Global Thermonuclear Cyberwarfare

BSides Greenville · 2021 · 43:11 · 72 views · Published 2021-10

About this talk
Mike Holcomb (@mdholcomb) discusses the need for cyber security in Industrial Control Systems (ICS) environments, along with the geopolitical considerations outlined in Andy Greenberg's book "Sandworm". www.bsidesgreenville.org @BSidesGVL

Transcript [en]

So I appreciate everybody hanging out for the talk. For those of you that don't know me, my name is Mike, Mike Holcomb. I am a Director of Information Security and Fellow of Cyber Security at Fluor. We're one of the world's largest construction and engineering companies, so I actually get to interface with a lot of industrial control engineers, a lot of top industrial control engineers. Some of the projects that I've been working on lately, and I'm not giving away any top secrets here, but Shell is by far the largest client that I've worked directly with, and we have two of their largest projects

in the world that we're working with them on. One is for a new LNG plant, a liquid natural gas plant, up in the far reaches of Canada, so if you're familiar with Gold Rush, the TV show, or Ice Road Truckers, think way, way up there. So that's one of the projects that I get to work with, so it's really exciting. And then I'm also working with them on an offshore oil rig, which is kind of a different setup, so it's interesting and fun as well, and a few other things that we'll talk about throughout the presentation. I do have some certifications out there;

the big two I listed for this presentation, one of which apparently I can't spell correctly, are two of the three SANS industrial control related certifications, which is going to come into play during this conversation, because Rob Lee, who founded Dragos, and who also founded the NSA group that hunts and finds other nation states attacking control system environments, actually wrote and taught the GRID class that I had attended, which was the best class that I've ever taken, primarily because of Rob and all the information that he shared. He did a phenomenal job. I can't recommend it enough if you are

interested in industrial controls and cyber security, and more from that response piece. So there are a lot of things that we'll talk about as we go on. So here's what we're going to be talking about, everything from, well, no one likes ICS security, and we'll get into that. But for me, you know, I remember... and the name of the presentation, I had looked it up and somebody had used the name for a CTF machine for actually another event, which I thought was pretty interesting. But for me, I think like some people that get into cyber security, it's a TV show or

it's a movie, or maybe it's a book like The Cuckoo's Egg or Sandworm, which we're going to talk about today. For me it was WarGames. I was probably, I think, eight. It was funny because WarGames wasn't a really hugely popular movie. I do remember seeing it in the movie theater, where you've got Matthew Broderick, right? He brings a pretty girl home from school and he's dialing into systems and trying to break in, and remember he was changing grades for everybody at school, and I just thought that was the coolest thing, and at that point I was hooked.

Again, it wasn't probably the most popular movie because The Empire Strikes Back actually was released the following week, so nobody was really interested in WarGames at that point, right? But that was the one that really got me interested in cyber security, and I always remember that. So I do jokingly say that no one likes industrial control security, or sometimes I'll just say control systems because that's how we refer to it at Fluor, but we talk about it... well, almost no one. And where this came from was when we did a survey of all of the ISA

members. So there's about 500 folks that are active on the mailing list that we surveyed, and asked, if you want to attend some training, what subject are you the most interested in? And so you can see active threat hunting came up, incident response and penetration testing, you can see all tied for that top slot, and we also talk about cloud security and bug bounty, so all really interesting topics in the field. And then we started going through the list, and so this is the entire list that we were asking everybody about, and you can see...

And I should say, well, it's not at the very bottom, but it's near the bottom. Just checking Discord real quick, all of a sudden there's this big pop-up in the corner of my eye. But you can see that industrial control system security was fourth from the bottom. I'm sad to see MITRE ATT&CK isn't as high as it should be. I guess no one's worried about Security+ and risk management, which really should be at the top of everybody's list, but that's a whole other conversation as well, right? So not everyone is interested in industrial control security, but it's one of those to me

that everybody should be interested in, industrial control security. But at the same time, I always talk to people in general IT, and I work with a lot of students, like at Greenville Tech, talking and working with them in cyber security, and how some of the IT students could care less about cyber security, right? And I can't understand that. So I understand industrial control security is not for everybody, but part of the idea behind this presentation, and then the free course that I'm doing starting off in December, is really why it matters to all of us, especially cyber security professionals, and maybe you

don't work in an industrial control environment. That's okay, it's still important to understand those basics. The nice thing is that for experienced cyber security professionals, you have to remember that control system engineers don't have that cyber security knowledge that we traditionally have, so we can bring that knowledge to them and help them secure the environments. So when we talk about securing those power plants or those water treatment facilities, we have the ability to help them secure those networks. I actually was talking with one of our engineers that I had never met before, a gentleman in India, yesterday, and he was talking about how interested he is in security, and then for his home he had actually

created essentially a little IoT, but you could say an industrial control system, setup where he had taken a Raspberry Pi and spun up a little web server on it, put a little code on there in Python, and used it to control a solenoid in his garden. So when he was away, when he went on vacation, they could remotely control the solenoid to essentially turn on the sprinklers in the garden, right? And he thought that was great, and I thought, yeah, that's really interesting. And then I was asking, well, how do you control it? He's like, oh, well, it's just a

little web page that's connected to the internet and I can access it from my cell phone. We're like, can anybody on the internet access it from anywhere? And he's like, uh, probably. And so there's definitely that: a lot of control system engineers aren't thinking about cyber security, right? It's just never been their focus. A lot like a lot of conversations we have around developers, right? Most developers still today, and no offense to any developers we have in the crowd, but most developers still don't see cyber security as part of their roles and responsibility, right? It's all about getting that application, writing that code, getting it out and getting it into production, where we're kind of still trying to come

back and say, and that's great, right, and that's what you're here for, but we also need to make sure we do this securely. And that's the same thing with industrial controls. Now, I'm very lucky in my job because I get to work in brand new environments, so it's easy to say, yeah, let's build in security from the very beginning, versus if we go into, like, a petrochemical facility that's existed for 30 years, there's a big difference. And I'm jumping ahead a little bit, but Sandworm, and hopefully there are some avid readers out there. So Sandworm is a book written by Andy Greenberg. Andy Greenberg is a writer for Wired magazine, so anytime there's a story

related to cyber security, especially if industrial control systems are involved, then Andy is the person that is writing those articles. And Sandworm came out and talked about this story about this Sandworm attack group, which, not giving anything away at this point, right, is a Russian nation-state sponsored advanced persistent threat group targeting control systems environments, and they do some other work as well, right? But the whole point is it walks you through the story of really mostly recent history, right? It's talking about events that have happened over the last couple of years, and also the history of industrial control. But really the whole point of the book, I

think from his perspective, and not speaking for him, but it really comes down to this geopolitical consideration, which I as a cyber security defender have always tried to stay away from, right? If we have an incident or some type of compromise, it's always focused about, hey, I want to contain it, right, and eliminate it as quickly as possible, get the attacker off the network, prevent them from coming back ever again, and move on. I don't care where they're coming from. I don't care if they're associated with a nation state or not. It's all about just protecting the business. And yet there are a lot of those conversations to have around these

considerations now especially. And the main point, and especially the title of the presentation, is: when do we get to the point where a nation launches a cyber attack that results in some type of physical response? So when does a bomb start dropping in response to that cyber attack? And so it's that kind of common theme that goes throughout Sandworm. So it's an incredible book. For those of you that have read The Cuckoo's Egg, right, which is Cliff Stoll's book from about 30 years ago, talking about that kind of novelization of incident response from his perspective and ultimately tracking nation state attackers, they just weren't so advanced back then.

I always think of Sandworm really as the latest and greatest version of that type of book. So if you've enjoyed The Cuckoo's Egg, which I hear from a lot of people, Sandworm, again, I see it kind of as this philosophical successor to The Cuckoo's Egg, and I can't recommend it enough. And this is actually the book that we read through in that industrial control security class that I'm doing in December. So of course, who is Sandworm, right? So Sandworm, of course the movie is coming out in just a couple of weeks, it was my favorite movie many years ago, it

was my favorite book, oh, it still is. But the idea of Sandworm comes from where? Anybody want to throw it out in Discord? There have to be some people, right? Yeah, definitely, yeah, there's a few folks that are throwing it out there. Yeah, so Dune. So I'm really excited to see what they do with the new movie, it's supposed to be absolutely phenomenal. So I'm really excited, I want to actually hopefully try and get time to read it again. I always think of Timothée Chalamet as Paul Atreides, or Jason Momoa is, I think, Gurney or Duncan, so we'll see, we'll see. I'm

sure it'll be amazing though. But yeah, it came from one of the analysts that had actually discovered the attackers, who had linked or had found links to Sandworm across multiple companies, because the actual attackers used references in their code that they took from Dune. So they had different names from Dune, so like they had Arrakis, right, which is the home planet, or another name for Dune. Interesting side point, and I'll throw out one of our prizes for anybody who knows this little bit of trivia: the solar system in which Dune resides is also a solar system

in which another popular planet for science fiction resides. Anybody know? Yep, so actually, Xeroc, you got it, yeah. So it's actually the same solar system as Vulcan in Star Trek, so I thought that was pretty interesting, pretty funny, but I found that actually doing a Google for Wikipedia once upon a time. But Sandworm is the story of finding and tracking and learning about this nation-state attacker from Russia, and so you see eventually we track it down to, okay, it's Unit 7445 in Russia's military intelligence agency, the GRU. So I usually equate that to the NSA in the United States, right, because the NSA is staffed with, yes,

private citizens, but also a lot of folks that come over from different branches of the military, right? They're loaned out, like when Rob, I think he was in the Air Force, right, Rob Lee was in the Air Force when he went over to the NSA. Same thing with Tim Tomes, who was in the Army when he was at the NSA. So a lot of those top minds come over from military backgrounds. So Sandworm as a whole, right, they were the group responsible for the blackouts in the Ukraine. So in 2015, around Christmas time, right, they turned off the power for

hundreds of thousands of citizens in the middle of winter, in the middle of the night. And I could just imagine being a father with, especially, little children, and all of a sudden we lose power and it's the middle of winter. It's like, what do you do? I mean, it's just mind blowing. And then the Russians, not to be outdone, right, they came back almost a year to the day and did it again in 2016. A different entity that they targeted, but it still resulted in a blackout, a few less victims as well, but still it was a blackout, right? And all these operators and power generation facilities had to go to manual operation,

so they got back up and running, right, but they couldn't use their automated control systems. It was all back to manual operation, so you had people in facilities that weren't 100% safe, right, so they're in physical danger to some degree. You're flipping breakers and flipping switches and manually operating systems, and they had to do that for about six months before they knew they could rely once again on their control system. There was word that there was actually a third blackout in 2017, where the Russians had come back almost a year to the day and killed power off again. That one was just kept really hush-hush. I think the Ukrainians just didn't want to look any worse from a cyber

defense perspective than they already did, right? Well, you talk about, and there's malware that they had used at the time, so if you've heard of, and I don't even have BlackEnergy in here, Industroyer, CrashOverride from Hackers, right, the movie; KillDisk was also their invention, which they used to wipe machines. So these are part tools, right, that evolve into NotPetya. So when we talk about NotPetya, right, that caused, you see, a billion dollars in damages globally. It's probably well over two, because most companies, when they report damages, it's usually about half of what actually happened. So it's always those interesting

conversations you get to hear behind closed doors. It's like, well, yeah, we lost, you know, 500 million. It's like, well, it's really closer to a billion or maybe a little bit more, right? But we had some of the largest companies, like Maersk, right, and Merck, right, one of the largest pharmaceutical manufacturers and one of the largest shipping companies in the world, right, shut down for days and weeks, with global impact, right, as much as COVID, but back then it was a huge strain on the supply chain and we saw those impacts, right? And again, going back to Andy Greenberg, he has some great articles that he wrote

for Wired that you can find, especially on NotPetya and what happened behind the scenes, especially at Maersk, and how they had one domain controller that was not touched because of a blackout in Africa at one of their offices, and that was the only backup that they had to be able to restore the entire company. So it's a really fascinating story. But so then we talk about the French election, Macron, the Winter Olympics attack, and Shadow Brokers, right, are all related in some way, shape or form with Sandworm. So here's some of the folks that are Sandworm, right, and they have some wonderful hacker handles, but

the whole point is they're just other people, just like you and I, right? I imagine if I'm working for the NSA, right, I mean, this would be me, the Russians would be looking at my picture like this. And I also think of cyber crime, right, and cyber criminals. I can understand, especially if I didn't have a job, or especially if I lived in an environment or a country where there weren't a lot of options, right, I could understand people turning to cyber crime to feed their families, completely. So I'm not going to blame anybody for, especially, wanting to serve their country, ever.

But at the same time, yeah, they're on the most wanted list by the FBI. Now Russia is never going to extradite these, what we would say are, criminals, right, because they're going to protect their own people. And it's interesting to have that conversation, because, well, we do the same thing, right? Who's this? And I'm not giving away secrets here, but you know who this is. He's definitely a big friend of BSides Augusta.

I see at least one person typing, see all the dots, and then they go quiet, like one of those bad movies.

He was an NSA member that was outed by Sandworm. Yeah, so this is actually Jake Williams, and so if you ever go to BSides Augusta, you'll see Jake talking, right, super great guy, super smart as you can imagine. He actually teaches the reverse malware engineering and most advanced malware authoring class for SANS, right? He owns, he runs, I should say, Rendition Infosec. And so you'll see Jake, like I said, I mean, great guy, right? He comes to share all the information with the community. I think in this case he was doing a presentation on privilege escalation, and at the same time, yeah, he was outed

as a member of the Tailored Access Operations team at the NSA, which is also what a lot of outside entities refer to as the Equation Group, right? So we call the Sandworm attackers Sandworm, and they call the Tailored Access Operations group the Equation Group. And so Jake was outed by the Shadow Brokers on Twitter publicly as a member of the Equation Group, potentially an author of Stuxnet or related, potentially, I don't know. But the idea is, and he mentions, and there's a great Darknet Diaries episode that features this story, he mentions he found this out right before he was to travel for SANS, I think

it was Singapore, and he's like, I can no longer travel to Singapore because I could be extradited to Russia for crimes against Russia for being a member of Tailored Access Operations, right? So the whole point is, I think it's just the story of looking at all sides of the story, right? I always say if you cut me open, I bleed red, white and blue, right? But we have to remember the other people that are across the table from us, and we're all here and we're all trying to serve our country in the best way possible. Well, what we find though is, and this is, you

know, a great part of Sandworm, is we see that we as private citizens, or we as operators of control system facilities like power plants, petrochemical facilities, water treatment facilities, right, we're caught in the crossfire of these nation states. Typically most attackers against control system facilities are going to be nation states. Now we're seeing that start to change, so a lot of you probably have heard, and maybe were in fact impacted by, the Colonial Pipeline breach that we had in, was it March? I remember, thankfully, I was living in Lexington for most of the time, but I remember coming back to Greenville after a week had gone by; the pipeline was

up and running, but most gas stations were still out of gas. I tried like five or six different QT gas stations and everybody was out of gas because of a control system outage. Now, it wasn't an attack against control systems specifically. It was just that the back office at the company that runs the pipeline became infected with ransomware, we'll say generic ransomware, and they were afraid that that ransomware would shift into the control system environment, so they shut down all the control systems that ran that pipeline, so then the pipeline goes down. There's one thing you have to remember nowadays, is that the vast majority of control systems now, and you talk about things like PLCs or

HMIs, right, programmable logic controllers or human machine interfaces, or we'll talk about data historians or translators, yeah, there's tons of terms we can throw out there. At the end of the day, the vast majority now, they run Windows or they run Linux, right, some flavor of Windows, some flavor of Linux. And so from a network security perspective, it's just another host on the network with an IP address, with listening services and vulnerabilities that we could potentially remotely exploit. It just has a different effect. So instead of accessing a database server with sensitive information like credit card numbers or social security numbers, it's maybe a Windows machine or a

Linux machine that's responsible for turning a large turbine that's used to generate electricity. If I can access that system, can I shut down the turbine, right, or can I make it speed up or slow down, right? Potentially, right, it just depends on how that system is set up and configured. Now we also have this idea of the Industrial Internet of Things. So this is where we take industrial control systems and we connect them to the internet. So I think, yeah, in a simple form, right, when I was mentioning the Fluor engineer that took a little solenoid in his garden and connected it via a web page to the internet so he could hit the web page

and turn on his sprinklers. In this case, think of if I do take that turbine that spins to generate power and put that on the internet, and that's a whole other story, right? So we start to think there are even additional cyber security concerns, right, when we talk about taking control systems and connecting them to the internet and allowing them to be monitored and potentially controlled from the internet. And I'll also mention I have a ton of slides in here, and it's just mostly for reference material. We're obviously not going to get to all this, right? But in control system security, in cyber security in general, we always talk about confidentiality,

integrity and availability. I already alluded to, in control system environments, the main focus is availability. If I am a power plant operator, right, it's all about making sure that power plant stays up and generating electricity. That's the only thing that matters to me. Now we've started to see operators over the last couple of years understand, right, part of that availability is making sure they're secure, so somebody can't bring them down through something as simple as ransomware or a more sophisticated nation-state attack. And so cyber security has come into play for a lot of these operators over the last couple of years, but again, just think that they're still primarily always worried about staying up and running.

They're not worried about, is your data encrypted, right, or are we verifying signatures for data that we're importing from a remote system? For the vast majority of these operators, it doesn't matter, right? It's all about keeping the plant up and running. So it's our job as cyber security professionals to help them understand how they can secure the environment, just like, again, we can help developers that don't understand security, we can help them understand how to write secure code. And so we talk about, there's a lot of risk that we talk about in industrial control environments, and we talk about different types of attackers, and there's really nation states and some, you

know, random groups like ransomware operators that have the option to be able to impact the environment. We talk about cyber warfare, which again is a big focus of this presentation, because again we're getting caught in the middle. I don't work for the military. I've worked with the military before. I got to spend time with the Marines; I actually practically grew up on Camp Pendleton because of my grandfather. I got to work with the Navy SEALs for about two years, which was really exciting, but I've never been in the military, right? But we as private citizens and private and public organizations are getting caught in the crossfire, right? And we can talk about the history,

right, and again Sandworm does a great job of covering the highlights, where the big one I want to talk about, though, is Stuxnet. So probably most of you have heard of Stuxnet, right, which is where nation states going to cyber war really started. So when we look at Stuxnet, right, it was created and it was used by who? There were two countries that used it to target Iran, right? What were the two countries that targeted Iran with Stuxnet? Yeah, it was the United States and Israel. And so that's really, and it goes back to, it's one of the main points in the book, is Stuxnet was the first point in history where one nation state, at least, was known

to target another nation state. And of course the United States and the Israelis, their idea was they wanted to delay the Iranians in developing a nuclear bomb, and so Stuxnet was developed to go after the centrifuges that the Iranians were using at the Natanz facility in Iran to enrich uranium. And so the Americans had discussions about, do we drop bombs, where we could potentially kill people and have collateral damage, or, hey, why don't we take this cyber approach, and we can do this without dropping the bombs and without killing anybody? So I like that idea, right? That's great. I mean, we're not killing innocent civilians and scientists. But at the same time, once it was

discovered, this is where other countries like Russia and like China and other countries around the world really took note and said, you know, one was, hey, the United States, right, nothing happened to the United States or the Israelis for Stuxnet, right? There were no repercussions. So it's like, well, if you can do it, well then I could do it too. And then at the same time, I think it was showing the other groups, like China and Russia, that, wow, that was actually some pretty impressive code, right? Stuxnet actually used four zero days, and not only that, but did target specific industrial control environments like Siemens. And so they really started to step up

their game at that point, and it was really just that escalation where everybody was off to the races. So for a lot of us being in the United States, right, we actually started all of this to some degree, right, and there's a lot of nuances in that conversation, but at a high level, we're the ones that picked the fight. And now we look at where we're at today, where again that's where Sandworm is great, because if you get the latest edition, right, it's fairly updated. Now, it doesn't cover anything that's happened over the last year or two, because I remember the last time I did this presentation, at the ISA group, and

this was, I think, in February, and then literally the next day there was an article about Biden talking about physical response to cyber attacks. So I do want to mention, if you want to learn more about control system cyber security, the best place you can go to is Dragos. Dragos does their Year in Review report, so you can think of this as the Verizon Data Breach Investigations Report, right, the DBIR, but for control system environments. Dragos is run by Rob Lee, or they go by Rob M. Lee, because he teaches the SANS GRID class; it's incident response in industrial control environments, and like I said, phenomenal class, he's a phenomenal person, and does

some amazing work with Dragos and SANS around control system cyber security, right? But they talk about, and again, here's all of this, this whole timeline just from 2020, right, everything that happened that was targeting control system environments. What all this amounts to is there are new groups that are continually coming out, right, targeting control system environments, and whether they're nation states, or now we're seeing ransomware operators actually building in code to target specific industrial control environments, so it's not just the nation states any longer, right, that are breaking in and accessing information. And we still see groups like Sandworm out there, and of course we wrapped up 2020 last

year with the SolarWinds breach, which was devastating when you talk about a foreign entity having access to every email message in the Pentagon or the Department of Treasury, or able to, yeah, read the Windows source code, right, because they were in Microsoft for months as well. Amazing, right? That's amazing, where I have to admire it from a technical capability perspective. But Dragos also, in their Year in Review, they talk about some of the issues that they have and that they see, and you can see that second point: I talk about 88% of their pen test engagements, they easily get into the control system environment from the back office. Wow, that's really concerning. You see 50

or 54 percent of networks had shared credentials between the back office, where everybody sits and they browse the internet and work on spreadsheets and read their email, and then the control system. That's pretty concerning as well, right? So your username and password work in the back office, where most attackers start, and they find a path into the control systems, which is almost always there as well; then they can use those same credentials in the control system environment. And so a lot of control system environments, again, they're not built with security. A lot of them are 20, 30, 40, 50 years old. I think of some of the nuclear power plants that we have,
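Added example (not from the talk, Dragos or Fluor): a small Python audit that flags the back-office/control-system credential sharing described above by comparing exported account inventories from the IT and OT zones. It assumes each export carries an unsalted password hash (as Windows NT hashes are), so equal hashes mean equal passwords; the account names and hash strings below are constructed stand-ins, and the export format is assumed rather than any real tool's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One directory account from a zone export (assumed format, not a real tool's)."""
    zone: str          # "IT" (back office) or "OT" (control system)
    username: str
    pw_hash: str       # unsalted hash: equal values mean equal passwords
    privileged: bool = False


# Constructed sample inventories; the hashes are short stand-ins, not real NT hashes.
IT_ACCOUNTS = [
    Account("IT", "jsmith", "aa11"),
    Account("IT", "svc_backup", "bb22", privileged=True),
    Account("IT", "it_admin", "cc33", privileged=True),
    Account("IT", "pjones", "dd44"),
]
OT_ACCOUNTS = [
    Account("OT", "jsmith", "aa11"),                       # same user, same password in both zones
    Account("OT", "hmi_operator", "cc33"),                 # different user, same password as it_admin
    Account("OT", "svc_historian", "ee55", privileged=True),
    Account("OT", "plc_eng", "ff66"),
]


def find_shared_credentials(it_accounts, ot_accounts):
    """Report cross-zone credential reuse as (kind, it_user, ot_user, severity) tuples.

    kind is "same-user-same-password" when one username carries the same hash in
    both zones, and "password-reuse" when different usernames share a hash, i.e. a
    password compromised in the back office also opens an OT account.  severity
    is "high" when either side is privileged.  Reuse inside a single zone is a
    separate problem and is not reported here.
    """
    ot_by_hash = defaultdict(list)
    for acct in ot_accounts:
        ot_by_hash[acct.pw_hash].append(acct)

    findings = []
    for it in it_accounts:
        for ot in ot_by_hash.get(it.pw_hash, []):
            kind = ("same-user-same-password" if it.username == ot.username
                    else "password-reuse")
            severity = "high" if (it.privileged or ot.privileged) else "low"
            findings.append((kind, it.username, ot.username, severity))
    return sorted(findings)


def shared_credential_ratio(it_accounts, ot_accounts):
    """Fraction of OT accounts whose password also works for some IT account:
    a per-network view of the shared-credential figure the talk quotes."""
    it_hashes = {acct.pw_hash for acct in it_accounts}
    if not ot_accounts:
        return 0.0
    reused = sum(1 for acct in ot_accounts if acct.pw_hash in it_hashes)
    return reused / len(ot_accounts)


if __name__ == "__main__":
    for kind, it_user, ot_user, severity in find_shared_credentials(IT_ACCOUNTS, OT_ACCOUNTS):
        print(f"[{severity}] {kind}: IT {it_user} -> OT {ot_user}")
    ratio = shared_credential_ratio(IT_ACCOUNTS, OT_ACCOUNTS)
    print(f"OT accounts reachable with a back-office password: {ratio:.0%}")
```

Run against real exports, every "password-reuse" hit with a privileged side is a direct IT-to-OT pivot path and belongs at the top of the remediation list.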

how long they've existed, a lot of our power plants just in general have existed, and so there's a lot of concern. So we have to work to, again, this is where we as cyber security professionals, I don't have to understand how a control system works. Now, it's great, and you should have a basic understanding, and that's the whole point of why I put together the industrial control class, and I'm doing it for free, to help you understand, because then you can take your cyber security knowledge and bring it into industrial control environments. I work in a 50 billion, with a B, liquid natural gas facility we're building for one of the largest energy companies

in the world, and I don't do anything special that I wouldn't do for a small company with 10 computers. Realistically, it's all the same basics, believe it or not. So a lot of people, I understand, aren't interested in control system security because control systems can seem very, just like this very almost abstract thing that we don't understand, and at the same time those systems are just other computers. Now, control system engineers hate it when you say that, but you know what? It's got a processor, it's got memory, it's got a network interface, probably has an IP address now, probably running a web server, right? It's running Windows or Linux,

essentially, or some other operating system, and so if you're even remotely interested in control system environments, right, the world needs you, right? We need you to bring that cyber security experience to the table and help these environments understand how to secure them, and don't be intimidated by PLCs and HMIs and all the acronyms that are out there, because you can learn those, and you can understand, again, they're just other systems with IP addresses on the network running Windows and running Linux. So again, there's a lot of great information, of course, in the slides for reference. A lot of this comes from the Dragos Year in Review, so go to their website and access the

report. It's all free. They do, again, amazing work when they put those together. So again, why are we here, right? And we're getting caught in the crossfire, right? If I'm an administrator for Merck, right, or the hospital where they actually had to turn away ambulances and patients because all their systems were down because they were infected by NotPetya, where everything got wiped. We're getting caught in the crossfire with Russia going after the Ukraine, which is what NotPetya was, or what if it is Russia going after the United States, or the United States going after Russia or China, or, right, a lot of interesting conversations I have that I have to be careful about when I do

presentations for our employees in russia and china and all this other country what is the impact to critical infrastructure now most environments especially in the united states are very resilient they're not perfect but you're not going to have a total blackout because of a cyber attack you're not going to have a nuclear power plant explode into a mushroom cloud because of a cyber attack because there's lots of there's physical controls that are also engineered into the design so it's simply not possible to have that can certain damages occur yes could somebody get hurt locally or die yes but it's very limited but those still all horrible consequences so again the geopolitical the military considerations right when does physical

war right become that escalation point to a cyber attack so and then where we go right solar winds right when that hit i mean that was huge and we're i think still even finding out a lot of the repercussions right there but it's damaged so just a lot to think about but again if you're interested in control system environments even in the littlest right again don't be intimidated right learn as much as you can but bring your skills to the table to help these other control system engineers secure their environments that's what i mentioned in a couple upcoming classes right we're doing the uh the two-day free workshop for pen testing on november fourth fifth uh the

one day incident response which is uh ninety nine dollars with all the proceeds going to ice mb size and the intro to industrial control systems so we'll actually talk about what is a plc what is an hmi right why are they what's a data historian why are these important and then how we secure them and what you'll see if you're familiar with how to secure general environments we use the same tactics and techniques so hopefully everybody enjoyed the presentation oh thanks chris for putting the uh the link out there so i i appreciate that so and not to keep anybody over because i know we got uh a couple minutes just until uh the uh next presentation so but uh

and then chris is actually up next but i'll uh go and take com uh questions for uh the next uh minute or two if anybody has any other ones um i say and shane makes a great point right when we talk about industrial control systems i can think of big turbines that you are are turned to to power you know hundreds of thousands of homes and at the same time we also think of other automated systems like hvac right so technically when you think of even a thermostat right or a system that that can control that heating and that ac unit right that is a industrial control system right we were actually looking at in my

greenville tech class we were actually doing showdown research uh and seeing what types of systems we could find out there and finding control system systems that are connected to the internet we actually found it was actually the hvac system for the the president of furman university so it actually is just funny and we were just randomly looking around the world and actually saw greenville south carolina pop up it was like what's this and then it actually was the yeah the hvac system for the the president's house and furman and it was even labeled they have a special name for the house um what was it you don't remember oh my girlfriend went to winterferressa she knew what it was back then she

forgot alright but but yeah it was that was the name so uh so it was kind of kind of funny to to see that