was always maybe my role to explain to people who Ukrainians are, to be a good representative of this nation. And you may recognize a T-shirt: when I was at the CCC camp in 2019, it coincided with Ukrainian Independence Day, so I put on my T-shirt and marched through the camp. If you have never been to the CCC camp, it's fantastic, it's international, it's really a fantastic place to go, it's a whole week. So, just to say: well, this country exists. And then of course on February 24 our life changed, and I will speak a little bit more about how I interacted with Ukraine before and during the war. But I just stopped even putting on my makeup, because day by day I was just crying, and actually the first six days I was in such a shock that I did not sleep, I did not eat at all. And Inbar, one of the organizers of the event, told me: "Marina, you know what, I really highly recommend you to sleep and to eat." I said, "I'm fine." He said, "You will crash." No. And guess what, a few days later I just crashed terribly.

So I am often asked where I am from. I am from Ukraine, so here it is, I circled it for you. And normally you would never even hear those names, but now even the Secretary of State of the USA knows that exact place. Why? Because two or three days ago Russia launched a rocket at the shopping mall in my native town, and two of my relatives... one of my relatives, my sister-in-law, was in the parking lot as it happened; she was just heading toward the shopping mall, and my sister was working in the office next to this mall. And as my sister was joking: well, that's the mall where we bought your underwear before you went back to Europe. Great, now the Secretary of State of the USA is aware of the shopping mall where I bought my last pair of underwear. Surrealistic.

So I have always been working closely with Ukraine. I left back then because nothing much was really happening with security in Ukraine, and then I returned to Ukraine as security started happening. So I have always had strong ties with the government, with the industry, with the private sector, with cyber security companies, and this year I even signed a contract with them on a lot of governmental projects, where right now Ukraine is doing really a lot of fantastic work in security. And the war and the danger were already in the air, so they organized Grid War, where I was allowed to participate as an assistant to the teams, to help them to play, because Grid War includes hacking critical industrial systems. It was beautifully organized and a lot of fun, really. And one of the directions which I was also leading was developing the national OT cyber security training, where I wanted to work together with Phoenix Contact to create the lab stands. As you can see, Ukraine always wanted to be in the European Union, and sometimes, just as an affirmation, you put a flag and maybe someday it will happen, and now it did. So this is what I was planning to build, such stands.

These are the people with whom I have been working in Ukraine; it was before New Year, we are all happy, my family is happy, we had a lot of plans for 2022. It was all fun, and I even left my pajamas and my flip-flops in Ukraine because I was supposed to return in January, but then I could not, because already starting from the middle of January it was advised not to fly, and basically everybody who could leave Ukraine was advised to start leaving, especially if you are foreign. And then my sister started sending me pictures as she is hiding from the bombs.

So now let's go back a little bit to hybrid warfare. Yes, no, is it happening, has it been before, is it a new format, is it old, what is it? And the problem is that there is of course a lot of over-hype. As my very good friend Manuel Artuc says, this war is conducted on the PPTs; I say it's conducted in the newspapers. We overuse and abuse wrong terms just to create a little bit more excitement: consultants need to create a little bit of fun and danger so that they can sell consultancy services, vendors need to sell their appliances. But the very definition of war is an intense armed conflict. So anything that we have been experiencing before, you can call it a political crisis, maybe even a military crisis, but mostly a political crisis; it is no war by definition. And this is why everything that we learned before, any events which were happening in peaceful time and were considered impactful and maybe unacceptable, are actually innocent and negligible in the war, and this is why we got it completely wrong about how this hybrid warfare was actually going to happen when it really would be happening as a military conflict with all of those components which belong to hybrid warfare. And again, if you look at the definition of hybrid warfare, it is a military strategy, so hybrid warfare is simply not applicable to peaceful times. Hybrid warfare has a lot of components: political, diplomacy, influencing masses, and so on; there are a lot of components, so cyber is just one of them. The problem is also that in the past, in peaceful times, when we spoke about cyber warfare, mostly people were referring to information warfare, which is disinformation, fake information, fake news and so on. But information warfare is a completely separate component; it's not even cyber warfare. So in the past we completely spoke about these terms wrongly, we were overestimating them, and this is why the anticipation about the role of cyber and cyber warfare in a military conflict or in real hybrid warfare was overestimated, and that is what we got wrong.

