Safeguarding power grids and other critical infrastructure from data leaks

September 14, 2019

Hi, my name is Steve Ragan with CSO Online, and right now I'm with code or and Krystia. We're at the Black Hat conference, and I can't really talk about where these two work at the moment, but government. We've looked at Gumboot. All right, so they work for the government. Today we're going to talk about ICS security, so stick around. We'll be right back.

So, to be clear, this is not something you just came up with. You guys have been working on this project together now for a couple of years, and I know that you submitted the concept overall to one of the conferences out here in Vegas. Walk me through this a little bit. What made you want to give a talk on this?

I actually got kind of a spark of the idea from last year's DEF CON. There was a guy who talked on taking over government, where he was using some open source intelligence. He was also hacking things at the same time, but his original statement in the beginning of the presentation was, "We should be considered terrorists, or we should become the terrorists that the government's afraid of," and I thought, well, that's really irresponsible. I had already been looking online and passing along things that I find that are bad to federal authorities to get it offline, so I contacted code or and cenac Poem and we discussed it, and I found out that they'd been doing the same kind of thing in parallel to me. I didn't know they were doing it.

Yeah, so we care about, you know, critical infrastructure and the grid, and just by searching, looking for SCADA, the passwords, you know, things like that, documents, drawings, things like that that shouldn't be out there. We're just trying to see what's out there. It's almost like Shodan: looking for things that shouldn't be on there, and looking for documents and other things like that that shouldn't be out there, because those things being online, people can find that and use it against the company, or the owners, or whoever.

Let's touch for about a second on the topic of ICS security in general. It has actually been pretty big over the last couple of years, but I also know there's been a lot of hype. Can you guys talk about some of the hype that's been around this type of research, or the type of real-world threats that exist in this space?

Well, you know, there's always this jumping up and down: Stuxnet, and our solution can stop Stuxnet, or hackers are going to take down the grid, or, you know, a lot of overstated statements. It's like the Ted Koppel book "Lights Out." Okay, I didn't want to read it, but I had to read it, because he was making the rounds on TV, on the news, and oh my God, the end of the world. We know better. So I looked at that, I read it, and I had a couple of fits, and I started once again just looking at OSINT, using Google, using some other tools, directing it this time at just power companies, nuclear power, the grid systems, dams, whatever would be considered critical infrastructure. The amount of stuff that is just laying around is enough to make one who knows how to do stuff scared, but it's not going to be anything that's going to be taking the whole grid down. It's one of the things that's really kind of made me mental over the years, the hype, and no matter how many times I talk to a reporter, I don't often see the actual facts coming out in a way that isn't going to affect their lead.

Yeah. So let's go back into the actual meat and potatoes, what you found. How important are Google and Shodan and other public repositories of data to your research? How much of an impact does that have, and what did you find?

Okay, well, you know, Google obviously is our friend, and it indexes everything, which is really nice, and a lot of people don't have their robots.txt set up right or whatever. So there are a lot of things that are indexed by Google, and you can find them if you know some keywords, you know, to search things about the power grid. Pick a vendor, search about, you know, look for user manuals, things like that, or certain things that a certain power company might have online, some things that they have to make public. Sometimes they give away too much information, and then there's sometimes, you know, things that are just not really smart ideas. People will back up backups on their personal drives and make an anonymous FTP login to that. And so we find these things. We found all kinds of things, and we try to work with those people, or whoever owns the data, to try to get it offline. We try to educate them about taking them down.

Yeah, it's exactly that. You know these terabyte workstation drives that you can buy? They buy them, they plug them in, and it's just default, so it's sharing it to the internet on an anonymous FTP or SMB share. So once you start using the Google-fu, looking for FTPs or looking for the specific strings for specific drives, they pop up, and you find a lot of stuff. It's not just grid stuff. Even though sometimes you'll use direct keywords, you'll find other things, too. I found plenty of data that didn't belong to any kind of grid or electric kind of company, but, you know, government systems, things like that. You know, governments being public, a lot of times they put what they buy, you know, purchase orders and things like that, which makes it easier for an attacker to find that stuff and learn more about their systems. And so we try to get a good idea of what's out there, what is shit, what is the good amount, the level that those entities should be putting online and what they should, you know. There's a lot of education that needs to happen, but, you know, Google, it doesn't care if it's an FTP drive. It's going in and indexing it, and you don't even have to log into it. You can just search it.

