Hack the Plant, Episode 38: Securing Embedded Systems 

September 25, 2024 – In this episode of Hack the Plant, host Bryson Bort sits down with MITRE EMB3D co-founder Niyo Little Thunder Pearson. For nearly 20 years, Niyo has been at the forefront of protecting critical infrastructure systems. He previously led incident response for American Express, directing the company’s Security Operations Center during the LulzSec and Anonymous attacks, and worked to develop an adversarial cyber defense program for the nation’s third largest gas utility at ONE Gas Oklahoma. Now, Niyo has co-founded MITRE EMB3D, a groundbreaking global threat network aimed at enhancing the security of embedded devices. 

What is MITRE EMB3D? Who is the intended audience? What problems is it trying to solve? 

“There is such a gap that exists today on what we understand and how risk averse these [embedded] devices are. They do well and they operate well. They’re built for what they’re doing in a safety context, but the security was never brought forward with it,” Niyo said. 

Join us for this and more on this episode of Hack the Plan[e]t. 

Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.

Transcript

I’m Bryson Bort and this is Hack the Plant. 

For today’s episode, I’m joined by Niyo Little Thunder Pearson, a renowned cybersecurity expert with a deep understanding of operational technology and industrial control systems. Niyo has been at the forefront of safeguarding critical infrastructure through his work leading incident response for American Express and developing an adversarial cyber defense program to defend the third largest natural gas utility in the US. Niyo is also the co-founder of MITRE EMB3D, a groundbreaking global threat framework that aims to enhance the security of embedded devices. 

“…MITRE EMB3D is a global threat framework. It’s a new one that is focused on embedded systems in critical infrastructure spaces, such as rail, oil, natural gas, water, wastewater, aerospace, autonomous, UAS. So everybody’s familiar with MITRE ATT&CK and MITRE ATT&CK for ICS. Those only actually record observed adversarial threats. That’s it. MITRE EMB3D follows everything from a theoretical, which is academic and theoretical to proof of concept, proof of exploit to then CWE because it was really meant to solve three things in embedded systems. One, give us a common language that we can talk about the threats that exist today. Two, it removes the black box principle around an embedded system. We’re basically bringing transparency to the kind of threats that exist within this platform itself. And then three, it’s the ability to be able to really educate the space of like, how mature are we in this area right now?”

We discuss the mechanics behind MITRE EMB3D and the problems it’s trying to solve. 

“… I think this whole conception in embedded systems was, Oh, you can’t get ahold of these devices. It’s really hard to get your hands on them. I was like, unfortunately go to eBay and you can find, you can get a lot of PLCs, RTUs for about anywhere from 80 to a couple hundred dollars. It’s not hard. So we can’t take this approach like, ‘Oh, they’ll never see it. Like it’s a nuclear station, right?’ No, this just is not a reality anymore. You can find these things, you can get ahold of them. And if we’re talking about geopolitical adversaries, then from their standpoint, they have the money and the time and the resources, they can make these things happen quite easily. So I think in the end EMB3D is meant to finally put our hand on the dial from defenders and industry, OEMs, and manufacturers and turn the dial on the actors and continue to turn that maturity and continue to approach that at a more cutting edge pace rather than reactionary.”

And dive into what he sees as the future of EMB3D.

“… I think there is such a gap that exists today on what we understand and how risk averse these devices are, right? They do well and they operate well. They’re built for what they’re doing in a safety context, but the security was never brought forward with it. And the problem is we perceive this in a very similar way. Well, it’s safe. So therefore it is secure, but that’s not true in these spaces. And we’re needing to lift that as a whole.”

Who is the intended audience for MITRE EMB3D, and how can they get the most out of the framework? What adoption has Niyo seen from the industry? And if he could wave a magic, non-internet-connected wand, what is one thing he would change? Join us for this and more on this episode of Hack the Plant. 

PART III: Episode

Bryson Bort: I’m Bryson Bort, and this is Hack the Plant, season four. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted. But they’re all becoming increasingly dependent on computers to function. We walk through the world of hackers working on front lines of cybersecurity and public safety to protect the systems you rely upon every day.

