Cyber Psychological Warfare: Hacking Operational Technology
Even the Threat of Disruption Plays Into Attackers' Hands, Says Ian Thornton-Trump
Mathew J. Schwartz (euroinfosec) • May 29, 2024
Defenders of operational technology environments should look beyond the technical controls and incident response plans they've put in place. They also need to consider how attackers might undermine confidence in the service itself.
So said Ian Thornton-Trump, CISO of Cyjax. He said that attackers don't have to knock out power for days or weeks or crash a water purification plant to cause psychological damage. Sometimes, even the mere suggestion that they're targeting critical infrastructure systems or sectors, whether or not their attacks are effective, can have a negative psychological effect, and might even be what they're aiming for (see: KillNet DDoS Attacks Further Moscow's Psychological Agenda).
Where psychological warfare is concerned, adversaries often "attack the leadership by attacking the things that the leader is perceived as being responsible for: the economy, all the way down to operational technology," Thornton-Trump said.
"From the operational technology perspective, lights, water, transportation networks, healthcare, all of these things are sacrosanct to our way of life," he said. "Any sort of disruption that takes place is always going to make headlines. It's always going to undermine the leadership."
In this video interview with Information Security Media Group, Thornton-Trump discussed:
- How Western governments are turning psychological operations back on Russian groups, albeit with a more ethical playbook;
- Why any attack on national critical infrastructure should be treated as a nation-state attack;
- The technical and psychological factors attackers seek to exploit when they target OT networks.
At Cyjax, Thornton-Trump performs real-time analysis of immediate threats and keeps abreast of developing security threats. Previously, he was CTO at Octopi Managed Services. His previous experience includes serving with the Military Intelligence Branch of the Canadian Forces, later joining the CF Military Police Reserves and retiring as a public affairs officer in 2013. After a year with the RCMP as a criminal intelligence analyst, he began working as a cybersecurity analyst/consultant for multinational insurance, banking and regional healthcare firms. Thornton-Trump also teaches cybersecurity and IT business courses for CompTIA as part of its global faculty. He is a member of the CyberEdBoard.
Transcript
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. Increasingly, we're seeing operational technology in the crosshairs. Why is this? Why are adversaries looking to exploit this, both tactically and psychologically? Joining me to give us some insights into this evolution is Ian Thornton-Trump, CISO of Cyjax. Ian, it is always a pleasure to have you in our studio. Thanks for being here today.
Ian Thornton-Trump: I'm so excited to talk about this topic. I think it's kind of going to be a big revelation for a lot of people. I kind of feel a little bit like that meme with the guy connecting all the dots and lines. So let's go for it.
Mathew Schwartz: Operational technology murder board, here we come. While there have been a number of notable changes on the OT front of late, what would you highlight from a security standpoint?
Ian Thornton-Trump: Mathew, I think that's a great question, because we hit an influx moment, largely driven by the takedown of Volt Typhoon, but also driven by the sudden realization that the most vulnerable thing that's a clear and present danger - as was described in a video podcast I watched yesterday - to the United States is a disruption to our way of life via a cyberattack on national critical infrastructure. And this is something that the man in the street to the person in the street can understand. This is something that policymakers can understand. And I think this is something that cybersecurity professionals have been talking about for a really long time. And so the inflection moment, as I see it, is that this is going to spark an unprecedented amount of interdepartmental cooperation and perhaps even pull in global capability as well from other countries. Because at the end of the day, turning the lights off, preventing fresh potable water, or attacks on the healthcare delivery system, or the 911 system …
Mathew Schwartz: Never let a good crisis go to waste. And we've been seeing policymakers rally around that flag, not least with operational technology.
Ian Thornton-Trump: Yeah, very much so. In fact, the president - both the president past, and the president future - recognized it as being a problem, and has put a number of presidential decrees forward, including what I love to call the giant dump truck of money, for many of the operators of operational technology to better secure it. Recently it's hit the news that water systems had been tampered with. I made reference to the Volt Typhoon group, which was targeting national critical infrastructure, using infrastructure that they turned into a botnet. It was so serious that the Department of Justice authorized the FBI to go into home routers - largely home routers - and remove the malware and patch those devices. That's sort of unprecedented. We've seen the DOJ directly intervene in the overall cyber defense of the country. They did so with the WatchGuard firewalls since the beginning of the Ukrainian conflict, and they did it as well with a bunch of Exchange servers that were being compromised by another threat actor group. But I think this is the first time that we suddenly realize that your router could potentially shut the lights off in Chicago. And that in itself would have huge political ramifications. Now, the United States has sort of, I think, really forged the way forward by using the presidential declarations to start forcing money and compliance and encouraging national critical infrastructure in the United States. But Bruce Schneier pointed out that 85%, I believe, was his number, of the amount of national critical infrastructure is owned by private companies.