So you maybe think: well, who is she, how can she even talk about this topic, what does she know about this? So this is a little bit about myself. I specialize in the degradation and destruction of industrial, or basically any, automation processes or physical equipment by means of cyber attacks. So what the saboteurs do in the normal, regular army, I do the same, but by means of cyber attack. Basically I specialize in the offensive side of cyber-physical security, and as I was preparing the slides I figured apparently there is even a term for that, so I am a cyber saboteur apparently. I have more than 10 years in this field, so I can probably call myself a veteran. There is a book by Malcolm Gladwell who says you become an expert if you put more than 10,000 hours into something; in my field of work I probably put in at least seven times more. As I was learning and discovering this field, when I started working in it, pretty much nobody had been specializing in this, so I have been discovering a lot of different components: which exploits I need to develop, what are the difficulties, challenges, hurdles and so on. It was extremely difficult, because I had to obtain a lot of knowledge which is multidisciplinary. So the point which I want to leave you with on the next slide is that development of cyber-physical exploits, and I put "high precision" in brackets, because typically we have in mind what damage scenario we want to cause, requires a really significant amount of specialized knowledge and skills.

As I was working towards writing individual exploits for specific tasks, I really came up with this idea that I would like to execute a cyber-physical attack from start to end: this is a chemical plant, I know nothing about it, and at the end I need something like a Stuxnet payload which does what I need with that chemical process. And if you remember, Stuxnet took around seven years to develop, because they kept it a little bit before they deployed it. Interestingly enough, I'm celebrating the seventh anniversary of this research: even though I presented it on the big stage at Black Hat in the same year, I actually pioneered the talk here in Tel Aviv seven years ago at Cyber Week, basically exactly seven years ago. So I presented this cyber-physical attack lifecycle, and it was really the first time anybody spoke about exploitation like this, and I received a really giant amount of feedback from all kinds of people from all over the world. As I kept specializing in this field, I upgraded my cyber-physical attack lifecycle a little bit: I figured out that these two stages, feedback and response, I need to add them, because they are individual stages. I don't know if anybody here is a fan of the Mandiant attack lifecycle and you think that this looks like it: it does, and I've done it intentionally, because I wanted IT security professionals to feel a little bit as if it is something familiar, just different stages. So this is my specialization.

As January came and it really became apparent that the war was going to happen, the National Security and Defense Council of Ukraine asked me to conduct a cyber security training for all the owners, for all the people responsible for critical infrastructure in the country, which was a difficult task, because I needed to put together something very tactical, but I also had to teach this training online, which is again extremely difficult: sitting all day long and communicating just with your PC. But we all already felt that war was coming, and to be honest the atmosphere was such that through that computer I could literally feel every heart. I had heads of security starting from the national railways to nuclear and everything in between. Oops, I did something wrong, right? So yeah, basically we had been really strategically preparing so that every one of them could understand which scenarios are possible, what risks their infrastructure has, whether they can quickly prepare for the war, what to anticipate and so on.

As the war started, one of the first tasks which I was asked to assist with was: okay, we have a lot of critical infrastructure, oil and gas and power and whatnot, what scenarios? I was given a giant list of scenarios which, let's say, the people in charge (let's call them that way) were afraid could happen to our infrastructures, and they wanted to anticipate whether they should expect this to happen or not, and how to build the rest of the strategies. As I was going through that long list, it was just: no, that's not possible; that's not possible, there will be safety, there will be precautions; that will take a lot of time, that they will probably be able to execute in three months. And as we were going through that list it became apparent that we should not even be expecting any cyber attacks, especially because, if you remember, there were those giant waves of attacks in 2015 and 2016 where Russia was executing more than 2,000 attacks over the course of two months. But to execute that volume of attacks they had been preparing the whole year, because they needed to penetrate or get into a gigantic number of infrastructures, they needed a persistent foothold, they needed to be there so that at the time when they needed it they would not be kicked out. So it takes a lot of time. And obviously, especially after those attacks, now a lot of infrastructures are monitored, and we had seen nothing in the telemetry, so we knew that they didn't even have that access. So we had a very good anticipation, which was exactly right: I predicted correctly that the infrastructure would be destroyed physically.

