The only person I know with the name Grady is also a civil engineer.......must be name related lol

Watch "Dan Tentler - Defcon 2015 - Comedy Inception Panel" for 100 industrial devices he found exposed on the internet. Petrifying.

Why is there is a platinum ball hanging by a chain in a water tower.

That Ad transition was so smooth it’s criminal

Hey Grady, the wording you used to describe zero-day seems a little odd. Defining a zero-day: a zero-day vulnerability is a security flaw in software or hardware that is unknown to the vendor and has no patch available. Cybercriminals can exploit these vulnerabilities to steal data, compromise systems, or launch other cyberattacks before the vendor is aware of the issue. This is an exploit previously unknown to anyone, but it was found by a bad-actor. Sometimes its still not even known by consulting groups either. Once they get caught (if ever) they spill the beans. Digital Forensic investigations require systems to be brought offline so they can inspect the systems that were compromised. Most of the time, especially with a water system like this video, is just not possible. So they only noticed it after and then started to investigate further. If these bad-actors compromised the system and then laid low leaving access open to it in the future they would have had a far more nefarious goal in mind. Clearly not military like you suggested. I would like to see where you got that bit of information from.

Hey that’s what I do! Access audits are a necessity I hadn’t considered before this job

I've been absolutely astounded by how many companies fall flat in this area. Hell, even data protection is often overlooked. The number of clients I've had to tell "I'm sorry, without proper backups, that data is just gone" and they're out tons of money because someone in the chain decided that some software license wasn't worth the cost because they had never had need to use it...

whole world is a house of cards.

@@breakupgoogle It doesn't have to be, we have lots of systems to back up and protect cyber infrastructure but it's a hard thing for a lot of people to see so they don't spend the money on it, despite the fact that the services can cost $10-100,000 and ransoms cost $1-10 million

​@FlesHBoX I've not seen that exact thing but I've seen small mistakes by low-mid level folks cost companies thousands and thousands per individual incident and still not correct the access levels that allowed it to happen. Even simple stuff like that gets ignored. Much less real security issues.

Airgap the world

Say hello to Industry 4.0

this. thats just logical if u have the slightest clue about how computers work. u can run seperate networks without endangering one or the other

NONE of it has to be on the public internet. Also NO controls for the critical infrastructure should be connected to any computers that have a route to the internet and machines with any wireless infrastructure. And NO MS O/S's at all. Only hardened nix machines.

This is wrong and would be extremely expensive. Your idea would require someone sitting at a control panel all day monitoring the equipment. The reason for automation is 99% about monitoring, not about control. But you need control in order to act immediately on monitored output. What they need to do is assume that they will be attacked and harden the connections through VPNs, firewalls, encryption, and 2-factor authentication.

We run a full review every year to verify that our SCADA is still air gapped. Each year we find new breaches that have gotten installed. On one new project I told the manufacturer's rep that he was NOT allowed to connect his equipment to the internet. He pointed out the value of his factory being able to monitor the equipment 24/7. He thought I was joking when I told him to call me any time of the day of night that he wanted to come onsite and check his equipment. He never did get his internet connection.

The only ones I head of that actually lock down their physical cat 5 outles are defense industry and the university. You can still attack that if you spoof the Mac address, but it is a little bit harder than just getting access and plugging in your own device.

that's hilarious...until it isn't.

I found a WIFI device on our office network that one of the secretaties had put there so she could use WIFI on her phone in the lunchroom...

@@57thorns Universities don't know how to properly secure their network.

Good move.

Next step is social engineering training for anybody with access, including everyone up the chain. I've seen some very confidently wrong c-suite execs who would plug in that usb from the parking lot in a minute.

Additionally should setup least functionality and least access controls. Having seen first hand the affects of someone breaking an air-gaped system unintentionally and the resulting incident when someone found out the system had little to no controls in place to limit access.

I'm a licensed operator of a rural water system (volunteer) as well as an IT systems engineer. My PLC isn't even capable of being networked... short of disassembling it, installing a GSM modem, and adding function blocks. Changes must be made via physical access and RS232 serial, from a laptop that contains the original decrypted program layout.

