Simulated Attack on Water Infrastructure – Google Paid Engineers so much They Left

 

What happens if you pay Google employees too much? They leave and compete with you. Also, Georgia Institute of Technology conducts Ransomware test on Infrastructure. Here’s what happened, and it isn’t good.

Related articles:

Researchers simulate a ransomware attack on industrial controls

http://craigpeterson.com/news/researchers-simulate-a-ransomware-attack-on-industrial-controls/11727

Engineers on Google’s self-driving car project were paid so much that they quit

http://craigpeterson.com/news/engineers-on-googles-self-driving-car-project-were-paid-so-much-that-they-quit/11730

More stories and tech updates at:
www.craigpeterson.com

Don’t miss an episode from Craig. Subscribe and give us a rating:

www.craigpeterson.com/itunes

Follow me on Twitter for the latest in tech at:
www.twitter.com/craigpeterson

For questions, call or text:
855-385-5553

Transcript

TTWCP-DAILY-35_2017-02-17_ Simulated-Attack-on-Water-Infrastructure

 

Below is a rush transcript of this segment; it might contain errors.

 

Airing date: 02/17/2017


Craig Peterson: Welcome to today’s Daily TechSanity check. This is Craig Peterson here. I’ve been doing this podcast now for going on 15 years. We just started the dailies about 2 months ago and I’m at almost show number 900 for my weekly podcast. So I’ve been doing it a very, very long time. And I’m glad to be able to be here today. We talked about what is going on in the tech industry and try and give you a little bit of a sanity check. Because, believe me, there is not enough sanity out there. Everyone is blowing everything technology way out of proportion. So let’s bring it back. Let’s talk about the reality. I’ve got a good 40 years of experience in the hi-tech field designing systems, implementing systems. The code I wrote still runs parts of the internet today. I’ve been on the internet since about 1981, of course, it wasn’t called the internet back then. And I’ve been helping businesses get online. Secure their presences since 1981. Ever since it’s been legal to do business on the internet, I’ve been helping businesses and organizations get online. So I don’t usually give that much of a detail here when we start about what I am and what the show is about. But I figured, you know, I haven’t done this. I don’t think at all in any of the dailies. Although we talk about it a lot in my weekly shows. Now, my weekly are also broadcast on terrestrial radio. Yes indeed. Those of you too young to know what that is, that means those AM and FM radio stations, you know, that your car used to have? Do you realize most cars don’t even have AM radio anymore? What a difference over the years. So I’m on iHeartRadio Clear Channel every week as well. Every weekend.

 

Alright, we’re gonna get started today. We got 2 things we’re gonna talk about. First of all, Google had been overpaying some employees so bad they’ve lost their competitive advantage. We’re gonna talk about that. And also, some researchers here just simulated a ransomware attack on industrial control systems. Now think about that for a second. These are the types of systems that control our water, our electric, our… just kinda on and on. All these industrial control systems. So, we’ll talk a little bit about that. What did they find? What happened when they hacked them? Stick around. Got a lot more coming up and of course, you can find all kinds of information, every article we talked about today and its background and the podcasts and transcripts at http://CraigPeterson.com. Stick around, here we go.

 

(TTWCP EARWORM)

 

Hey, we got a lot to talk about today. And for, of course, next week. And tomorrow, don’t forget, I am live on the radio. And if you want to be in my insiders’ list, get reminders of that, just text my name Craig to me at 855-385-5553. And that is my number so you can text anything. You can text questions. Glad to answer them. I had another one lady approach me for another keynote speech, which I enjoy doing. And she just texted me. 855-385-5553 for bankers. In fact, this is a bank association.

 

Alright. So let’s get down to it today. A couple of different things. First of all, let’s talk about this ransomware attack and then we’ll get on to Google and some of their engineers and how they lost their competitive edge here. Researchers at the Georgia Institute of Technology created a whole new form of ransomware. Now, we know it’s rare. Nobody writes code from scratch anymore. And that’s particularly true when it comes to ransomware.  When it comes to all forms of malware because there’s so much of it available online. There’s so much that you can do by just taking pieces of code from this hacking group in Russia, that hacking group over in the Ukraine. These guys that did something and those gals that did something and pull it all together. Put it all together. And now you have some malware.

 

So they didn’t write it from scratch themselves, I’m sure of it. But what they did do is they attacked a different vector. Now, we know the United States has admitted to having a malware party that developed some malware that was designed to go after centrifuges. Remember that? And when we’re talking about these centrifuges, of course, that was Iran and we wanted to derail what we considered to be their nuclear program. So we developed this. We got it into their systems and it infected them and it destroyed the centrifuges. It was really quite clever the way it worked. The centrifuges, of course, just spun themselves to death and broke apart. But what was more interesting was that it also infected the control and monitoring systems for the centrifuges. So the control systems, everything was just hunky dory with the centrifuges when in fact, of course, they were destroying themselves.

 

So, these researchers at Georgia Institute of Technology said, well, what would happen if someone created some malware that would take over the control systems in our industry, and more particularly here, our water supply? And think about how many of us rely on municipal water supplies? Now, this particular program installed itself into a water plant that GIT had created. It was just a model but it allowed the researchers to do the normal things you would do when you are running a water plant. You have the filtration. Of course you have the backwash to flush the plant out. You have chlorine levels to help keep the bacterial counts down. You have water valves that move the water from one area to another to holding ponds. Of course when you’re talking about water, it isn’t just freshwater, we also have black water that comes out of the sewage system that has to be treated, right? So it goes all over the place. Back and forth. The valves are controlled. The pumps are controlled. And of course the monitoring systems are controlled as well. So just like in Iran, if we can give the people running the plant the wrong information, we don’t even have to control the valves, the pumps, or anything else, right? We’ll let them control it. So we take over the monitoring systems and we indicate, hey, there’s not enough chlorine in the water so they, you know, crank up the chlorine and ‘til it gets to the “right level” and it turns out the right level is toxic to humans. Just as an example. Or maybe we have a wastewater treatment plant and the black water that’s still in the wastewater plant, of course you don’t want to overflow into a nearby river. But if you can go ahead and just modify the monitoring systems slightly so that they overfill these holding ponds for the sludge, and that sludge now ends up in the river, or even worse potentially into the water supply. Think what could happen here. It could be very, very bad.

