Bull Session

Hacking Power

January 21, 2016          

Episode Summary

This week on The Digital Life, we chat about hacking power grids, the IoT, and the escalation of cyber warfare.

Power grids are becoming increasingly subject to cyber attacks and now, at least one has been successful. In December, an attack on a utility in Western Ukraine caused a blackout for 80,000 customers, which was the first known power outage caused by a cyber attack. The malware used in the attack, called BlackEnergy, infected systems via a corrupted Microsoft Word attachment. In January, Kiev’s main airport went dark after a power outage, once again linked to BlackEnergy. As cyber attacks begin causing life and death situations in the real world, the concern over security and the IoT grows.

Resources
First Known Hacker Caused Power Outage Signals Troubling Escalation
Malware Clearly Behind Ukraine Power Outage, SANS Utility Expert Says
Hackers caused power cut in western Ukraine – US

Jon:
Welcome to episode 139 of The Digital Life. A show about our adventures in the world of design and technology. I’m your host Jon Follett, and with me is founder and co-host, Dirk Knemeyer.

Dirk:
Greetings, Jon.

Jon:
Today Dirk, we’re going to talk about something that I find a little frightening, which is the topic is hacking the IoT, and the escalation of cyber-warfare and power outages.

Dirk:
That sounds scary Jon.

Jon:
Yeah, it is. You referred me to an article that I found very interesting. It was about a power outage in the Ukraine in December where essentially, 80,000 customers were without power. This was in Western Ukraine. The outage was caused by hackers, and this was the 1st incident known where a cyber attack actually caused a massive power outage. This is very much related to our digital lives because now we have all the utilities online.

Of course, I mean electric power is the ultimate foundation of a lot of our civilization. We take it for granted but it’s powering pretty much everything from heating systems to communication systems. You name it. These are life and death situations when you lose power unexpectedly.

Sometimes, here in the northeast, the US, we have some warning when a power outage might come as a result of a storm, but this sort of cyber attack introduces a level of volatility around power usage that we’re certainly not ready for in the US. In a place like Ukraine, I’m sure it’s devastating, very cold.

The malware used was called BlackEnergy, which of course I know very little about malware, but apparently it was delivered via a corrupted Microsoft Word document, which, if that’s not a reason to switch to Google Docs, I don’t know what is.

Even more disturbing, there was a 2nd power outage in January at the Kiev airport attributed to this malware as well. This is all setting up a scenario that we’ve talked a lot about, and security experts, and IoT experts have talked a lot about, but now, it’s becoming real life. There was a television show on a couple years ago about the end of society when the power goes out. I can’t recall the name of this series off the top of my head, but I’ve watched a couple of episodes and the predictions are dire. Dirk, what do you make of this?

Dirk:
Well, we’re a long way from that.

Jon:
Right. Of course.

Dirk:
We’re a long way from civilization without any power degrading to a jungle. Cities overrun by animals, but no, your point that things becoming real is right on. For many years now, we’ve been warned. By we, I mean the tech intelligentsia has been warned that major utilities, such as electric companies are on the grid, are operating with software systems that are corruptible. The theoretical attack of the grid being taken down has been floated. Logically, I nod my head and say that is possible, but realistically, I went nuh, you know. They’re doing things I can’t see and I don’t understand to prevent that from ever happening.

Well, enter the Ukraine. Certainly, they weren’t doing things to prevent that from happening. 80,000 people were without power for an extended period of time. The computers, the systems running this 1 or multiple … I don’t even know electricity, how the process works enough, but I’ll call it substations knowing it’s wrong, were fried.

That’s what’s scary about it. Right? It’s taking these things, that were almost bogeyman predictions that while on 1 hand logically, you’re like, “OK, yeah. I mean, maybe that could happen,” but realistically like in a way, that’s never going to transpire. Well, it has transpired. It’s not theory anymore. It’s practice and real, and something that can impact us.

From a very local perspective, just looking at myself, we had to due to the weather, a few years ago, our home and the homes in the area had no power for about 2 weeks, which was miserable. It was miserable to the point that after a few days, we just drove out of town. We just left. We’re close enough to family to be able to do that. Hotels, and motels, 20 plus miles away are all filled up. I mean, people left.

For me, when I own a home from here on out, I’m always going to have a generator of some kind to keep some basic stuff working so that it remains habitable. It’s habitable without electricity, but you don’t realize how nice it is to have a refrigerator, this was in the summer, air conditioner, have some temperature controls over the water used for things like laundry and bathing, until they’re gone. Yeah, now we’re going down a different path. We’re getting into the specifics of not having electricity, but no, it’s cyber. It’s the potential for cyber attacks really exhibited at a large scale, and in a way that can affect us, our life on a day-to-day basis.

Jon:
Now, to be fair, there was this BlackEnergy malware that was detected on US services, and it didn’t take down any US services, despite the fact that it was present on some machines there. That makes you feel better about US cyber security. At the same time, the distance between this fantasy where the cyber attack occurs, the distance between that and reality is closer than we all think, which begs the question, how cautious do we need to be about rolling out industrial systems on the Internet of Things?