Yep. So the thing I kind of want to stress here: you notice we're really touching around a lot of specifics, and there's a reason for that. The goal is to express the type of threats and risks that are out there and how to address those, but we're not going to use this video to give anybody a primer on how to replicate their research.

The only other thing related to this that I actually had a question on was, a lot of times the power companies have a great media campaign when they're trying to champion their local neighborhoods and things like this, and so they put a lot of information out there, from town-hall meetings to another, you know, public. Does that help or hurt in security? Or, sorry, bad question: does that help or hurt you when you're doing your research?

Well, a lot of the stuff that does pop up is stuff that is part of that, where they've got plans, they've got the right-of-way type of stuff, and it's public, so the public is supposed to be able to vote on it or know about it in some way. But sometimes they just have too much information, I guess. It's not really necessary to have all that information, but they've got it on a drive shared, they've got it on a website, and, you know, we're trying to get them to weed a little bit more so that you're not giving everything away.

One of my big things is that back two or three years ago there was a physical attack in Silicon Valley against the power system, and all they did was shoot it with AK-47s, but they knew where things were, they knew what to shoot, they knew where the cameras were, and they took them out. All that stuff is available online too, if you know how to find it and if you wanted to make a physical attack just like they did. And then there's also things that vendors brag about: who has bought what systems. Just an example, not to talk about us, but Ukraine. You can look at the Ukraine attacks and you can look at the vendors that put in that equipment in substations. You can find out all the makes and models of the equipment that they use, so it's making it easier for an attacker to learn this stuff. But there's still a lot, to not be hyped about it: you have to have engineering knowledge.

She's got it. Yeah, it's not enough to know the data. You have to know how to use the data, is what you're saying.

That's right, because people are kind of making it easy, putting things in job postings, putting things on LinkedIn, talking about it. You know, to some extent you have to do some of that, but some people have just a lack of understanding of the bigger picture of what's happening in the world today. They just put too much stuff out there, and we're trying to help find that stuff and take some of that stuff down. Now that we have adversaries that are deliberately looking for this type of information, they already have a level of acumen on how to do some of these things, the weirder, as well as other things. Trying to get that stuff taken out of the equation in the first place, if they aren't able to get it easily, is one of our goals.

One of the things the cynic pone and I did: we might have heard that the nine substations, you could take out nine substations and it caused a major nationwide blackout, when people forget that there's 3,000 utilities and there's a lot of redundancy built in. So me and 10 iphone tried to figure out what those nine substations were just by using our knowledge of power grids and also, you know, doing open source research and things like that. So we would expect that adversaries are doing the same thing, trying to do the same thing like that.

So that leads me to my next question, which is actually, you know, now that you have this information, you've done your homework, what can you do as an attacker? Like, what are some of the immediate impacts that you can have just by finding this information publicly exposed?

Well, I would say spearphishing is probably the thing that is the most immediate. So as an attacker, you find out information that you can craft into an email that's believable. That's actually just happened. The electric sector was targeted with spearphishing, as Lesley, yeah, and this has been going on since 2015. And there are control engineers that have clicked on those things, not, you know, but like, say, at a nuclear plant, those systems are well segmented, so something like that wouldn't have happened. But maybe in other countries they would have, or if it was in, you know, a smaller power company, things like that, so those kind of things we have to worry about. And an attacker can use that public information to generate something that's believable to anyone, you know: "Hey, I'm a vendor. I'm gonna ask questions about this system," or blah blah blah.

Yeah, for me, there's the electronic component, but for me it's more about the physical attack side. From my background, as some of these people watching this may know, it's more on the counterterrorism and other things, and so far there's not a lot of actors of that ilk that are at that level, doing that kind of phishing and then attacking the grid. But they can easily put it into a magazine: go tackle a power substation, and if they can Google things up, I'll just say go attack all of these all at once, or, you know, in succession, and you could cause some of that rolling outage that you were kind of discussing. So, you know, the theory is out there. There's a paper by a guy from China, did it like 2012, 2014. Yeah, so I mean, that's something: you can't physically secure every transmission line. It's impossible. So I've talked to power companies and said, how do you get your head around that? How do you get visibility into things like that? Don't they talk to deer hunters that have deer stands along power lines and see strange activity going on, something like that? You know, there's a lot for this work. Yeah, I mean, bringing a box of donuts and saying, hey, have you seen anything strange? You know, when I got here, and I have cams.