From the ransomware threats of Colonial Pipeline to the failure of the Texas power grid, it is clear our interconnectivity is also a significant source of risk. This season, we will continue to bring you a panoply of different insights across all of the different things happening in critical infrastructure.

In my day job, I’m the CEO and founder of Scythe and the co-founder with Tom VanNorman of the non profit ICS Village, where we educate people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded Grimm in 2013, a consultancy that works at the front lines of these problems every day for clients all over the world.

I’m also an adjunct senior advisor at the Institute for Security and Technology, a 501(c)(3) think tank dedicated to tackling technology-driven emerging security threats. This is Hack the Plant, brought to you by the Institute for Security and Technology and ICS Village. Subscribe wherever you find podcasts to get each episode when it drops.

Bryson: I’m Bryson Bort and this is Hack the Plant. For today’s episode, I’m joined by Niyo Little Thunder Pearson, a renowned cybersecurity expert with a deep understanding of operational technology and industrial control systems. Niyo has been at the forefront of safeguarding critical infrastructure through his work leading incident response for American Express and developing an adversarial cyber defense program to defend the third largest natural gas utility in the US. Niyo is also the co-founder of MITRE EMB3D, a groundbreaking global threat framework that aims to enhance the security of embedded devices. 

Niyo Little Thunder Pearson: MITRE EMB3D is a global threat framework. It’s a new one that is focused on embedded systems in critical infrastructure spaces, such as rail, oil, natural gas, water, wastewater, aerospace, autonomous, UAS. So everybody’s familiar with MITRE ATT&CK and MITRE ATT&CK for ICS. Those only actually record observed adversarial threats. That’s it. MITRE EMB3D follows everything from a theoretical, which is academic and theoretical to proof of concept, proof of exploit to then CWE because it was really meant to solve three things in embedded systems. One, give us a common language that we can talk about the threats that exist today. Two, it removes the black box principle around an embedded system. We’re basically bringing transparency to the kind of threats that exist within this platform itself. And then three, it’s the ability to be able to really educate the space of like, how mature are we in this area right now?

Bryson: We discuss the mechanics behind MITRE EMB3D and the problems it’s trying to solve. 

Niyo: I think this whole conception in embedded systems was, Oh, you can’t get ahold of these devices. It’s really hard to get your hands on them. I was like, unfortunately go to eBay and you can find, you can get a lot of PLCs, RTUs for about anywhere from 80 to a couple hundred dollars. It’s not hard. So we can’t take this approach like, ‘Oh, they’ll never see it. Like it’s a nuclear station, right?’ No, this just is not a reality anymore. You can find these things, you can get ahold of them. And if we’re talking about geopolitical adversaries, then from their standpoint, they have the money and the time and the resources, they can make these things happen quite easily. So I think in the end EMB3D is meant to finally put our hand on the dial from defenders and industry, OEMs, and manufacturers and turn the dial on the actors and continue to turn that maturity and continue to approach that at a more cutting edge pace rather than reactionary.

Bryson: And dive into what he sees as the future of EMB3D.

Niyo: I think there is such a gap that exists today on what we understand and how risk averse these devices are, right? They do well and they operate well. They’re built for what they’re doing in a safety context, but the security was never brought forward with it. And the problem is we perceive this in a very similar way. Well, it’s safe. So therefore it is secure, but that’s not true in these spaces. And we’re needing to lift that as a whole.

Bryson: Who is the intended audience for MITRE EMB3D, and how can they get the most out of the framework? What adoption has Niyo seen from the industry? And if he could wave a magic, non-internet-connected wand, what is one thing he would change? Join us for this and more on this episode of Hack the Plant. 

Niyo: This is Niyo Little Thunder Pearson. I started my career back when I was 19. I ended up transitioning out of the University of Oklahoma, not wanting to pursue a degree in computer science, and decided to go work for a tribal entity. I had built computers and done a lot of things at that point, but really no exposure to cybersecurity.

