WEBVTT

00:07.190 --> 00:08.780
As a cyber security analyst,

00:08.780 --> 00:13.670
a lot of times we have to deal with different aspects of our environment that are critical in nature.

00:13.670 --> 00:16.850
Critical infrastructure is one of those things that we're really going to play.

00:16.850 --> 00:22.280
If you're attributed to different IT technologies that are outside the norm, meaning that we're not

00:22.280 --> 00:27.500
just dealing with Windows servers or different routers or switches, it's more with water departments

00:27.500 --> 00:31.250
or power departments or different aspects that are in the public nature.

00:31.250 --> 00:33.170
That's what we're going to cover in today's episode.

00:33.170 --> 00:37.880
We're going to cover critical infrastructure, operational technology, which coincides with critical

00:37.880 --> 00:43.700
infrastructure, industrial control systems, or ICS, and finally SCADA or SCADA, depending on where

00:43.700 --> 00:47.690
you are in the world, supervisory control and data acquisition systems.

00:47.690 --> 00:52.880
It's important to know, as you're going through these different episodes, that this aspect isn't necessarily

00:52.880 --> 00:58.430
something you may not see throughout your entire career, but Cisa requires that you have a basic understanding

00:58.430 --> 01:01.070
of it as you move through the different exam objectives.

01:01.100 --> 01:06.640
Critical infrastructure encompasses operational technology, industrial control systems, of course

01:06.640 --> 01:09.550
SCADA, DCS and PLCs.

01:09.580 --> 01:13.450
All this comes into play when we're looking at critical infrastructure as a whole.

01:13.450 --> 01:19.420
Remember, critical infrastructure is literally the public facing infrastructure that we utilize within

01:19.420 --> 01:20.380
our own government.

01:20.380 --> 01:24.940
This is where if something were to go bad, the entire public faces a problem with it.

01:24.940 --> 01:31.240
For instance, the Colonial Pipeline that we saw a while back was a lockdown of the entire natural gas

01:31.240 --> 01:36.550
line or the gas line that was associated with it, providing a problem within our communities on the

01:36.550 --> 01:38.080
East Coast of the United States.

01:38.080 --> 01:40.900
This was an attack against a critical infrastructure.

01:40.900 --> 01:48.760
Those pipelines provided needed energy resources to the public at large, and the FBI and major federal

01:48.850 --> 01:52.510
agencies were involved to clear that up as quickly as possible.

01:52.510 --> 01:56.980
When it comes to critical infrastructure, all you really need to know, as far as Cisa is concerned,

01:56.980 --> 02:01.840
is that it has to deal with public facing technologies that serve the greater government or the greater

02:01.870 --> 02:03.010
good for the people.

02:03.040 --> 02:08.820
Operational technology is the hardware and software associated with that critical infrastructure.

02:08.850 --> 02:13.230
These are usually the control boards or the control systems that allow those pipelines or those water

02:13.230 --> 02:15.870
companies to operate in the ways in which they do.

02:15.900 --> 02:19.920
Now, there's different subsets of operational technology that we'll go into a little bit.

02:19.920 --> 02:24.360
But what you really need to know about operational technology is that it's the control systems that

02:24.360 --> 02:25.650
manage everything.

02:25.650 --> 02:31.080
For instance, if I'm at the electric company, I may have a control system that is specific to the

02:31.080 --> 02:34.440
engineering of the electrical company or the electrical grid.

02:34.440 --> 02:39.270
If I'm in the water company, I may have a different control system, but it's all considered operational

02:39.300 --> 02:42.300
technology at that public facing series.

02:42.300 --> 02:47.670
That could be oil gas, it could be hospital, it could be electrical, it could be plumbing and water.

02:47.700 --> 02:49.020
The boats are endless.

02:49.020 --> 02:52.020
It's still part of that critical infrastructure that we talked about.

02:52.020 --> 02:53.460
Industrial control systems.

02:53.460 --> 02:54.810
Take it one step further.

02:54.810 --> 02:59.250
This is the real time control or operation of those public facing works.

02:59.250 --> 03:02.910
This is real time control and integrated into the sensors and actuators.

03:02.910 --> 03:05.700
When we talked about Colonial Pipeline and how it affected.

03:05.700 --> 03:11.010
We were talking about energy moving from one point to another and the IT systems that are associated

03:11.010 --> 03:11.550
with it.

03:11.580 --> 03:16.050
When it comes to operational technology, more often than not, we're talking about the actual control

03:16.050 --> 03:17.490
boards at a higher level.

