AWS for Industries
Cybersecurity Awareness Month: Ep. 4: Top Security Myths DEBUNKED
In our final episode during Cybersecurity Awareness Month, we turn our discussion with Robert to the myths and misunderstandings surrounding industrial IoT systems that persist throughout the manufacturing industry. Robert tells us, “A lot of the myths that are out there with regards to industrial IoT systems, unfortunately, misdirect us. They make us think in some directions that are problematic and you’ll end up trying to solve a problem that maybe doesn’t exist.”
Protect yourself from being fooled when you join us as we put on our myth-busting hats and get into the nitty-gritty of the truth behind the myth. We’ll talk HVAC hacking, malware, ransomware, programmable logic controllers, and perspectives on the true points of vulnerability that spurred the mythical stories.
Listen now to Part 4: Top Security Myths DEBUNKED on Apple Podcasts, Spotify, Stitcher, or TuneIn.
On the motivations of attackers:
“Attackers wish, like most of us, to be reasonably efficient.” – Robert
“And you think about it, what’s you know, what’s that point of contact? Well, it’s about submitting a bill order and then getting paid and that is pretty darn close to a set of people who also have a concern about what’s our income, people who might be looking at the point-of-sale system.” – Robert
On targets of a manufacturing factory:
“Windows is a wonderful and frequently abused target by malware/ransomware” – Robert
On the reasoning behind his password approach:
“There are password managers, and those password managers often work very wonderfully, there have been instances where they themselves have been targeted successfully. And my little book is not something that someone could reach through over my networks and actually ever have a look at.” – Robert
The Industrial Executive’s Guide to Cloud Security
AWS Security Hub
Learn how Siemens strengthens security and enhances productivity using AWS
Learn how Volkswagen Group centrally manages security threats on AWS
What is AWS Industrial Insights?
Welcome to AWS Industrial Insights. In every episode, we interview visionary leaders from industrial companies to share their insights on technology, innovation, and leadership. This podcast is for industrial business leaders who are looking to make data-driven decisions and learn from those who’ve experienced similar challenges. By interviewing leading executives, we’ll uncover their insights and learn exactly how their organization found a solution. You can find all episodes of AWS Industrial Insights on your favorite streaming platform or listen below.
Growing skills gap, increasing cyber threats, supply chain disruption. Do these sound familiar?
It’s a tough industry to be in and we’re here to help.
I’m your host, Caroline.
And I’m your host, Doug.
And you’re listening to AWS Industrial Insights, the podcast for Manufacturing and Industrial business leaders who aren’t afraid to think big.
We interview executives from well-known companies to share the disruptive ideas and topics like leadership, technology, and innovation.
So, let’s get started.
All right. Well, welcome back, everybody. Thank you for joining us for episode four, which is our final episode of the October Cybersecurity Awareness Month. It’s been such a pleasure learning all of this information from you, Robert. So, I really wanted to make this last episode a little bit more fun, a little bit less serious, and talk about some of the myths that we hear in the industry.
So, during our planning call for this episode, Robert was very passionate about the Target hack back story, so I just feel like we have to kick it off with this. So, tell us, Robert, what happened at Target?
Well, first, let me just say they’ve all been fun recordings. So, in no way am I anticipating this being the exception. But let’s absolutely talk about some of these myths, because I think a lot of the myths that are out there with regards to industrial IoT systems, unfortunately, misdirect us. They make us think in some directions, which are problematic, and you’ll end up trying to solve a problem that maybe doesn’t exist.
And so, to the story of the Target store, the hack of its point-of-sale systems and the heating, ventilation, and air conditioning system. It’s a very compelling story to say that somebody went and hacked an HVAC system and, from the HVAC system, leapt over to the point-of-sale system, where they in turn plundered and abused Target customer credit cards and so forth.
I mean, it makes a good news story, though, at least grabbing headlines.