So here's a situation where it's really difficult, when you have that many companies, to bring and herd them together. Now the EU is going in a totally different direction with the NIS2 mandate. They're going all in on telling you exactly what you need to do, in excruciating detail, including a new Telecom Services Act. That's a great example. Not only is it a regulatory act, but it has a whole bunch of direct guidelines and best practices that thou shalt do. So this is the more effective way of communicating the importance of a regulatory framework: with a compliance framework that's prescriptive.
When we look at PCI DSS, it says specific things about what you need to do to secure the PCI DSS infrastructure, and if you haven't segmented your infrastructure, it applies to the entire network that you're running. So to gain compliance with PCI DSS, it's super important to figure out what is PCI DSS and not PCI DSS. I love that about this particular regulation. I mean, it has its critics, and people say, well, it didn't prevent data breach. And yeah, it didn't, because probably the scope wasn't properly set for that organization, and they felt a bunch of stuff was out of scope that actually technically could have been in scope. So there's maneuvering around all of the regulations. But where I think we can universally agree right now, and it is coming in the U.K., the way it's coming as a freight train to the United States, is that lying to investigators in the process of determining a cause for a data breach is a terrible idea.
We've actually seen some CSOs certainly become criminally convicted for it. We're seeing fraud trials - in terms of alleged allegations that cybersecurity was in a worse state than promised - coming on the heels of aggressive class action lawsuits, when it's determined that this one particular piece of software is the root cause. So the winds, I think, are changing. There's no longer a tolerance from the entire cybersecurity system to bring a product that has cyber vulnerabilities or isn't following best practices to market. With the Digital Operational Resilience Act, that is now being codified into the supply chain. During the Reagan era, we talked about trickle-down economics; this is trickle-down cyber regulation, where it's going to come to the point where if your product or service that you're offering isn't backed up and compliant, the toleration for you will be minimal, because the company can't afford to expose themselves to a big fine, regulatory allegations of negligence by a class action lawsuit, and possible Department of Justice and SEC action; there's too much risk now in not being compliant. That's a good thing.
The problem, as I see it, is we need to be way more specific about how to be compliant, until we find out we're not compliant because we suffered a cybersecurity event. So it's time to take the horse and put it in front of the cart, as opposed to the horse pushing the cart, right? And when the cart gets hit by a train, we need to change the dynamic of how this is all working. But it's nice to see what I consider an overall trend and improvement.
Mathew Schwartz: You have detailed so many of the different interesting threads going on here. I mean, you've got the FBI forcibly taking offline old routers that Chinese hackers were pre-positioning on. We've never seen that. I mean, we've seen websites get taken down, sure, but not this.
Ian Thornton-Trump: Right? The Department of Pest Management in the United States is not putting up with this anymore, because it's being used in attacks on national critical infrastructure. Connecting those two dots was the moment where everybody got it. I think that was on the policy side. They always thought it's a technical problem: We don't want a big WatchGuard botnet attacking the Ukraine and the Western powers. That seems like a terrible idea on the eve of war with Russia. I get it. That's again, slightly national security. But this is another step down that path. Most people using TP-Link, Netgear and the other routers that were impacted by Volt Typhoon, that's old stuff, and that's ballsy: going into an American's home network, and fixing and removing the malware from that.
Mathew Schwartz: So Ian, you mentioned the Russian invasion of Ukraine. I think that's a really interesting case study, if you will, on operational red lines. Neither you nor I are policymakers. A lot of people before the all-out invasion by Russia, though, did question would Russia do something like target the U.S. banking sector, which might precipitate some kind of kinetic response by the U.S., saying: Look, that's an obvious red line in terms of making war. With operational technology, it feels to me like maybe they've been probing the extent to which they can misbehave before there's some kind of a bigger response than they were hoping for?
