Cyberwar (2016) s01e07 Episode Script

Hacking the Infrastructure

BEN: The critical systems that keep society running are connected.
These systems are more and more connected to the internet quite openly.
They're just kind of open game.
But it's exposing them to a massive security risk.
If you can access it remotely, so can everybody else.
Cyber attacks are on the rise.
You don't think this is just needless fear-mongering, do you? I wish it was.
Then I could sleep a lot better.
Malware has infected critical infrastructure everywhere.
We've gotta begin to think about what are the rules of war if, God forbid, you wind up with a cyberwar.
Will cyber attacks trigger an all-out war? The industrialized world runs on an infrastructure that we take for granted.
When things are running well, they're pretty easy to forget about.
But critical infrastructure has always been a prime target in war.
Destroying a power grid or water system can paralyze the enemy.
And as more and more of that kind of infrastructure is connected to digital networks, experts are finding it's also vulnerable to cyber attacks.
In the control system world, if something fails, it's obvious.
The lights go out, a pipe breaks.
What you don't know is: did cyber play a role in what happened? Joe Weiss has been an industrial control systems engineer for almost 40 years.
Joe took me to a power station in California.
That state's power grid was allegedly hacked by China in the early 2000s.
ICS stands for Industrial Control Systems.
It's essentially a ubiquitous term that we're using to cover this range of things that monitor or control physical processes.
So like what you see over here, all of this stuff is controlling the electric system.
So someone from China could effectively gain access to a network that's controlling something in California? Yes.
I don't think there's any question that there are nation states that are targeting critical infrastructure.
Electric, water, pipelines, you name it.
We've already had, many years ago, documented where China did try to meddle with things here, like this.
What did they do? They hacked into what's called the California Independent System Operator, which is in Folsom, California.
Which is what, on an overall basis, controls this.
And if they had, what are the sorts of things we could see? 'Cause that's obviously an attack, right? That was obviously an attack, correct.
And what would've been a fallout if they Again, depending on what they would've done, they could've affected, you know, power to hundreds of thousands of customers.
Shut down California, one of the most important states? Well, they could've certainly played havoc with the grid.
This attack is just one case.
The real turning point was in 2009.
It was a sophisticated computer virus called Stuxnet, and it infiltrated and destroyed nuclear centrifuges at a controversial uranium enrichment plant in Iran.
Observers agree the attack was likely a joint US/Israeli operation.
The critical infrastructure war was on.
But I wanna know how hackers get inside critical infrastructure in the first place.
Nice to meet you.
- Ben.
- A pleasure.
Meredith Patterson is an expert in protocols, the instructions machines use to communicate with each other.
A control system is just a system that takes some reference value and then monitors a centrifuge or a turbine or a fan, any kind of device that has some property that can be measured.
Temperature, speed, direction, whatever.
Like a power plant, or a nuclear power plant, or critical infrastructure.
Yeah, a dam, anything like that.
And are these things secure? Well one of the problems with industrial control systems is that the protocols that are used in them are extremely complex.
So if you have systems from different vendors that are using different implementations, you can sometimes end up with crosstalk essentially, because they're speaking different dialects of the same protocol, and one ends up introducing a mistake into the other.
So if I'm reading this correctly, you're saying that at times the software involved with some of the most critical infrastructure we have, like nuclear power plants, can break down? Can the code essentially like there's an exploit? There's a vulnerability? MEREDITH: That's exactly what I'm saying.
Vulnerabilities are driven by the inputs that people send into systems.
And so if an attacker has any way to control or modify the input that is being sent to a system, they could send it false inputs, they could send it syntactically incorrect inputs.
It is remarkably easy to just mess with the temperature some place, in a natural gas plant, and catch the entire plant on fire.
I mean - Really? - Oh yeah.
Baytown near Houston just frequently has problems where a refinery catches, and the entire river goes up for about a day.
And that's something that could be done if someone got into the system? This is something that happens by accident already, right? So if somebody were to get into the system, then yes, you could totally set the river on fire.
That threat is real, and the highest levels of government know it.
Michael Chertoff was the Secretary of Homeland Security under George W. Bush.
He now runs a cybersecurity consulting firm.
What's the biggest threat to America's critical infrastructure? What's the thing that scares you the most? Well, you know, if you're talking about what would cause the greatest consequence, I would say anything that affects transportation, energy or finance, or healthcare would potentially have a very, very big impact on the United States.
But here's the dangerous thing.
We're now moving into what they call the Internet of Things, where everything is gonna get, quote, "smart".
So as we build out all these, you know, widgets that have connectivity and wireless, we've gotta think to ourselves what happens if somebody enters using that wireless and begins to affect the actual physical operation of the system? There's also a lot of debate about what the laws of war would be if we did have a cyber conflict.
And again, that's not about stealing information.
That's literally about using cyber tools to blow up something like a power plant, or to kill people by causing an airliner to crash.
And so we've got to begin to think about how do we what are the rules of war if, God forbid, you wind up with a cyberwar.
Critical infrastructure is clearly a target, and attacks against them aren't a pipe dream, they're actually happening.
BEN: I go to meet someone who knows about hacking critical infrastructure and works to prevent it.
