
  • From transportation, to telecommunications,

  • health care and banking.

  • The digitization of our infrastructure has made

  • our daily lives more convenient, but it's also

  • opened us up to the threat of cyberattacks.

  • Yahoo's hack of over 500 million accounts will

  • make it the biggest data breach ever.

  • Equifax, which, as you know, is a very large

  • supplier of credit information, has announced a

  • cybersecurity incident that they say potentially

  • impacts about 143 million U.S.

  • consumers. Marriott announcing that up to 500

  • million guests with reservations at Starwood

  • Properties could have had their data compromised.

  • But it's not just companies under attack.

  • Increasingly, power plants and other critical

  • infrastructures are also becoming a target.

  • Critical infrastructure is really anything that

  • makes up the backbone of society.

  • Everything from transportation and airlines to

  • banks. Cyberwarfare is the new weapon of choice.

  • You can run a cyberattack remotely, shut down the

  • critical infrastructure of other countries,

  • create massive destruction of refineries and

  • chemical plants without ever shooting a gun.

  • Electricity is so prevalent in our lives that we

  • often don't even think about it until it fails to

  • work. All electricity starts at a generator,

  • which can be powered by wind, water, coal or even

  • nuclear fission. After it is generated, the

  • electricity travels from the power plant to

  • transmission substations, which convert it to a

  • very high voltage so that it can travel long

  • distances. From there, the electricity travels

  • along power lines to another transformer, which

  • again converts the power, this time to a lower

  • voltage, before it goes into our homes and

  • businesses. Often people think of the power grid

  • as "the grid."

  • It's really not. It's a quilt made up of 3,000 or

  • so power companies that are owned by

  • investor-owned utilities.

  • But most of them are rural electric associations,

  • or maybe a few owned by the government.

  • But generally it's a mixture.

  • This ownership disparity also means that

  • utilities are regulated differently.

  • The focus of the regulation is to prevent the

  • bulk electric system from suffering a widespread

  • outage. So it may not affect the smaller

  • companies that are serving smaller cities or

  • rural areas. On one hand, smaller power companies

  • in the United States may not be as juicy of a

  • target because they have a small amount of

  • customers, say 25,000.

  • But on the other hand, they may be more

  • susceptible to cyberattacks because they don't

  • have as big a security team or as big a security

  • budget to focus on protecting their critical

  • systems. That's where Sistrunk comes in.

  • As a consultant for cybersecurity firm FireEye,

  • part of Sistrunk's job involves teaching a

  • digital forensics class for people who want to

  • learn how to defend the control systems running

  • our power plants. And to learn how to defend

  • against an attack, you first have to learn to

  • hack. This is a small PLC, programmable logic

  • controller. This particular device is made by

  • Phoenix Contact and it's basically easy for an

  • attacker to get into.

  • There's a lot of vulnerabilities in it.

  • Sistrunk demonstrated how a hacker may alter the

  • functions of "stop" and "go" buttons that in a

  • power facility may control something like a motor

  • or a pump. This is a web page of this PLC and

  • it's been hacked. You can see whenever I try to

  • click on the red stop button, the green start

  • button comes on.

  • So an attacker can go download the software and

  • change things if they wanted to.

  • And that's what we do in the class.

  • In a conventional warfare attack, the first thing

  • that is hit is the infrastructure, the

  • refineries, the electrical systems, the chemical

  • plants, those things that fuel the war machine.

  • You can simply do the same thing remotely with

  • cyberweapons. It seems like attackers have

  • crossed the Rubicon or they've crossed the red

  • line in the sand.

  • You know, that they are going after control

  • systems, whereas once no one cared.

  • Today, there are more than 9,700 power plants in

  • the US. Many of them were built decades ago when

  • operating a plant required a lot of manual labor

  • and cybersecurity was not a consideration.

  • But that's changing. Starting in the mid '80s and

  • early 2000s, the industry started connecting

  • these control systems through the enterprise

  • networks to the internet, for the benefit of

  • remote access, information sharing, etc.

  • Fantastic for productivity improvement and

  • business enhancements, but that exposed us to

  • cybersecurity threats.

  • The heart of a power plant is what is known as a

  • SCADA system. SCADA stands for supervisory

  • control and data acquisition.

  • These systems are made up of a combination of

  • software and hardware that allow operators to

  • monitor and control plant processes in one

  • central location. Besides power generation

  • plants, SCADA systems are ubiquitous in the

  • manufacturing, telecommunications and

  • transportation sectors, among others.

  • Today, a typical SCADA system is made up of

  • thousands of components and runs on several

  • different kinds of operating systems.

  • Because of this wide spread of operating systems,

  • it creates a very complex surface that security

  • experts have to understand before they can defend

  • against the many different types of exploits used

  • against those specific operating systems.

  • Since 2010, the number of attacks have increased

  • exponentially. The reason for it is that it's a

  • lucrative business for ransom attackers as well

  • as for nation states.