And then all of a sudden I was building point to point technology integrations between a WAN infrastructure they never had. Dealing with the Cisco 525 PIX, which was an interesting piece of technology back then. And then I shifted through a career of going into security hardware and working for a firewall company, working for one of the biggest financial entities in the world, which would be American Express.

And then eventually shifting out of that, especially at a point where it was kind of critical for the financial realm, into a place of protecting people and spent the next basically eight years in the OT, ICS, cybersecurity space. So here’s where we are now.

Bryson: So what are you doing now?

Niyo: So now I am independent, which is a good word for: I’m not working.

So that’s a good approach. Well, with everything that was going on, I knew I would need to shift out. MITRE EMB3D was coming out. I knew that a lot of other project work that, again, was open and free to the community, and I needed to be able to kind of realign where I was going to go and how that made the most sense.

I did realize, I think, I needed to do that outside the industry. I think within industry, there’s still a lot of things and we’ll, we’ll talk about that later, but still a lot of things that make it hard to have that transparent conversation at times.

Bryson: There is a lot of meaning laden in those words, sir.

Niyo: Oh, there is, but here’s the thing. I love the community. I love who I’ve worked with and the relationships I’ve built in those spaces. It’s just that there always is political layers in everything. It’s unknown that the world saw that TSA, you know, issued regulation. I have my own thoughts and feelings about that, probably different from a lot of people in that space, and I would say that it’s one of those where there was a real need that required me to step out of that space. 

So I was like, I’m going to continue being in embedded system space. Whether that’s aerospace, whether that’s rail, whether that’s going back to water, wastewater management, we’ll see where that ends up landing. I just needed to be out of my particular space to elevate the conversation as a whole.

Bryson: I wasn’t expecting to get into this, but what is your different opinion on the security directive that started in oil, natural gas, and TSA and has since expanded to two additional critical infrastructure verticals?

Niyo: So, apologies to all my colleagues for the differing opinion, but when TSA actually issued its requirements and specifically the second set, which were very prescriptive, I was like, about time. I mean, and here’s the thing, and I’ll tell you why. I came out of the financial sector, having watched Anonymous and LulzSec take down PayPal, MasterCard, Visa, understanding that they didn’t understand what wave structures were in attacks. So much complexity around how cyber operations take place today and there was little understanding there. And I got to the side of critical infrastructure in the energy space, and found that that was even more lacking, and there was a lot of work to be done. I think that for me, I interpreted it as, we’re going to go ahead and raise the floor, which is going to tie into what EMB3D is meant to do, and we’ll talk more about that.

But I think they did. I think they made a good calculation gauge on raising the security floor for oil and natural gas, and I think that was the right approach. I know a lot of people did not like that. I know that’s why we had two different revisions that came out afterwards to try to make it more performance-based.

But the problem is in my, my side of things, when you get to performance, it tends to be again, more political versus more tactical approaches and strategic. Not that there aren’t companies doing that and doing good work around that, but there’s just a lot of leverage to be able to try to interpret that in certain ways or kind of steer the conversations in certain ways.

So in the end, I feel like the first approach, which was again, the second release. This was under, the Washington Post has now released it as a redacted version. You can see all the specific requirements that were given, and again, I feel like that was in line with what was needed.

Bryson: I actually hosted a panel with the TSA, the American Petroleum Association, and the Washington Post at RSA in 2022. And it was a combination of a little bit of a mea culpa, as well as an insight to a lot of the work that had been done on the security directive before Colonial Pipeline, although, because the impression in the public was, oh, this happened, here’s a reaction.

And it had actually been something that had been happening for some time. Now, certainly there was a catalyst to, we need to do more quickly. But I would summarize your point effectively as, it’s no surprise that when there’s only guidance, that’s not treated the same thing as mandatory regulation.

Niyo: Correct. And all I’ll say is that it’s something that everybody knew was coming. And then we knew this was coming because NERC, FERC, and all of our counterparts in electric told us that that was coming, right? You’re gonna see it. And we could predict that yeah, we would see something similar to what they had undergone in that process. So in the end, I think it just tried to help everybody else along if they weren’t there, and getting to that common, again, raised security floor.

