All language subtitles for cyberwar.s01e07.720p.hdtv.x264-w4f_Track02

1 00:00:01,936 --> 00:00:03,735 BEN: The critical systems that keep society running 2 00:00:03,771 --> 00:00:05,070 are connected. 3 00:00:05,105 --> 00:00:06,738 These systems are more and more connected 4 00:00:06,774 --> 00:00:08,440 to the internet quite openly. 5 00:00:08,475 --> 00:00:09,908 They're just kind of open game. 6 00:00:09,944 --> 00:00:12,878 But it's exposing them to a massive security risk. 7 00:00:12,913 --> 00:00:16,548 If you can access it remotely, so can everybody else. 8 00:00:16,584 --> 00:00:19,117 Cyber attacks are on the rise. 9 00:00:19,153 --> 00:00:21,286 You don't think this is just needless fear-mongering, do you? 10 00:00:21,322 --> 00:00:22,554 I wish it was. 11 00:00:22,590 --> 00:00:24,456 Then I could sleep a lot better. 12 00:00:24,491 --> 00:00:28,727 Malware has infected critical infrastructure everywhere. 13 00:00:28,762 --> 00:00:31,396 We've gotta begin to think about what are the rules of war 14 00:00:31,432 --> 00:00:33,765 if, God forbid, you wind up with a cyberwar. 15 00:00:33,801 --> 00:00:36,401 Will cyber attacks trigger an all-out war? 16 00:00:38,472 --> 00:00:48,480 ♪ 17 00:00:59,326 --> 00:01:01,493 The industrialized world runs on an infrastructure 18 00:01:01,528 --> 00:01:03,462 that we take for granted. 19 00:01:03,497 --> 00:01:05,430 When things are running well, 20 00:01:05,466 --> 00:01:07,633 they're pretty easy to forget about. 21 00:01:07,668 --> 00:01:09,301 But critical infrastructure 22 00:01:09,336 --> 00:01:12,137 has always been a prime target in war. 23 00:01:12,172 --> 00:01:15,641 Destroying a power grid or water system can paralyze the enemy. 
24 00:01:15,676 --> 00:01:17,609 And as more and more of that kind of infrastructure 25 00:01:17,645 --> 00:01:19,411 is connected to digital networks, 26 00:01:19,446 --> 00:01:22,347 experts are finding it's also vulnerable to cyber attacks. 27 00:01:25,352 --> 00:01:29,955 In the control system world, if something fails, it's obvious. 28 00:01:29,990 --> 00:01:33,625 The lights go out, a pipe breaks. 29 00:01:33,661 --> 00:01:36,361 What you don't know is: 30 00:01:36,397 --> 00:01:40,132 did cyber play a role in what happened? 31 00:01:40,167 --> 00:01:43,168 Joe Weiss has been an industrial control systems engineer 32 00:01:43,203 --> 00:01:45,470 for almost 40 years. 33 00:01:45,506 --> 00:01:48,307 Joe took me to a power station in California. 34 00:01:48,342 --> 00:01:51,009 That state's power grid was allegedly hacked by China 35 00:01:51,045 --> 00:01:53,312 in the early 2000s. 36 00:01:53,347 --> 00:01:56,148 ICS stands for Industrial Control Systems. 37 00:01:56,183 --> 00:01:59,518 It's essentially a ubiquitous term 38 00:01:59,553 --> 00:02:03,455 that we're using to cover this range of things 39 00:02:03,490 --> 00:02:07,993 that monitor or control physical processes. 40 00:02:09,229 --> 00:02:11,229 So like what you see over here, 41 00:02:11,265 --> 00:02:15,000 all of this stuff is controlling the electric system. 42 00:02:15,035 --> 00:02:18,870 So someone from China could effectively gain access 43 00:02:18,906 --> 00:02:21,673 to a network that's controlling something in California? 44 00:02:21,709 --> 00:02:23,008 Yes. 45 00:02:23,043 --> 00:02:25,811 I don't think there's any question that there are 46 00:02:25,846 --> 00:02:31,416 nation states that are targeting critical infrastructure. 47 00:02:31,452 --> 00:02:35,687 Electric, water, pipelines, you name it. 48 00:02:35,723 --> 00:02:39,491 We've already had, many years ago, documented 49 00:02:39,526 --> 00:02:44,096 where China did try to meddle with things here, like this. 