You cavemen! that will lead to recession and economical chaos

lmao thats why i loved my old windows xp i used it for so long that i ended up being forced to use windows seven. never even had a antivirus, just a computer too old to get sick

​@@RichardsNicknameSorry, this malware isn't compatible with your operating system

@Cyanfox3006 Please run this virus in Compatibility Mode

​@@RichardsNicknamekzbin.info/www/bejne/bKa2h4l5orR7a9k

My former utility had our analog tone system in place until the early 2000s...but then the telecom went digital and encouraged their old school techs to retire...and our system became entirely unreliable. Now, I believe that the US DHS will no longer allow truly secure communications systems and software to exist; even in the United States.

I agree as that was my experience working as a public water system regulator for almost 14 years. Yours is the most salient point relative to other comments herein, as air-gaps can still be penetrated if an unsecured thumb drive with a virus is connected to the air-gapped network.

@@jaymacpherson8167 That's why you fill all the USB ports with superglue. It's only going to get worse as the market is now flooded with devices that use USB-PD to charge.

I find your field fascfascinating. I listen to a podcast where they talk to folks like you and others in the industry. Sometimes it's hackers that have even been convicted of stuff. It really gave me a cool insight into your industry. It's way over my head but it's fascinating. Simple USB drives and devices seem to have begun to pose a much higher risk over the last handful of years or so.

Oh the podcast is called Darknet Diaries, I find it interesting, maybe someone else will too.

Cybersecurity Architect here - industrial control systems are a serious issue. It's scary how outdated (and insecure as a result) many of these systems are.

How an overzealous admin is to blame?

In every system I've seen, things are ALWAYS setup with remote access. In over 20 years, I've not been in a Class A office that didn't have complete remote access to everything... fire alarm, security doors, elevators, HVAC... the f'ing clock in the lobby... (The scary part... a _nuclear power station_ can be remotely controlled. Protected only by an RSA SecureID token.)

Or remote maintenance vendors / third party

I didn’t say secure connections don’t exist. I’m saying the issues exist because of people. Just because some aspects or overhead systems can be remotely controlled, I assure everyone there are still air-gapped, physically separated or unbridged networks in most facilities… even nuke plants. You think you are going to reconfigure the motor drives or vibration monitor calibrations on the reactor jet pumps from your home office, you are mistaken.

​@@_ata_3because they want it to be under THEIR control - read, they can't stand the idea of an asset they don't have full time physical and remote access, so they take measures to "take ownership" of said assets. Be it have it somehow connected to the network with "I put this on Network isolation source trust me bro" or badgering management so they gain unrestricted physical access. Last serious place I saw we were told someone earned a writeup for just requesting access to The Vault, for they should know better.

He did cover that in the sewer video too

No, but I do kind of feel like a slacker now for not wondering that.

This is currently changing. I work as a SCADA engineer in the water industry and there has been a huge emphasis in cyber security for critical infrastructure. It is not obviously up to par as it needs to be, but examples like Mulshoe and the colonial pipeline has really shaken the industry to take this stuff seriously.

Seriously it's like they haven't heard of 2FA before.

UFW deny

Yep. And better than corporate networks. They all use spyware that the C-suites got duped into using to spy on everything done on employee devices and try and stop malware, instead of properly using VLANs to stop said malware from spreading far once it inevitably evades detection.

If it costs more money to fix than it makes then capitalism doesn't care heh

Amen!

Do you have to be a civil engineer or a coding engineer to be able to do that? I find cyber security really interesting and am thinking about maybe doing a traineeship in it after graduating university - but my strengths are definitely more in critical thinking, planning diagrams of systems/layers (not actual coding), and human interactions. So I'd love to explore whether it would be something for me, but I'd absolutely go insane if I just spent the entire day looking at lines of code that _somehow_ refuse to compile.... 🥲 Anyhow, thanks for youe hard work and keeping us all a tiny bit safer ^^

Which is

Grady is the real deal, he is great.

I understand the subject at hand and I concur. This is amazingly explained, proper vocabulary is used and simply introduced, incredible. This is giving me so much confidence in how this channel covers other areas and fields I know nothing about. Well done.

Did you just find this channel? That's standard. Same with about another couple hundred YT'ers I follow. I swear, most of my sub list should be the default sublist for any new YT accounts, at least if you like science and math.

That's why I try to get my trainees into the production floor for a tour. I also encourage colleagues who haven't been there in years that they should join.

I'm a board operator at a Refinery. I always think of my outside guys first before i make any moves. Especially on natural draft furnaces.

Sounds like people that aren't qualified hiring and training people who aren't qualified.