Bryson: So I’m going to throw a question on prediction then. Where’s this all going to go?

Niyo: I – We’re still in the beginnings of it. And matter of fact, I think EMB3D is meant to turn a lot of things on its head too, about how we perceive that we are protected or we’re doing the right things or, or we’re making it better. So I’m really excited about that. CISA is taking on the secure by design, secure by default. I got to see Jen at DEF CON, and hoping to have those discussions, she was amenable to that. So I think we’re at the beginnings. I think that was really, let’s try to catch us up from the ’90s to hopefully early 2000s. EMB3D is really meant to help us prepare and propel us further ahead.

Bryson: So that’s come up a few times now. What is EMB3D?

Niyo: MITRE EMB3D is a global threat framework. It’s a new one that is focused on embedded systems in critical infrastructure spaces, such as rail, oil, natural gas, water, wastewater, aerospace, autonomous, UAS. So anything that uses an embedded system, and it can be extended to like chipset manufacturers and others.

So I don’t want to exclude the ones that we’ve called out, and there’s a white paper, I think everybody should read on the actual website. We can talk about that later. But essentially, I would start with the white paper. I helped develop huge content within it. And I think it tells that story really well. I say this because I hate white papers. I generally hate reading them, but I would implore you to read that first before you look at the website, before you start digging into anything. 

And here’s really the biggest thing. Why did we do this? Why was this needed? Essentially before – I’m going to give a little bit of story – before 2020, there were a lot of things that were happening. It looked like we really had some momentum. You saw the DARPA RADICS program, which is a black start, being able to start the electrical grid in seven days. They were successful in testing technologies that could prevent these kinds of hacks and attacks from happening, as well as also showing what kind of preparedness was available at that moment.

There were also things going on with DHS with funding for LOGIIC, a kick and OTD. What I’ll tell you is that some of those things are out there, but if you want to look for one of them, LOGIIC is spelled with two I’s, and then you can see some of the things that they were able to produce. And then finally, you saw a lot of research and development into things like host-based protections for embedded systems. You saw serial and analog-based monitoring for a lot of communications that sit on embedded systems, especially oil, natural gas, all in the energy space, as well as some ability to pull forensics in case you had any malicious rewrites of firmware or implants in the actual memory itself on the embedded system.

So, all that was going really well, right? Then all of a sudden, we had this huge reset, which again, we raised the security floor and you saw the regulation and everything, but there was so much detraction off the embedded system space. So let’s talk about why this is so huge. Is it that MMIs and HMIs and the actual SCADA control systems aren’t important? No, they are. But let’s be clear, when we’re talking about just the number aspect of your entire system in the energy grid, regardless of what it is, your embedded systems outweigh those systems at least three to one.

So when you look at it, especially from a cyber operations lens, and the way that I kind of approach this: I’m going to go after the things that you don’t protect, the things you don’t watch, the things you don’t monitor, the things that lack the ability to have any kind of security control around it. And that’s where I want to live and continue to operate, versus the things that have an EPP and EDR, and have attack management protocols and all these other things that are very complex that can reside on a Windows or Linux or a Mac OS box. So in that regard, it’s where I pivoted a lot of focus into that embedded system space.

Bryson: What exactly is EMB3D?

Niyo: EMB3D is broken into two areas. It’s the threat framework to be able to describe what attacks and threats exist for the embedded systems. And this is a new approach for MITRE. So MITRE and Red Balloon, myself, and NARF Industries have developed this framework. We’re all co-founders to it. The threat framework is something very new for MITRE.

So everybody’s familiar with MITRE ATT&CK and MITRE ATT&CK for ICS. Those only actually record observed adversarial threats. That’s it. It’s the end of the line. It’s what you see as the kinetic form of an attack in existence today. MITRE EMB3D follows everything from a theoretical, which is academic and theoretical, to proof of concept, proof of exploit, to then CWE.