Now, you can isolate systems and you can try your very best to protect them from attack, but basically, the attack surface of the IoT is quite broad. There’s all sorts of whether you’re talking about the individual device, or you’re talking about aspects of the network that are exposed. There’s all sorts of opportunities for systems that are coming online via the Internet of Things to be maliciously abused like this Ukrainian power system.

I think this event is going to bring to the forefront, at least for the folks who are planning things like smart cities, who are planning things like municipal services using IoT technologies who are doing things for manufacturing to take a second look and to realize, yes, this Ukrainian system might have been very, very easily exposed, but I don’t know how many degrees better off corporate security can be. You only need to look at the Sony hack recently where a lot of sensitive email information was exposed to realize that corporate security is some good, some not so good.

As we’re in this awkward teenage stage of the IoT where we’re getting our legs and learning what the world is like, I think there’s going to be some nasty events to come as the systems roll out. What’s your take on that?

Dirk:
Yeah. There will be nasty events. The question is, will there be a few nasty events because things have been locked down properly in advance, or will there be many nasty events because we’re going to learn more from the school of hard knocks than we might like. The part of it that I’m most concerned about has to do with implantables.

The smart city stuff, there’s not a lot there that can kill people. That can have that type of an impact, but I’m concerned about the things that could take life by virtue of a virtual hack. We’re going to have to be very diligent in protecting against those because it’s going to be evermore seductive to implant things in or on our body for people with maybe diabetes to regulate our endocrinology, regulate endocrinology even for other not just diseases, but just conditions and states of being, or more advanced tools for regulating the heart. All these things that a hack could directly end up taking a life. We’re heading towards that.

I think there will be moments where hacks do take people’s lives. That’s where it gets really hairy.

Jon:
I do think, just to follow up on that point. I do think that smart cities have potential for life endangering havoc. You can imagine all the green lights turn on in a city could cause a significant mess pretty quickly if you consider the traffic optimization systems that are part and parcel of a smart city solution. We’re going to reduce the smog, and get people to work faster, but at the same time, if you’re switching lights on and off, you know how people drive in Boston anyway. We’re likely to be pushing those signals to begin with.

Dirk:
That’s true.

Jon:
I could see some frightening scenarios.

I want to talk a little bit about the way our culture and our society is digesting these cyber threats and cyber dangers. We call the show The Digital Life, and of course, The Digital Life is evolving so much more quickly than we might expect. These books by science fiction authors like William Gibson, like Neuromancer for example. There’s this underlying understanding of the online, and the offline culture like the way those things intersect in science fiction. There’s a certain way of viewing online culture that I don’t think that we’ve quite absorbed as a society.

I don’t know whether it’s a level of seriousness where we’re not equating the level of danger and evaluating it properly, or we talk about the digital divide. The digital haves, and the have-nots. I think there are varying levels of access and understanding of what the online world is like.

Additionally, folks like you and I might be very naïve about what’s present on the dark net. The criminal aspects of the digital life. We have familiarity with these things in reality. We understand how these things work in the physical world, but the digital world is still patch work misunderstood. From a policy standpoint, from a societal standpoint, I don’t think we’ve fully digested the digital life quite frankly.

I’m almost looking to these works of science fiction to give us some kind of grounding, some kind of footing in terms of how should we be considering these dangerous elements now. Do we need cyber police? God knows we have regular police to patrol the physical world. How do we address the online environment here when it’s really like the wild west?

Dirk:
I’m not sure how many of those answers we’re going to get from science fiction. The books that are canonical and predicting this stuff are 20 and 30 years old now. The realities of these things have changed quite a bit from the worlds that they were imagining. There’s some interesting things that I don’t know if we’re going to get. Social solutions from science fiction in that way, it’s still early.

The other thing too is the real world is simple. We can see and understand the real world pretty well with our senses, just going through it. To understand this wild west of the dark net and all of this stuff, you need technical skills, and training, and knowledge. Not just anybody going through the world can understand it and have some intuitive sense of how to react to it and protect themselves from it.

To me, that’s the biggest challenge is that you need so much knowledge and training to compete, participate, protect whatever vector you want to take on it that it’s just a small slice of all people who are able to even contemplate that. That becomes really dangerous from the standpoint of power, and control, and influence over the world, not just from the bad guys, but from the good guys as well.

Jon:
That’s right. We’ll leave that topic here for today, but you can rest assured that we’re going to be diving back into this in future podcasts. Listeners, remember that while you’re listening to this show, you can follow along with the things we’re mentioning here in real time. Just head over to thedigitalife.com. That’s just 1 L in the digital life, and go to the page for this episode.

We’ve included links to pretty much everything mentioned by everybody. It’s a rich information resource to take advantage of while you’re listening, or afterward if you’re trying to remember something that you liked. If you want to follow us outside of the show, you can follow me on Twitter at jonfollett, that’s J-O-N F-O-L-L-E-T-T. Of course, the whole show is brought to you by Involution Studios, which you can check out at goinvo.com, that’s G-O-I-N-V-O.com. Dirk?

Dirk:
You can follow me on Twitter at dknemeyer, that’s D-K-N-E-M-E-Y-E-R, or email me dirk@goinvo.com.

Jon:
That’s it for episode 139, The Digital Life. For Dirk Knemeyer, I’m Jon Follett. We’ll see you next time.