50 00:02:44,131 --> 00:02:45,731 What did they do? 51 00:02:45,766 --> 00:02:48,567 They hacked into what's called 52 00:02:48,602 --> 00:02:51,136 the California Independent System Operator, 53 00:02:51,171 --> 00:02:53,205 which is in Folsom, California. 54 00:02:53,240 --> 00:02:57,109 Which is what, on an overall basis, controls this. 55 00:02:57,144 --> 00:02:59,444 And if they had, what are the sorts of things we could see? 56 00:02:59,480 --> 00:03:01,413 'Cause that's obviously an attack, right? 57 00:03:01,448 --> 00:03:03,715 That was obviously an attack, correct. 58 00:03:03,751 --> 00:03:05,617 And what would've been a fallout if they... 59 00:03:05,652 --> 00:03:08,053 Again, depending on what they would've done, 60 00:03:08,088 --> 00:03:10,889 they could've affected, you know, power 61 00:03:10,924 --> 00:03:14,960 to hundreds of thousands of customers. 62 00:03:14,995 --> 00:03:17,195 Shut down California, one of the most important states? 63 00:03:17,231 --> 00:03:20,932 Well, they could've certainly played havoc with the grid. 64 00:03:23,771 --> 00:03:25,971 This attack is just one case. 65 00:03:26,006 --> 00:03:28,774 The real turning point was in 2009. 66 00:03:28,809 --> 00:03:31,777 It was a sophisticated computer virus called Stuxnet, 67 00:03:31,812 --> 00:03:34,613 and it infiltrated and destroyed nuclear centrifuges 68 00:03:34,648 --> 00:03:38,417 at a controversial uranium enrichment plant in Iran. 69 00:03:38,452 --> 00:03:40,118 Observers agree the attack was likely 70 00:03:40,154 --> 00:03:42,754 a joint US/Israeli operation. 71 00:03:42,790 --> 00:03:44,423 The critical infrastructure war was on. 72 00:03:46,960 --> 00:03:49,594 But I wanna know how hackers get inside critical infrastructure 73 00:03:49,630 --> 00:03:50,862 in the first place. 74 00:03:50,898 --> 00:03:52,097 Nice to meet you. 75 00:03:52,132 --> 00:03:53,432 - Ben. - A pleasure. 
76 00:03:53,467 --> 00:03:55,467 Meredith Patterson is an expert in protocols, 77 00:03:55,502 --> 00:03:58,770 the instructions machines use to communicate with each other. 78 00:03:58,806 --> 00:04:02,441 A control system is just a system that takes some 79 00:04:02,476 --> 00:04:06,678 reference value and then monitors a centrifuge 80 00:04:06,713 --> 00:04:10,282 or a turbine or a fan, any kind of device 81 00:04:10,317 --> 00:04:13,318 that has some property that can be measured. 82 00:04:13,353 --> 00:04:16,455 Temperature, speed, direction, whatever. 83 00:04:16,490 --> 00:04:18,790 Like a power plant, or a nuclear power plant, 84 00:04:18,826 --> 00:04:20,625 or critical infrastructure. 85 00:04:20,661 --> 00:04:22,794 Yeah, a dam, anything like that. 86 00:04:22,830 --> 00:04:24,529 And are these things secure? 87 00:04:24,565 --> 00:04:26,798 Well... 88 00:04:26,834 --> 00:04:29,468 one of the problems with industrial control systems is 89 00:04:29,503 --> 00:04:33,872 that the protocols that are used in them are extremely complex. 90 00:04:33,907 --> 00:04:37,209 So if you have systems from different vendors that are using 91 00:04:37,244 --> 00:04:41,179 different implementations, you can sometimes end up with 92 00:04:41,215 --> 00:04:43,148 crosstalk essentially, because they're speaking 93 00:04:43,183 --> 00:04:45,317 different dialects of the same protocol, 94 00:04:45,352 --> 00:04:48,019 and one ends up introducing a mistake into the other. 95 00:04:48,055 --> 00:04:49,921 So if I'm reading this correctly, 96 00:04:49,957 --> 00:04:54,259 you're saying that at times the software involved with 97 00:04:54,294 --> 00:04:57,329 some of the most critical infrastructure we have, 98 00:04:57,364 --> 00:05:02,000 like nuclear power plants, can break down? 99 00:05:02,035 --> 00:05:05,604 Can the code essentially... like there's an exploit? 100 00:05:05,639 --> 00:05:07,105 There's a vulnerability? 
101 00:05:07,140 --> 00:05:08,773 MEREDITH: That's exactly what I'm saying. 102 00:05:08,809 --> 00:05:12,377 Vulnerabilities are driven by the inputs 103 00:05:12,412 --> 00:05:14,379 that people send into systems. 104 00:05:14,414 --> 00:05:19,518 And so if an attacker has any way to control or modify 105 00:05:19,553 --> 00:05:22,120 the input that is being sent to a system, 106 00:05:22,155 --> 00:05:25,724 they could send it false inputs, 107 00:05:25,759 --> 00:05:27,859 they could send it syntactically incorrect inputs. 108 00:05:27,895 --> 00:05:30,095 It is remarkably easy to just mess with 109 00:05:30,130 --> 00:05:32,230 the temperature some place, in a natural gas plant, 110 00:05:32,266 --> 00:05:33,431 and catch the entire plant on fire. 111 00:05:33,467 --> 00:05:34,966 I mean... 112 00:05:35,002 --> 00:05:36,468 - Really? - Oh yeah. 113 00:05:36,503 --> 00:05:39,938 Baytown near Houston just frequently has problems 114 00:05:39,973 --> 00:05:42,107 where a refinery catches, 115 00:05:42,142 --> 00:05:44,809 and the entire river goes up for about a day. 116 00:05:44,845 --> 00:05:47,045 And that's something that could be done 117 00:05:47,080 --> 00:05:48,580 if someone got into the system? 118 00:05:48,615 --> 00:05:50,649 This is something that happens by accident already, right? 119 00:05:50,684 --> 00:05:54,252 So if... if somebody were to get into the system, 120 00:05:54,288 --> 00:05:56,254 then yes, you could totally set the river on fire. 121 00:05:57,958 --> 00:05:59,591 That threat is real, 122 00:05:59,626 --> 00:06:01,960 and the highest levels of government know it. 123 00:06:01,995 --> 00:06:04,896 Michael Chertoff was the Secretary of Homeland Security 124 00:06:04,932 --> 00:06:06,998 under George W. Bush. 125 00:06:07,034 --> 00:06:09,434 He now runs a cybersecurity consulting firm. 126 00:06:11,438 --> 00:06:14,105 What's the biggest threat to America's 127 00:06:14,141 --> 00:06:15,907 critical infrastructure? 
