Are Hackers the Biggest Threat to America’s Critical Infrastructure? | Cyberwar

Captions
The critical systems that keep society running are connected. These systems are more and more connected to the internet, quite openly; they're just kind of open game. But it's exposing them to a massive security risk. If you can access it remotely, so can everybody else. Cyber attacks are on the rise. You don't think this is just needless fearmongering, do you? I wish it was; then I could sleep a lot better. Malware has infected critical infrastructure everywhere. We've got to begin to think about what are the rules of war if, God forbid, you wind up with a cyber war. Well, cyber attacks triggering all that [Music] war.

The industrialized world runs on an infrastructure that we take for granted. When things are running well, they're pretty easy to forget about. But critical infrastructure has always been a prime target in war. Destroying a power grid or water system can paralyze the enemy, and as more and more of that kind of infrastructure is connected to digital networks, experts are finding it's also vulnerable to cyber attacks.

In the control system world, if something fails, it's obvious: the lights go out, a pipe breaks. What you don't know is, did cyber play a role in what happened?

Joe Weiss has been an industrial control systems engineer for almost 40 years. Joe took me to a power station in California. That state's power grid was allegedly hacked by China in the early 2000s.

OK, ICS stands for industrial control systems. It's essentially a ubiquitous term that we're using to cover this range of things that monitor or control physical processes. So, like what you see over here, all of this stuff is controlling the electric system. So someone from China could effectively gain access to a network that's controlling something in California? Yes. I don't think there is any question that there are nation states that are targeting critical infrastructure: electric, water, pipelines, you name it. We've already had, many years ago, documented where China did try to meddle with things here like this. What did they
do? They hacked into what's called the California Independent System Operator, which is in Folsom, California, which is what, on an overall basis, controls this. And if they had, what are the sorts of things we could have seen? 'Cause that's obviously an attack, right? That was obviously an attack, correct. And what would have been a fallout if they had? Again, depending on what they would have done, they could have affected, you know, power to hundreds of thousands of customers. Shut down California, one of the most important states? Well, they could have certainly played havoc with the grid.

This attack is just one case. The real turning point was in 2009. It was a sophisticated computer virus called Stuxnet, and it infiltrated and destroyed nuclear centrifuges at a controversial uranium enrichment plant in Iran. Observers agreed the attack was likely a joint US-Israeli operation. The critical infrastructure war was on. But I want to know how hackers get inside critical infrastructure in the first place.

Nice, pleasure. Meredith Patterson is an expert in protocols, the instructions machines use to communicate with each other.

Control system is just a system that takes some reference value and then monitors, uh, a centrifuge or a turbine or a fan, any kind of, you know, device that has some property that can be measured: temperature, speed, uh, direction, whatever. Like a power plant or nuclear power plant or completely critical infrastructure? Yeah, a dam, anything like that. And are these things secure? Well, one of the problems with industrial control systems is that the protocols that are used in them are extremely complex. So if you have systems from different vendors that are using different implementations, you can sometimes end up with, uh, crosstalk, essentially, because they're speaking different dialects of the same protocol, and one ends up introducing a mistake into the other. So if I'm reading this correctly, you're saying that at times the software involved with some of the most critical infrastructure we have
like nuclear power plants, um, can break down? Can they, can the code essentially, like, there's an exploit, there's, there's a vulnerability? That's exactly what I'm saying. Um, vulnerabilities are driven by the inputs that people send into systems, and so if an attacker has any way to control or modify the input that is being sent to a system, um, they could send it false inputs, um, they could send it syntactically incorrect inputs. It, it is remarkably easy to just mess with the temperature someplace in a natural gas plant and catch the entire plant on fire. I mean, really? Oh yeah. Like, Baytown, uh, near Houston just frequently has problems with refiner, with, you know, a refinery catches and, you know, and the entire river goes up for about a day. And that's something that could be done if someone got into the system? I mean, this is something that happens by accident already, right? So if, you know, so if, if somebody were to get into the system, then yes, you could totally set the river on fire.