So any kind of material weakness that actually exists in a product to the observed adversarial threat. So it’s following the precursors all the way to the post-event structure, which was something very new, and took a lot of conversations for MITRE to get comfortable with, like, we’re going to go and articulate these kinds of things.

But then it is also giving you the raised security floor. So we were talking about this with the TSA, my manifesto per se of like, what we think we need to do around the raised security floor for embedded systems, along with the others that are involved in it. And what I mean by that is that we structured this into three phases.

We’ve structured it into a foundational tiering phase. We’ve structured it into an intermediate and a leading. And so on that foundational phase, it’s a whole-of-tier approach. In other words, anything you do, it is going to be based around your hardware. You’re essentially going to do those mitigations across the board. Then when you get to leading or intermediate, you’re figuring out what works for you, and you’re picking and choosing those things according to, again, cost, according to what your product setup is or what your actual product space is.

Bryson: Who’s the intended audience and how would you recommend them to on ramp and use this framework?

Niyo: The intended audience was for OEM and manufacturers first. It was written for them. It has an additional audience for everyone else, as defenders, operators, any kind of researchers in the space, because it was really meant to solve three things in embedded systems. 

One, give us a common language that we can talk about the threats that exist today. The things that you see within EMB3D, the attacks and the threats, they’ve existed over decades. It’s not new research. Some of it is, some of it’s not. But essentially, it’s giving us a common language to be able to discuss these things. 

Two, it removes the black box principle around an embedded system. We’re basically bringing transparency to the kind of threats that exist within this platform itself. 

And then three, it’s the ability to be able to really educate the space of like, how mature are we in this area right now? Again, I think there’s a lot of assumptions around some of the marketing that’s gone on in the OT and ICS space about where we are and how mature we are.

I love these companies I’m about to name off, but I’m going to talk about how, it’s not something that’s purely abstracted from their message, is that, like you have your Clarotys and the Azure for IoTs, and all these various products that are out there and they sit within a network stack. We’re not seeing a full visibility and they don’t always articulate that. And I don’t think that’s the actual subject matter experts in their area. I think it’s really the marketing place of all of these companies. And again, everyone wants to get more customers, more market share. And in the end, I think we evangelize a message like, oh, we’re covering everything when we really don’t.

So in the end, it’s meant to be across the board, but it was originally engineered for the OEMs and manufacturers. For them to work with their product security teams, their architectural cyber security teams for their OT product lines and ICS product lines, and be able to really go into a Secure by Design so that they’re running through the SDLC processes, the red teaming processes, and being able to design a product that is constantly evolving and being more secure by its design and development, rather than just dealing with bones that come out constantly, and basically playing what we call whack-a-mole.

I will say this: the way you would approach this is one, read the white paper. Second, look at the actual website and be able to download the actual properties, and be able to walk through your properties based on a hardware footprint first, and then really migrate into your software side.

Bryson: So where’s the framework going to go next? And what kind of adoption have you seen out in industry?

Niyo: Phase one release just had the threat framework, so we have not released the mitigations. The mitigations are coming out here at the end of September, but we’ve gotten great response across the board. I mean, we’ve seen things from military, automotive, aerospace. We’ve had a lot of people reach out and collaborate, give feedback. We’ve had industry insiders be able to provide us insights on this. 

Bryson was thankful enough to be able to – I appreciated his insight into looking at EMB3D and getting a gauge, a litmus test of say, did we actually do what we needed to do? Or is this more fluff? Because I don’t want to create more fluff, right? We need less of that in this space. 

So we’ve gotten a lot of great feedback across the board and we are set for a phase three. It’s meant to really crosswalk this, very side by side with industry experts, global researchers in the space of medical, in the space of rail, every single area, right? We want to be very intentional.