128 00:06:15,943 --> 00:06:18,410 What's the thing that scares you the most? 129 00:06:18,445 --> 00:06:20,579 Well, you know, if you're talking about what would cause 130 00:06:20,614 --> 00:06:23,648 the greatest consequence, I would say anything that affects 131 00:06:23,684 --> 00:06:27,919 transportation, energy or finance, or healthcare 132 00:06:27,955 --> 00:06:30,755 would potentially have a very, very big impact 133 00:06:30,791 --> 00:06:32,123 on the United States. 134 00:06:32,159 --> 00:06:33,959 But here's the dangerous thing. 135 00:06:33,994 --> 00:06:36,528 We're now moving into what they call the Internet of Things, 136 00:06:36,563 --> 00:06:39,564 where everything is gonna get, quote, "smart". 137 00:06:39,600 --> 00:06:45,003 So as we build out all these, you know, widgets that have 138 00:06:45,038 --> 00:06:48,440 connectivity and wireless, we've gotta think to ourselves 139 00:06:48,475 --> 00:06:53,011 what happens if somebody enters using that wireless and begins 140 00:06:53,046 --> 00:06:55,880 to affect the actual physical operation of the system? 141 00:06:55,916 --> 00:06:58,483 There's also a lot of debate about what the laws of war 142 00:06:58,518 --> 00:07:00,652 would be if we did have a cyber conflict. 143 00:07:00,687 --> 00:07:03,121 And again, that's not about stealing information. 144 00:07:03,156 --> 00:07:07,492 That's literally about using cyber tools to blow up something 145 00:07:07,527 --> 00:07:10,161 like a power plant, or to kill people 146 00:07:10,197 --> 00:07:12,364 by causing an airliner to crash. 147 00:07:12,399 --> 00:07:15,066 And so we've got to begin to think about how do we... 148 00:07:15,102 --> 00:07:17,402 what are the rules of war if, God forbid, 149 00:07:17,437 --> 00:07:18,903 you wind up with a cyberwar. 
150 00:07:20,507 --> 00:07:22,807 Critical infrastructure is clearly a target, 151 00:07:22,843 --> 00:07:24,843 and attacks against them aren't a pipe dream, 152 00:07:24,878 --> 00:07:26,578 they're actually happening. 153 00:07:32,919 --> 00:07:34,319 BEN: I go to meet someone who knows about 154 00:07:34,354 --> 00:07:36,855 hacking critical infrastructure and works to prevent it. 155 00:07:42,396 --> 00:07:45,530 Chris Kubecka is an independent security consultant. 156 00:07:45,565 --> 00:07:48,299 She says she first got into hacking as a kid. 157 00:07:48,335 --> 00:07:49,467 What'd you hack into? 158 00:07:49,503 --> 00:07:51,302 The FBI and the Department of Justice. 159 00:07:51,338 --> 00:07:52,537 And how old were you? 160 00:07:52,572 --> 00:07:54,239 - I was 10. - What?! 161 00:07:54,274 --> 00:07:57,709 And I had no idea I was really doing much of anything 162 00:07:57,744 --> 00:07:59,577 'cause it was really easy. 163 00:08:01,581 --> 00:08:04,716 Back in August of 2012, malware dubbed Shamoon infected 164 00:08:04,751 --> 00:08:07,886 the network of Saudi Arabia's national oil and gas company, 165 00:08:07,921 --> 00:08:09,220 Saudi Aramco. 166 00:08:10,791 --> 00:08:12,624 Kubecka was hired to assess the damage. 167 00:08:13,994 --> 00:08:16,394 Why don't you tell me what Shamoon is. 168 00:08:16,430 --> 00:08:21,232 Shamoon was a piece of malware that began to randomly wipe 169 00:08:21,268 --> 00:08:25,904 over 35,000 Windows-based computers in Saudi Aramco. 170 00:08:25,939 --> 00:08:28,573 When it was discovered what was going on, 171 00:08:28,608 --> 00:08:32,844 individuals inside Saudi physically pulled plugs 172 00:08:32,879 --> 00:08:35,113 to keep it from getting further. 173 00:08:35,148 --> 00:08:37,082 And what was the damage? 