Ian Thornton-Trump: Yeah, absolutely. So part of it is psychological to try and undermine the confidence in that particular country's infrastructure in general and to keep policymakers up at night over it. It's really difficult to justify any sort of kinetic escalation from a cyberattack, but with any sort of mass casualty event? With attributions, all bets are off at that particular point.
What we've seen, especially from the stuff that has happened in the Ukraine conflict, plus the other cyberattacks by Russia on other countries, is that the Russians are being very careful not to have Article 7 invoked as a result of a cyberattack, because then all of the capability of all of the NATO members ends up against their country. Even though Microsoft and Google and Facebook have made overtures about what the Russians can access and what they can't access, it could get far worse for them if American tech was ordered to be part of those cyberattacks.
So I think the Russians do realize that they're vulnerable, but they still want to affect policy and make lives uncomfortable and do election tampering, and continue cybercrime and to encourage ransomware groups to continue to attack Western business.
Mathew Schwartz: It seems to play into their geopolitical ads to have these more low level nuisance disruptions. Right, you mentioned Russia, there was the iSoon contractors that we've seen in China. Are they contractors? Are they government employees? Are they being used as deniability? All kinds of unanswered questions there.
Ian Thornton-Trump: Yeah, and this is a textbook thing. Iran had done the same, they had set up shell corporations. And recently there's a Department of Justice sanctioning those entities, and it's all part of the Russian strategy to make you worry about this thing, while they do this other thing that maybe could potentially escalate the situation.
But I think what they're trying to really do is keep that amount of distraction going so that their actual plan, if you will, faces fewer obstacles, right? When we look at the big announcement of the United States in funding the Ukrainian forces to the tune of $60 billion, if you don't think cyber is part of that - electronic warfare, signals intelligence, all of these types of things - well that is absolutely part of it. I would be surprised if Cyber Command hasn't leaned forward in that Ukrainian conflict to help them out, as have the intelligence agencies, which many of them have publicly admitted that they've supported Ukraine.
But I think what people don't quite understand is this is not a $60 billion check that gets handed to the Ukrainians. It's a $60 billion investment where the United States government is building the weapons by using this money to send to Ukraine. So to suggest that this is like a Ukraine cash grab is the type of policy rhetoric that is being used to try and divide America. At the beginning of World War One and World War Two, the entire American psyche was massive support for allies and what they believed were the groups that were on the right side or the good side. So, sometimes the questionable side, sure, but the reality is, this is an investment in the American military industrial complex, where the net benefit is not having to make another investment when it's Poland, and then another investment when it's the Baltics.
If you don't fund Ukraine, you'll be funding Poland and Lithuania and some of the other countries that have exposure to the Russian border. In the grand scheme of things, some folks are misinterpreting what the United States is trying to do with its public policy. I think other folks have tried to make it a partisan issue, when to be honest with the American soul and generosity that's always been characteristic, that just doesn't compute.
Mathew Schwartz: You raised some great points about Russia not having to bother fighting on one single front, and not even at the threshold of war, necessarily, but they're very well versed in psychological operations. So switching - geopolitically speaking - from what adversaries are doing to the West, and what the West has been doing to adversaries, has been changing a bit. So for example, you mentioned the Volt Typhoon disruption. You've got LockBit being disrupted, coming back, BlackCat got disrupted, seemed to come back for a while until they exit-scammed, I would bet they'll be back as well. But there's more of a psychological component going on with the law enforcement response to what some of these sort of long running campaigns has been, not a purely technical one. It seems like they're battling the psychology with the psychology.
Ian Thornton-Trump: Yeah, it is a game of one-upmanship, in that you want to prove that you're capable of being resilient and defending your turf, as it were; that's an important consideration. If you make a nation-state feel like they can run around without suffering consequences, without being named, without having these funds get seized? If they can get away with it, they will continue to escalate.
What we're seeing now is a real, coordinated effort by law enforcement globally, in the Western nations, to try and put a stop to this scourge, and they are, I think, slowly and incrementally turning the screws on nations that are, you know, outright supporting or sheltering these groups.
True patriotism is convincing somebody else to do something for your country - usually lay down their life, right? And this is exactly what the playbook has been with Russia, recruiting various cyber mercenary groups. Now, the United States and the Western allies, they and the Five Eyes community, have certainly hit back hard at Russia. We're not going to publicly go out there and proclaim, these are all the cyberattacks we did. But I am absolutely certain that various hacktivist groups that are anti-Russia have had considerable support by the intelligence community, to make what they're doing count more.