And here it is important to understand that in general, just because in the news, whenever we find some piece of script or malware which is maybe related to OT, it is immediately predicted: oh my god, we have something like Stuxnet and tomorrow, I don't know, a blackout is happening. No. First of all, to begin with, even to deliver the payload you need to actually reach the assets where you need to deploy your payload, and it's a gigantic, lengthy process to move laterally; those assets are so far away on the network segments. I bring you here an example from a case where I was on the incident response and forensics: the Triton attack in the Middle East. Just to get to the needed assets, to the safety systems, it took the attacker 12 months, not only because it's a gigantic network which you need to discover (and I'm sure this audience knows very well what I'm talking about) but also because you need to stay silent, you need to stay stealthy so that you will not be discovered. So it took them 12 months even to get to the assets, and then, when I was doing the forensics, I could see the frustration of the guy: he does not understand why his exploit is not working, he has a 100 percent expectation that it should, it just does not, and he is just trying to make it work, and he was debugging his implant on the live controller. And this is where, as you can see, as he was debugging the payload, he failed the plant, so it went to shutdown, and eventually they were discovered. So all of that multi-month effort, and can you imagine how expensive it is also to keep those people busy, was simply wasted.

The point is also that even if you successfully find the damage scenario which will allow you to achieve maybe some prolonged effect on the equipment, and you even execute it successfully in cyber, it is not necessarily the case that the physics of the process will allow you to achieve what you want. You can try. If you remember, last year I think there was an attack on the water plant in Florida: the attacker just got in, just pressed a couple of buttons on the HMI, game over. It was over-hyped: oh my gosh, the attackers can poison us all. No, that was absolutely nonsense. So I decided to show: okay, if you really want to have, for example, taking war in mind again, a prolonged disruption of the water supply, you really need some smart scenario, and the smartest scenario would be of course that you need to damage the water filters, because without water filters you can't produce the water. So I really wanted to implement the scenario. I got access to a realistic, complete, one-to-one replica of a water treatment facility, and now I will just jump through a lot of slides, because the whole network was of course complex, it took a lot of time, and so on. So if I jump, even in a simplified form, and this is also presented in a simplified form: eventually the filter gets damaged if you reach overpressure on the membrane inside the filter, and the damage happens if the pressure exceeds two bars. So it doesn't matter what you do; even if you use every possibility to raise the pressure in that filter, with a lot of tricks and gimmicks, the only pressure which we were able to achieve was one bar, which is not even nearly enough to damage the filter. So imagine if the attacker is having this anticipation: there is a war, they need to interrupt water, they maybe already have a persistent foothold, they know exactly what to do, they have already studied the control logic and everything, the moment has come, they execute it, and oops, it's not damaging. And this is the point: we still did not learn how to strategically assess the reliability. There is no way for them to learn this information, what pressures they will be able to achieve, unless trying it on the live process; no documentation will tell you. If they try to learn it on the live process before the war, or let's say before the tactical moment, they run the risk of being discovered, and if they try to do this during their tactical moment when they need it, they run the risk of not achieving the effect they need.

So here's the point, several points which I want to basically leave you with. In the war, when we talk about kinetic war, we have strategy and tactics, we have very tight time constraints: sometimes you make a decision and in the next five minutes you need to have an effect. So cyber, because of the lower reliability, because of the long time to execute, does not work very well with those expected needs in normal kinetic warfare. And even if you are developing an exploit for the same industry, let's say we take water, it will be completely different water facilities, you need completely different sets of engineers, different sets of exploits, because there will be different equipment, the different sensor signals will have different noise and so on. Tuning those exploits, sometimes simply to get the processing of the sensor noise right and to parameterize your payload, sometimes I test up to two or three months, and that is valid only for a specific facility. So time to delivery, time to execute, for cyber warfare or exploits is very, very long, and you can never know in advance whether it will be successful or not; too many edge cases. In addition, the problem with cyber of course is that it is a one-time-use weapon: once you show how you exploit a certain piece of equipment, you can protect it. Even if you try to execute an attack, for example in the energy sector, every facility in the energy sector will immediately start threat hunting, they will try to find somebody in their networks. So you basically really need to use cyber sparsely, and it's expensive to develop such capabilities, really expensive in terms of it takes a lot of time and a lot of people, specialized people.