@@Smokeisprogress couldn’t be further from the truth, guys work 20+ years sometimes just to get into the control room. You’re put in charge of hundreds of millions of dollars of equipment that unlocks stored energy & converts it to extremely high pressure superheated steam to drive turbine/generator units & power the grid with hundreds of Megawatts, sometimes Gigawatts of electricity. It’s a dangerous environment. Nothing unqualified about us. We’re humans, humans become complacent, it’s in our nature. I was just saying I can relate to what he said about it & I bring it up to anyone I train in here.

Have there been accidents where someone thought they were running a test/training system, but it actually ran on the live hardware? I think every computer company has managed to accidentally do this at one point or another.

So true

So was it windows? yuck

When I was a network guy, we put a lot of stress on out-of-band management to prevent this kind of scenario. In my current job, I've noticed they don't bother with that, and as a result I have had the network guy call me and ask me what the equipment was doing. For something critical, you should have a way to get in when all else fails. It really isn't all that hard to do. Even for a management computer losing all network connectivity like this, there are solutions. You have some second device that is a console server connected by some other means (say, a serial connection that is impossible to misconfigure), and you give that device its own external network connection -- preferably dial-up or something else that doesn't share any dependencies with your usual network access. A four hour drive makes for a good story, but there are cases where a mistake like this could involve getting on a plane.

@@MushookieMan Not a lot of options in the SCADA world, unfortunately. Linux is becoming more of an option these days, but you'd still be hard pressed to build anything beyond a basic system on just Linux. All the software runs on Windows.

Was that tied in with the Crowdstrike incident?

@@Elrog3I can't answer that for obvious reasons lol

Lots of vendors are pushing that sort of thing these days. "Manage everything from your phone! Monitor the state of your plant while you're having dinner with your family!" The important thing to remember is that those vendors don't care about your security, they care about their sales.

And only some of those malicious actors are your own users 😂

Exactly what I wanted to comment right now. Can't believe those systems have no protection against accidental or intentional operator error. It's like using 2 contractors to change the direction of a motor and allowing both to be powered at the same time. Or allowing a traffic light to have the option "all green*. Absolutely unacceptable.

The problem here: the HMI is often generated by engineers who are NOT specialists in software. Even 15+ years ago it was easy to build a custom HMI interface using tools provided by the manufacturer of the HMI. That means the process engineer ( who probably has little to no software experience) can easily set up the HMI to do what they want, and they probably won't be thinking of sanity checks.

@@neosenshi the PLC should have the checks, if you only have them on the HMI, the part between two machines or machine parts also won't be protected. When I had PLC stuff during my apprenticeship, the teacher always told how important it is to prevent wrong inputs to cause dangerous situations. We also had to consider breaking wires for safety features and other things. I absolutely agree with you that the operator always should be able to configure the HMI in a way, that makes sure they can do their job in the best way and that the safety of the machine should be their job. The machine should already be safe enough by default.

Actually, no. There haven't been additional pipe bursts. Those "wire snaps" reported are not pipe breaks. (They aren't good, but they aren't breaks.) Water restrictions were lifted for a while and then fully reinstituted near the end of August when they took the pipe back out of operation to do *preventive* repairs at additional locations they identified as weak. Additionally, they were already gearing up to take the pipe out of service to do a full offline inspection at the end of 2024 (presumably when water usage is lowest) so it wasn't just "worry when it fails".

​@@lostwizard 1/4 (at least) of ALL CANADIAN WATER INFRA in major cities is past its useful life and due for replacement. We didn't have acustic monitoring or other systems in place to properly monitor the wires snapping on the main/feeder - this was preventable. We were sold equipment which has a USEFUL lifespan of 50-70 years but only managed 49 - which is expected.

​@@lostwizardWe hadn't inspected the bearpaw in over a DECADE. It's okay to admit we need to do better instead of licking boots.

@@joeeeyyyyyy Stating facts =/= licking boots.

i remember images of idiots filling up plastic bags with gasoline at the gas stations 🤦‍♀

@@moos5221 lmao

self-inflected stupidity is a c-suit trait.

@@moos5221 The weird thing is that the most famous video actually came from 2019 and had nothing to do with the pipeline. Some wackjob filling plastic bags with gasoline and putting them in the trunk for no clear reason.

I fully understand why you would shut down all your systems as soon as possible when you discover you are infected. The risk of critical hardware getting damaged (pumps running dry, pressure buildup, oil overflow) is just not worth it. Especially since there is always some slack in the supply-line which gives you time to deploy emergency solutions such as wheeled transport.