That threat is real, and the highest levels of government know it. Michael Chertoff was the Secretary of Homeland Security under George W. Bush. He now runs a cyber security consulting firm.

What's the biggest threat to America's critical infrastructure? What's, what's the thing that, that scares you the most? Well, you know, if you're talking about what would cause the greatest consequence, I would say anything that affects transportation, energy or finance or health care would be a, potentially have a very, very big impact on the United States. But here's the dangerous thing: we are now moving into what they call the Internet of Things, where everything is going to get, quote, smart. So as we build out all these, you know, widgets that have connectivity and wireless, we've got to think to ourselves, what happens if somebody enters using that wireless and begins to affect the actual physical operation of the system? There's also a lot of debate about what the laws of war would be if we did have a cyber conflict. And again, that's not
about stealing information; that's literally about using cyber tools to blow up something like a power plant or to kill people by causing an airliner to crash. And, and so that we've got to begin to think about, how do we, what are the rules of war if, God forbid, you wind up with a cyber war?

Critical infrastructure is clearly a target, and attacks against them aren't a pipe dream; they're actually happening. I go to meet someone who knows about hacking critical infrastructure and works to prevent it.

Yes. Chris Kubecka is an independent security consultant. She says she first got into hacking as a kid.

What'd you hack into? Uh, the FBI and the Department of Justice. And how old were you? I was 10. What? And I had no idea I was really doing much of anything, 'cause it was really easy.

Back in August of 2012, malware dubbed Shamoon infected the network of Saudi Arabia's national oil and gas company, Saudi Aramco. Kubecka was hired to assess the damage.

Why don't you tell me what Shamoon is? Shamoon was a piece of, uh, malware that began to randomly wipe over 35,000 Windows-based computers in Saudi Aramco. When it was discovered what was going on, individuals inside Saudi physically pulled plugs to keep it from getting further. And what was the damage? Uh, the damage was about 85% of their IT systems were knocked out. When I say IT systems, it wasn't just your desktop computer; it was the servers they connected to, payroll systems, databases, any sort of data that held research and development, all the way up to the Voice over IP phones. Did that target any, let's say, critical infrastructure or production? Yes, it appeared that the attack was meant to target the production systems, to take them down. So it was actually a critical infrastructure attack? Yes, absolutely, it was targeting it, yes. Who did it? According to Saudi Aramco, they think that the Iranians did it. And would you agree with that? It seemed like it was an extremely political attack, done in a way that was extremely damaging to Saudi business culture. It seemed like either it
had to do with a group related to the Saudi Arab Spring or Bahraini Spring, which was going on at the same time, or perhaps it was Iranian. Have critical infrastructure attacks increased since Stuxnet and Shamoon? Yes, they have, absolutely. Uh, more and more people are aware of them, so now curiosity is peaking, and if you went from just writing code to writing code and being able to move things, attacks are going to get more and more as curiosity peaks. And also these systems are more and more connected to the internet, quite openly; they're just kind of open game.

The Shamoon virus was probably the most destructive attack that the private sector has seen to date. After Shamoon, US Defense Secretary Leon Panetta sounded the alarm. The collective result of these kinds of attacks could be a cyber Pearl Harbor.

How would cyber attackers find their targets? I learned, in fact, that there's a search engine called Shodan dedicated to scanning devices connected to the internet. John Matherly is its architect.

What, so what am I looking at here? Shodan is a search engine that, unlike Google, which just looks at the web, Shodan looks at the internet, which can include much more than just web. All these devices are becoming connected, and Shodan finds them. It can be buildings, water treatment facilities, factories, webcams, offices, everything that you can possibly imagine. If it can have a computer inside it, Shodan's found it. So this is a 3D globe where the red dots represent publicly accessible control systems. So these are control systems that are exposing the raw protocols. There's no authentication on any of these; you just connect and you have full access. America is just a big red blob. Yeah. That's not good. Most connected country in the world; it's not that surprising, but yes, very, very connected. What was one thing you saw, you said to yourself, like, how the hell did this get up online? There are a lot of things like that. Um, a big one was one in France. It's the hydroelectric dam; it generated, like, a few megawatts of power. It was
it was pretty big, and actually I can show it. And this one actually had a web interface, which is unusual, that showed a real-time view of how much power was being generated, and it also had all sorts of other stuff exposed. That's actually a common theme with ICS devices: they will give you serial numbers, they're going to give you firmware versions, because it was meant for engineers to maintain remotely, and if you're a remote engineer you want to know what you're working with. And then you look at the history of it, and there's a history of flooding, like, there are known flooding instances of this dam. And it took two years of poking and prodding for these guys to secure it. Do you think something this vulnerable and this shitty is lying around in the US somewhere? Most likely, yes. A lot of the guys operating these things, I didn't understand that if you can access it remotely without logging in over the internet, so can everybody else.

