Cory Kujawski Of Digital Element On What We Must Do To Protect Critical Industrial Systems From Cyber Attacks

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine


Ransomware attacks have sadly become commonplace and increasingly brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack? In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about what we must do to protect critical industrial systems from cyber attacks. As a part of this series, I had the pleasure of interviewing Cory Kujawski.

Cory Kujawski is a Principal Research and Development Engineer at Digital Element. He is a security researcher, computer engineer, and developer. He specializes in the intersection of these disciplines, with particular expertise in Internet of Things (IoT), Industrial Control Systems, and Internet Protocols. With over 20 years working as a contractor to several US agencies, including the DoD, as well as the private sector, Cory has developed multiple tools which became essential to several companies’ core solutions. He has presented at several cyber security conferences around the world, bridging gaps in the cross-cultural understanding of cybersecurity. With extensive knowledge of threat intelligence techniques, penetration testing, and malware, he is well-versed in identifying and mitigating emerging threats.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born and raised in the agricultural district of Central New York, just 20 minutes away from the Cooperstown Farmers Museum and Baseball Hall of Fame. Growing up, I was surrounded by farmland and somewhat isolated from my peers, which led me to take a deep interest in technology, starting with the plain old telephone system (POTS) and later computer systems.

During high school, I attended the Oneida-Herkimer-Madison Board of Cooperative Educational Services (BOCES), where I studied for the A+ and CCNA certifications. It was during this time that I was given the opportunity to hold a conference and speak to the student body about my research into computer security, hacking, and the legal ramifications associated with these topics. This experience further solidified my passion for technology and security and set me on the path to my current career.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

It was a few movies that initially sparked my interest in security. Watching “Hackers,” “Wargames,” and “Sneakers” was the beginning of my journey. As I joined security communities online, I had the opportunity to interact with security pioneers such as Jeremiah Brott, Adonis Sawan, Halvar Flake and Don Bailey. Together, we researched routing devices, protocols, binary exploitation, and learned various programming languages. A few of us also participated with the Anti-Childporn Online (ACPO). These experiences shaped my understanding of not only weaknesses in computer systems but also the failings in security products that were meant to defend against them.

As I saw deficits in intelligence about attackers and a lack of able-bodied researchers to identify attackers, I decided to take my knowledge in open-source intelligence collection, programming, and security, as well as my unique understanding of attackers’ methodologies, to develop a career in hunting down threat actors, such as terrorists and nation-state attackers. It was a natural progression from my passion for security and my desire to use my skills to make a difference in the world.

Can you share the most interesting story that happened to you since you began this fascinating career?

I am particularly proud of my achievement of infiltrating the ISIS Cyber Caliphate and ensuring that vital information was made available to the appropriate parties to help protect everyday people. This was a challenging and complex research project, as it involved overcoming language barriers, knowledge deficits in culture and creating bonafides without furthering the agenda of the group. It was uniquely difficult to appear active within such a group without providing them with anything useful. Nonetheless, I was able to navigate these challenges and obtain the information necessary to help protect innocent people from harm.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I found that my strong technical skills were paramount to my success in my work. I gained knowledge of intricate details in protocols by reading RFCs, technical books, and applying research to find what usefulness hadn’t been considered for the underlying technology, which helped me to overcome obstacles and present challenges.

As someone with a passion for cybersecurity, I knew it was essential to continually engage in learning, as the field is forever growing and changing. I have kept up with the field by reading academic articles, research papers, and engaging with the community. Although the time investment has been immense, I find personal satisfaction in researching my passion for technology, which has made my success possible.

I have found that effective communication skills are crucial for anyone in the technology industry. I have honed my ability to explain complex ideas to a non-technical audience through various experiences such as holding online lectures to teach different technologies, speaking to audiences at conferences, and even sitting at intimidating tables with C-Level executives. These experiences have helped me to be successful in my work.

Are you working on any exciting new projects now? How do you think that will help people?

Jonathan Tomek and I are building a capture the flag (CTF) security competition with a focus on artificial intelligence for the upcoming CypherCon conference in Milwaukee. We are creating various challenges of varying difficulty for participants to solve, with each challenge offering a different point value. Our hope is that the CTF will give attendees the opportunity to test their skills, learn new technologies and promote interest in the field while strengthening their knowledge.

Following CypherCon, I will be collaborating with Marcelle Lee to conduct a workshop on CyberChef at Thotcon in Chicago. CyberChef is a versatile tool that enables users to quickly convert data formats, encryptions, and encodings into more readable formats. During the workshop, we will provide hands-on instruction to attendees on how to use CyberChef, including how to apply it to real-world applications for a unique learning experience.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks?

As someone who works in the field of cybersecurity, I want to focus on the most common types of cyber attacks that I have encountered in Critical Industrial Systems. These attacks include Phishing attacks, Ransomware attacks, Distributed Denial of Service (DDoS) attacks, Insider threats and Nation state attacks.