174 00:08:37,117 --> 00:08:40,351 The damage was about 85% of their IT systems 175 00:08:40,387 --> 00:08:42,854 were knocked out, and when I say IT systems, 176 00:08:42,889 --> 00:08:44,923 it wasn't just your desktop computer. 177 00:08:44,958 --> 00:08:48,026 It was the servers they connected to, payroll systems, 178 00:08:48,061 --> 00:08:52,130 databases, any sort of data that held research and development, 179 00:08:52,165 --> 00:08:55,767 all the way up to the voice of our IP phones. 180 00:08:55,802 --> 00:08:57,836 Did that target any... 181 00:08:57,871 --> 00:09:00,705 let's say critical infrastructure, oil production? 182 00:09:00,741 --> 00:09:02,107 Yes. 183 00:09:02,142 --> 00:09:04,809 It appeared that the attack was meant to target 184 00:09:04,845 --> 00:09:06,444 the production systems to take them down. 185 00:09:06,480 --> 00:09:08,646 So it was actually a critical infrastructure attack? 186 00:09:08,682 --> 00:09:10,782 Yes, absolutely, it was targeting it, yes. 187 00:09:10,817 --> 00:09:12,350 Who did it? 188 00:09:12,385 --> 00:09:15,186 According to Saudi Aramco, they think that the Iranians did it. 189 00:09:15,222 --> 00:09:16,855 And would you agree with that? 190 00:09:16,890 --> 00:09:20,692 It seemed like it was an extremely political attack 191 00:09:20,727 --> 00:09:23,995 done in a way that was extremely damaging 192 00:09:24,030 --> 00:09:26,531 to Saudi business culture. 193 00:09:26,566 --> 00:09:31,903 It seemed like either it had to do with a group 194 00:09:31,938 --> 00:09:36,708 related to the Saudi Arab Spring or Bahrainian Spring, 195 00:09:36,743 --> 00:09:39,144 which was going on at the same time, 196 00:09:39,179 --> 00:09:41,212 or perhaps it was Iranian. 197 00:09:41,248 --> 00:09:43,515 Have critical infrastructure attacks increased 198 00:09:43,550 --> 00:09:45,683 since Stuxnet and Shamoon? 199 00:09:45,719 --> 00:09:47,819 Yes, they have, absolutely. 
200 00:09:47,854 --> 00:09:49,888 More and more people are aware of them. 201 00:09:49,923 --> 00:09:51,890 So now curiosity is peaking. 202 00:09:51,925 --> 00:09:55,393 And if you went from just writing code 203 00:09:55,428 --> 00:09:57,929 to writing code and being able to move things... 204 00:09:59,900 --> 00:10:03,334 attacks are gonna get more and more as curiosity peaks. 205 00:10:03,370 --> 00:10:06,604 And also, these systems are more and more connected 206 00:10:06,640 --> 00:10:08,773 to the internet quite openly. 207 00:10:08,809 --> 00:10:10,542 They're just kind of open game. 208 00:10:13,380 --> 00:10:17,582 The Shamoon virus was probably the most destructive attack 209 00:10:17,617 --> 00:10:20,718 that the private sector has seen to date. 210 00:10:22,055 --> 00:10:24,756 After Shamoon, US Defense Secretary Leon Panetta 211 00:10:24,791 --> 00:10:26,658 sounded the alarm. 212 00:10:26,693 --> 00:10:32,030 The collective result of these kinds of attacks 213 00:10:32,065 --> 00:10:34,599 could be a cyber Pearl Harbor. 214 00:10:37,671 --> 00:10:40,738 How would cyber attackers find their targets? 215 00:10:40,774 --> 00:10:44,309 I learned, in fact, that there's a search engine called Shodan 216 00:10:44,344 --> 00:10:47,879 dedicated to scanning devices connected to the internet. 217 00:10:47,914 --> 00:10:49,781 John Matherly is its architect. 218 00:10:51,785 --> 00:10:53,117 So what am I looking at here? 219 00:10:53,153 --> 00:10:56,554 Shodan is a search engine that unlike Google, 220 00:10:56,590 --> 00:11:00,158 which just looks at the web, Shodan looks at the internet, 221 00:11:00,193 --> 00:11:02,427 which can include much more than just the web. 222 00:11:02,462 --> 00:11:04,095 All these devices are becoming connected, 223 00:11:04,130 --> 00:11:06,497 and Shodan finds them. 