Actually, during this armed conflict the International Institute for Strategic Studies also published a paper where they studied what different nation states are thinking about their cyber capabilities. These are basically not even the conclusions of the analysts, but what nation states think about their cyber capabilities, and I highlighted for you a couple of words: that at the moment they still don't have enough knowledge about the strategic potential of cyber weapons, because they just don't have enough knowledge about their potential. In the military you conduct a lot of drills, you continuously shoot the bombs, you study the radius, time, impact of the air and so on; in cyber we just have not tried enough.

So yes, what has happened in Ukraine eventually? Very simple: all the critical infrastructure was destroyed physically. And especially, for example, if Russia was especially interested in a specific region, they not only destroyed all the, let's say, civilian housing, but they were specifically looking for the gas supply, water supply, electricity, heat supply, to destroy all together in one district so that you have a really full-fledged humanitarian crisis. So they have always been looking for that, and of course all the oil infrastructure, oil depots and oil refineries were destroyed pretty much at the beginning of the war. However, we know how rockets and bombs fly, you know the radius and everything, but you still need coordinates. So the big uncertainty of using a kinetic weapon is that you need coordinates, and especially if it is a small object, like a small substation or a small water treatment facility, you really need exact coordinates with decimals and so on. This is where they heavily relied on the army of saboteurs on the ground; some of them they sent from Russia or recruited a long time before the war, or they are actively recruiting them even right now. This is where Russia did not fail. They made a lot of mistakes in the war, we all see them, but this is where they really succeeded, because they really put a lot of effort into having a very reliable, very extensive army of saboteurs which would help them with coordinates and with reconnaissance on the ground. So they have been using a lot of different marking methods and even small devices with beacons so that the rocket could know where to fly.

And maybe quickly, I'm coming to the end. One of the interesting examples where cyber does not work and we really need physical destruction is the railways in Belarus. The Belarusian partisans were really putting a lot of effort in, because Russia was using the Belarusian railway to get equipment close to Ukraine, since Ukraine and Belarus have a gigantic joint border. So they were conducting large volumes of cyber attacks to disrupt support and business processes: scheduling all the wagons or locomotives and so on. But okay, the business process doesn't work anymore, you have to do manual work, but the rails are still there, the signaling equipment is still there, the trains are going. It does not work. Yes, in peaceful time that annoyance would be really very annoying; in military time nobody cares, we're still going. So the next stage which they tried to execute: they started to do physical sabotage, they basically started to destroy signaling equipment along the railway, and that also actually did not help, because now the trains can only go slowly, they can't go fast, but they still can go. Eventually what helped: they literally had to physically destroy the rails between the two countries. And this is also an interesting point: when we talk about physical or cyber sabotage in war time, civilians are considered to be a legitimate target for physical destruction, and this is where civilians are at a large disadvantage compared to the military, because they don't have training, so they can't plan their operation, they don't know how to execute it stealthily, so some of them, for example in this case, were caught and shot in the knees. And actually, according to the Tallinn Manual, hackers, if they are identified and attributed, are a legitimate target for physical destruction as well. So yeah, Ukraine eventually switched and started doing the same physical sabotage on Russian soil; they basically started conducting similar sabotage, especially on oil-related facilities in Russia, and one of the interesting scenarios, of course the latest, is the usage of drones: you basically take some explosive, drive it into the facility, and it explodes.

So I really need to speed up. If any of you know this topic you would probably remember well, but there was Industroyer 2; they tried to plant it into one of the substations. Well, it was a really super poor attempt: firstly they were discovered very early, secondly there was no smartness. The only reason why they tried to execute the attack was that in that specific facility they discovered there was a SCADA system which they had used in the previous case of Industroyer 1, so they just found something familiar and just opportunistically tried to use the same payload in that facility. They were discovered, nothing happened, it was truly opportunistic, really nothing strategic or nothing dangerous, whatever the newspapers are writing.

And then maybe the last case, which I found extremely interesting, is how digital data was evacuated before the war. Because it was expected that there would be a large volume of attacks, it was decided for a lot of critical data: well, let's upload them into the cloud, because we probably can protect the data better there. But then, oh well, now somebody can drop a bomb on our data center, so the servers from the data centers needed to be evacuated to save that data. So digital data had to be saved twice.

So, answering the question in my title, twin siblings or distant relatives: well, I think it's none of those, they're probably partners. Cyber is a supporting function, and it's only useful as a short-term tactical advantage to gain from it. And yeah, as you hopefully got from my presentation, the tactical efficiency of cyber warfare still needs to be figured out. Thank you very much for your attention.