As an observer of phishing attacks, I have noticed that attackers primarily target employees. They focus on stealing login credentials and other sensitive information, which they can use to gain access to industrial control systems. This leads to pivoting throughout a network, attacking exposed assets. I have also observed that the malware installed through phishing attacks can do more than just harvest credentials; it can also grant the attacker network access.

Ransomware attacks target critical industrial systems. The attackers use a virus that encrypts files and demands payment for the keys. These attacks result in significant downtimes and can cause extensive financial losses.

Distributed Denial of Service (DDoS) attacks work to overwhelm systems with requests, making them unavailable to legitimate users. These systems can be responsible for controlling critical infrastructure such as water treatment facilities, power grids, and even transportation systems.

Insider threats are employees who already have access to critical industrial systems and who intentionally or unintentionally cause damage or disruption to these systems. An example of this would be Stuxnet, a virus used to physically break centrifuges which were used to produce enriched uranium. It is believed infected USB flash drives were used to infect the drives of computer systems. It relied on human curiosity or an insider threat. Someone plugged in the malicious flash drive, resulting in the malware getting access to the CIS.

For the benefit of our readers, how would you define a critical industrial system? Can you please explain with some examples?

Critical Industrial Systems (CIS) are computer-controlled systems which are used for safe and reliable control of critical infrastructure. They are relied upon to ensure equipment operates efficiently and securely. These are systems that are designed to control and monitor complex and often interdependent processes, such as the stages of systems used in water treatment plants. When I think of systems that are CIS, I think of oil and gas refineries, power plants, water treatment facilities, manufacturing plants and transportation systems.

Can you share some examples of recent and notable attacks against critical industrial systems? Why do you think these attacks were so significant?

Pipedream

Pipedream is a type of malware that has been used to target various industrial control systems. Although there is only circumstantial evidence, Mandiant suspects that the malware may be of Russian origin. In April of 2022, the Cybersecurity & Infrastructure Security Agency (CISA) issued an alert about the use of Pipedream. The tooling is designed to target Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers.

Pipedream is a versatile tool with a range of modules that are capable of scanning, conducting reconnaissance on devices, uploading malicious configurations and code to targeted devices, backing up or restoring device contents, and modifying device parameters. It can manipulate the control of the affected devices, giving the attacker significant leverage over the systems it compromises. This makes Pipedream significant because it targets such a diverse range of ICS using multiple attack vectors, highlighting the need for strong cybersecurity measures to protect critical infrastructure against such advanced threats.

Industroyer2

The Sandworm Russian state-sponsored group created the Industroyer2 malware, which targeted Ukraine’s power grid in 2022. In 2016, the group also created the highly sophisticated Industroyer/Crashoverride malware, which targeted industrial control systems. The original Industroyer caused a significant blackout in Ukraine. However, the newer Industroyer2 malware was much more advanced than its predecessor. It was designed as a single executable with hardcoded configurations that disabled circuit-breaker failure protections. It’s significant because it shows that even highly sophisticated attacks like Industroyer2 can be thwarted with proper security controls in place.

Why are critical industrial systems particularly vulnerable to attack?

Critical industrial systems are particularly vulnerable because they are often the most accessible and exposed components of an industrial network. They are the backbone of an organization’s operations and are typically the most heavily utilized and frequently accessed components of the network. Because of this, they are often the most exposed to potential cyber threats. Additionally, these systems are highly interconnected, which makes them an ideal target for attackers, as they can be used to gain access to an entire network. Critical industrial systems also often have limited security protections, leaving them vulnerable. Another common issue is that these systems are generally managed by multiple vendors and organizations, which makes it difficult to identify the source of an attack and coordinate a response.

What makes critical industrial systems such an attractive target for bad actors?

They’re attractive because they have such a large potential for widespread disruption. A skilled attacker can also make this look like an accident. These systems store massive amounts of sensitive information and control all sorts of automated processes, including energy distribution and water supply. Successful attacks on these types of systems have the potential to cause significant economic damage and threaten widespread public safety. We also see that the data stored on these systems provide access to confidential information and information on how to access tangible assets; unfortunately, these systems are generally not designed with security in mind and are more easily exploited by bad actors.

Who has to be most concerned about cyber attacks? Is it primarily businesses or even private individuals?

Everyone has a dog in this race. Businesses and private individuals should be concerned about attacks on industrial control systems. They can have far-reaching and devastating consequences, such as widespread power outages, water supply disruptions, and can even result in catastrophic disasters like flooding should a levee be attacked.

Industries such as energy, transportation, and manufacturing would be affected by significant financial losses, damage to both their reputations and customer trust. The loss of critical infrastructure could lead to significant economic and social disruptions, affecting entire communities.