Chris Kubecka is an independent security consultant.
She says she first got into hacking as a kid.
What'd you hack into? The FBI and the Department of Justice.
And how old were you? - I was 10.
- What?! And I had no idea I was really doing much of anything 'cause it was really easy.
Back in August of 2012, malware dubbed Shamoon infected the network of Saudi Arabia's national oil and gas company, Saudi Aramco.
Kubecka was hired to assess the damage.
Why don't you tell me what Shamoon is.
Shamoon was a piece of malware that began to randomly wipe over 35,000 Windows-based computers in Saudi Aramco.
When it was discovered what was going on, individuals inside Saudi physically pulled plugs to keep it from getting further.
And what was the damage? The damage was about 85% of their IT systems were knocked out, and when I say IT systems, it wasn't just your desktop computer.
It was the servers they connected to, payroll systems, databases, any sort of data that held research and development, all the way up to the voice of our IP phones.
Did that target any let's say critical infrastructure, oil production? Yes.
It appeared that the attack was meant to target the production systems to take them down.
So it was actually a critical infrastructure attack? Yes, absolutely, it was targeting it, yes.
Who did it? According to Saudi Aramco, they think that the Iranians did it.
And would you agree with that? It seemed like it was an extremely political attack done in a way that was extremely damaging to Saudi business culture.
It seemed like either it had to do with a group related to the Saudi Arab Spring or Bahrainian Spring, which was going on at the same time, or perhaps it was Iranian.
Have critical infrastructure attacks increased since Stuxnet and Shamoon? Yes, they have, absolutely.
More and more people are aware of them.
So now curiosity is peaking.
And if you went from just writing code to writing code and being able to move things attacks are gonna get more and more as curiosity peaks.
And also, these systems are more and more connected to the internet quite openly.
They're just kind of open game.
The Shamoon virus was probably the most destructive attack that the private sector has seen to date.
After Shamoon, US Defense Secretary Leon Panetta sounded the alarm.
The collective result of these kinds of attacks could be a cyber Pearl Harbor.
How would cyber attackers find their targets? I learned, in fact, that there's a search engine called Shodan dedicated to scanning devices connected to the internet.
John Matherly is its architect.
So what am I looking at here? Shodan is a search engine that unlike Google, which just looks at the web, Shodan looks at the internet, which can include much more than just the web.
All these devices are becoming connected, and Shodan finds them.
It can be buildings, water treatment facilities, factories, webcams, offices, everything that you can possibly imagine.
If it can have a computer inside it, Shodan's found it.
So this is a 3D globe where the red dots represent publicly accessible control systems.
So these are control systems that are exposing their raw protocols.
There's no authentication on any of these.
You just connect, and you have full access.
BEN: America is just a big red blob.
That's not good.
Most connected country in the world.
It's not that surprising, I guess.
Very, very connected.
What was one thing you saw where you said to yourself, like, "How the hell did this get up online?" There are a lot of things like that.
(Laughing) A big one was one in France.
It's the hydroelectric dam, churning like a few megawatts of power.
It was pretty big.
And actually, I can show it.
And this one actually had a web interface, which is unusual, that showed a real-time view of how much power was being generated.
And it also had all sorts of other stuff exposed.
That's actually a common theme with ICS devices.
They will give you serial numbers, they're gonna give you firmware versions, because it was meant for engineers to maintain remotely.
And if you're a remote engineer, you wanna know what you're working with.
And then you look at the history of it, and there's a history of flooding.
Like there are known flooding instances of this dam.
And it took 2 years of poking and prodding for these guys to secure it.
Do you think something this vulnerable and this shitty is lying around in the US somewhere? Most likely, yes.
A lot of the guys operating these things don't understand that if you can access it remotely without logging in over the internet, so can everybody else.
Shodan proves that critical infrastructure is in danger all over the world, but who else has figured that out, and what are they doing with it? BEN: Everyone was telling me that critical infrastructure control systems were not only outdated, but ripe for an attack.
If accessing them could be as simple as finding them on the internet, how hard could it be to trigger the nightmarish damage everyone was warning about? I went to meet Stuart McClure, the founder and owner of a security firm called Cylance.
He shows me a device called a Programmable Logic Controller, or PLC.
PLCs have been around since the 1960s, but in the digital age, they're the weak link for hackers to exploit.
First off, why don't you explain to me what a PLC is.
Yeah, a PLC is a Programmable Logic Controller.
Basically it controls the physical world by programming, or computers.
So you typically find these though in a lot of critical infrastructure, right? Absolutely.
Any kind of oil and gas or industrial control systems.
Anything that tries to control, like I said, the physical world or physical elements for power or oil and gas, transportation, you name it, they all require the use of PLCs in some form or fashion to make them work every day.
As I understand it, PLCs are quite buggy and easy to exploit, are they not? Well yeah, they're built on 30, 40 years of code that has really never been audited for security, or very rarely.
So they often have a lot of vulnerabilities and exploits that have yet to be discovered.
And of course, hackers love that.
So you know how to hack a PLC? Yes.
And you're gonna show us? Yes, absolutely.