We certainly saw and continue to see a bunch of retaliatory strikes by the Ukrainian cyber forces at Russian targets, both kinetically, where they will use their drone technology to try and attack deep into the supply chain, the logistical supply chain for the war itself, but also just disruption of day-to-day things, everything from parking meters and attacks like that, which again, try to get the message out that this is absolutely a war crime that their country is participating in. What is interesting about the Ukrainian and Western strategy is distracting Russia internally sowing the seeds of discontent in their proxy countries, ones that were maybe part of the former Russian republic. All of that is part of the playbook to sap away resources that could be directly put in the path of the Ukraine.
So it's part of the overall strategy. And so what they do to us we attempt to do back to them, but I think our ethical playbook is a little bit higher than that, you know; we recognize and realize that any sort of ransomware attack on a healthcare organization is verboten. But I think the Russians have been known to be very sloppy and even sloppier with some of their cyber mercenaries and cybercrime groups that they've hired. So they're not holding, I think, as high an ethical standard. If you could even determine they were, then we are.
Mathew Schwartz: Really interesting point you raised there about the Western playbook using psychology or psychological operations inside Russia, maybe not in a way that does any damage, but which highlights the fact that Russia is engaged in a war with Ukraine, and Ukraine has the ability to make Russia look less strong.
Looking at the OT component: At what point do you think operational technology as a concept became part of the adversarial playbook? We've been talking about this inside the industry for a long time, since 9/11. They had ISACs to try to deal with this. Terrorists didn't seem to go after this sort of thing, though. More recently, as we've been discussing, there's pre-positioning on things like home routers, SOHO routers, warnings from the FBI that the Chinese would love to crash as much as possible if and when they invade Taiwan, increasing warnings for what we've been seeing for more than a few years, possibly of pre-positioning. But it seems like there's been a real rise in the OT security rhetoric of late.
Ian Thornton-Trump: Yeah, it's not surprising to me, because, you know, let's look at it at a number of different levels. It's inconvenience. And the more people that are inconvenienced, the more the leadership is undermined; the mayor of the city is going to be held accountable if they can't pick up the trash, right? Even though there could be a zillion reasons why the system isn't working, if it's attributed to some sort of cyber incident, then it's an "Oh, my God" moment: "look what those bad guys did to us," right? If it's a union strike or whatnot, we can clearly see the battle lines drawn between what the city wants, and what the city can afford. These are easy to understand stories.
So we think, from the operational technology perspective, lights, water, transportation networks, healthcare, all of these things are sacrosanct to our way of life, and any sort of disruption that takes place is always going to make headlines, it's always going to undermine the leadership and whatnot. So there's a political aspect to it.
I argue that all attacks on national critical infrastructure are nation-state attacks, and the idea behind that is that if there's a firm that succumbs, that firm is regulated by usually a government agency, and the head of that government agency will be the one called on to the carpet to explain why the lights are out in Texas - other than Texas being a poor example, in that they self-regulate themselves, and that's gotten them into a number of trouble situations when the heat goes up, or when the cold comes.
Rather than dwell on that aspect, there is the implicit problem that an attack on national critical infrastructure could result in a kinetic event, an explosion or fire, a toxic spill, a ship crashing into a bridge - which apparently was not a cyber event at all, despite the allegations of, I believe it was Andrew Tate and Alex Jones, two well-known cybersecurity professionals who got their qualifications from LinkedIn.
But my point is that cyber is the most sensational way of reporting an otherwise mundane event. Here in the U.K. we'll shut down the entire transportation network north and south because we had swans on a road. And I mean, it's cute when it's swans. It's a national emergency if it's Russians. We somehow have gotten to the point where the media loves those type of stories.
You'll find if it was a Russian cyberattack that shut down the transformers in the U.K., I don't think it would be that cutesy little segment at the end where they need some space filler before they bump to the real story; I think it would be a little higher in the overall coverage.
If you're an adversarial nation, the more coverage you get, because of the things you've done, the bigger deal it is, and it really puts companies like United Healthcare, which had to admit that they had paid a ransom to try and prevent the massive amount of healthcare data that they had from being made public. That's why they paid the $22 million, not to get access to their systems, but for the assurance from criminals. There are ongoing questions there about if they would or wouldn't destroy this data, and why they wouldn't keep it for sale.