I'm hoping that @thecityofcalgary and @Editorpurenews (Pure Technologies) will share some of the findings of the PipeDiver and how they correlate to what they uncovered during excavation (e.g. wire snaps in the prestressed concrete pipes). Through all these water restrictions, I was thinking it would be awesome for Grady to cover this topic in a video. He was bang on the money -- when the infrastructure is out of sight and out of mind, we (as Calgarians) didn't give it much though; little did we know we'd learn so much about our the source of our drinking water and how it's treated/delivered, and now, I'm eager to find out more!

Seconded. It's crazy because that pipe was only halfway through it's service life, which makes you wonder how much other critical infrastructure is close to failing without notice.

I think I remember you from Mastodon!

It's kind of crazy. It's like leaving the door for a control room open, and front facing the road. These are no "hackers" it was most likely just some bored kid scanning the internet for open VNC ports and messing with the values. This is no sophisticated attack, this is quite literally someone walking through a door that was left open. They should be punished by all means, but come on, leaving an unprotected VNC server open on critical infrastructure is such an easily preventable mistake...

@@ado3247 yep, exactly

​@@ado3247Similar to the many instances of open MariaDB server with default authentication (no password) and then blaming "hackers" once some kid uses Shodan to find it. How Equifax got in zero trouble for this is ridiculous.

yea - worldofvnc and vncresolver are fun to watch... and scary at the same time

Okay, so you've just about took 95% of businesses and critical infrastructure offline. What's your plan now?

Probably hire a network security engineer or consultant or what have you ​@Stealth86651

@@Stealth86651 Only because they're cheap.

@@Stealth86651 Change the norms (regulations?) so that businesses invest in cybersecurity. Just because things are bad across the board doesn't mean we can't or shouldn't improve them.

Do wonder where they're getting the money for it. The service doesn't seem like something that'd make much on its own so they're getting donations or investments from somewhere.

@@killsode4760 Probably venture capitalists. Same thing happened with VPNs only a half decade ago.

@@killsode4760 They work on a massive problem that the avg joe has no idea is happening, I expect there will be more awareness and more revenue in it in the future. I'm concerned that the bad actors will start a misinformation campaign that they are secretly controlled by one political side or the other. That could even happen organically amongst certain types just due to their constant conspiratorial expectations.

​@@LoganChristiansonYep, spending all there money they earn on more adds to get more customers. So they generate lots of cashflow, which increases they value of the company and than sell the company for a few 100 million to something like Google or Facebook

@@LoganChristianson If that's what's going on, the promise of neutrality won't hold true for long.

Love the handle

@@davide803sc thanks Brother!

A high-vis vest, hardhat, and a clipboard will get you far. :)

@@nitehawk86 no doubt! Act like you belong, and they'll think you do!

​​@@nitehawk86you should try a ladder, you think clipboards get you places. A ladder people will hold the door open and you don't even have to ask. If you really need in somewhere though, a wheelchair. Nobody is going to tell the disabled person no.

Season 7 episode 7, "King-Size Homer".

More accurate than you might imagine, the chemical plant control rooms in S Texas are scary places, Luckily the systems are smarter than the operators these days; but fires, spills & explosions are still regular occurrences behind the gates, only reported when they can't hide it.

Well, have a single outside door. Have multiple internal walls too, so that someone can't just do whatever once they get in.

I think generally the law regarding fire safety gets in the way of that, like, imagine if someone lost control of their truck and crashed into it, or some bad guy blew it up, or a fire breaks out and now that area is a firestorm, that kind of thing.

@@Xannthas Well, I was thinking it more as an analogy for cybersecurity (don't connect everything to the internet). Don't have more access than strictly necessary to critical components.

That's awesome, Iran had that. They had no access at all. Didn't really help them much did it.

@@zyeborm When your threat model includes the CIA and the NSA, you are indeed in trouble. (Though not allowing thumb drive would have helped.)

That romantic "hacking" rarely ever happens anyways.

Time to get my paint bucket dispensing drone out then!

Those ports can be physically clocked with specially designed locks. A contractor told me that he could just disable the jacks using software, to which I pointed out that they could also be re-enabled using software.

This is actually normal process. Put crazy clue to usb ports so no devices can be inserted

@@ghost307 or epoxy

Specially designed locks... or glue.

@@ghost307 Some motherboards have a setting to disable USB ports, which is a little bit harder with other measures like BIOS password and Secure Boot.

Also, a network's worst security threat is it's own users.

