Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 2 (ICS/OT Cyber Security Overview)
FULL TRANSCRIPT
Hello and welcome back. We'll go ahead and jump into unit two, or part two, where we're talking about an overview of cyber security in industrial control or OT networks. We had the introduction in the first part, where we touched on a few different aspects of even why we need cyber security in OT environments, so hopefully from the first section that already started to make sense. But we're going to dive a little bit deeper into it in this section, and then also start to look at how we start to secure our OT environments: how do we protect our power plants and our railways and our mines and our manufacturing plants and so on?

You can see from the outline what we're going to look at. We're first going to start talking about the differences between traditional IT network environments and industrial control or OT networks, because there are some fundamental differences. There are a lot of commonalities between the two, but there are also some fundamental differences that we want to be able to point out and focus on as we go through our conversation. Then we'll look at the different ways, really the five main ways, that attackers get into OT networks, and that's something we'll build on as we go through the rest of the course. Then we're going to look at a basic example of what operational technology is, using just the idea of a thermostat that you potentially have in your house or at the office. It's something most people are familiar with; we just don't necessarily think of it as OT, or operational technology. We'll then evolve that into the question of what the difference is between OT and ICS, industrial control systems, where we look at, if you want, industrial-strength OT systems: those that work in industrial environments. Then we'll get down to the nitty-gritty and look at what we're really talking about when we say cyber security in control system environments. We'll also spend some time looking at the history of different control system or OT incidents over the years. There's a handful that we're going to focus on primarily in this course, and we'll reference them continually throughout. There's a lot more that I could talk on, but there are probably about 10 that we really want to focus in on, and especially our top five: when we talk about things like Stuxnet and Colonial Pipeline and TRISIS, those are some of the top incidents we're going to continue to refer to. Then we'll talk about how we secure the environments at a high level, and how we work with the business, or the owners and the operators, to make that happen. And then in part three, moving forward, that's where we really get into the nuts and bolts of how we secure our networks.

So I do like to get started,
when we start talking about cyber security in OT environments, with the idea that there is a substantial difference between IT, where we're sitting in a back office reading emails, browsing the internet, maybe working on a spreadsheet, or we've got an app open or we're working on a Word document, and we're nice and safe and sound, and the OT environment, especially when we think of being out in a plant. It's a completely different type of environment, and most importantly, the biggest difference is that there are safety issues. That's why we always say the main difference between IT and OT is that in OT, safety is always our primary consideration. It's not "is an attacker going to come steal our sensitive information?" or "are they going to be able to manipulate that data where it's stored, maybe on a file server or an application server?" It's "is the site safe for our people?", the people that are at the location, the on-site personnel, and what about the general public that could be in the vicinity of that facility, are they safe? That's our ultimate mission and priority: to protect people and keep them safe.

So, two very different types of environments: one where we're sitting in the office doing work in a nice, safe environment, and the OT environment, where we're out in that plant that could potentially have some type of danger involved in doing that job. Some of these environments are very, very dangerous.

Another thing to think about: in this case we have a chemical refinery, as defined by Midjourney at least. The idea is that we have our OT network that we want to protect. We want to make sure, in this case, that attackers don't come in and take control of the chemical refinery, whether to shut it down or to potentially cause some type of condition that could lead to a safety issue. So we want to make sure that we protect the environment.

The dangers and the risks that we really see today come from the fact that most OT networks have an IT network that they're connected with and that they're talking to. The idea is, in this case, let's say I'm manufacturing a certain chemical and then I'm packaging it to be sold to the general public at stores. We have to be able to communicate to the business how much of that packaged chemical we have created, so they can do things like coordinate shipping and logistics. So we have the OT environment that's creating the chemical and then even potentially packaging it up to be shipped to different stores across the country or across the world, but it's the business, the IT side of the network, that coordinates the logistics for making that happen once we've created the packages themselves. So we see that IT and OT networks are allowed to talk with each other.

We've already started to touch on the idea that if you're in the OT environment physically, it's not a safe place to be; there's always some type of risk, some type of danger to your physical safety. In the IT environment, we're sitting in the office, nice and safe, and we have that communication between IT and OT to allow the business to get what it needs done. But also think about where the real risk comes from: the IT environment is also connected to the internet. When they talk about the great thing about the internet, it's that it connects us with everybody in the world, and of course the bad thing about the internet is that it connects everyone in the world to us, the good, the bad and everything in between. So that includes the attackers, whether we talk about nation-state attackers or ransomware group operators, which are really the top threat that we see targeting both IT and OT networks today.

Remember that in almost all control system environments today there's communication between IT and OT, and there's communication between IT and the internet. If there's communication between IT and the internet, and there's communication between IT and OT, then it stands to reason an attacker is going to be able to get into the IT network. We talk about it not being a question of if, it's just a matter of when. So an attacker is going to get into the IT environment, and if there's a path from IT into OT, then the attacker will be able to take that and have that foothold in the OT network, to then be able to start to take control over that
environment. So we like to, and we're going to come back and talk more about this in the next couple of sections, especially in part four where we get into secure network architecture, which really is the number one way to protect our OT environments. But in this case, we talked about the OT environment creating this chemical, and that we're going to package it up and then we're going to need to ship that off to be sold. So the OT environment is creating the chemical, even packaging it, let's say into different aerosol cans, and then it's going to take the data about how many packages we've created and push it over to IT. The key is that the OT environment is going to send that information, it's going to push that information to IT. It's one-way communication. We're going to take the information about how much chemical, how many packages we've created, and we're going to push that to IT so the business knows it needs to coordinate logistics and shipping for however many cases of this chemical product we've created.

We don't want to allow the reverse. We don't want to allow IT to come into OT to retrieve that information, because if that path exists in the network, an attacker, and we have to assume an attacker is going to eventually get into the IT environment, today, tomorrow, a week, a month down the road, years down the road, an attacker is going to get into the IT environment, no ifs, ands or buts about it. So, assuming that we know an attacker is going to get into the IT environment, we have to make sure that an attacker wouldn't have a pathway from IT to OT. The number one way to protect our OT environments is to not allow IT to talk directly with OT; we don't allow network communication to originate from IT. I'm jumping ahead, but I definitely wanted to stress that. So the idea is we allow OT to send information to IT so the business has the information it needs to do the job it needs to, like coordinating shipping logistics. We don't allow IT to reach into the OT network, though, because if an attacker got into the IT network, then they would have the ability to do the same, to reach into the OT network, and then they would use that to move throughout the environment and take control over it. We'll talk about some examples of how that happens as we go on throughout the course.

We also mentioned this idea that, to allow OT to talk with IT and to prevent IT from reaching into OT, we can place a firewall, so that the firewall, ideally a physical appliance, is going to prevent that communication from taking place. That's just a highlight of what we're going to talk about, especially in part four. Again: OT can talk with IT, let OT send data to IT so the business can get what it needs to get the job done, but do not allow IT to reach into OT. Unfortunately that's not possible in all environments, but it is possible in some, and it's possible in probably more than people think.
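The one-way rule described above, as an added example that is not code from the course: a small Python model of a stateful zone policy between an OT zone and an IT zone. Connections may be initiated from OT to IT (the historian pushing its production counts), the replies on an established connection are allowed back, and nothing may be initiated from IT into OT. The zone addressing, the connection-tracking model, and the sample flows are constructed assumptions for illustration; a real firewall would express the same thing as a stateful rule set on the appliance.

```python
"""Added example: stateful OT->IT one-way zone policy (not from the original course).

Assumptions (constructed for illustration, not from the transcript):
  * OT zone is 10.10.0.0/16, IT zone is 10.20.0.0/16, anything else is EXTERNAL
  * a 'new' flow is the first packet of a connection (a TCP SYN); a later
    packet is only allowed if the firewall already tracks that connection
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),   # assumption
    "IT": ipaddress.ip_network("10.20.0.0/16"),   # assumption
}


def zone_of(addr: str) -> str:
    """Map an address to a zone name; unknown addresses are treated as external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    new: bool = True   # True for the first packet of a connection


def evaluate_stateful(conntrack: set, f: Flow) -> str:
    """Decide one packet under the one-way policy.

    conntrack holds the 5-tuples of connections the firewall has already
    allowed; packets in either direction of a tracked connection pass.
    Only OT-initiated new connections to IT are admitted into the table.
    """
    key = (f.proto, f.src, f.sport, f.dst, f.dport)
    reverse = (f.proto, f.dst, f.dport, f.src, f.sport)
    if key in conntrack or reverse in conntrack:
        return "ALLOW (established)"
    if f.new and zone_of(f.src) == "OT" and zone_of(f.dst) == "IT":
        conntrack.add(key)
        return "ALLOW (OT-initiated)"
    return "DENY"


def evaluate_flat(f: Flow) -> str:
    """The weaker rule many sites actually have: 'allow OT<->IT' with no
    notion of which side initiated the connection."""
    if {zone_of(f.src), zone_of(f.dst)} == {"OT", "IT"}:
        return "ALLOW"
    return "DENY"


def check(flows, policy: str = "stateful") -> list:
    """Run a list of flows through one policy and return the decisions in order."""
    conntrack = set()
    if policy == "stateful":
        return [evaluate_stateful(conntrack, f) for f in flows]
    return [evaluate_flat(f) for f in flows]


# Constructed sample traffic (not captured from any real network).
SAMPLE_FLOWS = [
    # historian in OT pushes production counts to the IT application server
    Flow("10.10.5.20", 51000, "10.20.1.10", 443),
    # the application server's reply on that same connection
    Flow("10.20.1.10", 443, "10.10.5.20", 51000, new=False),
    # IT workstation tries to open Modbus/TCP to a PLC
    Flow("10.20.7.33", 49152, "10.10.2.5", 502),
    # IT application server tries to reach into the historian's database
    Flow("10.20.1.10", 50000, "10.10.5.20", 1433),
    # something on the internet tries to reach the PLC directly
    Flow("203.0.113.9", 40000, "10.10.2.5", 502),
]

if __name__ == "__main__":
    for f, stateful, flat in zip(SAMPLE_FLOWS, check(SAMPLE_FLOWS), check(SAMPLE_FLOWS, "flat")):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}  stateful={stateful:22} flat={flat}")
```

The flat variant is the rule a lot of environments actually have, an "allow anything between OT and IT" rule, and the sample flows show why it is not the same thing: it lets an IT workstation open a Modbus/TCP connection to a PLC and lets the IT server query the historian, while the stateful version denies both but still passes the historian's push and the replies to it.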
So, having talked a little bit about IT and OT and the different networks talking to each other, we can look at the five different ways that attackers get into the OT network. We already highlighted one example: they can come from the back office. What if that firewall is not there? The idea is, if I'm able to get access to your IT environment, maybe I hack into one of the web application servers that your company is hosting, or I send an employee a phishing email, where we trick them into clicking on a link or opening an infected attachment that infects their computer and in turn gives the attacker control over that host. That's the initial foothold. Once the attacker is on your IT network, it will not take them long to take control over all of the IT network and also to find that path into the OT network. So remember, the number one way attackers are going to get into your OT network is through the IT network, just because of the fact that IT is connected to the internet, and that's the easiest path for attackers to come through.

Now, besides coming through the IT network to get into OT, we talk about NERC. NERC is the certification or standard that's required for power generation and transmission facilities in the United States and Canada, and they have this fancy term called a transient cyber asset. What they're really talking about are laptops and USB drives, essentially anything that could store data, and potentially process data, that can be brought into the environment, so smartphones would also fall under this as well. The idea is that we could have somebody bring in a USB drive or bring in a laptop, and what if that laptop or USB drive or phone is infected? If that asset is plugged in or connected to the OT network, now that infection is loose on the network. And then what happens? Well, that is a big question; it really depends on what that infection or that malware is designed to do. So we'll come back and talk about examples like Stuxnet: what happens if an infected laptop gets connected to your OT network, what happens next? So that's the second way that attackers could get into the environment: they're brought in physically by USB drive or laptop or phone.

Now, we've seen, even just in the last couple of weeks, several instances that have been highlighted where, we'll say, smaller OT environments like water authorities have had different systems exposed directly to the internet. For whatever reason, whether somebody thought they were doing the right thing or they just didn't know better, they had a PLC or an HMI or a Windows server acting as a data historian, or any OT asset, any asset or system in the OT network, connected and exposed directly to the internet, so anybody on the internet could reach out and touch it. And if there is a vulnerability or some other way to exploit that system, then that person would have control over that asset from over the internet, and then they have that foothold, that starting point, on your OT network. So we do see that, and it's something that shouldn't happen. We should be monitoring continually to make sure that we don't have any internet-facing exposed systems, at least those that shouldn't be there. Not in OT. In IT, maybe you host something like a website and you want that accessible by the entire internet; that's what it's designed to do. But you don't want any of your OT systems directly exposed to the internet. We'll talk a lot more about that.

Then we talk about remote access capabilities. Think: if I need somebody to come into a plant and do maintenance on a piece of equipment, maybe they're going to do a firmware upgrade on a PLC, let's say. The idea is that they could physically come into the environment, but that's going to take time, maybe there's travel cost associated with that, maybe there's a pandemic going on. With COVID, the need for and the use of remote access just skyrocketed. But we also had remote access in the first place in a lot of OT networks because, remember, our first priority in OT is physical safety, making sure we keep our people safe. So if I can allow somebody to remotely upgrade the firmware or programming on a PLC, and they can do it from home, it's a lot safer than if they're actually standing in the middle of a plant doing that work. From a pure safety perspective, would we rather have them working from home or working in the plant? We'd definitely rather have them working from home. So that's the idea: remote access definitely has its place in the OT world, we just have to make sure that we do it as securely as possible, because attackers will exploit issues with your remote access configuration and use it to gain unauthorized access to your OT network.

And then finally, we talk about another way that attackers get into the OT network: we give them access. They're malicious insiders. They're somebody that we've hired, or maybe they're a partner or a vendor, and we've given them things like credentials and access into the environment. They're able to come on site, they're able to plug into the network, they're able to remotely connect, and the idea is that they mean to do us harm.

So those are the five ways that attackers primarily get into OT networks that we're going to talk about as we go throughout the course. Most importantly, we're always thinking about that relationship between IT and OT from a network perspective: attackers being able to move into IT from the internet, and then, if there's a connection allowed from IT to OT, they will find it and they will use it to get into the OT network. Again, we'll come back and be talking about that a lot as we go through the rest of the course, so just keep that in the back of your mind for
now.

One question I get asked a lot is: how mature is cyber security in OT, or how good are we in the OT world at cyber security? It's a good question. It's one we don't have a ton of metrics around. In the first section we talked about reports like the Dragos Year in Review, where they do a lot of the work to highlight the issues, and you can use that to get an idea of how well we're doing. I would say some people might say 33%, some people might say 50%. I suspect, depending again on how you look at it, we're probably somewhere around there. Is it higher in some areas? It's an interesting question if we're looking at it across the board, I think. But at the end of the day, does it really matter how we're doing overall? What really matters is your organization: how is it doing on cyber security in its OT network? It could be 0%, it could be 100%, not that anything's ever 100%, but I think you get the idea. It's just going to depend on your environment, which of course should be the most important to you. But I would say roughly, probably, maybe 50%, from the environments that I've gotten to see and work in, and from talking with other people out there. In my day job at Fluor I work with some of the largest providers and companies in the world, and they have very strong cyber security programs for OT. I get to talk with a lot of other folks outside of that role, and there are a lot of environments out there, even very large environments, with very little to no cyber security in the OT networks. So there's definitely a lot of concern, there's a lot of risk, and we have to protect our
environments.

So for those of you coming from probably a more traditional IT or IT cyber security background, even just the idea of operational technology, or what OT is, might sound very strange at first. I can admit that it was very strange for me to try to unravel and understand in the beginning. But I like to use the idea of a thermostat for this. I'm looking at the one on my wall right now, it's literally right in front of my face, and it looks almost like this one. So we have this computer: it has memory, it has a processor, it has, essentially, think of it as an operating system, it has code that it runs to help it understand. It's programmed to do something, so it has code to tell it how to think and what to do, how to react. It actually has what it calls a set point, which is a variable, and you can even see in the picture it says "set", because for a thermostat we can set, we can change it to any value, I guess within a range that we decide, that we want the temperature in the room to be at any given time. In this case we change that variable to 70°: we always want the temperature in the room to be 70°. Then it's the job of the thermostat to make sure that the temperature in the room stays at the value we placed in the set point.

So in this case, once we've set the value, one thing to think about with this piece of operational technology is that it brings in data from outside sources. We actually have a sensor that's continually taking the temperature in the room and telling the computer how hot or how cold it is in the room. So we're continually taking the temperature in the room and feeding that into the device. That way, let's just say the temperature all of a sudden goes up to 72°. The logic, or the programming, in the thermostat goes, "oh, it's getting too warm, I need to turn on the air conditioner," so it sends an electrical signal out a wire that's physically wired into the air conditioner unit to turn it on. All of a sudden the air conditioner is running and we have cool air coming into the room. So we send that signal to the air conditioning unit, which is this physical system out in the real world, and we turn it on and make it run, and as it runs it's going to blow cold air into the office, or into the house, or into the room we're in, and it's going to lower that temperature back. At the same time, we're still continually taking the temperature, so that as the temperature goes down and we get back to the set point of 70°, we know, okay, let's go ahead and turn off the air conditioner: we're back at our set point, we're back where we need to be. And then the thermostat continually does its job of bringing in the temperature: what's the temperature, what's the temperature, what's the temperature? If the temperature goes above the set point, we send a signal to turn on the air conditioner, or if maybe the temperature goes below the set point, maybe we need to send out a signal to turn on the heater.

But that's the idea of operational technology: computers that we use to control physical systems out in the real world, like the heaters and air conditioners that we have at home or at the office. We can expand that when we talk about things like power plants, where it's not necessarily air conditioning and heating or furnace units, but things like turbines and generators and combustion chambers. But that's the idea of operational technology, and a simple example is the thermostat. Again, just remember it's a computer that can think and is designed and programmed, usually, to do one or a limited number of jobs. It brings in data from different types of sensors and other sources, and then it can send signals out to those other physical systems we have in the real world to control them. That's the idea of industrial control systems: it allows us to control those systems. And this whole process is a continual loop going on inside the asset, or the computer, or the piece of operational technology, or we might refer to this as a programmable logic controller, a PLC. A very simple one, but at the end of the day, the idea is that it's this continual loop, whether you call it a closed loop or a control loop, where we just continually go through this loop of logic: what's the temperature, what's the temperature, what's the temperature? Oh, it's too warm, turn on the air conditioner. Okay, we're back to normal, turn it off. Oh, it's too cold, all right, turn on the heater. Oh, we're back to normal, turn it off. What's the temperature, what's the temperature, what's the temperature? As long as that is running, we're continually checking the temperature against that value that we placed in the set point.
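The control loop just described, as an added example that is not code from the course: a small Python model of a thermostat with a set point variable, a sensor reading fed in on every scan, and two outputs wired to the heater and the air conditioner. The degrees Fahrenheit values, the one degree deadband, the operator-chosen set point range, and the toy room model are constructed assumptions for illustration. It also shows why the set point matters so much once something else can write it: the range check the text mentions limits what a write can do, but within that range whoever writes the variable is driving the physical system.

```python
"""Added example: the thermostat control loop as a tiny simulated controller
(not code from the original course).

Assumptions (constructed for illustration): degrees Fahrenheit; a one degree
deadband around the set point before an output is switched on; the set point
is limited to an operator-chosen range, as the transcript mentions; and a toy
room model in which the room warms half a degree per scan on its own.
"""
from dataclasses import dataclass, field


@dataclass
class Thermostat:
    setpoint: float = 70.0
    min_setpoint: float = 60.0    # allowed range for the set point (assumption)
    max_setpoint: float = 80.0
    deadband: float = 1.0         # tolerance before switching an output (assumption)
    heater_on: bool = False       # digital output wired to the furnace
    ac_on: bool = False           # digital output wired to the air conditioner
    history: list = field(default_factory=list)

    def write_setpoint(self, value: float) -> float:
        """Store a requested set point, clamped to the allowed range.
        Returns the value actually stored."""
        self.setpoint = min(max(value, self.min_setpoint), self.max_setpoint)
        return self.setpoint

    def scan(self, temperature: float) -> tuple:
        """One pass of the control loop: read the sensor, compare with the
        set point, drive the outputs. Returns (heater_on, ac_on)."""
        # switch an output off once the room is back at the set point
        if self.ac_on and temperature <= self.setpoint:
            self.ac_on = False
        if self.heater_on and temperature >= self.setpoint:
            self.heater_on = False
        # switch an output on once the reading has left the deadband
        if temperature > self.setpoint + self.deadband:
            self.ac_on, self.heater_on = True, False
        elif temperature < self.setpoint - self.deadband:
            self.heater_on, self.ac_on = True, False
        self.history.append((temperature, self.setpoint, self.heater_on, self.ac_on))
        return self.heater_on, self.ac_on


def run_room(t: Thermostat, start_temp: float, scans: int,
             drift: float = 0.5, ac_rate: float = -1.5, heat_rate: float = 1.5) -> list:
    """Toy physical model (assumption): each scan the room warms by `drift`,
    the air conditioner adds `ac_rate` (negative) and the heater adds
    `heat_rate`. Returns the room temperature after each scan."""
    temp = start_temp
    temps = []
    for _ in range(scans):
        heater, ac = t.scan(temp)
        temp += drift + (ac_rate if ac else 0.0) + (heat_rate if heater else 0.0)
        temps.append(round(temp, 1))
    return temps


def ac_run_time(t: Thermostat) -> int:
    """Number of scans during which the air conditioner output was on."""
    return sum(1 for _, _, _, ac in t.history if ac)


if __name__ == "__main__":
    normal = Thermostat()
    print("set point 70:", run_room(normal, 70.0, 10))
    # someone who can reach the device writes the set point variable; the
    # range check caps the write, but the room is still driven to the bottom
    # of the allowed range and the air conditioner runs far longer
    hijacked = Thermostat()
    print("stored set point after writing 40:", hijacked.write_setpoint(40.0))
    print("set point 60:", run_room(hijacked, 70.0, 12))
    print("AC scans, normal vs hijacked:", ac_run_time(normal), ac_run_time(hijacked))
```

Each call to scan() is one trip around the loop: switch an output off once the room is back at the set point, switch one on once the reading has left the deadband. run_room() replays that loop against the toy room so you can watch the temperature settle around 70°, and what happens when the set point is written to 40 and clamped to 60: the air conditioner stays on for ten scans instead of three.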
So when we talk about having operational technology, and we have this thermostat, is there risk associated even with the thermostat? There is, believe it or not. And again, it doesn't matter if it's a thermostat that we're going to use to control the air conditioner that I have at home, or if it's a PLC that I'm using to control, let's say, part of a power plant. The real risk starts to come when I take that asset, that system, and then I give it an IP address, because when I give it an IP address it can start to talk with other systems. And maybe it's not TCP/IP; if you put it on any network and give it any networking protocol and allow it to start talking with other systems, there's a danger. When you use IP, or TCP/IP, it makes it a billion times worse, because not only is it communicating with all the other assets on the local network over IP, but if there's internet connectivity anywhere, TCP/IP is also the protocol, the language, we use to communicate over the internet. So not only is that thermostat, in this case, exposed to the local network, but it's also potentially exposed to the internet.

Here in the example, if I do give that thermostat an IP address, it can talk with all the other hosts on my local subnet, and maybe there's my laptop and the Wi-Fi access point and printer, and maybe that's a gaming laptop. I'm not sure I have a server at home; I'm not that hardcore nerdy anymore, I used to be. So we have the thermostat that can connect and potentially talk with all these other assets. Now, by default, does it? No. But it could, because it has an IP address and, again, it's just another computer essentially: processor, memory, it makes calculations, it's programmed. It doesn't have a lot of storage space; it's not designed to do things like work with Excel spreadsheets and Word documents. But for the most part it's just another computer on the network, and it's communicating. That's where we start to see more risk, because of course all of our homes are essentially going to be connected to the internet, and the attackers are sitting out there on the internet just waiting. So what if the attacker comes in and is able to gain access to one of the internal hosts on your network? Well, then they would have access not only to that host but to all the other hosts or systems on the network, including that thermostat. Sure, in this example it's an attacker that might turn on your air conditioner and turn it down really low to run up your electric bill. Is there any true risk or danger there? No. But what could they do in other types of OT environments, like a manufacturing plant, or, when we think of more industrial-strength environments, like a power plant? What would an attacker do if they gained access and could touch and control that asset? Because if you can control that asset, then you can control those physical systems that the asset is connected to. That's the concern, because then is that going to introduce some type of safety issue? Is the safety of our people at the site, and of the public in the area or the vicinity of that site, in danger?

We can also think, yes, we want to make sure that the plant or that site stays up and running and does what it's designed to do, of course, but ultimately our number one priority is physical safety, followed by environmental safety, like we mentioned in the first part of the course, and then followed by the availability of the
plant.

So we've touched on these when we talk about the difference between IT, where we think of traditional systems like laptops or workstations or servers, where we're sitting in the office environment doing our work in Excel spreadsheets and Word documents, like we just mentioned. The idea is that those types of IT assets have a lot of storage space: we're storing large documents and spreadsheets, and we have applications that are storing large amounts of data. When you talk about operational technology, they're not storing large amounts of data. In fact, they're processing very small amounts of data: bringing in, let's say, data from a sensor, determining what that value is, and then determining if there's any other action to be taken as that value changes. It's very, very small amounts of data that's actually brought in and processed, and we'll actually look behind the scenes at what some of that data looks like in the next section.

So we have IT, and we have OT that allows us to control different physical systems in the world, and then the difference between OT and ICS is just a matter of, really, the size and scope of the environment. The assets realistically do the exact same job. If I have that thermostat, it could actually also be hooked up to, let's say, part of a power plant, and it literally could be the same asset; it's just that one controls a home air conditioner and one controls, let's say, a turbine in a power plant environment. It's actually interesting, and we'll see some cases as we go throughout the course, that this is where attackers actually get stuck, and it's a big hang-up for them when they're trying to break into control system environments: as they, let's say, gain access to an OT asset like a PLC, they don't know what it's connected to on the other side. There have been instances where hackers and activists have broken in; there was an activist group that had broken into what they thought was a water treatment facility in Israel. Well, it turned out that, yes, it was a water treatment facility in Israel, but it was basically for a swimming pool at a hotel. It was not for the drinking water of tens of thousands or hundreds of thousands of people, but they didn't realize that. That's where it's difficult for attackers to really know, at least initially, what type of environment they're in by only looking at it from certain aspects. So, I'm jumping ahead, but that gives you something to keep in the back of your mind, because that's really the biggest hurdle for attackers: when they get into the OT environment, they have to map it out, they have to figure out the different systems and what's connected to what, and how these different processes work, and how to reverse engineer them, before they could even begin to think of doing damage. And that is not something that is easy at all. It is not trivial. So that's definitely something we'll circle back on.

But again, you can see the last note here: we say ICS, OT, or even Control Systems, because that's the term we use at Fluor in my day job, and we'll say those things all interchangeably. So yes, there are some slight differences between OT and ICS, but for the rest of this course, if I say OT or ICS or control systems, it all means the same thing: we have, essentially, computers that are used to control physical systems or assets in the real
world.

Now, I did want to throw out real quickly the idea of the Internet of Things, because this does come up in different conversations. The Internet of Things has, let's say for now, technically nothing to do with ICS or OT. The idea is that an IoT device is usually referred to as a consumer device, something that we're going to have at home. I have an Amazon Alexa with a video screen, so I can ask her what time it is, she can show me menus as I'm cooking in the kitchen, I can play a movie on it, which is usually what I do. But the idea is that the asset itself does not have a lot of computing power, let alone the functionality it needs to do its job. For that consumer device to be able to function, it has to take data and send it to a server farm out on the internet, in the cloud, to be processed, to have those numbers crunched, and then to have the appropriate responses sent back down to the device so the device knows how to respond. So if I ask it to play a copy of The Matrix, it first has to send out my recorded voice to understand what I'm asking it to do, and then, once it understands that I'm asking it to play The Matrix, it has to of course stream the movie. None of that is stored locally on the device. So these devices, as they mention, have very limited capability themselves; their capability comes from these huge server farms in the cloud. They have to have internet access to be able to function: no internet access, your IoT devices do not function. That's kind of the pure definition of IoT, and I know there are some slight differences, and this is just very general and high level, but for now think of it that way, because we're also going to come back and talk about the Industrial Internet of Things, which then starts making things even a little bit more confusing, and definitely less secure. So we'll talk about
that another question that comes up when
we talk about differences in terminology, and this was one that was more popular five or ten years ago. I remember, especially when I first got into OT cyber security, or ICS cyber security, because nobody really used the term OT back then, that everybody used to say ICS or SCADA, and I wondered what the difference was. I remember when Rob Lee first explained it, I thought, that makes complete sense: he said that ICS is how a LAN works in IT, and SCADA is how a WAN works in IT. So if you have an IT background, or if you're familiar with the concepts of LAN versus WAN, the idea is that we refer to all the systems in an OT or control system network as ICS if they're all at the same physical location. If they are spread out over a geographical region, if there's some type of distance where we have to communicate over a WAN link, something like 5G or satellite, that's referred to as SCADA.

So remember: if all the systems are located at one physical location, like maybe a single power plant, that's considered ICS. If you have systems spread out, say I'm doing power transmission and I'm sending electricity out over the lines for miles and miles, then along those transmission lines I have different substations, I have control systems at those substations, and I communicate with those substations over some type of wide area link like 5G or satellite. In that instance, those are considered SCADA. So remember: ICS is all local; if they're communicating remotely, that's SCADA.

We'll come back and talk about the expansion, supervisory control and data acquisition, but ultimately that's what we're doing with control systems in general: we have an asset that goes out and pulls information from a system to understand how it's operating (data acquisition), then it displays it to us in some fashion, and then we can use that information to determine if we need to make a change, and if we do, we make that change (control). I know it's high level and oversimplified, but really, that's it at the end of the day, and we do the same thing with ICS. SCADA is not anything special; SCADA is just WAN versus LAN, or remote versus local.

And here's an example. Again, ICS is all local, like maybe in our house; in this case that's my idea of a PLC at 192.168.1.1 controlling other assets locally, and there's an HMI at 192.168.1.10, which is essentially a control system asset with a video screen that you can interact with. Versus SCADA, where maybe we have three different sites set up in three different cities that are connected over some type of wide area link, maybe even just regular old internet connections. The idea is that they're in completely different cities, connected over some type of wide area link. That's SCADA.

Now, one of the terms that I first
heard when I got into OT was this idea of owners and operators. It probably makes sense when you think about it, but it was new to me and I didn't know 100% what exactly it meant, so I wanted to make sure I included it here. An asset owner is essentially the company that owns the facility. I remember the first real project I worked on where I actually went on site: it was a power plant that Fluor had built for Dominion Energy. In that case, Dominion Energy was the owner, the asset owner, for that facility. Then you also have a group of people who are responsible for running that facility. A lot of times the owner and the operator are the same company; at that Dominion Energy power plant, Dominion Energy employees ran the facility, so not only were they the operators, they also owned the facility. Dominion Energy is the owner and operator for that power station. Some owners don't want that responsibility, for whatever reason, and so they hire an outside party to operate the facility for them. Fluor actually does some operations work in different types of environments, including nuclear facilities. That's the idea when you hear of asset owners and operators.

I'll talk about owners and operators as we go throughout the course, especially when you think of the leadership of the environment, because a lot of what we do from a cyber security perspective is working with that leadership to help them understand the cyber security risk in the environment and how best to protect against the different threats and risks we have there. We want to limit that risk as much as possible, so we have to help them understand how to do that, especially in a way where they're going to give us the budget to do it. So that's owners and operators.

So the next section, and I
wanted to mention this. I included this in this part because I wanted to highlight, when we talk about the difference between OT and ICS, that OT is the general term we use for computers or systems that control physical systems out in the real world, and ICS is the industrial-strength version of that. When I think of industrial strength, my mind goes to critical infrastructure. Critical infrastructure sectors are defined by your country's government. These are the 16 critical infrastructure sectors as defined by the United States government. They're looking at adding number 17, which would be space, covering security for space in general and especially things like satellites and communications, as its own critical infrastructure sector. I was talking with somebody from India not long ago, and the government of India had just designated healthcare as critical infrastructure for the country. So there's definite additional oversight, and there could be additional requirements and regulations, for different critical infrastructure sectors.

We still don't see a lot of regulation in the United States, though. The main regulation in ICS or OT that we see in the United States, which we mentioned a little bit earlier, is NERC CIP, which governs how power transmission and power generation facilities work in the United States and Canada. There are a few others that we'll talk about; there's some additional guidance and regulation from the Transportation Security Administration, or TSA, in the United States around pipeline operators and railway operators since the Colonial Pipeline incident. But those are the main ones, and that's about it. There are some general requirements that we'll get into in other areas, but for true cyber security regulations there's just not a lot in the United States. We'll talk more about that, and why that is, a little bit later on.

Anyway, I jumped ahead and digressed, because I just wanted to go through the different critical infrastructure sectors to give you an idea. When they talk about things like the chemical industry, think of the example I was talking about earlier where we have a chemical refinery that's producing some type of product that we're going to package and then turn around and sell, even if it's just something like glass cleaner. Chemicals play a very important part in society, and that's really what critical infrastructure is about: what part do they play in society and in our daily lives? Yes, we could all live without glass cleaner if we absolutely had to, but there are other chemicals that we use on a daily basis; just think of something like pesticide, which we use for spraying the fields in agriculture, which we use to feed people. So you'll see there's a lot of
interconnectedness between the sectors as well. Commercial facilities is an interesting one; this is pretty much anywhere large groups can gather in public, so a sports arena like you can see here, or a shopping mall, would be considered a commercial facility. Of course, different protections come to mind there; we're probably less concerned about cyber attacks creating physical safety issues in these types of environments than at, say, a chemical facility. Communications is important; it provides essentially the foundation for society these days. When we talk about what we would do if we lost the internet, society would simply cease to function. I think even if we had power, we'd still probably cease to function if we had no internet connectivity, if we weren't able to communicate and our phones no longer worked, if we weren't able to text or get onto social media.

Critical manufacturing: here we're not talking about just creating widgets, or maybe the glass cleaner. I think of how Fluor designed and built the largest insulin manufacturing plant in the world. That would be considered critical manufacturing, because if that facility went down, there'd be a supply shortage of insulin that people with diabetes need to live their lives, so there's definitely an impact there. So there are different types of manufacturing, and when we talk about critical infrastructure we mean critical manufacturing. Dams are actually set up as their own critical infrastructure sector. It's another one where not a lot of risk is usually associated with dams from a cyber security perspective, but there could be; we'll actually talk about a few dam-related stories. There's the defense industrial base, which is essentially companies that act as contractors to the United States government. Fluor, where I work in my day job, is part of it: about 15% of our company acts as a government contractor, so we run some national labs for the United States government, we were a big part of different efforts in Afghanistan and Iraq and many other efforts we do for the US, so we would definitely be considered part of the defense industrial base. We look at emergency services, so
police, fire, and other first responders like EMS and paramedics, who would also fall under critical infrastructure. Energy is probably the most important critical infrastructure sector. It gets the most attention, I think, because so many of the other sectors need electricity to run and operate; without power, they essentially don't exist, and I think that's why energy gets as much attention as it does. I don't think there's any other sector that gets even a hundredth of the attention that energy does. It's also why, especially in the United States and Canada, we have NERC CIP, the cyber security requirements for energy generation and transmission. We have financial services, so I think of banks, stock markets, and such; it's definitely an important part of the economy and of any nation's overall security. We already mentioned food and agriculture a little bit earlier: we need to make sure we have not only things like pesticides from the chemical sector, but also water to irrigate the fields, and electricity to deliver different services, like water, in some cases. There's government facilities, and then of course healthcare as well.

The final four that we're going to talk about: there's information technology; for me, I immediately think of data centers, which is why I included this picture, the large data centers that host essentially all the cloud functionality we all need in our daily lives to be able to operate. There's nuclear reactors; they break out traditional energy from nuclear because there are definitely a lot of additional considerations, especially safety considerations, when we move into nuclear. With nuclear reactors we of course have to be able to store nuclear material safely, before we use it and afterward when it's waste, so how we do this securely is a big part of the conversation there. I've jumped around a bit, but we mentioned water: everything from agriculture to drinking water, the water coming out of our tap every day, a lot of things that we take for granted. And then, you know, transportation
systems as well, so rail. I get to do a lot of work in rail these days, which is really fun and exciting; it's just a different type of OT environment, a different critical infrastructure sector. The intent behind critical infrastructure sectors is that these are services we need in our daily lives. We've come to rely on them, and the vast majority of people take them for granted every day; I still do, even though I try not to. But when I first started to get into OT cyber security and started asking questions like, how does cyber security work at a power plant, it gets into those questions that we started to touch on a little bit earlier: what happens if that power plant goes down for a couple of hours? Okay, we can live without power for a couple of hours, not a problem. But what if it's a day, or a couple of days? That's a big difference, let alone a couple of days becoming a week or a couple of weeks. Then you start to think of how the impact can grow exponentially the longer we no longer have access to that facility, or whatever that facility is designed to generate for us. So what happens if we lose healthcare, or drinking water, or our data centers in the cloud? That's where we get into Walking Dead territory and the breakdown of civilization.

Again, I did want to include the critical infrastructure sectors to highlight, especially when we get into these conversations of OT versus ICS, what we really mean by industrial. These are some examples of true industrial environments; anything in critical infrastructure would be considered industrial, or industrial strength. Hopefully that helps, and we'll talk about it more as we go throughout the course, with some other examples to help it sink in.

So let's talk about cyber security
in the OT world. It's interesting, because it can mean different things to different people, but when we think of an OT network, again we're going to use the main example in this course of a power plant. That power plant has computers, those computers are networked, communicating amongst each other, and those computers are used to control the power plant that generates the electricity the world around it depends on. So it's very similar to cyber security in IT, where we're trying to protect the environment against hackers and against compromise; in this case we're trying to protect the power plant against an attacker or compromise. Again, it can be different things that we're protecting against, because in IT we're usually worried about an attacker coming in and stealing our data, versus an attacker coming in and turning off the power or potentially blowing up the facility, which would be the worst-case scenario.

In OT environments this is where we talk about the different types of assets, which is a very fascinating world these days, because you have traditional OT assets like programmable logic controllers (PLCs), HMIs (human-machine interfaces), and data historians, but then you also have these other computers that look like and are just like the traditional IT assets we have: laptops running Windows and servers running Windows, which are used for data historians and engineering workstations. We could have other laptops that technicians use to do maintenance, or tablets, probably running Windows, maybe sitting in the plant on Wi-Fi. So there are a lot of different attack vectors from a cyber perspective any time we have computers, especially when those computers are networked together. That's where we go back to where the real risk is today: not only do we have these computers in the OT environment networked over TCP/IP, but they're probably connected to the IT network in some way, shape, or form over TCP/IP, which in turn is connected to the internet over TCP/IP. So our OT network is probably connected to the internet in some way, whether we realize it or not.

We mentioned cyber attacks can have
very real-world consequences, in OT and in IT as well. I don't want my company getting compromised and being shut down for ten days to where people are going to lose jobs; that's the last thing I would want. But the consequences are much more serious when we talk about OT environments. What if that power plant went offline for three months? What would be the impact to society? What if that largest manufacturing facility for insulin was offline for six months? What would the impact be? There are much stronger consequences in the OT world, especially when we talk about critical infrastructure.

Now, one of the most overlooked aspects of cyber security, in the OT world and in IT, is physical security. Remember, if you can walk into an environment, whether it's a power plant or an office building, and you can touch an asset, you can almost always completely control it. There's some way to reset an admin password, or some switch you can use to gain access, or at the very least you can set it to factory defaults so that you have control over that asset and the real owners in the organization have lost control of it. So physical security is very important, and we'll talk a little more about it as we go throughout the course, but it is one of the most overlooked aspects of cyber security, because most cyber security people just don't think of it as their job or their responsibility. Again, if an attacker can get into an environment and touch the system, they can own it and do whatever they want. Or what if they can come in and just plug their laptop, maybe running something like Kali Linux, into your network and start scanning the network for hosts and vulnerabilities that they could exploit to take control over the network?

So we already started to
highlight the differences between IT and OT, and the differences between IT and OT cyber security. They're much different environments, and our goals are much different. Remember, in OT our primary concern is always ensuring the physical safety of on-site personnel, and sure, the general public that lives in the area, but above all we want to make sure everybody on site goes home at the end of the day. Then there's environmental safety: we want to make sure the environment in which the site sits is safe. And then we're concerned with the availability of the site, making sure it stays up and running and delivering what it was designed to do. If I have that power plant, I want to make sure the power plant stays up and running, generating electricity; if I'm concerned with a subway, I want to make sure the subway is moving people from point A to point B safely and on time. Those are the primary requirements in OT.

When we talk about IT cyber security, this is where we talk about CIA: confidentiality, integrity, and availability. With confidentiality, our main goal in IT cyber security is to prevent unauthorized disclosure of, or access to, our data. We want to make sure that an attacker, an unauthorized party, does not gain access to our information; that's our number one goal by far. We're also concerned with integrity, making sure an attacker doesn't come in and change information in some unauthorized fashion to something it shouldn't be. Think of the example: if I'm Amazon, I don't want somebody to come in and change the price of a $50 product to 5 cents and then allow somebody to buy a thousand of them. That would violate the integrity of the platform. And then availability: we want to make sure our systems stay up and running so the company can keep doing what the company does. A lot of people in IT cyber security, dirty little secret, don't really think of availability as their job, but when you think about it, the number one threat against IT and OT networks today is ransomware, and a significant part of ransomware's impact is availability. If it infects all of your IT and potentially all of your OT, at least the Windows-based assets in the OT network, it substantially impacts the availability of not only your IT network and your business but also the OT network, to where your OT environment is going to be shut down, it's going to be offline. And that is very much a cyber security responsibility.

In OT we talk about our
three primary concerns: physical safety, environmental safety, and then availability of the plant. Then we can talk about integrity. We want to make sure that attackers aren't able to come in and change or manipulate what we call process data. We're going to come back and talk about the different control processes, how we generate data, and how we store it on data historians; we don't want an attacker to be able to come in and change that data, whether it's on a control system asset or stored on a data historian. Now, for many OT environments integrity might not be a requirement or a concern, just like confidentiality: many OT environments don't necessarily have confidentiality concerns when it comes to their OT data. If I have a proprietary formula that I use to create, let's say, some type of special fuel, and only I have that formula, then confidentiality is definitely going to be very important for me, and we'll talk about how that factors into OT cyber security. But in a lot of OT environments, maybe in manufacturing, if someone were able to come in and steal the information that shows how many units of widgets they created for the day, they're probably not concerned with somebody having access to that information.

So one thing to think about, or focus on, is that every OT environment is different; every OT environment is unique. We can say every IT environment is different, but every IT environment is roughly the same, probably 95% the same as you go from IT environment to IT environment. OT environments are very different. So to truly understand what's important, you have to understand that environment, and you have to work with the owners and the operators to understand what makes that environment unique. That's a big part of what we're going to be talking about as we go throughout the course. So just keep that in mind: every OT environment is unique. We'll talk about some of those differences as we move along.

So the next part of the section,
let's talk about the different types of attackers targeting OT environments. I go back to the Colonial Pipeline breach that happened in 2021. Before Colonial Pipeline, the vast majority of the time, 99.99% of the time, we were worried about nation state adversaries: we were worried about Russia, about China, about the Americans or the North Koreans or the Iranians or the Israelis breaking into our OT environments, because it was only the nation states that had the capabilities and the desire to break into those environments, for whatever their motives were. We'll talk about some of those in a few minutes. But before Colonial Pipeline, before 2021, the vast majority of the time we were only worried about nation state attackers, or advanced persistent threats. So a lot of OT environments didn't worry about cyber security before 2021, because they didn't see themselves as targets of nation state actors, and that could have been true.

But today it's very different. With Colonial Pipeline, remember, it wasn't a nation state adversary that came into the OT network and took the United States' largest gasoline pipeline offline for ten days. It was a ransomware group, and the ransomware group wasn't targeting the pipeline; they were just sending out emails to everyone in the world to try to get someone to click on a link or open an attachment, infect their computer, and spread ransomware within the IT network at their company, so that the group could get paid a ransom and move on to make more money somewhere else. So when Colonial Pipeline happened, it was a watershed moment where all of a sudden you had all the different types of attackers out in the world realizing that they could target OT environments, that these environments weren't as mysterious as they were seen to be, that they're not anything necessarily special, and that they look very much like IT networks. In fact, as in the Colonial Pipeline example, you can infect all the IT systems and it will have an impact on the OT network. That's the idea of IT and OT convergence: how we allow those environments to talk to each other, because for the business and the environment to function, they need that communication. If part of that communication goes down, then so does your OT environment. That happens in a lot of examples we'll talk about. Recently, at the Port of Nagoya, which is the largest port in Japan, their IT environment became infected, just like at Colonial Pipeline; it went down, their communications went down, and with communications down, your OT network goes down: you can't have ships moving around, you can't coordinate things like the movement of containers, everything has to shut down. That's very true in a lot of OT environments: no communications, and everything has to shut down, most importantly for safety purposes.

So again, at Colonial Pipeline in 2021 it wasn't a nation state that took down the largest gasoline pipeline in the US; it was a ransomware group that didn't even know what they were doing. But since then, every type of attacker out there understands that they can target OT environments, and that again, it's not that difficult to have an impact. Now, to get into an environment and
have real control, or even to get to where you could cause some type of explosion or kill somebody, is extremely difficult, almost impossible, to pull off. But to have an impact where you shut down the environment, let's say for a week and a half like with Colonial Pipeline, that's easy to do. We've seen it multiple times, even just over the last year, in very large OT environments around the world. So now, not only do we still have to be concerned with nation state adversaries if we work in an environment that could potentially be a target, but we also worry about all the other hackers or attackers out there, like ransomware groups and hacktivists. The level of hacktivist activity these days is at an all-time high when we look at things like the current Russian invasion of Ukraine, or now the conflict between Israel and Palestine, not to mention the other hacktivist activity that we saw before that, including Iranian-aligned hacktivists targeting Israel. We'll talk about some of these others, like cyber mercenaries or lone wolves; I think especially of the nation state actors that retire. They get out of the military, and then what are they going to do? Are they going to go into cyber security and work for the forces of good, or are they going to go out on their own and keep doing what they were doing for their government, but for the forces of evil? And script kiddies is the term we use for anyone who doesn't have any cyber security knowledge or experience, but who can go online, download a free tool, play around with it, and maybe launch an attack against an asset that you might have accidentally exposed to the internet, and they might get lucky. That's the idea of a script kiddie. There are also a lot of people interested in hacking OT environments today; this has just exponentially ramped up even in the last few weeks, not just the last few months. So now, as we come to the close of the year (this is November 2023), I suspect that in another year it's just going to be off the charts; it'll be a completely different discussion when I re-record this for next year.

But keep in mind, up until about two and a half years ago we just worried about nation state actors, where now we have to worry about all the different types of attackers. Where that's partly important is that, up until recently, most owners and operators never thought their environments were targets: it's not going to happen to us, why bother, we don't have to invest in cyber security because no one wants into our environment, they don't want what we have. That's a big hurdle we have to get over when working with these environments, helping them understand that we do need to implement cyber security, we do need to protect these environments, and that you are a target. You might not be a target for Russia or China or the Americans, but you're a target for hacktivists or ransomware groups; everybody's a target of ransomware groups. So just keep that in mind: the number of attackers has just exponentially gone up over the last couple of years.

Now we'll start to see, and this is
my
abbreviated version of OT cyber security
history or some of the big events that
have you know impacted OT networks over
the
years there's a lot more there's
probably 20 or 30 I could probably we
talk about but since you we only have so
much time I did want to at least make
sure to hit the the
highlights and so when we talk about for
me the first one I thought was of the
most interest even though some of these
can go back literally to the I think
1970s but we look at SQL Slammer was a
worm or virus that was designed to
infect Microsoft SQL Server which is
an application that runs on Microsoft
Windows it's a it's a database
application and so if you didn't have
your database server patched and it was
connected to the
internet other infected systems would
hit it and then it would in turn become
infected and then it would try to spread
to other systems and infect those right
that's the idea of a worm it it
self-replicates by infecting other hosts
which then in turn infect other
vulnerable hosts and so on and so
forth and so it's what we call it's
built for a Windows based application or
operating system so it's what we call
commodity malware right it's a operating
system or application we see in every it
environment out there
everywhere we did not typically see them
as much in OT networks back then most
definitely today and we did see some and
obviously in this case they had a data
historian running Windows and SQL server
in the Davis-Besse plant right and
windows and and SQL servers the most
popular combination you see for data
historians where we store processed data
the data about what's happening inside
the plant come back and talk more about
that but in this case right we had
inside a power plant at Davis-Besse the
data historian had gotten infected with
this
commodity malware that was running
around the internet and the the big
kicker is Davis-Besse was a nuclear
power plant and so with nuclear power
plants this is where we talk about the
idea that nuclear environments are air
gapped the idea is that an air gapped
environment means that it is not
connected to any network at all not the
internet not a contractor network not a
remote vendor Network nothing there are
no network connections to anything
outside of the local
plant well then how did this worm from
the internet get into this nuclear power
plant that was supposedly air gapped
well obviously it was not air gapped
this is why you always hear a lot of
people talk about in OT there is no such
thing as an air gap because even if you
think you are you're
not in the case of Davis-Besse the one
of the contractors I think it was the
one that was responsible for running the
data historian they ran a T1 line they
ran a data line from the inside the
power plant to their office so when
their office which was connected to the
internet became infected with SQL
Slammer the worm came in over that T1
over the power plant and infected the
data historian and I think one or two
other systems so they had to take them
offline I don't think they actually had
to take off the take the plant offline
they just had to take a couple Systems
off off line for I think six seven or
eight hours rebuild them and they were
good to go so there were there were no
no safety issues there were no
availability or production issues
but I still find it absolutely
fascinating because we had a nuclear
power plant impacted by commodity
malware running around the internet
right that should never happen but
obviously it did and that was 20 years
ago and unfortunately we still see the
same thing happening 20 years
later so Conficker which was a very
similar uh worm running around the
internet like SQL Slammer so you can see
in 2009 so that that happened as well
again I'm still very fascinated when you
have commodity malware designed for
Windows environments that's infecting OT
networks from over the internet right it
should not happen but it does it does
when we have poor cyber security
controls so we'll talk about in part
four right how do we protect against the
impact of SQL Slammer and Conficker and
other commodity
malware now 2010 this this was the big
Watershed movement and it was for me
because at that point I had already been
working in it cyber security for the
better part of what 15 20 years but I
had never really and I quite sure I had
thought a little bit about OT cyber
security and I had heard about it a
little
bit but at the same time it it wasn't on
my
radar and then Stuxnet happened and I
was just in awe
of the wonder right the technological
Marvel that that Stuxnet
was and still is
today and the idea is with Stuxnet you
know the United States government along
with the Israelis created Stuxnet to target
the Iranian nuclear program right their
nuclear arms
program and that back in the the Bush
Administration the ideas was well we can
drop physical bombs on this Natanz facility
where the Iranians had their nuclear
enrichment centrifuges right they would
enrich the uranium for to be able to
build nuclear
bombs and so they could drop the bombs
on the facility and potentially kill
innocent civilians and scientists or
well what if we create a piece of
malware that can go in and destroy the
centrifuges behind the scenes and nobody
knew it so nobody would die but we would
still destroy the centrifuges which
would still set back the Iranians in
Ambitions for nuclear weapons for you
know 5 6 7 8 9 10
years so the United States and Israelis
built Stuxnet and Stuxnet was still
a technological Marvel for many reasons
but one of the things that it had done
was once it was brought into the
environment that not only did it you
move across Windows machines kind of
rather blindly because it wasn't being
remotely controlled because the
environment was air
gapped but once it was on the Windows
systems it found the controllers the
actual OT systems that were responsible
for controlling the centrifuges right
turning them on turning them off
spinning them up and making sure that
they spin at the the proper
speed I know I'm oversimplifying it but
you get the
idea and
so it would take control over these
controllers
and couple things that it did one was it
would record the Telemetry data of how
the centrifuges would normally operate
so what does a centrifuge look like when
it's operating
normally so that way when Stuxnet
started to tried to physically break
down the centrifuges by spinning them up and
spinning them down and spinning them up
and spinning them down right it's using
physics against the the the assets
themselves right they would just
physically break down over
time what it would do was it made it
appear to the people sitting in the
control room that everything was fine so
people are sitting in the control room
watching a big screen with lights for
all the the centrifuges and all the
lights said oh everything's
good but behind the scenes the
centrifuges are spinning up and spinning
down and spinning up and spinning down
they're breaking down and they couldn't
figure out what was going on for months
and
months I still not sure people weren't
you know either going to jail or
potentially executed for for not
figuring this out in Iran
but I should laugh about
that
but so you have the operators in the
control room sitting there watching the
control screen and everything's
good but really behind the scenes right
everything's breaking down so that's
what we call a loss of visibility from a
cyber security perspective in OT we
can't see what's going on we think we
can but we can't it's like in the the
heist movies like I always think of you
like in Oceans 11 or other heist movies
where the thieves break into an
environment they tape right the the
video segment of um you know
CCTV and then they play it back so the
security guard who was watching the the
playback or the screen right everything
looks fine but behind the scenes right
the thieves are probably in the van The
Vault stealing the
money so it's the same thing Stuxnet
actually did that right it recorded the
telemetry of how the centrifuges normally work
and played that back for the operators
so that way everything in the control
room looked perfectly fine when it
wasn't that was one of the beautiful
things about it but again it violated
right that that loss of
visibility and then there was also an
idea I think a loss of control right
because well we didn't even know
anything was wrong but if we did would
we even be able to make a change or
control those
centrifuges but the main focus there was that
that loss of visibility so we'll come
back and talk more about loss of
visibility and and loss of control but
high level that's that's Stuxnet
and that's what got me interested
into OT cyber security and started
asking you know a lot more
questions so we'll talk more about that
as as we go on so in 2015 so you see it
was five years I mean there again
there's some other things that happen
but not really any big events so in 2015
this is where the Russians
had gone in and turned off the power for
the ukrainians and so I should go back
to Stuxnet because this is one aspect
that we didn't talk about was this was
the first known case of you know one
nation state attacking another station
nation state with a cyber weapon and so
at the time it was really seen as
Crossing the Rubicon right or or the
idea that it was the the point of no
return because you had the Americans and
Israelis launch this against Iran I
think it was pretty obvious at the time
who the attackers were because of who
the target was and then you had other
nation states like Russia and China now
that you realize well the Americans and
Israelis can attack Iran and nothing
happens to them so okay well we'll do
that too and they also realized that wow
Stuxnet really was impressive and they
really needed to step up their
game think those were the the two big
things that
happened that's just me right I I was
not in the military or nor the
government so I'm sure there are a lot
of other layers there as well
but so Stuxnet was this first known case of
a cyber weapon used You by One Nation
State against another nation
state so then fast forward 2015 and this
is where the Russians had designed ICS
specific malware to go into a Ukrainian
power generation a power
plant and essentially infected a Windows
machine that was used to control the
breakers for power and got onto the Windows
machine and used it to flip the breakers
off literally just turn the breakers off
turn the power off and then they wiped
the the machine so it had to be rebuilt
if you're going to try to turn the power
on again using the
computer but they did this they turned
the power off in the middle of the night
in the middle of winter in Kiev for you
hundreds of thousands of people and I
can only imagine what it was like being
if I was a father with little kids or
you know in the middle of winter in the
middle you know that's that would be
very concerning to say the
least but the ukrainians did recover
they actually fell back to manual
operations which means right instead of
being able to use computers to control
the the power generation and and
transmission they have to send people
out into the to the side and into the
field to manually flip Breakers so it's
not ideal right it's there's danger
there's risk that's you know associated
with that but at the same time they got
power back on after like six or seven
or eight hours and they ran on manual
operations I think the story goes by for
about six months before they were
comfortable enough to go back to
computer computerized
operations in 2016
the the Russians did the same thing to
the
ukrainians a year to to the date
essentially um slightly different uh
entity um so it wasn't the same uh Power
Generation facility but when in and turn
the power off you know less less people
you know same idea they went back to
manual operations but in the middle of
the night in the middle of winter just
to just to prove that they could do
it and allegedly maybe I heard you know
that maybe it happened also in 2017 as
well but it was much smaller scale and
nobody really wanted to talk about it
because it was such smaller scale and
that didn't want to make the ukrainians
look like oh it happened again so um
yeah definitely ukrainians have been an
understatement now these days I've
always said you know for the last
probably 15 or 20 years about Russians
picking on Ukraine obviously yeah vast
understatement these days with the
invasion
now in 2017 we also had what they call
the TRISIS or Triton
incident and so with the TRISIS incident
this is where the Russians had
compromised the SIS or the safety
instrumented systems of a petrochemical
facility run by Saudi Aramco in the Middle
East the Safety instrumented Systems
which we'll talk more about in the next
section but the idea is the SIS acts
as the fail-safe backup for your
facility so if there's ever any type of
fault
condition from an engineering or a cyber
perspective that could Impact Physical
safety or environmental safety or the
availability of the plant that the SIS
would shut down part of or the entire
facility to protect life and the
environment and and the plant
itself in the case of TRISIS that the
attackers had come in and they had taken
control they of the SIS well they had
taken control like
99.99% over the Triconex controllers
which is why it's called TRISIS by
Dragos and
that they had taken control like said 99
99% over control over the the
controllers and they had made one little
programming
mistake and because of that programming
mistake the SIS just crashed and then
the operators realized something was
wrong so they brought in the vendor the
vendor realized something else much
more nefarious was going on and
realized uh this this looks like a Cyber
attack you need to bring in you Dragos
and Mandiant and and other OT cyber
security companies to investigate which
is what happened so the interesting
thing was I was actually taking Rob Lee's
course at SANS the week this was
happening so as his you know as his team
was on the ground in the Middle East
doing this investigation and we were
kind of getting the the the play-by-play
of of what was happening which was
really fascinating and really
interesting so but I share a lot of his
stories that he shares openly with the
class there's some that he um didn't
share is openly so do obviously I don't
share out of respect but um you know
we'll definitely talk a lot about some
other you know really interesting Rob
stories but you can imagine it was
pretty fascinating to be able to kind of
get that play-by-play of what they were
finding as they were doing the TRISIS
incident uh response uh because and at
the time that I think everybody in the
OT cyber security Community was looking
at this is going to be the incident
that's going to make the world wake up
and they're going to understand that we
need to do something about securing our
OT environments from a cyber perspective
this is the one that's going to get us
all the budget and the support that we
need to secure our networks and it never
it never
happened but as rob you know likes to
focus on and he still talks about this
and a lot of his key notes and speeches
that he does and like when he goes to
talk in front of Congress and the United
States and other places like the world
economic forum and so he's you know well
on the global stage you know focus on
the only reason why an attacker would
take control over the SIS is to kill
somebody or this idea that it's you're
going to blow up the plan which in turn
is is going to kill
people you that's and so it's still a
very serious
scenario or incident that occurred and
it just it doesn't it's not taken as
seriously as it should be
unfortunately so since TRISIS a lot has
happened actually uh even in just the
last six months when I'm recording this
at the end of
2023 but we do mention 2021 right in May
was colonial
pipeline so Colonial Pipeline was an
incident where it did make a lot of people
in OT stand up and realize oh pay
attention right we need we need to do
something about cyber security which
which is amazing right so it was really
good um we still have a long way to go
and there still are some environments
out there that still have little to no
cyber security but many if not most
today are they're trying at least I
would say so they're not ignoring the
problem any longer which is
good so we talked a lot about Colonial
Pipeline and we'll talk about it some
more but for now uh 2022 you can see
also was interesting there's some other
things that happened as well but the big
one was PIPEDREAM that was discovered I
think this was ideally probably designed
by the Russian nation state or
contractor working for the nation state
as this automated framework for
targeting and compromising OT networks
so if you're if you're familiar in the
IT world with Metasploit which is a
automatic framework to essentially you
point and click in a way to take control
over it machines right if an IT machine
is vulnerable it allows you to pretty
easily take complete control over those
systems PIPEDREAM is kind of the OT
equivalent of Metasploit
at a high level uh it's really
fascinating it's really these three main
components to it and uh we'll talk a
little bit about it as we go throughout
the course but but definitely a
Fascinate I wish I could actually see
what it looks like but Dragos hasn't
shown any any screenshots maybe someone
has some somewhere but um really
fascinating they've done some
demonstrations of showing you know using
it to take over some mocked up uh OT you
know lab environments like you know kind
of a simulated I think like a water
treatment facility if I remember
remember right was one and and there was
a couple others that they had uh talked
about at Defcon last year but um so it's
one of those to just to highlight the
different types of attack tools that are
out there and that nation state
attackers are still out there and they
are creating these tools and yeah this
one is is really devastating because it
really makes it very easy for an
attacker to get into an OT environment
and essentially take full control of
over that environment and the processes
running in the facility there's still
some work that they have to do
undoubtedly but it makes it so much more
easier on them and and there's really
interesting aspects to we'll talk again
we'll talk about later as we get into
into the course
but so this is a slide though that the
marketing team at Fluor actually put
together and actually used it in one of
my presentations I did for the company
which is up on YouTube which I put on
the the link there in case anybody
interest interested so I talk about the
top 10 ways really the top five ways to
protect our OT
environments but the idea behind this
slide was that over time right and you
can see since 2010 there's been eight
known specific pieces of malware written
to Target control system environments
right they're not written for Windows
right they're not it's not commodity
malware it's you it's going to be a
nation state attacker with tremendous
resources writing malware that's
specifically designed to infect a
control
system
itself so we see Stuxnet back in 2010
and then over time you can see Havex in
2013 we talked about our Ukrainian
blackouts and so BlackEnergy 3 and
Industroyer which was also called Crash
Override so for all the hacker movie
fans out there uh we talked about TRISIS
right the safety instrumented system the
the fail safe
backup and then we see Industroyer 2
which was where the Russians had
deployed malware in the Ukraine prior to
the current Invasion to cause a blackout
the idea was that they were I think the
idea or the thought is that the Russians
were going to turn off the power just as
the Russian tanks were rolling into the
country to launch the the current
invasion
well thankfully I think the ukrainians
and the Americans and you know other
parties realized this was going to
happen because that's pretty typical for
the Russians over the years so they went
and found the malware where it was
implanted before The Invasion started
and they removed it so they essentially
got it out of the environment so there
was no uh blackout in the current
Invasion
or so we
thought so actually last week Mandiant
had announced and shared that there was
a different blackout in
2022 uh so just as Russia was dropping
bombs on critical infrastructure they
did use malware to turn off well actually
I misspoke they did not use malware but
the Russians did turn off the power
using computers they actually used what
they call living off the land technique
so they didn't have to design
any specific malware to break into those
specific types of systems actually we're
just using the commands and the
functionality already built into those
operating systems so whether it was
Windows and moving from it to OT and
moving across those windows machines and
then they moved into this actual OT
specific system called MicroSCADA that
was used to control essentially the
power and and they were able to use
those commands just to log in and and
turn the power off and then they wiped
the it environment again which is very
very Russian uh to
do but so there there was a power out it
so long story short um so there was
another piece of ICS malware in 2022
ended up not being used which was good
there still was a power outage uh but
didn't require ICS malware which has its
own other applications which we'll talk
about again later we talked about that
PIPEDREAM uh framework which is like
Metasploit in the IT world and then there was
also 2023 where we found COSMICENERGY
which was a probably a tool designed by
a Russian government contractor more as
a training
utility um in part of you know cyber
operations against you can see Power
Generation and and
transmission why I what I was trying to
highlight with this slide is that
there's only been eight known pieces of
specific ICS malware
in history that again that we know about
and the occurrences right as time goes
on they become more and more frequent
and the idea is that things are
escalating things are escal escalating
exponentially I think this is my
LinkedIn post for tomorrow because again
we've had more incidents and stories in
the last couple months let alone the
last couple weeks now a lot of them are
you know minor water treatment fac
facilities and pipelines that are
compromised and so the overall impact is
minimal but it's telling the
story that and it's just going to build
until unfortunately it's going to take
somebody dying or multiple people dying
before a lot more environments take it
as seriously as they should I hate
saying that but it's
true pisses me off for having to say it
honestly
but that's the kind of the point of this
slide right things are
escalating the need for cyber security
in OT is only escalating we cannot wait
our owners and operators cannot wait if
we want to ensure not only the safety of
the people at the facilities and in the
general public and the environment but
also you the availability of those
environments to make sure they continue
to do what they need to do
let's continue generating power and
let's continue moving the trains and our
mines dig gold out of the ground and our
hospitals still function and we're still
producing our our our glass
cleaner so the next part of the section
we're going to look at is it really it
kind of transitions to well how do we
start to protect our
environments so ISA
62443 is a
standard that was created by there's an
international group and we'll talk about
IEC and then ISA which is if you want
for now the American version of IEC
essentially right they came up with this
standard that helps explain how to
create a cyber security program for your
OT networks which we're going to and
we're going to talk about this and there
there are some other standards as well
so there's NIST
800-82 now this is a government SP
or is a entity in the United States
that's essentially sponsored by the
United States government so it's very
well regarded if you're in the United
States but maybe not so much if you're
in Russia or China or you know in other
countries so I think most people
internationally look at
62443 really as the standard for how do
we build a cyber security
program for OT versus NIST but they both
have their their positives and their
their negatives undoubtedly and we'll
talk about both of them as we go
throughout but if you want you can start
looking at isa.org which is a um
Association for of
Engineers that you can join I think it's
like
125 us uh a year now and you can gain
access to the standards by being a
member um and and access to to some
other resources that that are great
we'll also talk well we talked about the
certification courses that they have in
the first section as well and we'll talk
more we'll definitely be talking a lot
more about 62443 as we go throughout but
you know for now at least that it it's
out there and it's that standard or it's
that that guideline if you want well
technically it's a standard but you can
use it as a guideline or framework to
build a cyber security program for your
OT Network for your OT environment
now I also am a big fan you and I've
mentioned that I come from an IT cyber
security background I've been working in
it cyber security for 25
years and so when we look at how do we
build a cyber security program or how do
we protect our it networks one of the
really one of the best things that I
thought when it first came out was
called the critical security controls
that some of you might be familiar with
the idea is that the critical security
controls which was initially started by
the SANS
Institute basically came about by SANS
sending out you know a survey really to
a couple thousand cyber Security
Professionals and saying hey tell us
what you do to protect your network and
what you feel has the most impact to
reducing risk right what's going to have
the most
value in protecting your environment
don't tell me a hundred things tell me
like the top five or tell me the top 10
and tell me which ones of those right
which gives you the most value right the
idea is well what should I do
first and so they took all the the
responses back and they built out the
top 20 at the time critical security
controls and so the idea was you had
this
framework that had all these 20 controls
which is now down to
18 but you had this list of controls It
Was Written in really you know
straightforward easy to understand terms
even my 76-year-old mother could understand
it right so I was really impressed with
it from that perspective right so it's
really accessible and open to
people and then also it was a prioritize
list so you knew where to start and
where to go to next so if you had no
program today start at one and then go
to two and go to three or you you might
be working on one two and three all at
the same time and then you would go to 4
5 6 or as time and resources like
money permit you would you do do more
and more but the idea is that the number
one item would have the most benefit in
reducing risk in the network so you want
to start there and what you would often
see the nice thing is that the less
expensive controls were also the ones
that reduce risk the most which is
awesome that's why when you look at
something like penetration testing which
is usually always at the bottom it's
because will it help you reduce risk yes
but not a lot it's really expensive so
relatively speaking I'm going to invest
my money elsewhere because I
get more for my
dollar right it's much better investment
right that return on investment like I
want to spend my money where I get the
most reduction in Risk
first so I created a version of this for
OT this is part of that that webinar I
had done for the office that's where the
screenshot comes from actually slightly
updated these so I probably should
update this slide but and I have 20
controls but you can see 10
here a lot of what we're going to talk
about going through the course but is
emulates this cuz the number one control
which we've already talked about earlier
in this part was the best way to reduce
risk the vast majority of risk that you
have from a cyber security perspective
in your OT environment is secure network
architecture remember allow ot to send
data to it do not allow it to reach into
the OT Network though to get
it because if you do an attacker will
find that path and they'll use it
against you
if it is not allowed to talk with OT
you've just reduced the vast majority of
risk in the
environment not all of the risk but the
vast majority of
risk and Rob Lee has stressed that I've
talked with you know nation state
attackers from the American side of
course that also have they don't say
anything but like they'll nod or shake
their head to kind of indicate if I'm on
the right track or
not cuz I want to know well what's like
the one thing I can do that would really
you know either stop or deter or piss
off right a nation state attacker don't
allow it to talk with you know OT it's
as easy as that even though again it's
not as easy as that because you just
can't Implement that in every
environment
unfortunately but that's the idea of you
taking this approach okay I want a
simple list but I want to prioritize
list to where do I start and build it
from
there so to wrap up a couple of last
things and these are some great
resources that come from from Rob Lee so
one and this was all taken to
consideration when I created you know my
my format for the program there and this
goes back to they talk about the sliding
scale of cyber security and there's you
can see you can get the the paper from
Sans well worth and it's not a long read
but this idea that again let's look for
what controls we can Implement in the
environment what gives us the most risk
reduction right what's going to give us
the best benefit what's going to stop
the attackers more effectively than
anything else and let's start there
right so we start with secure network
architecture again we'll have an entire
section on
that and then build from there and then
we can talk about things like passive
defense right where we deploy things
like intrusion
detection and then active defense where
we have analysts that respond to
alerts and then we can invest in things
like cyber threat intelligence which can
help us reduce risk it's just very
expensive and then things like
offensive capabilities like penetration
testing again is there risk reduction
yes but it's not as much as the other
categories and it could be just as
expensive if not a lot more
expensive he's not saying don't do these
things it's just do these things last do
the basics first do the fundamentals
first to protect the
environment to reduce the risk as much
as possible and then we just keep
improving over time we just keep doing
more as time and money and other
resources allows us
to
and then here's a different look at that
we're building in the the cost right
because I always focus on where do I
bring value to the organization where do
I bring you know whether it's at Fluor
in my day job or with the other clients
I have outside of that or anything I do
right where's the value where am I
bringing value and if I have the choice
between doing two different things and
one brings a tremendous lot amount of
value and one brings a little amount of
value well I need to be focused on the
thing that brings the most
value and so that's you know kind of
this idea of looking at yeah where's the
return on investment let's focus on
those things that bring the most value
which means that bring us the most risk
reduction what's going to cause the most
trouble for the attackers again this is
where the beautiful thing in OT is we
talk about secure network architecture
brings the most risk reduction
and it also has the least amount of
cost so that's a win-win that's a
not I want to say it's an easy sell to
the owners and operators doesn't always
mean you're going to get budget but when
you can talk about the vast majority of
risk you can reduce by investing the
smallest amount possible as compared to
all these other types of
controls then yeah why not not that's a
pretty straightforward case to be able
to make and actually get some budget to
to be able to do some
things and I could talk a couple more
hours on that but with that we'll uh
we'll wrap up this section so that
wrapped up it was good you know two
solid hours for this part so I
appreciate everybody for tuning in uh if
you did like this if you can do me a
favor and like it on YouTube or
subscribe I would appreciate it gives me
a little bit better understanding of how
people are taking it and I will see you
uh shortly for part three all right take
care
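The one control the lecture keeps returning to is a network architecture in which OT may send data up to IT but IT is never allowed to reach into OT. As an added example that is not part of the transcript or the speaker's material, the Python below lints a proposed firewall rule table against that direction-of-initiation policy and then shows which sample connection attempts a hardened table would still permit. The zone ranges (10.10.0.0/16 for IT, 10.20.0.0/24 for an OT DMZ, 10.30.0.0/16 for OT), the rule names and the flow records are all constructed for the example; the DMZ replica of a SQL Server historian on TCP 1433 is an assumed design, not one taken from the lecture.

```python
# Added example, not from the transcript: lint a rule table against the
# "OT pushes to IT, IT never initiates into OT" policy. All addresses,
# rule names and flow records below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical zone addressing (an assumption of this example).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT_DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}

# Who may open a connection to whom. ("IT", "OT") is deliberately absent:
# that is the path the lecture says an attacker will find and use.
ALLOWED_INITIATIONS = {
    ("OT", "OT_DMZ"),   # historian pushes its data outward to a DMZ replica
    ("OT_DMZ", "IT"),   # the DMZ forwards toward the enterprise side
    ("IT", "OT_DMZ"),   # IT reads the DMZ copy but gets no further
    ("IT", "IT"),
    ("OT", "OT"),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR of permitted initiators
    dst: str     # CIDR of permitted responders
    dport: int   # TCP destination port


def zone_of(target: str) -> Optional[str]:
    """Zone containing a host address or a CIDR block; None if outside every zone."""
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        return next((n for n, z in ZONES.items() if net.subnet_of(z)), None)
    addr = ipaddress.ip_address(target)
    return next((n for n, z in ZONES.items() if addr in z), None)


def lint_rules(rules):
    """Flag rules whose initiator zone may not talk into the responder zone.
    Addresses outside every zone are flagged too: an unaccounted-for range is
    exactly the kind of forgotten contractor line the lecture describes."""
    findings = []
    for r in rules:
        s, d = zone_of(r.src), zone_of(r.dst)
        if s is None or d is None:
            findings.append((r.name, f"address outside any defined zone: {r.src} -> {r.dst}"))
        elif (s, d) not in ALLOWED_INITIATIONS:
            findings.append((r.name, f"{s} must not initiate into {d}"))
    return findings


def harden(rules):
    """Return the rule table with every rule lint_rules objects to removed."""
    bad = {name for name, _ in lint_rules(rules)}
    return [r for r in rules if r.name not in bad]


def evaluate_flows(rules, flow_lines):
    """Decide connection attempts written as 'src,dst,dport' (initiator first)
    against the rule table: first matching rule wins, otherwise DENY."""
    decisions = []
    for line in flow_lines:
        src, dst, dport = line.split(",")
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        matched = next((r.name for r in rules
                        if src_ip in ipaddress.ip_network(r.src, strict=False)
                        and dst_ip in ipaddress.ip_network(r.dst, strict=False)
                        and r.dport == port), None)
        decisions.append((line, matched or "DENY"))
    return decisions


# Constructed rule table: two sound rules and two of the mistakes the lecture warns about.
PROPOSED_RULES = [
    Rule("historian-push", "10.30.5.10/32", "10.20.0.5/32", 1433),            # OT -> DMZ
    Rule("it-reads-dmz-replica", "10.10.0.0/16", "10.20.0.5/32", 1433),       # IT -> DMZ
    Rule("it-helpdesk-rdp-to-ot", "10.10.0.0/16", "10.30.0.0/16", 3389),      # IT -> OT: forbidden
    Rule("vendor-line-to-historian", "203.0.113.0/24", "10.30.5.10/32", 1433),  # unzoned range
]

# Constructed connection attempts, one exercising each proposed rule.
SAMPLE_FLOWS = [
    "10.30.5.10,10.20.0.5,1433",
    "10.10.4.22,10.20.0.5,1433",
    "10.10.4.22,10.30.5.10,3389",
    "203.0.113.7,10.30.5.10,1433",
]

if __name__ == "__main__":
    for name, reason in lint_rules(PROPOSED_RULES):
        print(f"REJECT {name}: {reason}")
    for flow, decision in evaluate_flows(harden(PROPOSED_RULES), SAMPLE_FLOWS):
        print(f"{flow:32} -> {decision}")
```

Run as a script it rejects the two offending rules and then shows that, with the hardened table, only the historian push and the IT read of the DMZ replica are permitted; the RDP attempt from IT into OT and the unzoned vendor range fall through to the default deny.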
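The Stuxnet part of the lecture describes a loss of visibility: the control room screen shows recorded "normal" telemetry while the centrifuges are actually being driven up and down. As an added example, not from the transcript or the speaker, the Python below shows two defender-side checks against that failure mode: comparing what the HMI reports with an independent measurement that the compromised Windows hosts cannot influence, and looking for exact sample-for-sample repeats in the HMI feed, which live sensor data with normal noise almost never produces. The speed series are constructed for the example and do not represent any real machine.

```python
# Added example, not from the transcript: two plausibility checks for a
# "loss of visibility" condition. All telemetry below is constructed.
from typing import List, Sequence


def divergences(hmi: Sequence[float], independent: Sequence[float], tolerance: float) -> List[int]:
    """Sample indices where the HMI value and an independent measurement
    (a sensor the compromised hosts cannot reach) disagree by more than tolerance."""
    if len(hmi) != len(independent):
        raise ValueError("series must be aligned sample-for-sample")
    return [i for i, (h, m) in enumerate(zip(hmi, independent)) if abs(h - m) > tolerance]


def loss_of_visibility(hmi, independent, tolerance, min_consecutive=3) -> bool:
    """True once the two views disagree for min_consecutive samples in a row,
    so one noisy sample does not alarm but a sustained gap does."""
    run = 0
    for h, m in zip(hmi, independent):
        run = run + 1 if abs(h - m) > tolerance else 0
        if run >= min_consecutive:
            return True
    return False


def repeated_windows(series: Sequence[float], window: int) -> List[int]:
    """Start indices of windows that exactly repeat an earlier window.
    Real sensor data carries noise and rarely repeats sample-for-sample; a
    long exact repeat is a cheap hint that a recording is being played back."""
    seen = {}
    hits = []
    for i in range(len(series) - window + 1):
        key = tuple(series[i:i + window])
        if key in seen:
            hits.append(i)
        else:
            seen[key] = i
    return hits


# Constructed data: the HMI shows the same four "normal" readings looping,
# while an independent tachometer sees the rotor driven up and then down.
HMI_RPM = [1064.2, 1063.9, 1064.1, 1064.0] * 4
INDEPENDENT_RPM = [1064.3, 1063.8, 1064.4, 1063.7, 1064.1, 1064.5, 1063.6, 1064.2,
                   1180.0, 1290.0, 1395.0, 1410.0, 620.0, 310.0, 150.0, 60.0]

if __name__ == "__main__":
    print("divergent samples:", divergences(HMI_RPM, INDEPENDENT_RPM, 20.0))
    print("loss of visibility:", loss_of_visibility(HMI_RPM, INDEPENDENT_RPM, 20.0))
    print("replayed windows in HMI feed:", repeated_windows(HMI_RPM, 4))
    print("replayed windows in independent feed:", repeated_windows(INDEPENDENT_RPM, 4))
```

The independent comparison is the stronger of the two checks, because it does not depend on the attacker being careless about the recording; the repeat check costs nothing and catches exactly the kind of short loop the constructed HMI feed plays back.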