  • A 2015 risk report put out by the University of

  • Cambridge and Lloyd's, a large insurance company,

  • posed a hypothetical scenario in which a

  • cyberattack plunged 15 U.S.

  • states into darkness, leaving 93 million people

  • without power. The report estimated that the loss

  • to the U.S. economy would range between $243

  • billion to $1 trillion.

  • There is a belief that every system could be

  • compromised, especially these control systems,

  • since they were not originally designed for

  • cybersecurity, unlike computers that we use at

  • home and at work that are regularly patched and

  • protected from cyberattacks.

  • As reported in this "60 Minutes" episode on CNBC

  • from December 2014, the first cyberweapon to

  • cause physical damage was used in Iran in 2010.

  • We begin with the story of Stuxnet, a computer

  • virus considered to be the world's first

  • destructive cyberweapon.

  • It was launched several years ago against an

  • Iranian nuclear facility, almost certainly with

  • some U.S. involvement.

  • Stuxnet infected SCADA systems that were running

  • Windows and Siemens software within the nuclear

  • facility. It was used to spin centrifuges too

  • fast until they basically destroyed themselves.

  • This was the first time a virus of this type was

  • used to physically destroy something within a

  • power facility. In December 2015, hackers cut

  • power to around 225,000 people in Ukraine.

  • The incident became the first successful hack on

  • utilities. It was believed to have been done

  • through a tactic called spearphishing, where

  • hackers sent emails with malicious attachments to

  • I.T. staff and system administrators that helped

  • to steal the recipients' credentials.

  • Almost exactly a year later, hackers again shut

  • off power to a large part of the Ukrainian

  • capital. Some have blamed the attacks on Russia.

  • While the attacks were short lived, it showed the

  • world that Russia had the will and the ability to

  • conduct cyberwarfare in this way.

  • Another attack shook the cybersecurity world in

  • 2017, this time in the Middle East.

  • In the past year, researchers have spotted a new

  • family of industrial control malware.

  • It's called Triton. Triton was a really alarming

  • piece of malware. It affected facilities in the

  • Middle East. And what was most alarming about it

  • was that it disabled what essentially was the

  • kill switch for a catastrophic disaster.

  • The metaphor I use here is relying on the police

  • to come help you out when your house is broken

  • into. But the police is asleep in his police car.

  • That is a metaphor of that safety system being

  • bypassed. Though there's not been a cyberattack

  • in the U.S. that has shut off power to the grid,

  • hackers have still gone after utility companies.

  • In 2016, an electric power and water utility

  • company paid $25,000 in bitcoin ransom after

  • hackers locked the utility out of its computer

  • systems. In 2018, the Department of Homeland

  • Security and the FBI issued a joint alert,

  • warning that Russian cyberactors had been

  • targeting U.S. government entities and critical

  • infrastructure sectors since 2016.

  • And in 2017, the Department of Energy disclosed a

  • hack at an electric utility in the western U.S.

  • Though the hack did not cause outages, it did

  • show that our power grid was vulnerable.

  • Most countries that the United States has an

  • adversarial relationship with don't actually want

  • to go to war with the United States.

  • It makes more sense for them to conduct

  • reconnaissance missions against our electrical

  • grid. For that reason, it's more realistic that

  • the types of attacks we see are in the name of

  • gathering information or opening back doors, than

  • some sort of catastrophic attack or an attack

  • similar to the one that we saw in Ukraine.

  • Protecting our energy grid is essential to our

  • national security. But there are a few reasons

  • why it is difficult to do.

  • For one, it's hard to even gauge how many cyber

  • attacks there are. The reason we don't have good

  • numbers around how many cyber attacks there are

  • against utilities is that most of these companies

  • simply don't report them.

  • There's not much of an incentive for utilities or

  • the companies that provide them with equipment to

  • tell the public about every cyberattack they've

  • had. They would risk panicking the public and

  • they might also even open themselves up to

  • further attacks if attackers know what's working

  • against them. That's changing.

  • In early 2019, the Federal Energy Regulatory

  • Commission updated cybersecurity standards for

  • electric grids.

  • The new standards require electric companies to

  • report any incidents that either compromise or

  • attempt to compromise electronic security

  • perimeters, electronic access control or

  • monitoring systems and physical security

  • perimeters associated with cyber systems.

  • The new reliability standard also encompasses

  • disruptions or attempts to disrupt the operation

  • of a bulk electric system or cyber system.

  • Like with Stuxnet, hackers may try to subvert

  • security measures by targeting suppliers as

  • opposed to going after the big utility companies.

  • Companies are becoming very careful about

  • checking the software that comes from their

  • suppliers. In fact, they have a test environment

  • whereby the updates for the software is tested to

  • make sure that the software they're getting from

  • their automation vendor is not infested with

  • malware. Another best practice is what is known

  • as PEN or penetration testing.

  • PEN testing is a process through which you

  • intentionally attack your own system, whether

  • with your own people or bring people from the

  • outside to see how well your defenses are.

  • But finding someone to perform this test is often

  • difficult. There is a shortage of over 1.5