03:17.490 --> 03:23.130
If you look at a hierarchy, those operational technologies, maybe they face the interface between

03:23.130 --> 03:29.220
the IT world and the critical infrastructure, the ICS, the industrial control systems.

03:29.220 --> 03:34.380
That's where the real control comes into play outside of our normal IT environment.

03:34.380 --> 03:40.950
This is where we develop real control systems that interface outside of the entire environment and provide

03:40.950 --> 03:47.370
us with the actuators and the internet connected systems that allow those systems to function on a pseudo

03:47.370 --> 03:48.000
internet.

03:48.000 --> 03:53.610
Again, we're not providing internet access to internal industrial control systems, but we do have

03:53.610 --> 03:58.080
the OT, which provides that internet access to those industrial control systems.

03:58.080 --> 04:00.690
I know it gets a little bit confusing as I'm going through this.

04:00.690 --> 04:06.660
Just realize that OT stands over it, and if we go back to the original slide, you can see that OT

04:06.740 --> 04:13.430
encompasses all of ICS. That really comes into play in how OT interacts with our ICS systems, with

04:13.430 --> 04:15.260
the integrated sensors and actuators.

04:15.260 --> 04:21.560
We're really providing the access to those different levers or mechanical functionality of those public

04:21.560 --> 04:22.100
works.

04:22.100 --> 04:24.200
For instance, I want a water pipe opened.

04:24.230 --> 04:30.080
I would go through the OT system to access the ICS system, and the ICS system is what turns the

04:30.080 --> 04:32.420
little knob to allow the water to flow.

04:32.420 --> 04:37.850
If I wanted the water to stop, I can again go through the OT system to interface with the ICS system,

04:37.850 --> 04:39.890
which then makes the flow stop.

04:39.890 --> 04:42.410
This is where the interconnected systems come into play.

04:42.440 --> 04:48.260
Now I can have ICS systems that interact with other ICS systems depending on how my network is laid

04:48.260 --> 04:53.870
out, but a lot of times I want to put a clear delimiter between what has online access and what does

04:53.870 --> 04:54.350
not.

04:54.380 --> 04:59.150
A lot of times, those OT systems that we talked about earlier, while they may be connected to the

04:59.150 --> 05:01.880
internet, they're not truly connected to the internet.

05:01.880 --> 05:07.580
That means that yes, you can access them, but you're going through a critical IT system that is blocked

05:07.580 --> 05:14.770
off from everything else and allows only someone with authorized authenticated user privileges to interface

05:14.770 --> 05:16.270
with those IT systems.

05:16.270 --> 05:22.450
Those systems are then firewalled off and encapsulated in such a way to make it highly secure.

05:22.450 --> 05:27.970
But they're not 100% invulnerable, as we saw in the Colonial Pipeline ransomware attack.

05:27.970 --> 05:31.660
We also know that ICS systems use a specialized communication.

05:31.660 --> 05:34.930
We're not talking about basic binary that you see on a computer system.

05:34.930 --> 05:41.410
It's not unusual to have ICS systems talking in a way or a function that isn't normal for regular computers

05:41.410 --> 05:42.220
to talk on.

05:42.220 --> 05:44.470
Believe it or not, that's a security safeguard.

05:44.470 --> 05:50.080
We don't want our ICS systems to be able to talk to a Windows system that just connects into it willy

05:50.080 --> 05:50.590
nilly.

05:50.590 --> 05:55.450
It needs to have specialized communication protocols that come into play, so that your average everyday

05:55.450 --> 05:59.200
user can't interconnect with it and make it do things that it's not supposed to do.

05:59.230 --> 06:04.330
By having that specialized communication system in place, we limit the vulnerabilities associated with

06:04.330 --> 06:08.140
the ICS system through standard communication protocols.

06:08.140 --> 06:11.250
We also might update those systems on other pathways.

06:11.250 --> 06:17.610
It's not unwise or unusual to have your specialized communication only available through floppy drives.

06:17.610 --> 06:19.860
If you're familiar with nuclear power plants.

06:19.890 --> 06:24.720
A lot of those nuclear power plants don't actually take CDs or even Blu-ray discs.

06:24.720 --> 06:29.850
In fact, if you want to update the software on those systems, you need a 5.25-inch or a 3.5-inch

06:29.880 --> 06:30.750
floppy drive.

06:30.750 --> 06:32.610
And we don't even make those anymore.

06:32.610 --> 06:38.070
But that's how they update those systems, and they refuse to upgrade those systems, because we don't

06:38.070 --> 06:42.060
want people to be able to access those systems through regular means.