224 00:11:06,533 --> 00:11:09,901 It can be buildings, water treatment facilities, 225 00:11:09,936 --> 00:11:13,304 factories, webcams, offices, 226 00:11:13,340 --> 00:11:15,340 everything that you can possibly imagine. 227 00:11:15,375 --> 00:11:18,910 If it can have a computer inside it, Shodan's found it. 228 00:11:18,945 --> 00:11:23,081 So this is a 3D globe where the red dots represent 229 00:11:23,116 --> 00:11:25,650 publicly accessible control systems. 230 00:11:25,685 --> 00:11:27,619 So these are control systems 231 00:11:27,654 --> 00:11:30,588 that are exposing their raw protocols. 232 00:11:30,624 --> 00:11:32,857 There's no authentication on any of these. 233 00:11:32,893 --> 00:11:35,093 You just connect, and you have full access. 234 00:11:35,128 --> 00:11:36,995 BEN: America is just a big red blob. 235 00:11:37,030 --> 00:11:38,596 That's not good. 236 00:11:38,632 --> 00:11:40,198 Most connected country in the world. 237 00:11:40,233 --> 00:11:42,166 It's not that surprising, I guess. 238 00:11:42,202 --> 00:11:43,801 Very, very connected. 239 00:11:43,837 --> 00:11:46,771 What was one thing you saw where you said to yourself, 240 00:11:46,806 --> 00:11:49,307 like, "How the hell did this get up online?" 241 00:11:49,342 --> 00:11:51,276 There are a lot of things like that. 242 00:11:51,311 --> 00:11:52,777 (Laughing) 243 00:11:52,812 --> 00:11:54,178 A big one was one in France. 244 00:11:54,214 --> 00:11:56,114 It's the hydro electric dam, 245 00:11:56,149 --> 00:11:58,216 churning like a few megawatts of power. 246 00:11:58,251 --> 00:12:00,118 It was pretty big. 247 00:12:00,153 --> 00:12:02,020 And actually, I can show it. 248 00:12:02,055 --> 00:12:04,122 And this one actually had a web interface, 249 00:12:04,157 --> 00:12:06,691 which is unusual, that showed a real-time view 250 00:12:06,726 --> 00:12:08,693 of how much power was being generated. 251 00:12:08,728 --> 00:12:11,296 And it also had all sorts of other stuff exposed. 
252 00:12:11,331 --> 00:12:13,798 That's actually a common theme with ICS devices. 253 00:12:13,833 --> 00:12:15,366 They will give you serial numbers, 254 00:12:15,402 --> 00:12:17,035 they're gonna give you firmware versions, 255 00:12:17,070 --> 00:12:20,171 because it was meant for engineers to maintain remotely. 256 00:12:20,206 --> 00:12:21,973 And if you're a remote engineer, 257 00:12:22,008 --> 00:12:24,142 you wanna know what you're working with. 258 00:12:24,177 --> 00:12:25,977 And then you look at the history of it, 259 00:12:26,012 --> 00:12:28,046 and there's a history of flooding. 260 00:12:28,081 --> 00:12:31,049 Like there are known flooding instances of this dam. 261 00:12:31,084 --> 00:12:34,319 And it took 2 years of poking and prodding 262 00:12:34,354 --> 00:12:36,387 for these guys to secure it. 263 00:12:36,423 --> 00:12:39,157 Do you think something this vulnerable and this shitty 264 00:12:39,192 --> 00:12:41,326 is lying around in the US somewhere? 265 00:12:41,361 --> 00:12:42,994 Most likely, yes. 266 00:12:43,029 --> 00:12:45,163 A lot of the guys operating these things don't understand 267 00:12:45,198 --> 00:12:49,334 that if you can access it remotely without logging in 268 00:12:49,369 --> 00:12:52,503 over the internet, so can everybody else. 269 00:12:55,442 --> 00:12:57,742 Shodan proves that critical infrastructure is in danger 270 00:12:57,777 --> 00:13:00,912 all over the world, but who else has figured that out, 271 00:13:00,947 --> 00:13:02,680 and what are they doing with it? 272 00:13:08,621 --> 00:13:09,754 BEN: Everyone was telling me that 273 00:13:09,789 --> 00:13:11,556 critical infrastructure control systems 274 00:13:11,591 --> 00:13:14,125 were not only outdated, but ripe for an attack. 
275 00:13:15,929 --> 00:13:17,962 If accessing them could be as simple as finding them 276 00:13:17,998 --> 00:13:20,431 on the internet, how hard could it be to trigger 277 00:13:20,467 --> 00:13:23,134 the nightmarish damage everyone was warning about? 278 00:13:24,738 --> 00:13:26,571 I went to meet Stuart McClure, 279 00:13:26,606 --> 00:13:29,607 the founder and owner of a security firm called Cylance. 280 00:13:31,911 --> 00:13:34,612 He shows me a device called a Programmable Logic Controller, 281 00:13:34,647 --> 00:13:36,714 or PLC. 282 00:13:36,750 --> 00:13:40,284 PLCs have been around since the 1960s, but in the digital age, 283 00:13:40,320 --> 00:13:42,587 they're the weak link for hackers to exploit. 284 00:13:44,758 --> 00:13:46,724 First off, why don't you explain to me what a PLC is. 285 00:13:46,760 --> 00:13:49,494 Yeah, a PLC is a Programmable Logic Controller. 286 00:13:49,529 --> 00:13:51,896 Basically it controls the physical world 287 00:13:51,931 --> 00:13:54,165 by programming, or computers. 288 00:13:54,200 --> 00:13:55,666 So you typically find these though 289 00:13:55,702 --> 00:13:57,101 in a lot of critical infrastructure, right? 290 00:13:57,137 --> 00:13:58,569 Absolutely. 291 00:13:58,605 --> 00:14:01,072 Any kind of oil and gas or industrial control systems. 292 00:14:01,107 --> 00:14:03,775 Anything that tries to control, like I said, 293 00:14:03,810 --> 00:14:06,911 the physical world or physical elements 294 00:14:06,946 --> 00:14:10,348 for power or oil and gas, transportation, you name it, 295 00:14:10,383 --> 00:14:13,618 they all require the use of PLCs in some form or fashion 296 00:14:13,653 --> 00:14:15,186 to make them work every day. 297 00:14:15,221 --> 00:14:18,423 As I understand it, PLCs are quite buggy and easy to exploit, 298 00:14:18,458 --> 00:14:19,957 are they not? 