Shodan proves that critical infrastructure is in danger all over the world. But who else has figured that out, and what are they doing with it? Everyone was telling me that critical infrastructure control systems were not only outdated but ripe for an attack. If accessing them could be as simple as finding them on the internet, how hard could it be to trigger the nightmarish damage everyone was warning about? I went to meet Stuart McClure, the founder and owner of a security firm called Cylance. He shows me a device called a programmable logic controller, or PLC. PLCs have been around since the 1960s, but in the digital age they're the weak link for hackers to exploit.

First off, why don't you explain to me what a PLC is? Yeah, PLC is a programmable logic controller. Basically, it controls the physical world with, by programming or computers. So you typically find these, though, in a lot of critical infrastructure, right? Absolutely. Any kind of oil and gas or industrial control systems, anything that tries to control, like I said, the physical world or physical elements, um,
for power or oil and gas, transportation, you name it, they all require the use of PLCs in some form or fashion to make them work every day. As I understand it, PLCs are quite buggy and easy to exploit, are they not? Well, yeah, they're built on 30, 40 years of code that has really never been audited for security, or very rarely. So they often have a lot of vulnerabilities and exploits that have yet to be discovered, and of course hackers love that. So you know how to hack a PLC? Yes. And you're going to show us? Yes, absolutely. Let's get to it, let's try it out.

So what this is is a rig that we built to represent the physical world out there that usually has very large versions of these things. This PLC is hooked up to this air pump and compressor, which is going to allow us to overpressurize a bottle and make it explode. So, and are you going to run any code on it? Is it just, am... I'm actually running code that we have in Python right now. First we set our variable to the IP address of the PLC, then overwrite our memory address here, MX 0.0, which is the area in ladder logic which allows us to control the safety, disable and overwrite that, which allows us to control the PLC itself and do anything we want with it. So, uh, would you like to do the honors? All right, just hit enter. Judas Priest, that actually sounded like a bomb. Now I won't, yeah, now I won't hear for a while, but that was good.

Why is it so easy to control a PLC? Well, it's so easy because the way that these things have been designed, they never really considered security from the ground up. So when they design them, they design them just to work. Now what's happening is more and more of them are getting hacked up, which is requiring manufacturers to go back and redesign them. And you don't think this is just needless fearmongering, do you? I wish it was; then I could sleep a lot better. You can make it more difficult, you can make it more challenging, uh, but at the end of the day it's built so foundationally insecure that it, it makes it incredibly
easy for attackers to gain access.

All the experts I've spoken to say our critical infrastructure is vulnerable, and I wonder what Washington is doing about it. The best guy to ask that question is Michael Daniel. He advises President Obama on cyber security issues.

So what's the attack that keeps you up at night? I would say it's one that is focused, uh, on our critical infrastructure, that, um, has some unintended consequences. Uh, that's the one that really, I think, worries me, because we don't really actually understand how these incredibly complex systems actually interact with each other. So you fear that another superpower might infiltrate critical infrastructure and set off an unneeded conflict? So that is certainly a concern, although I would actually say that I'm less worried about, uh, that than I am other actors that have less interest in the overall, uh, sort of international, uh, current, you know, status quo. Who are these adversaries? So, you know, uh, the Director of National Intelligence has talked about them in his testimony, so Iran and North Korea certainly top, uh, the list, although we are not unconcerned about, uh, terrorists, um, and other, uh, actors who don't bill themselves so much as terrorists but certainly cyber activists, uh, and others.