@@wcntech "Hey I found this usb stick in the parking lot. I'm going to plug it in to my computer at work." lol

The issue is that many of these who cares low hanging fruit, when you add them up, it stops being who cares situation.

@@ikocheratcr not only that, but successfully picking low hanging fruit might teach you a lot about how to pick the fruit that’s higher up on the tree

A lot of these attacks on low value targets are either proof of concept or for refining techniques before going after higher value installations.

Okay but it can’t be imposed by software. Something physical like a bushing that physically can’t transfer more than a certain amount, or a pump that physically can’t move more than a certain amount of material, or have the equipment run on a trickle charged battery that shuts down if it runs extra long.

​@@twestgard2ideally there would be redundant protections, both software and hardware. Hardware costs a lot more to change, so software is easier, but yes less safe/more vulnerable to hacking.

I would guess that those checks were in place. It was just within the limits. Maybe there are occasions where this amount is needed. Or maybe you need it for very short period of time. I don't know to be honest. But what I do know, is this is such a trivial thing to add, that it for sure was there. Although... Maybe nobody implemented it, as it wasn't specified in docs. Yeah, probably specification and communication hell, as it's common in projects like this.

@@twestgard2 Why can't it be imposed by software? The hacker had access to the user, not direct access to app parameters. If those software constraints existed or set off alarms or required group approval to exceed maximum threshold that would have prevented this. Your solution is way more complex, expensive, and cumbersome. Machinery isn't built to hit specific limits, that's not reality. You can certainly have more physical fail safes, but for complexity and cost and long term maintenance I think software constraints and an escalation system to go over those limits in weird situations is more than enough IMO.

@@thepunisherxxx6804 Physical limit implementation is hardly complex, expensive, and cumbersome, it's basic design.

What happened this time? 😭

@@oolureoo probably the pagers exploding in lebanon

@@CaptainZavec Yeah, just read about it, it's crazy

Looks like it’s non-cyber

@@leenevin8451 Maybe no hacking involved as it originally appeared. Either way they still detonated them all remotely at the same time using the network so it's still cyber.

Lmaoooo pH of “2”. Good catch!

"Any man who must say, 'I am the king,' is no true king"

If you're a fan of Thor NEVER look up Maldavius Figtree

not only is it a cool job, its also important.

Kinda different in a way. If your opponent is an advanced persistent threat (IE your group has pissed off a nation state actor) you have a whole mess of other problems especially when your supply chain is vulnerable. (And everyone's supply chains are vulnerable, why do the bolts on an f35 cost so much? Because we are pretty sure no-one has hollowed one out, put something spicy in there with a little radio reciever in it.) This water attack was leaving the front door open, the pagers you will need to pull them down to components to find that. Military's do that kind of thing. I know of a few times that backdoors were found in devices coming from supposed allies.

His most recent video prior to this had garage demos though?

I think that present day KZbin videos tend to start immediately. The intro music may lead to less retention, and therefore watch time.

Those Russians !

For systems designed now, that is a thing people consider! I've seen a few talks on it at conferences, generally under the name "cyber-informed engineering." A good example is the sodium hydroxide thing mentioned in the video: if the tank that holds the concentrated hydroxide is small enough compared to the amount of water in the mixing tank that even if it were completely opened up it wouldn't reach a dangerous level then it doesn't matter if somebody hacks the HMI to open it up (as much)! A big part of the problem though is how long these systems live. Infrastructure lives for 20, 30, 40+ years so even if we start building everything with perfect security now it's still going to be a long time until all the old stuff is phased out.

The problems with easily foreseeable and mitigated are: 1) We have the benefit of hindsight, which makes it hard to be objective about how easily it really was foreseeable. 2) 10,000 easily foreseeable things aren't easily foreseen anymore unless you have the time to think of 10,000 things, which we almost never do.

@@Renegade605 Thus why I asked my real question and gave examples. Are we as a nation being proactive enough?

@@msromike123 no, no one is. But also, what is "enough"? Enough to prevent any possible attack from ever happening? Well that probably isn't even possible. Enough to prevent loss of life due to a cyber attack? That didn't happen here, so by that metric it was enough, right? Just like every other engineering decision Grady ever talks about, there has to be a balance between cost and risk.

They never are. There’s no money in prevention and maintenance. It’s all wasted on those giant scissors for the ribbon cutting on the big new thing

Bingo, always keep in mind the obvious thing could be a distraction.