299 00:14:19,993 --> 00:14:23,294 Well yeah, they're built on 30, 40 years of code that has 300 00:14:23,329 --> 00:14:26,464 really never been audited for security, or very rarely. 301 00:14:26,499 --> 00:14:28,866 So they often have a lot of vulnerabilities and exploits 302 00:14:28,902 --> 00:14:30,802 that have yet to be discovered. 303 00:14:30,837 --> 00:14:32,270 And of course, hackers love that. 304 00:14:32,305 --> 00:14:33,838 So you know how to hack a PLC? 305 00:14:33,873 --> 00:14:34,839 Yes. 306 00:14:34,874 --> 00:14:36,007 And you're gonna show us? 307 00:14:36,042 --> 00:14:37,275 Yes, absolutely. 308 00:14:37,310 --> 00:14:38,976 Let's get to it, let's try it out. 309 00:14:39,012 --> 00:14:41,512 So what this is is a rig that we built 310 00:14:41,548 --> 00:14:44,715 to represent the physical world out there that usually has 311 00:14:44,751 --> 00:14:46,818 very large versions of these things. 312 00:14:46,853 --> 00:14:51,122 This PLC is hooked up to this air pump and compressor, 313 00:14:51,157 --> 00:14:55,026 which is going to allow us to over-pressurize a bottle 314 00:14:55,061 --> 00:14:56,794 and make it explode. 315 00:14:56,830 --> 00:14:58,029 So... 316 00:14:58,064 --> 00:14:59,330 BEN: And are you gonna run any code on it? 317 00:14:59,365 --> 00:15:00,865 STUART: I am. 318 00:15:00,900 --> 00:15:03,334 I'm actually running code that we have in Python right now. 319 00:15:03,369 --> 00:15:07,004 First we set our variable to the IP address of the PLC. 320 00:15:07,040 --> 00:15:11,042 Then override our memory address here, MX0.0, which is 321 00:15:11,077 --> 00:15:14,378 the area in ladder logic which allows us to control 322 00:15:14,414 --> 00:15:18,049 the safety disable, and override that, which allows us 323 00:15:18,084 --> 00:15:21,219 to control the PLC itself and do anything we want with it. 324 00:15:21,254 --> 00:15:23,554 So would you like to do the honours? 325 00:15:23,590 --> 00:15:25,156 Alright. 
326 00:15:26,426 --> 00:15:27,692 Just hit enter. 327 00:15:27,727 --> 00:15:32,563 (Loud buzzing) 328 00:15:36,636 --> 00:15:37,835 (Explosion) 329 00:15:37,871 --> 00:15:39,370 Woo! 330 00:15:41,908 --> 00:15:43,875 STUART: Judas Priest! 331 00:15:43,910 --> 00:15:45,610 That actually sounded like a bomb. 332 00:15:45,645 --> 00:15:48,546 Yeah, now I won't hear for a while, but that was good. 333 00:15:48,581 --> 00:15:51,449 Why is it so easy to control a PLC? 334 00:15:51,484 --> 00:15:53,451 Well, it's so easy because 335 00:15:53,486 --> 00:15:55,553 the way that these things have been designed, 336 00:15:55,588 --> 00:15:57,955 they never really considered security from the ground up. 337 00:15:57,991 --> 00:16:00,258 So when they designed them, they designed them just to work. 338 00:16:00,293 --> 00:16:02,426 Now what's happening is more and more of them 339 00:16:02,462 --> 00:16:04,862 are getting hacked up, which is requiring manufacturers 340 00:16:04,898 --> 00:16:07,031 to go back and redesign them. 341 00:16:07,066 --> 00:16:09,400 And you don't think this is just needless fear-mongering, do you? 342 00:16:09,435 --> 00:16:10,801 I wish it was. 343 00:16:10,837 --> 00:16:12,703 Then I could sleep a lot better. 344 00:16:12,739 --> 00:16:14,539 You can make it more difficult, 345 00:16:14,574 --> 00:16:16,908 you can make it more challenging, but 346 00:16:16,943 --> 00:16:19,944 at the end of the day it's built so foundationally insecure that 347 00:16:19,979 --> 00:16:23,481 it makes it incredibly easy for attackers to gain access. 348 00:16:25,952 --> 00:16:28,152 All the experts I've spoken say our critical infrastructure 349 00:16:28,188 --> 00:16:31,289 is vulnerable, and I wonder what Washington is doing about it. 350 00:16:32,926 --> 00:16:35,626 The best guy to ask that question is Michael Daniel. 351 00:16:35,662 --> 00:16:39,597 He advises President Obama on cybersecurity issues. 