Everything's crackable. You cannot prevent all, uh, cyber, uh, intrusions; that's just impossible. Um, you'll never be able to prevent all of them. Everything is penetrable eventually.

Everyone's told me that no critical infrastructure system is bulletproof, and one US government agency is trying to keep track of the cyber attacks happening across the [Music] country. I went to meet with Martin Edwards, who's the guy tasked by Homeland Security at ICS-CERT to protect US critical infrastructure against a cyber attack. Edwards is somebody who knows the cyber attacks being lobbed at America's critical infrastructure.

This, uh, this room looks a lot like Enemy of the State or something. So what you're in is, you're in the National Cybersecurity and Communications
Integration Center, which is, more or less, the DHS operations center for cyber. These are where all the different analysts from ICS-CERT, US-CERT are actively defending the country's networks.

In 2015 alone, the Department of Homeland Security spent 1.25 billion on cyber security.

You know, we've, uh, we've cleaned up the place a little bit for you to come in, but it's, uh, it's definitely a very, uh, high, highly active, uh, environment all the time.

Edwards has declassified the control room, so we won't see any real-time threats, but it still gives us a rare look into their nationwide monitoring system.

And how does ICS-CERT protect the United States? Yeah, it's tough, it's tough. It's a big problem. If there is an incident, either criminal or nation state level, you, we'll send an incident response team to those companies to work hand in hand with them to clean up, mitigate the event. Do you see an awful lot of nation state actors going after critical infrastructure? I would say we see the whole spectrum. They all look different, and we save the word attack for something that, you know, is, is purposeful and intentional, uh, with an intentional consequence. Uh, a lot of what we see is, uh, sort of reconnaissance. And then of course, yes, we do see the, the nation state level actors, uh, either in the espionage, uh, business or prepping the battlefield type of perspective, right? So you're trying to understand the infrastructure for some future unknown use.

So if most threats Homeland Security sees are about espionage, at what point does a cyber attack cross the line? At what point does the administration consider a critical infrastructure attack an act of war?

So that is not something that is well defined. Um, fortunately we haven't seen, uh, one of those events here in the United States in a way that would, uh, you know, probably cross that threshold. And so therefore I think that we focus on, you know, really raising the level of cyber security in our, in our critical infrastructure. It's one of the areas that we've worked very hard on, uh,
over the course of this administration.

Even as the US tries to shore up its cyber defenses, there's little incentive not to attack.

You know, mutually assured destruction is another way of describing deterrence: if you attack me, I will fight back, and therefore it's not in your interest to attack me in the first place. And that's where the difficulty of proving who actually launched an attack becomes a major issue, because it's very rare for a nation state or a criminal group to go directly from the server it controls at the target. They will often launch from around the world, they may hop multiple points, they may enlist, uh, computers that they've hijacked as being the spears, basically, that they throw at the target. I mean, you're painting a pretty dark picture then. When you get attacked, even if it's major infrastructure, the first question is, how sure am I that I know the country that either caused it or allowed it to happen? And that ambiguity and that uncertainty is one of the obstacles to having a very clear deterrent policy.

Experts and hackers agree that a new war on critical infrastructure has not only begun, it's well underway. [Music]
Info
Channel: VICE News
Views: 385,051
Keywords: VICE News, VICE News Tonight, VICE on HBO, news, vice video, VICE on SHOWTIME, HOLLYWOOD4, security, movie, Technology, email, hacking, FBI, hacktivists, malware, phishing, Cyberwar, cyber attack, hacker, hack, data breach, inside job, cyber warfare, america, CIA, cyberwar, hackers, virus, US army, china hack us, usa, technology news, facebook down, instagram down, outage, facebook outage, facebook crash, instagram crash, ddos, russia, russian hackers, critical infrastructure
Id: 0pOlAaLU7Xc
Length: 22min 25sec (1345 seconds)
Published: Tue Apr 09 2024