I’m not just touching on it a little bit, but actually getting with ISACs, and we’re getting with specific global researchers and specific leaders and OEMs and manufacturers in those spaces to be able to walk through these areas and actually map it out. What I will say is that before we ever released the first phase of EMB3D, which was just the threat framework, we did crosswalk it with a medical device, a couple actually, and it fit really well. We did not have to make any adjustments in order to accommodate the medical side. And this made us very happy because we felt like we did make it as agnostic as possible, right? We weren’t really trying to just gear it around my background, or some of the backgrounds that are involved in this, in the oil and natural gas, electrical, whatever. But we wanted to ensure that it really did encompass a system-agnostic approach to embedded systems across the board. And that’s why I said, we want to even extend this out to the chipset industry.

I think the last thing is on the EMB3D side, understand that we – with the mitigation release, and then you’ll be able to dive in. These are going to be very detailed mitigations. We’re wanting to define the road. We don’t want to tell you how to do it because we don’t want to [stifle] innovation in this space about how to protect it better, but we are giving you the roadmap about how to do that, and what the road looks like, and how to make sure you are successful in that space. And understanding as the iterations of these maturity continues to evolve, we’re essentially wanting to see that the leading becomes the intermediate, the intermediate becomes foundational, right? That we’re controlling the dial per se of the maturity in this space, so that we are taking advantage of it over the attackers.

I think this whole conception in embedded systems was, oh, you can’t get a hold of these devices, it’s really hard to get your hands on them. I was like, unfortunately go to eBay and you can find, you can get a lot of PLCs, RTUs for about anywhere from eighty to a couple hundred dollars. It’s not hard. And unfortunately the hardware doesn’t change because these things go to be deployed for five, 10, 15, 20 years.

So in the end you get a good sense of what we’re actually running today, and the way that everything is structured today. So we can’t take this approach like, oh, they’ll never see it. Like it’s a nuclear station, right? You can’t go in and put hands on these things, or some of the airplane parts. No, this just is not a reality anymore.

You can find these things, you can get a hold of them. And if we’re talking about geo-political adversaries, then from their standpoint, they have the money and the time and the resources, they can make these things happen quite easily. So I think in the end, EMB3D is meant to finally put our hand on the dial – from defenders and industry OEM and manufacturers – and turn the dial on the actors, and continue to turn that maturity, and continue to approach that at a more cutting edge pace rather than reactionary.

So after the DEF CON talk at the creator stage, afterwards, we saw someone from the automotive side that works on the global policy for automotive. They were super excited about using EMB3D and getting it bound into the processes that they were needing on the automotive side. We’re super excited about that, as well as interfacing with DARPA. We’re going to be working with them to get this out within all the ARPA areas, as well as DARPA itself. And also, uh, some collaborations with Jen Easterly and the EU CRA. So more to come on the, the EMB3D side.

Bryson: All roads lead to Rome. So we can either talk about Rome, or all the roads. You’re ready for it? This is how I end every episode.

Niyo: No, no, no, go ahead. 

Bryson: Alright. You have a magic non-internet-connected air gap, air gap, air gap, magical wand. You wave it. What’s one thing you would instantly change?

Niyo: I think there is such a gap that exists today on what we understand, and how risk-averse these devices are, right?

They do well and they operate well. They’re built for what they’re doing in a safety context, but the security was never brought forward with it, and the problem is we perceive this in a very similar way. Well, it’s safe, so therefore it is secure. But that’s not true in these spaces, and we’re needing to lift that as a whole. Case in point:

There was a lot of history that took place after 2020 that was involved in a lot of disappointing discussions, but it led to the development of a ransomware, and what we would consider infrastructure hostage as a service. When that proof of concept came out, when that was basically published and it’s under Snancy bear, you can go find this under RBS site and read about it. 

The reaction was a couple of blinks and everybody moved on. I mean, it’s still quoted as being one of the original pieces of ransomware for an embedded system. But to me, I was like, that’s the wake up and the aha moment. And no one even batted an eye. I was like, okay, well then that clearly shows us why we need to be able to go a step backwards.