352 00:16:39,632 --> 00:16:42,934 So what's the attack that keeps you up at night? 353 00:16:42,969 --> 00:16:46,971 I would say it's one that is focused on our 354 00:16:47,006 --> 00:16:51,275 critical infrastructure that has some unintended consequences. 355 00:16:51,311 --> 00:16:54,178 That's the one that really I think worries me, 356 00:16:54,214 --> 00:16:57,248 because we don't really actually understand how these incredibly 357 00:16:57,283 --> 00:17:00,785 complex systems actually interact with each other. 358 00:17:02,522 --> 00:17:04,922 So you fear that another superpower might infiltrate 359 00:17:04,958 --> 00:17:07,825 critical infrastructure and set off an unneeded conflict? 360 00:17:07,860 --> 00:17:11,662 So that is certainly a concern, although I would actually say 361 00:17:11,698 --> 00:17:16,634 that I'm less worried about that than I am other actors 362 00:17:16,669 --> 00:17:20,104 that have less interest in the overall sort of 363 00:17:20,139 --> 00:17:23,641 international current, you know, status quo. 364 00:17:23,676 --> 00:17:25,343 Who are these adversaries? 365 00:17:25,378 --> 00:17:28,045 So you know, the Director of National Intelligence 366 00:17:28,081 --> 00:17:29,880 has talked about them in his testimony. 367 00:17:29,916 --> 00:17:33,017 So Iran and North Korea certainly top the list. 368 00:17:33,052 --> 00:17:36,787 Although we are not unconcerned about terrorists 369 00:17:36,823 --> 00:17:39,824 and other actors who don't bill themselves so much 370 00:17:39,859 --> 00:17:43,327 as terrorists, but certainly cyber hacktivists and others. 371 00:17:43,363 --> 00:17:44,662 Everything's crackable. 372 00:17:44,697 --> 00:17:48,232 You cannot prevent all cyber intrusions. 373 00:17:48,268 --> 00:17:49,900 That's just impossible. 374 00:17:49,936 --> 00:17:52,103 You'll never be able to prevent all of them. 375 00:17:52,138 --> 00:17:54,038 Everything is penetrable eventually. 
376 00:17:58,578 --> 00:18:00,745 Everyone's told me that no critical infrastructure system 377 00:18:00,780 --> 00:18:04,248 is bulletproof, and one US government agency 378 00:18:04,284 --> 00:18:06,217 is trying to keep track of the cyber attacks 379 00:18:06,252 --> 00:18:08,019 happening across the country. 380 00:18:16,696 --> 00:18:17,895 I'm about to meet with Martin Edwards, 381 00:18:17,930 --> 00:18:20,765 who's the guy tasked by Homeland Security 382 00:18:20,800 --> 00:18:23,834 at ICS-CERT to protect US critical infrastructure 383 00:18:23,870 --> 00:18:25,536 against a cyber attack. 384 00:18:28,207 --> 00:18:30,174 BEN: Edwards is somebody who knows the cyber attacks 385 00:18:30,209 --> 00:18:32,610 being lobbed at America's critical infrastructure. 386 00:18:32,645 --> 00:18:36,180 This sort of looks a lot like Enemy of the State or something. 387 00:18:36,215 --> 00:18:39,784 So what you're in is you're in the National Cybersecurity 388 00:18:39,819 --> 00:18:42,019 and Communications Integration Center, 389 00:18:42,055 --> 00:18:45,723 which is more or less the DHS Operations Center for Cyber. 390 00:18:45,758 --> 00:18:47,591 These are where all the different analysts 391 00:18:47,627 --> 00:18:50,027 from ICS-CERT, US-CERT are actively defending 392 00:18:50,063 --> 00:18:52,029 the country's networks. 393 00:18:52,065 --> 00:18:55,032 In 2015 alone, the Department of Homeland Security 394 00:18:55,068 --> 00:18:58,069 spent $1.25 billion on cybersecurity. 395 00:18:59,906 --> 00:19:02,206 You know, we've cleaned up the place a little bit 396 00:19:02,241 --> 00:19:04,675 for you to come in, but it's definitely 397 00:19:04,711 --> 00:19:08,913 a very highly active environment all the time. 
