The_Gibson is a user on hackers.town. You can follow them or interact with them if you have an account anywhere in the fediverse.
The_Gibson @thegibson

manafort is states evidence!!!!!!

@thegibson Hey, question for you:

While the mundane explanation is the most likely in the recent Boston gas explosions, could it also be caused by a cyber attack? It's no secret that foreign agents have been not only getting into our power grid, but into local systems themselves. And, apparently, no real action has been taken to stop this.

I'm not, like, panicking or anything. It's just an honest question.

@fidgety

It is unlikely.

It is not impossible.

I would need to know more about the various systems involved.

@fidgety If you are asking me to speculate how it could happen, that's a different question entirely.

@thegibson I figured that it was highly unlikely, but I sort of have an interest in this stuff because 1.) it's neat, and 2.) I swear to God, whenever I worked at the hospital, I knew more about cyber security than the entire IT department -- as inexperienced as I am in a topic that's totally foreign to me, so I'd like to learn even more.

@fidgety

it all depends if the pipelines are computer controlled, and an ip enabled system that can access it and finding a nearby system that could generate a spark of some
sort.

If both systems were in proximity, and had exploitable vulnerabilities, then I wouldn't rule it out.

It is possible, but unlikely.

@fidgety The sorts of exploits used in Dragonfly 2.0 and Energetic Bear did drop RATs, so if those exploits applied here, then it could be done under the right circumstances and goals.

@thegibson @fidgety I know about a really interesting talk on this subject but I dont think the video exists yet.

Adding to the conversation. If such systems were remotely accessible, a poorly implemented exploit or a general lack of understanding of the systems involved could inadvertantly cause catastrophic damage.

Poor maintenance or human fuckups are perhaps more likely.

@thegibson @fidgety Ukraine is a case study for cyber attacks on industrial infrastructure.

@remotenemesis @thegibson See, that's my other big interest in this. Yeah, the mechanics of cyber attacks are neat, but I'm also interested in the security end as well -- how to defend against this stuff.

And then there's the social engineering end of this, too. If I learned any one thing from Kevin Mitnik, it was how just simple observation is probably your best tool for breaching someone's stuff. So, how much is cyber defence being beefed up along THESE parameters, too?

It's just...neat.

@remotenemesis @thegibson (A secret about me: I have a weird love of military strategy. And, also, I really got into watching Steeler football for a while because it was a joy to watch Bill Cowher at work.

Tomlin, not so much. But, that's another story.)

@remotenemesis @thegibson (So, yeah, cyber war comes down to strategy, and there's no real large-scale counter strategy at this point because there's never been a full-scale cyberwar yet.

So, that's where my interest in strategy comes in.)

@fidgety @remotenemesis

I would argue there has been a fullscale cyberwar for years...

We just don't talk about it like that.

@thegibson @remotenemesis I suppose that's true, yeah. I mean, yeah, Stuxnet is interesting on its own, but the geopolitical ramifications are SUCH a huge topic.

How would cyber attacks be used in, say, WWIII? I have a good idea, but it's a lot of fun to run through the theoretical.

@fidgety @remotenemesis

so currently they are used largely for disinformation, supply chain disruption, Service disruption, recon, intel gathering and collateral damage.

Most machines of war would not be easy to disrupt on the battlefield... although, there are indicators that DPRK's failed missile launches were due to American intervention (think Stuxnet)...

Critical weapons systems should not be put into a vulnerable stance to start with.

@thegibson @fidgety Ukraine is being hammered by Russian state-sponsored attacks on in its critical infrastructure. Checkout NotPetya as an example

@remotenemesis @thegibson Ukraine, in general, used to be a big thing for me. It has to partially do with my decades-long interest in Chernobyl, and that sort of led me into Ukrainian history and politics.

I'm nowhere near into it as I used to be, and I'm absolutely not an expert by any stretch of the imagination, but, God, Ukraine is probably one of the most interesting counties on Earth.

So, yeah, I've been watching the Russian attacks somewhat closely, but not as much as I probably should.

@fidgety @remotenemesis The TTP's used in Ukraine have been applied elsewhere...

I can confirm two energy production clients in which we have found remnants and attempts that have VERY similar fingerprints.

There are a few Nuke plants that have been known to be impacted in the US as well.

@remotenemesis @fidgety I've read that.

Very familiar with that
situation.

Endpoints are the network edge now... treat them as such.