I have recently seen more infrastructure going in, walls around some of this power infrastructure that I was worried about in my local area, so it's good that they're picking up on it. I think it's probably because of that attack in California.

Yes. So tell me some war stories based on the research and things you found. What are some of the more standout items of interest?

Okay, we found a whole city. It is in Florida; I won't mention which one. They had their whole SCADA system documents and all their backups on their public FTP site. So the city has a public FTP site, but they had all their SCADA stuff backed up there. So me and Sandy Cohen, we notified ICS-CERT, and we notified them. You know, we got them on the phone, told them about what was going on, and we all worked together to get that stuff taken off. You know, it's a smaller utility, but, you know, that's one of the things that we've seen. Plans for, like, jails and all their control systems related to that. We found SCIF plans. It's just out there. We found a SCADA engineer who had his work laptop backed up on his home Seagate drive, and we called him and said, hey, we're from the internet, and you have something online that shouldn't be on there, and we told him, and he kind of just hung up. And then 10 to 15 minutes later we tried to look at it again, and it was gone. So he had taken it down. We baited pizza for you. Yeah, so those are some of the things that we've found.

What a heavy fan. Like, I Google-dorked my way into a dam. Oh, it was after there was an alleged attack, I forget which one, yeah. Anyway, I started Googling around just to see what I could find. I found one dam that had this website, and I'm tooling around, I clicked on something, and suddenly I was inside, and I was looking at an actual page for one of their SCADA systems for controlling part of the dam. No, I didn't touch anything. I backed away slowly, and I called the federal authorities and I said, here, you might want to give them a call.

You know, going through this you not only find, like I said, not just infrastructure, but I guess this could be considered infrastructure: at one point I found a guy's terabyte drives shared to the internet, and he had all of his infrastructure, which was a service provider for internet, a big one, had all their passwords, all their high-level passwords, in an Excel sheet shared out. So I immediately called my friends, and I said, here you go, you call these people, because this is out there now, and shortly after that it was gone.

One more is, we found, and this isn't related to the power grid or anything like that, we found a cybersecurity pen testing company had all their customer reports on an anonymous FTP. Yeah, so, you know, you'd expect them not to do that, but, you know, that's some of the things that we found.

Yeah, and oftentimes, if the provider of these pen tests or the security assessments does the right thing and they zip it up and it's encrypted and everything, the actual people that they've done it for will often put it somewhere, and it's available on the internet eventually if you know how to dig.

So as a practical matter, what advice do you have for organizations to prevent the type of data leaks, unintentional exposures, or however you want to call it, that you two find across systems?

I'll go first. You know, talking about power companies, they can look at the documents that they make public, that they're required to make public for regulation, and make sure the cybersecurity team has looked through that information to see if there's any sensitive information. Have the engineers look through them and see if there's anything that, you know, they need to know some information, but if they're building a transmission line, you know, don't share, like, IP addresses, and those kind of things, and down on the firmware. You don't need to know what firmware is on this thing, or schematics.

Schematics, yeah, whole schematics. Yeah, and, you know, for engineers, personally, don't back up your work laptop and take it home. It may be a thing around training, training your people, having an assessment done to see how good their, you know, awareness is, and, you know, hey, how can we protect ourselves? Like on LinkedIn, if you have a policy around not posting stuff to LinkedIn about sensitive information, are your employees following that? Things like that. Things will be marked as proprietary or private; sometimes it's still shared out. Sometimes, even with some implementations of websites, web servers, it'll say, you know, you click on it and it says no, you can't get it, and you click cancel, and it'll still download the file. So there's misconfiguration, you know, that's part of that too, and the caching issue. But overall I think it's a data awareness, data classification problem, and coming from the background that I've come from, there are government entities, military entities, that still don't classify their data properly, so I think everyone needs to take a look at that. So what do you share? You know, is that something that really needs to be there, or can we redact something, or just create a separate report that needs to go to the public, instead of just dropping all the docs into a share on FTP anonymously?

My name is Steve Ragan with CSO Online. If you'd like to learn more about critical infrastructure, feel free to visit us online at CSO.