Let's get to it, let's try it out.
So what this is is a rig that we built to represent the physical world out there that usually has very large versions of these things.
This PLC is hooked up to this air pump and compressor, which is going to allow us to over-pressurize a bottle and make it explode.
So BEN: And are you gonna run any code on it? STUART: I am.
I'm actually running code that we have in Python right now.
First we set our variable to the IP address of the PLC.
Then override our memory address here, MX0.0, which is the area in ladder logic which allows us to control the safety disable, and override that, which allows us to control the PLC itself and do anything we want with it.
So would you like to do the honours? Alright.
Just hit enter.
(Loud buzzing) (Explosion) Woo! STUART: Judas Priest! That actually sounded like a bomb.
Yeah, now I won't hear for a while, but that was good.
Why is it so easy to control a PLC? Well, it's so easy because the way that these things have been designed, they never really considered security from the ground up.
So when they designed them, they designed them just to work.
Now what's happening is more and more of them are getting hacked up, which is requiring manufacturers to go back and redesign them.
And you don't think this is just needless fear-mongering, do you? I wish it was.
Then I could sleep a lot better.
You can make it more difficult, you can make it more challenging, but at the end of the day it's built so foundationally insecure that it makes it incredibly easy for attackers to gain access.
All the experts I've spoken to say our critical infrastructure is vulnerable, and I wonder what Washington is doing about it.
The best guy to ask that question is Michael Daniel.
He advises President Obama on cybersecurity issues.
So what's the attack that keeps you up at night? I would say it's one that is focused on our critical infrastructure that has some unintended consequences.
That's the one that really I think worries me, because we don't really actually understand how these incredibly complex systems actually interact with each other.
So you fear that another superpower might infiltrate critical infrastructure and set off an unneeded conflict? So that is certainly a concern, although I would actually say that I'm less worried about that than I am other actors that have less interest in the overall sort of international current, you know, status quo.
Who are these adversaries? So you know, the Director of National Intelligence has talked about them in his testimony.
So Iran and North Korea certainly top the list.
Although we are not unconcerned about terrorists and other actors who don't bill themselves so much as terrorists, but certainly cyber hacktivists and others.
Everything's crackable.
You cannot prevent all cyber intrusions.
That's just impossible.
You'll never be able to prevent all of them.
Everything is penetrable eventually.
Everyone's told me that no critical infrastructure system is bulletproof, and one US government agency is trying to keep track of the cyber attacks happening across the country.
I'm about to meet with Martin Edwards, who's the guy tasked by Homeland Security at ICS-CERT to protect US critical infrastructure against a cyber attack.
BEN: Edwards is somebody who knows the cyber attacks being lobbed at America's critical infrastructure.
This sort of looks a lot like Enemy of the State or something.
So what you're in is you're in the National Cybersecurity and Communications Integration Center, which is more or less the DHS Operations Center for Cyber.
These are where all the different analysts from ICS-CERT, US-CERT are actively defending the country's networks.
In 2015 alone, the Department of Homeland Security spent $1.25 billion on cybersecurity.
You know, we've cleaned up the place a little bit for you to come in, but it's definitely a very highly active environment all the time.
Edwards has declassified the control room, so we won't see any real-time threats, but it still gives us a rare look into their nation-wide monitoring system.
And how does ICS-CERT protect the United States? Yeah, it's tough, it's tough.
It's a big problem.
If there is an incident, either criminal or nation state level, we'll send an incident response team to those companies to work hand-in-hand with them to clean up, mitigate the event.
Do you see an awful lot of nation state actors going after critical infrastructure? I would say we see the whole spectrum.
They all look different, and we save the word "attack" for something that is purposeful and intentional with an intentional consequence.
A lot of what we see is sort of reconnaissance, and then of course yes, we do see the nation state level actors either in the espionage business or prepping the battlefield type of perspective, right? So you're trying to understand the infrastructure for some future unknown use.
So if most threats Homeland Security see are about espionage, at what point does a cyber attack cross the line? At what point does the administration consider a critical infrastructure attack an act of war? So that is not something that is well defined.
Fortunately we haven't seen one of those events here in the United States in a way that would, you know, probably cross that threshold.
And so therefore I think that we focus on, you know, really raising the level of cybersecurity in our critical infrastructure.
It's one of the areas that we've worked very hard on over the course of this administration.
Even as the US tries to shore up its cyber defenses, there's little incentive not to attack.
You know, mutually assured destruction is another way of describing deterrence.
If you attack me, I will fight back, and therefore it's not in your interest to attack me in the first place.
And that's where the difficulty of proving who actually launched an attack becomes a major issue, because it's very rare for a nation state or a criminal group to go directly from the server it controls to the target.
They will often launch from around the world.
They may hop multiple points.
They may enlist computers that they've hijacked as being the spears basically that they throw at the target.
I mean, you're painting a pretty dark picture then.
When you get attacked, even if it's major infrastructure, the first question is: how sure am I that I know the country that either caused it or allowed it to happen? And that ambiguity and that uncertainty is one of the obstacles to having a very clear deterrent policy.
Experts and hackers agree that a new war on critical infrastructure has not only begun, it's well underway.