398 00:19:10,416 --> 00:19:12,116 Edwards has declassified the control room, 399 00:19:12,151 --> 00:19:15,219 so we won't see any real-time threats, but it still gives us 400 00:19:15,254 --> 00:19:17,888 a rare look into their nation-wide monitoring system. 401 00:19:20,660 --> 00:19:23,828 And how does ICS-CERT protect the United States? 402 00:19:23,863 --> 00:19:25,229 Yeah, it's tough, it's tough. 403 00:19:25,264 --> 00:19:26,797 It's a big problem. 404 00:19:26,833 --> 00:19:29,100 If there is an incident, either criminal or nation state level, 405 00:19:29,135 --> 00:19:32,636 we'll send an instant response team to those companies to work 406 00:19:32,672 --> 00:19:36,240 hand-in-hand with them to clean up, mitigate the event. 407 00:19:36,275 --> 00:19:39,610 Do you see an awful lot of nation state actors going after 408 00:19:39,645 --> 00:19:41,112 critical infrastructure? 409 00:19:41,147 --> 00:19:43,080 I would say we see the whole spectrum. 410 00:19:43,116 --> 00:19:46,250 They all look different, and we save the word "attack" 411 00:19:46,285 --> 00:19:49,954 for something that is purposeful and intentional 412 00:19:49,989 --> 00:19:52,990 with an intentional consequence. 413 00:19:53,025 --> 00:19:57,795 A lot of what we see is sort of reconnaissance, and then 414 00:19:57,830 --> 00:20:00,765 of course yes, we do see the nation state level actors 415 00:20:00,800 --> 00:20:03,768 either in the espionage business 416 00:20:03,803 --> 00:20:06,704 or prepping the battlefield type of perspective, right? 417 00:20:06,739 --> 00:20:09,440 So you're trying to understand the infrastructure 418 00:20:09,475 --> 00:20:11,142 for some future unknown use. 419 00:20:13,413 --> 00:20:15,713 So if most threats Homeland Security see are about 420 00:20:15,748 --> 00:20:18,783 espionage, at what point does a cyber attack cross the line? 
421 00:20:20,553 --> 00:20:23,621 At what point does the administration consider 422 00:20:23,656 --> 00:20:26,157 a critical infrastructure attack an act of war? 423 00:20:26,192 --> 00:20:29,326 So that is not something that is well defined. 424 00:20:29,362 --> 00:20:34,298 Fortunately we haven't seen one of those events here 425 00:20:34,333 --> 00:20:36,801 in the United States in a way that would, you know, 426 00:20:36,836 --> 00:20:38,469 probably cross that threshold. 427 00:20:38,504 --> 00:20:42,640 And so therefore I think that we focus on, you know, 428 00:20:42,675 --> 00:20:44,975 really raising the level of cybersecurity 429 00:20:45,011 --> 00:20:46,844 in our critical infrastructure. 430 00:20:46,879 --> 00:20:49,146 It's one of the areas that we've worked very hard on 431 00:20:49,182 --> 00:20:51,849 over the course of this administration. 432 00:20:53,052 --> 00:20:55,986 Even as the US tries to shore up its cyber defenses, 433 00:20:56,022 --> 00:20:58,856 there's little incentive not to attack. 434 00:20:58,891 --> 00:21:00,424 You know, mutually assured destruction 435 00:21:00,460 --> 00:21:02,593 is another way of describing deterrence. 436 00:21:02,628 --> 00:21:05,229 If you attack me, I will fight back, and therefore 437 00:21:05,264 --> 00:21:08,666 it's not in your interest to attack me in the first place. 438 00:21:08,701 --> 00:21:11,535 And that's where the difficulty of proving 439 00:21:11,571 --> 00:21:14,872 who actually launched an attack becomes a major issue, 440 00:21:14,907 --> 00:21:18,175 because it's very rare for a nation state or a criminal group 441 00:21:18,211 --> 00:21:22,012 to go directly from the server it controls at the target. 442 00:21:22,048 --> 00:21:24,548 They will often launch from around the world. 443 00:21:24,584 --> 00:21:26,617 They may hop multiple points. 
444 00:21:26,652 --> 00:21:30,054 They may enlist computers that they've hijacked 445 00:21:30,089 --> 00:21:33,257 as being the spears basically that they throw at the target. 446 00:21:33,292 --> 00:21:34,959 I mean, you're painting a pretty dark picture then. 447 00:21:34,994 --> 00:21:37,595 When you get attacked, even if it's major infrastructure, 448 00:21:37,630 --> 00:21:41,198 the first question is: how sure am I that I know the country 449 00:21:41,234 --> 00:21:43,300 that either caused it or allowed it to happen? 450 00:21:43,336 --> 00:21:46,670 And that ambiguity and that uncertainty is one of 451 00:21:46,706 --> 00:21:49,440 the obstacles to having a very clear deterrent policy. 452 00:21:53,412 --> 00:21:55,279 Experts and hackers agree that a new war 453 00:21:55,314 --> 00:21:57,515 on critical infrastructure has not only begun, 454 00:21:57,550 --> 00:21:59,149 it's well underway. 455 00:22:01,754 --> 00:22:11,762 ♪