@thegibson
See, that's my OTHER thing. My interest in all things radiological makes me REALLY interested in attacks on nuclear power plants.

That's what Stuxnet ultimately did -- well, mess with the process of refining Uranium and overwork the centrifuges.

So, how much farther could that go? Would it be possible to start at least a partial meltdown, much in the same way that Three Mile Island went down?

This is the fun theoretical.
@remotenemesis

@fidgety @remotenemesis Stuxnet proves that CNC is possible even on sirgapped systems in a nuke plant...

so yes, it is certainly theoretically possible.

Probably easier in the US due to use of commercial software.

@fidgety @remotenemesis commercial software simply providing a known consistent platform to attack.

@fidgety @remotenemesis

This is all as a thought experiment.

I can say that since the Ukrainian powergrid attack, power generation facilities across the US have certainly gotten more serious.

@thegibson @fidgety and used hardware and manuals one can buy off of ebay...

@remotenemesis @fidgety exactly.

The best way to stop this is to utilize a security model that mitigates thoughts not by solely file signature, but monitoring processes on the endpoint and killing processes that appear to be malicious before they can do damage.

It's why I sell the products I do in particular... they do both.

@thegibson @remotenemesis Yeah, that's the other thing: Why are they still using stuff like Windows? I mean, I'm totally not a Linux expert, but I can at least make it, you know, do stuff.

If it's a system you HAD to learn for work, well, come on. I had to learn how the various patient/orders/charts/film transfer system worked. They were all different things, but I didn't have a problem! It can be done!

Linux is malleable. Can't they make a special one for, say, nuclear power plants?

@fidgety @remotenemesis Oh yeah, those exist... and then as an attacker you just target that instead of windows...

it's hardened, so your work is cut out for you... but state actors have a lot of resources to throw at things like that...

Back to the initial discussion.

@fidgety @thegibson From the little I understand about this space, typically there's an IT network and a separate Operations Network which may be or not be airgapped.

Industrial PLCs are embedded systems, often running on less mainstream hardware like NXP POWER processors and the like.

An attacker might look to gain persistent access on the IT Network as a vector to attack the Operations Network.

Here's a very entertaining talk on how that first part could happen

youtube.com/watch?v=qLCE8spVX9

@fidgety @thegibson What you really want for this kind of system is a real-time OS. That's an operating system that honors time constraints in which tasks must be complete. Something like QNX.

@thegibson @fidgety We've entered a period of continual low-intensity electronic, economic, and "cyber" warfare. Future wars may look a lot more like Crimea 2014 and Libya 2011 (when things go less well).

@fidgety @remotenemesis I get that... me too.

Strategy and Tactics are kingmakers.

@thegibson @fidgety you're in good company. Except for to the Football part.

@remotenemesis @fidgety

Is that the game with the little white ball they knock into the hole it the ground, or the one they play on Ice with brooms?

@fidgety @remotenemesis

So here's what I see out there... as a blue team professional.

The people to handle these vulnerabilities are in short supply, and they are human.

The tools to handle these threats exist, but aren't cheap.

Companies often don't take the threats seriously enough to spend the money "that wouldn't happen here"

They are gambling.

These problems can be mitigated.

BUT... you are just making yourself a harder target ultimately.

If a state actor is determined...

@thegibson @fidgety or they just fix the "red" vulns in the report and drive on.

@remotenemesis @TheGibson @fidgety even if not remotely accessible it's possible for an attack to jump the airgap. Stuxnet did. wired.com/2011/07/how-digital- and csmonitor.com/USA/2010/1003/St

Now, its almost certain that the gas main explosion in MA (and the similar one here in SFBA in 2010 en.m.wikipedia.org/wiki/San_Br ) are due to infrastructure underinvestment and financial rigamarole at the utility companies leading to incompetent maintenance and ops staff.

@eqe @remotenemesis @fidgety

No arguments on any of the points you present.

@TheGibson @remotenemesis @fidgety Ralph Langner had some really amazingly informative blog posts during the stuxnet exposé, wish i could find them.

I see y'all covered most of what i said later in that thread, sorry. :)

@eqe @thegibson @remotenemesis Nah, it's cool. Always fun to learn about this stuff.

I can't write a line of code, so most of this stuff is outside of my field of knowledge. Which is why it's fun to read about and discuss.

@remotenemesis @TheGibson @fidgety (I guess I mean "undertrained and overworked" where i said "incompetent". It's the fault of the company and the social/regulatory systems around that, not the fault of the individual workers for the most part.)