06:42.060 --> 06:47.970
By keeping that system down to a 3.5-inch drive or a 5.25-inch drive, even though it doesn't

06:47.970 --> 06:54.030
possess all the data infrastructure that we see in modern communication, we limit the attack vectors

06:54.030 --> 07:00.060
associated with our ICS systems that a malicious actor may be able to utilize. The supervisory control

07:00.060 --> 07:06.690
and data acquisition, SCADA or SCADA, depending on where you're from, provides those limited supervisory

07:06.690 --> 07:09.840
control over specific user machines.

07:09.840 --> 07:11.160
What do I mean by that?

07:11.160 --> 07:18.380
It's not uncommon to have a big machine that you interact with that may have a lever or a limited functionality

07:18.410 --> 07:21.050
for PIN or code utilization.

07:21.050 --> 07:25.670
We provide data acquisitions back into our ICS machines through SCADA.

07:25.700 --> 07:31.190
This device then allows the human to interact with it by either punching in a code, maybe switching

07:31.190 --> 07:34.790
a lever, or even providing limited remote access to it.

07:34.820 --> 07:41.570
When you think about OT and then ICS, realize that SCADA or SCADA is really the man-machine interface

07:41.570 --> 07:42.740
that interacts with it.

07:42.740 --> 07:48.950
This data acquisition and supervisory control system allows for things like power plants to remain operational,

07:48.950 --> 07:54.170
utilizing older technology that would then not be available to most people.

07:54.200 --> 07:59.210
It's not uncommon to have a SCADA system that literally looks like it was from the 1990s or even

07:59.210 --> 08:02.210
1980s, because it hasn't been updated that often.

08:02.210 --> 08:08.090
And again, we use that as a security safeguard against normal malicious attack vectors that we may

08:08.120 --> 08:09.590
see on a day to day basis.

08:09.620 --> 08:13.280
We also provide limited, very limited remote access.

08:13.280 --> 08:18.740
This is usually via command line interface, using a proprietary software that allows somebody to access

08:18.740 --> 08:24.950
that software or that machine interface device in such a manner to where, again, you have very limited

08:24.950 --> 08:25.970
capabilities of it.

08:26.000 --> 08:31.280
If I wanted, for instance, to shut down an entire gas line for emergency control, then yes, I might

08:31.280 --> 08:34.010
write that into the code that allows me to have remote access.

08:34.010 --> 08:39.800
However, I would have to have a secure mechanism in place to limit the availability for malicious actor

08:39.800 --> 08:41.030
to get into play.

08:41.030 --> 08:42.320
To be able to use that.

08:42.320 --> 08:48.260
Now, within the Colonial Pipeline, we saw that SCADA was taken advantage of through a known vulnerability

08:48.260 --> 08:53.030
that the malware was able to get into, but they didn't really get into the remote SCADA access.

08:53.030 --> 08:58.310
What they really did was provide a ransomware, which locked them out of the main systems for understanding

08:58.310 --> 09:01.220
how those systems are hacked and the data flow within them.

09:01.220 --> 09:03.110
They didn't really get into the SCADA system.

09:03.110 --> 09:08.120
They got into the controlling hierarchy system that allowed them to see the data and then lock it out.

09:08.120 --> 09:10.760
If you really look at it, the Colonial Pipeline was fine.

09:10.760 --> 09:15.280
It just couldn't be operated because all the higher level systems and the high point of the hierarchy

09:15.310 --> 09:17.440
were locked down because of a ransomware attack.

09:17.440 --> 09:22.060
Within this episode, we talked about critical infrastructure and how it intersected with operational

09:22.060 --> 09:28.330
technology and again with industrial control systems and finally the supervisory control and data acquisition

09:28.330 --> 09:28.930
systems.

09:28.930 --> 09:33.790
It's important to understand you only need to have a high level overview of what these systems represent

09:33.790 --> 09:34.990
and how they are utilized.

09:34.990 --> 09:40.480
I would expect to see systems or questions that interface with if the power plant is associated with

09:40.480 --> 09:47.020
a known attack, where does that tie into the overall infrastructure of the operational system?

09:47.050 --> 09:49.360
Obviously, that would be a critical infrastructure.

09:49.360 --> 09:54.850
I would not expect to see questions that relate back to a specific control system or a make and model,

09:54.850 --> 10:00.850
and I would not expect to see a lot of questions that go into pure detail of a specific technology when

10:00.850 --> 10:02.980
associated with critical infrastructure.

10:03.010 --> 10:08.200
A lot of the questions that you are going to see really relate back to the high level overview of what

10:08.200 --> 10:12.820
is critical infrastructure, and how does it interplay with different utility companies.

10:12.820 --> 10:16.540
If you can answer most of those questions, you should be fine within this episode.