Well, the bad news is, UnitedHealthcare, that $22 million that you spent might have been in vain, but they were forced into it. Because if they didn't, and the data got leaked, they'd be held accountable. So they did pay the ransom. Now, they can say: They were all terrible cybercriminals. They were dealing with us fairly. …
We got to examine LockBit's servers when they were seized by the NCA and the FBI and DOJ and a number of other agencies that they didn't exactly all list out. What was apparent and reported was that a lot of companies that paid, investigators found their data on LockBit's servers anyway. So if that's any indication of the sort of situation, in terms of paying to not have the data released, it does not bode well. It does not bode well.
Mathew Schwartz: No. And again, coming back to this perception versus reality, ransomware groups have been so good at bigging themselves up, making themselves look scary, so that you do pay that ransom without thinking too hard, double-billing people, including for a ransom for a guarantee that they have no intention of keeping.
But then pulling the lens back onto the operational technology attacks, like we were talking about: Are these OT attacks really having a big effect? Is it crashing power for the west of Ukraine, as happened nearly a decade ago in the middle of winter? Yes, that's horrible. But there's so many things which are maybe on the nuisance level, thankfully, but which have this massive psychological impact, as you were saying. So the big news for defending is that you need to think about not just the technical aspects, but also the psychology of it all.
Ian Thornton-Trump: Yeah, the psychological warfare part of this is true, because actually, what wasn't widely reported in the BlackEnergy attacks that you just referenced, is I believe the entire outage was three hours. Okay, so was it sensational? Was it like: Oh, my God, this happened, and it was a cyberattack, for reals? Yes, but it lasted three hours. And let's just face it, like in those particular situations, those countries who had been living with those type of temperatures know how to survive at least for three hours, OK? They may not be able to go out and get a taco during that period of time, all right?
But you do that to a global climate change event hitting part of the southern United States, and you turn the power out during an unprecedented heatwave, for instance, and three hours could in some cases, especially I'm thinking old folks' homes, I'm thinking about hospitals, I'm thinking about daycare centers and things like that, that could have actual kinetic effect. Anything short of dead people is relatively easy to be like: Hey, look at the bright side of this, right?
Once you have dead people as a result of a cyberattack, it's really hard to try and find a bright side, because those people are the casualties. And we all know what happens with a mass casualty event, that most of the trauma is carried by the survivors, right, and then there's trauma and a deep mistrust of whoever was found to be responsible. In some cases, it becomes a partisan issue around gun control. In other cases, it's a partisan issue around mental health services in the United States.
So it becomes an immediate partisan issue that politically is very difficult to navigate for anyone in leadership. So this is the end route. You 100% hit it right on the head, which is that the end state is to attack the leadership by attacking the things that the leader is perceived as being responsible for: the economy, all the way down to operational technology.
Mathew Schwartz: That's a huge attack surface.
Ian Thornton-Trump: Yeah, we saw this in catastrophic global climate change events with the 2017 failure of the spillway in a dam in the northern part of California, and when that causes a giant river of water to come all the way down through a valley and wipe out a number of small towns and villages. We saw that with the 2018 catastrophic fire that burned Paradise, California, down to the ground, a fire so hot that it melted the very PVC pipes that were in the ground, so the entire infrastructure needs to be basically yanked out and replaced.
Increasingly, when we see one of these events, immediately political leadership gets called into question. Regulatory agencies are called into question. To their credit, if maybe not doing the right thing back at the right time, PG&E, which is the service delivery of energy in California, admitted that it was their issue, because the fire was started by sparking wires.
So at some point, someone is held accountable for these catastrophic events, and the same can be said to be true with cyber.
Mathew Schwartz: Fascinating to see all of the continuing changes in what should be mundane, like power delivery, for example, but which can be weaponized in multiple ways by attackers, necessitating better defensive playbooks by the defenders, as we discussed today. Thank you so much for your time and insights, Ian.
Ian Thornton-Trump: Thanks so much, Mathew.
Mathew Schwartz: I was talking with Ian Thornton-Trump, CISO of Cyjax. I'm Mathew Schwartz with ISMG. Thanks for joining us.