05-05-2022
Pipedream: Hacking Industrial Control Networks
Jonathan talks about the Pipedream attack and the implications of hacking industrial control networks. Can VPNs increase vulnerabilities, and how vulnerable are industrial control networks generally? Christian and Jonathan discuss.

Christian Whiton (00:09):
Welcome to Cyber Context, the podcast featuring Jonathan Moore, the Chief Technology Officer of SpiderOak. Jonathan, the Ukraine war is going on and revealing more and more about our cyber capabilities and cyber defenses, and Russian and other bad actors and their cyber capabilities against us. It seems in the past week the US government has become concerned. It appears to have gotten the upper hand on this one incident, but something called Pipedream, which I gather was a compromise that was directed at LNG, so natural gas facilities here in the United States.

Christian Whiton (00:48):
So not 100% sure it came from Russia, whether it was the Russian government or other actors, but probably, knowing what's going on in the world, and with the target being gas that's kind of interesting. Of course, that's the one thing Europe seems still to have to buy from Russia if they want to keep the lights on; the price has gone up. Maybe Russia wants it to go higher. Still, maybe Russia doesn't like the idea of Europeans buying our natural gas instead of getting it from there or getting it from Qatar. What does this tell us? This is sort of an interesting and different attack targeting critical energy infrastructure?

Jonathan Moore (01:26):
Yeah. Well, I think if I recall correctly, this has been attributed to Sandworm, which is the same threat actor that attacked the Ukraine power system in the past, shutting power off to Kyiv in two different events. And I mean, Pipedream is a toolkit, a piece of malware. So it's a piece of software or collection of software and tools used to cause temporary or permanent loss of capability in these industrial control systems.

So, I think it's interesting, and there's several interesting things about it. So one, I want to think that it's... I think we have a good belief that this is a real incident and not just sort of propaganda and trying to show yet again that we've got the better of Russia, either through intelligence or having better capabilities. It's actually been commented on.

Jonathan Moore (02:28):
And apparently the original research and reverse engineering was done by Dragos, who's really the premier security company in these industrial control systems in the US. So, it is really interesting. And it does show, if this was something that Russia meant to use, that they were trying to escalate and bring some of the conflict directly back to us domestically, which I think would be an interesting shift if we saw it stop. We've heard the government warning us for months now that, "Hey, Russia's coming," and we haven't seen them yet. So if it is an attack that we thwarted, that they meant to follow through on, that is really interesting. And I wonder what else we are defending against successfully. I think I'm super interested too whether this was a detection that we caught early and stopped them by hard work and luck, or whether this was tipped off by espionage, since apparently we've got some great espionage capabilities in Russia, as we've repeatedly called out what their plans for the next week were, to their frustration. So, it is a very interesting event.

Christian Whiton (03:47):
Yeah. I'd like to talk more about the vulnerability of these industrial control networks, but maybe before we get there, another recent attack on US energy-related infrastructure, of course, was Colonial Pipeline. It sounds like this potentially was much more sophisticated because it wasn't Colonial Pipeline. I mean, didn't that come down to a password that one of their senior officers said was really complicated, but nonetheless was discovered, and it was an attack on a billing system. Am I right? Is what we're talking about here more sophisticated than that one?

Jonathan Moore (04:19):
Well, I think I'm not sure... Sophisticated may or may not be the right language to use, but I think that the right way to think about it is what the goal of the adversary was. So yes, Colonial Pipeline shut down because they couldn't do billing and they didn't want to give away energy for free. But the goal of those adversaries was to shake down Colonial Pipeline, to get money in return, where the apparent goal of these adversaries was to shut down capability as a form of attack, as a tool of politics and military, not as a way to make more money. So it was not a financially motivated attack; it was a politically motivated attack. So that I think is really the big difference to see in terms of framework. I mean, without having these various things in hand, and we do not, I do not have this in hand, and if there is a report that's available, I haven't read it myself.

Jonathan Moore (05:19):
I can't really speak to the actual level of complexity, but if it was targeted at industrial control systems, generally the goal in those systems is meant to overcome the safety controls in those systems that keep the plant both available and safe for people in the vicinity. So, all of these kinds of systems work in control loops, where you have some kind of actuator and you need to keep some process within some safety balance. And you have a series of controls that allow you to keep that, and you probably have redundant controls. Like you might have a pipe that's rated up to some pressure and you have some sensor checking what the pressure is. And if it's a process with a heater, you have some heater control modulating the temperature to keep the pressure safe.

Jonathan Moore (06:08):
And maybe you have another pressure release valve. So you have this whole set of systems and you need to keep everything within the safety envelope. And what we've seen these attempts have been historically is to subvert the safety systems, to allow things to go out of the safe range, to cause temporary or permanent damage to the facility and lack of capability. So it's meant to deny capability in a political or military context rather than, again, to temporarily deny capability as a way to ransom money out of somebody. So I think more important than sophistication is the goal of the attack.

Christian Whiton (06:47):
Interesting with... I mean, how interconnected are these systems? I guess sort of you think the sum of all fears would be a cyber attack on a nuclear plant where you yank all the control rods out, the reactor goes prompt critical, maybe the fuel all melts, maybe the reactor itself explodes. I mean, is that sort of the apex threat, and is that unlikely, or is that actually within the realm of theoretically possible?

Jonathan Moore (07:13):
Well, I mean, I think it really depends. Well, I mean, theoretically possible. I mean, I believe it was in Bhopal, India, where there was a large chemical accident that killed thousands of people. And so I think if you want to look at the extreme of what's theoretically possible, those kinds of things are possible. Now, in a well-designed system, that should not be possible. That incident was due to multiple failures, largely at the administrative level as well as the personnel level. There were redundant safety systems that had failed and hadn't been maintained. There was instant staffing and all that kind of stuff. So, should a cyber-only attack be able to cause that kind of large damage? I hope not in systems, but I've got to be clear, I am not an expert in industrial control systems.

Jonathan Moore (08:07):
I mean, I've got a little bit of knowledge, maybe just enough to be dangerous, but I don't want anybody to take anything I say as correct. But it's merely something to inform more research. But so I think the most likely thing we would look at...