It’s absolutely. I mean, you imagine, you know, Mission Impossible stuff, somebody coming through the ceiling, you know, doing something to a thermostat, and suddenly the cash registers all open and start spewing cash everywhere, right? So clearly that’s not what happened; it was a much more mundane event. And so, we have to think a little bit about the distributed nature of large-scale retail and what it takes to maintain all of these stores that are all over North America.
So, Target does not have a fleet of trucks and air conditioner repair people that are just traveling around America repairing things. They outsource that work to local practitioners. And in this case, they were in Pennsylvania and somebody, credit to the attackers—just full credit to the attackers, they figured out who was doing the work here on behalf of Target.
And what they did was that they found this particular air conditioning repair service. They got into that organization. And then what they did was they went, they took the credentials of that organization when they go to submit their bills to Target – because, hey, I’m going to do work for you, Target. I’m going to make sure that during the winter, your Target store here in Pennsylvania is nice and warm and that during these humid summer nights, it is going to be kept reasonably cool and you’re going to pay me in return.
So, I have to submit a bill to you and then you in turn will reimburse me, okay? So, what we’re doing is we are doing financial transactions. And it was through the use of that particular small local supplier – their credentials into that billing system from Target, that they were able to make this leap.
And you think about it, what’s, you know, what’s that point of contact? Well, it’s about submitting a bill order and then getting paid, and that is pretty darn close to a set of people who also have a concern about what’s our income, people who might be looking at the point-of-sale system.
Which is a heck of a lot easier than saying, from my thermostat, I am somehow going to jump across to that point-of-sale system somehow, some way, because it’s really super simple to segment those. I suspect that they actually were reasonably segmented, but this is a myth that, I am sorry to admit, I’ve even heard Cisco executives, this year, make mention of. I’m not going to say who it was because I like my job, but I will just say that it’s a myth that needs to be busted.
It literally came up in a conversation with my friends the other week at lunch, and I was like, I cannot believe we’re still talking about this. And I got to prove them wrong. I got to tell them; it was pretty exciting.
Cool by you. Thanks for spreading the true word.
Yeah, exactly. I feel like I’m finally going to be able to fall asleep at night now. All right. So that was our first fun one. But I want to talk about a huge misunderstanding when people are thinking about, like, ransomware and, like, where is your factory most vulnerable? Everybody’s usually making the assumption that, you know, they’re trying to hack your PLCs, and this is a myth. So, can you tell us a little bit about what they are actually going after?
Sure. Tell you what, let’s start with, “What’s a PLC?” A PLC is a programmable logic controller. It houses communications, in terms of I/O, to sets of sensors, which note the state of our process, and then we’ve got actuators out there which will take action. Between those two is some set of logic.
And that logic sits in the PLC which says, “Gee, if my, if the pressure in this particular componentry of the system is at five PSI” we’re gonna use nonmetric values here. “And my target is six PSI, then I potentially need to increase the rate of operation of my pump here by 20%,” I’m making things very linear, “and thus I can reach my target.”
So, the PLC has that logic in place, which suggests that it is in some ways a mini-computer. It’s absolutely taking in inputs, it’s doing calculations, and it’s sending commands to rectify or continue the state of things. So that’s the PLC.
Gee, sounds like a computer, right? Like any other computer. Well, it’s really not a particularly sophisticated computer, at least not compared with what you and I are used to in terms of browsing the internet and doing spreadsheets and other types of stuff like recording podcasts. So, it has a very limited set of compute capabilities. It’s running specialized operating systems in many cases, and it’s not the kind of standard compute platform that has generally attracted investment from attackers.
Attackers wish, like most of us, to be reasonably efficient. And what they may understand, or they may not, because honestly my belief is that these things began by accident, is that I could spend a lot of time and investment trying to figure out exactly how a PLC works, and what I might be able to do is cause damage. I might be able to cause a negative impact to my target’s quality and outcome and so forth.
But that requires a lot of special knowledge and highly crafted activities to go down there. And the way I’m going to get there is I’m going to come from the top of the factory. I’m going to make my way into the factory. I’m going to make my way through the factory down and eventually hit this particular target, and create impact.