 

So the study says we are expecting ransomware to go one step further. Beyond the customer data to compromise the control systems themselves. That could allow attackers to hold hostage critical systems such as water treatment plants and manufacturing facilities. Compromising the programmable logic controllers in these systems is the next logical step for these attackers. Now we heard about what happened over in Europe a few weeks ago where a hotel system was supposedly taken over, well the lock system, by some ransomware guys who demanded payment of the hotel in order to allow the hotel’s guests access to their rooms. I think, I’m just going to the top of my head here, I think it was a $15,000 bounty, ransom that they were holding it for. I’ll try and look that up and put it into the show notes for today. Let me see, hotel lock system held ransom. So, I’ll go ahead and I’ll put them into the show notes. So when you look at the podcast, you can see the show notes and you’ll see that.

 

Anyhow, this is gonna happen more and more. But in theory here, it really hasn’t happened but how many vulnerable systems are there? Well, this is amazing here because these researchers at Georgia Institute of Technology found 1400 of these PLCs, these Programmable Logic Controllers, connected to the internet. Now I designed a system, a few years ago, that is designed specifically for this type of thing, where you can hook up each one of your internet connected devices. Whether it’s a valve, controller, a pump, a pump controller, etcetera, etcetera. Hook them up to my little device, which creates a virtual network on top of your network that isolates it entirely. So you don’t have to update all of these PLCs. I’m encapsulating it inside the secure network. It’s very, very cool. And this allowed you to work across multiple networks and everything else. Very, very cool. But I couldn’t get any traction, right? Everyone is saying no, no, can’t happen, can’t happen. Well, 1400, that’s just amazing, of these devices they found easily that were open to hacking.

 

So, the report goes on to say there are common misconceptions about what is connected to the internet. Operators may believe their systems are air-gapped and there’s no way to access controllers but these systems are often connected in some way. Air-gapped means there’s no physical connection to the internet and literally there’s air between the device and the internet.  So you just can’t get through. So, they’re still working on the research. They presented it at the RSA conference in San Francisco. And we’re talking about, you know, some of those issues about what’s going on. I think that’s a very, very big thing. If you’re in business, you gotta pay attention to this. And it’s something the government is paying more attention to as they realize, wow. Things could be very, very bad out there for the country.

 

Engineers work at Google, right? A lot of them. Software engineers, hardware engineers, real engineers have real engineering degrees. And Google has spent a lot of money on its self-driving car project. I’m sure it’s in the billions right now. According to a report I’ve read online, right now, it’s saying that Google’s parent company Alphabet spent 3.5 billion dollars on their kinda X projects. Their other bets. Like the self-driving car project. And lost another billion dollars in the last quarter of 2016 alone. Isn’t that amazing? Well here’s what’s kinda interesting. Google, of course, as you know has gotten out of the self-driving car business. It has spun off another company to make the self-driving cars. It turns out that they have spent so much money on the self-driving car project that things have kinda flipped on them. This is from Bloomberg. It says that early staffers of Google in the self-driving car project had an unusual compensation system that multiplied the staffers’ salaries and bonuses based on the performance of the self-driving project. Now that doesn’t sound too weird to you, does it? Well, the payments accumulated as milestones were reached. Even though Waymo, who’s the new company Google spun off, even though Waymo remains years away from generating revenue. One staffer eventually had a multiplier of 16 applied to bonuses and equity amassed over 4 years. Think about that kind of money. The huge amounts of compensation worked for a while. But eventually, it gave many staffers such financial security that they were willing to leave the confines of Google. So they took their accumulated cash, some of them started some other firms. One of them is in competition here. Chris Urmson co-founded a startup with an ex-Tesla employee Sterling Anderson. Others, they got a self-driving truck company called Otto, purchased by Uber last year. Another one went and founded Argo AI, which received a billion dollar investment from Ford last week.

 

So a little bit of word of caution here, you know. I’m in the process of hiring more people over at Mainstream. And this makes me think too about compensation plans. Looks like Google really messed up.

 

Hey, we’ve got a couple of things coming down the pipe. Next week, we’re gonna start having daily tips, a special newsletter of daily tips really quick. Little things that are gonna help your business, help your life. Everything from apps through security and what to do. So I’ll let you know more about it when that comes. In the meantime, make sure you are on my main mailing list to get my weekly update. http://CraigPeterson.com. You’ll find everything there. I even publish my cell number right there. It’s a toll-free number. And you can text me at that number. How’s that for amazing? How many people do you know have a toll-free text number? Only me. Only the tech guy, right? http://CraigPeterson.com. Have a great day and we’ll talk tomorrow. And for those of you who are asking, obviously no. I’m not over this cold yet. It’s still congested. Take care. Bye.

—-

Don’t miss any episode from Craig. Visit http://CraigPeterson.com/itunes Subscribe and give us a rating!

Thanks, everyone, for listening and sharing our podcasts. We’re really hitting it out of the park. This will be a great year!