For private individuals, an attack may result in loss of access to basic utilities such as water and electricity. Preparing for potential issues is key to success. Think through how you would get by for a time without power or water and other essential services like raising bridges.

Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?

When addressing a cyber attack, the first step should be proactive. Utilizing a cybersecurity expert and including them in a business continuity plan would be a great first step in addressing a cyber attack. If you prepare now, you can do so with security in mind. Working with an MSSP can help you orchestrate your preparedness and save you money in the long run. Part of that plan should be developing relationships with programs such as the FBI’s InfraGard program. Not only does that give businesses the ability to see emerging threats, but also contacts within the government to call on for assistance.

In the event of an attack, another great step would be contacting external cybersecurity experts who specialize in helping businesses in the middle of a crisis to develop future plans to further protect themselves. Having access to specialized industry experts who handle incidents on a daily basis can be a pivotal move.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

There are quite a few common mistakes I have seen being made in the past. Failing to implement software and security updates is a major issue. As is password reuse. Utilize a password manager to generate unique passwords for every system you have access to.

Patch management, I feel, is one of the most important pieces to securing a business from ransomware attacks. A lack of network segmentation is another issue I have witnessed. Failing to properly segment allows an attack to spread throughout a network leading to a more devastating attack.

Something I have seen since the 90s is insufficient employee training. Employees who are not trained in good cybersecurity practices fall for phishing attacks and other social engineering attacks, which introduce malware into networks.

We have all heard how important backing up data can be, but we still see businesses that have fallen prey to ransomware attacks lacking backups which might give them better options. Even then we have seen companies fall victim to ransomware in their backups themselves. Good cybersecurity hygiene can go a long way in defending yourself against ransomware.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Fostering collaboration through efforts such as the FBI InfraGard program. The program is not advertised enough to the general public, but it allows stakeholders from different sectors of government, industry, and academia to share information and best practices for mitigating cyber threats.

Promoting information sharing I see as another obstacle. Companies that have been affected by ransomware often don’t want to talk about it too publicly. I have sat in on closed sessions given amongst close peers where a ransomware attack was discussed. It was closed because the company did not want too much of the attack made public and harming customer trust. As a society we have to work at allowing businesses to discuss their weaknesses as much as their strengths.

Legislation should also become part of the solution. Companies are not held accountable for failing to meet what some of us in the industry see as due diligence. When all it costs a company is some reputation for failing to invest in adequate security measures, perhaps a fine like we see with GDPR might incentivize companies to take security measures more seriously.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect Critical Industrial Systems From Cyber Attacks” and why?

  1. Conduct Regular Risk Assessments: Back in 2014, an unnamed German steel mill was attacked by cyber criminals. After gaining access to the ICS, the hackers manipulated the control system, preventing a blast furnace from shutting down. This caused massive damage to the plant. It could have been prevented had the company conducted regular risk assessments with a focus on identifying vulnerabilities in their industrial control system.
  2. Implement Strong Access Controls: We spoke before about the 2016 Industroyer malware attack against the Ukraine electrical grid. This attack caused a widespread blackout. It could have been prevented if the vendor had implemented stronger access controls, such as by creating an allow list on USB devices’ product ID or vendor ID, to limit access to the power grid.
  3. Regularly Update Software and Systems: WannaCry ransomware came out in 2017. It infected thousands of computers in more than 150 countries. WannaCry worked by exploiting a vulnerability in the Windows operating system that had been patched 2 months prior. The incident could have been avoided had affected organizations promptly installed the security patch.
  4. Implement 2FA or SSO with strong passwords: This will prevent an account breach which attackers could use as a pivot point to access other systems. These pivots could include phishing, scanning the network, or collecting information on a user’s account. Many incidents begin with a compromised account; this makes it much more difficult for an attacker to get in.
  5. Develop an Incident Response Plan: Norsk Hydro was attacked with ransomware. The attack cost them about $71 million. Their response was the most transparent I have seen, which makes it a good example. They quickly decided that they would not pay the ransom, that they would involve Microsoft’s cybersecurity team to help clean up the mess, and that they would make this as transparent as they could for future companies facing the same issue. After the incident the company spoke about the value of their new, improved incident response plan that would make them better equipped to limit damage in the future.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Complacency is a huge concern I have with the cybersecurity industry. Many people believe they are not the actual target and that they have no control over preventing risks. This couldn’t be further from the truth. To address the issue of complacency, further education and awareness is needed. Educating people on potential risks of cyber attacks and the steps they can take to protect themselves and businesses can reduce complacency and overall increase security. I personally would love to see a TV show focused on incident response using real-world incidents and compelling stories like we see with CSI and Mr. Robot. This would result in people being more aware of risks and how to mitigate them, and being given the tools to take action can only help overall security.

How can our readers further follow your work online?

You can find us on LinkedIn. I also have a personal blog at www.cyberhumint.com.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