Well, along the way, within that factory, I’m going to be passing a whole bunch of Windows boxes, and it’s those Windows boxes which actually tell that PLC what needs to be done, and it’s also receiving information with regards to how that process is working. Windows boxes are ubiquitous.
What does that mean?
They are everywhere.
So everywhere you look, you’re going to find Windows boxes, including the one I happen to be talking to you through. And as such, Windows is a wonderful and frequently abused target by malware/ransomware, and I’m going to emphasize ransomware here because we’ve got the concept of ransom, which means you will pay me money, and I, in turn, will free you. Right, that’s a ransom, what’s a king’s ransom, and so forth. I will free you. In this case, I will free your Windows systems from my grip.
I’ll free your Windows 80 from my grip.
Yes, yes. And so, in these particular cases, this is the attacker A) having a particular goal: I wish to make money, you know, cui bono, who benefits when I do this? Well, if you can take control of these things, you will. The operator of the factory will shut down the factory just out of safety concerns. As we talked about, I think in the first episode, safety is job number one.
If I’ve lost control of what would be referred to as level three in the Purdue model, that high-level control space, then I will very frequently shut down the rest of the operations just out of safety concerns for my workers and my environment. So now if I take control of that, I have the opportunity to make money, because the owner of said factory is incented to get back up and running again.
They will either invest in someone coming in and cleaning up the infection and reimaging things, or perhaps pay an intermediary who promises to get things taken care of, and that intermediary in turn pays off the ransomware gang.
So, what I’m hearing you say then is that, you know, we think they’re going after the PLCs, but what’s actually happening is they’re going after the software above it.
For the most part. And it’s like any kind of Windows thing, because some of the componentry down at the lower levels, such as HMIs or just some local compute, may be running Windows. So those are clearly potential victims, but I don’t necessarily have to go that low.
If I just hit all of these Windows-based systems that major automation vendors have built upon, honestly the same technology stack that you’re going to have at your local library, your garden-variety malware works perfectly well, and thus we have an economy of scale. I can hit lots and lots of different targets with my standard ransomware. I don’t have to customize anything in particular.
And so, very much like the manufacturing environments themselves, you know, the more I can produce with the broader variety of appeal that works everywhere, the better off I am. So that’s why there’s no point in doing this really kind of exciting PLC attack, because it doesn’t really benefit me well and it scales poorly.
Well, I’m really glad we know that. I think that’s definitely a very common one. I’ve heard that kind of, especially, like, throughout events, and people are talking about it. So, you gave a really good.
Stuxnet, Stuxnet, Stuxnet. Yes.
Exactly, it is. Yeah. I mean, security in general is really sensitive. So, you know, we’re so lucky that we were able to have you on the podcast for all four episodes, Robert. We really appreciate it. So, before we wrap up, I have one last question for you. It’s not in regards to industrial companies, but more like your personal security.
Just curious, you know, like, people give you tips like, you know, when you do your passwords, make sure it’s a bunch of characters, uppercase, lowercase, numbers. Do you have any, like, personal security rules that you live by that everybody should do too?
Well, I’d hate to say that whatever I happen to do is something everybody should do. I will acknowledge I write down my passwords in a little book.
You write them down on paper?
I write them down on paper, with a pen.
Really? But there’s, like, password managers. I guess if those get hacked.
There are password managers, and those password managers often work very wonderfully, but there have been instances where they themselves have been targeted successfully. And my little book is not something that someone could reach through over my networks and actually ever have a look at.
Interesting. Maybe I’ll have to try that traditional method. That’s actually very surprising to me, but I like that it’s very old school.
I’m here to surprise you.
Awesome. All right, well, Robert, thank you so much. And, you know, looking forward to seeing you at the next event.
And I as well, Caroline.
Thank you for tuning in to AWS Industrial Insights. If you want to learn more about today’s episode, head over to the blog for a list of featured resources on this topic. You can also find today’s blog in the episode description and also on our website at AWS: Amazon.com/industrial/podcast