It’s the reason why EMB3D became the thing I went after, and why we needed that before anything else. We clearly don’t have an education component around this, we clearly don’t understand the same risk levels across the board, and trying to fix that. I think anytime you talk about these spaces, people equate it to rainbows and unicorns. If you ever saw a rainbow, you couldn’t say the date and time that you ever saw the rainbow. But if you ever saw a unicorn, maybe you should talk to someone. If you see one in the cyber security space, talk to Bryson.

Bryson: Okay, last question. You waved your magic wand. Now you have a crystal ball. Looking into the future, one good thing and one bad thing that’s going to happen.

Niyo: I think the one good thing that’s going to happen is we will see a whole-of approach with getting better in the Secure by Design space. I think we will see OEMs and manufacturers step forward and really embrace this. We’re hoping that EMB3D is kind of that cornerstone, foundation for that. And it’s meant to align with existing global standards that we have today, 62443, and others that are out there. It is meant to bring and elevate past that, and keep that maturity phase going. But I think that we will see that. I say that because I’ve had conversations with OEMs and manufacturers and their product teams, product security teams, or their cybersecurity architects. And they are interested in doing that. 

What they’ve said is that, we didn’t know what to use, what was going to be the guiding principle to do that. It was really hard to be able to tack down a specific principle, because so many of them were written around the IT space, or they’re written for a post-event space, right? And none of them were written in the space of really following a product security line, and all these things that they need to cover as they’re developing these things, especially from hardware, as well as the software elements that exist within the hardware that they produce for the embedded systems.

The bad is, I mentioned this before. We’re going to see a rise of what’s going to be what I describe as infrastructure hostage as service. So let’s talk about today we know ransomware, and all that is is another iteration or evolution of ransomware. But in ransomware today it’s opportunistic. No one’s going to nickel and dime a computer or server, and I’m talking about the actors. They’re not going to sit there and go back and forth with their victims about, hey, we’ll get 50 servers. You got to pay 50 million here and these servers, you need to pay whatever here. Because why? At the end of the day, they can go and restore them. And they know that they’re working a process in which an organization could be restoring or building new, their infrastructure, to put back in place.

When you do this in embedded systems, it becomes a whole different approach. Every single entity that you have rewritten, and you’ve ransomware within an infrastructure, this critical infrastructure embedded system space, becomes a single point of negotiation. Why? Because you could change flows. You could be able to change pressures. You could falsely provide data to the operator in their operations. Whether that’s electric operations, gas operations, water operations. You could do any number of things. 

And by the way, do we have the ability to actually see these things today? Are we monitoring for when the serial communication is showing a compromise, or the analog data is showing compromise? We’re not. We’re not picking those things up. So if there’s peer to peer infections, if there’s other infections, you’re basically running around like a chicken with its head cut off, trying to figure out what else is infected. 

And at the end of the day, a lot of organizations don’t have these devices on their shelves. They don’t have them ready. It takes a really massive order and really a momentum effort for an OEM and provider to crank out a hundred of them. I’ve had conversations about what it takes and how long that takes in order to do those kinds of orders.

So we get into this, unfortunately, the next phase is going to be where we see negotiations around single points, or specific points in a SCADA infrastructure, where they’re manipulating or again, sending false data and doing these things. And yet they’re sprawling around the whole system. And it becomes this really cat and mouse kind of situation, where we’re trying to figure out what are the things that we know are known good, and how can we remove what we potentially don’t know, or maybe know bad. So I unfortunately see that being the evolution of the bad in the future of where we’re going.

Bryson: The GRF just came out with a semi-annual threat report and manufacturing was the number one target in their report for ransomware.

Niyo: Yeah, again, this space, we’re going to see it continue to evolve and it’s going to get worse. And really, I think the critical point is, so much of the ransomware discussion is still computer based, right? It’s still that personal computing, whether it’s a server, it’s the cloud environment, it’s the laptop or desktop. But again, seeing that pure migration out of that space into those embedded systems. You saw another instance outside of smancy bear [?], that actually occurred in Ukraine with a multi router slash ICS device that they had ransomware, and that was supplanted with a different firmware that was basically sending other commands.

Again, there’s a history of these things taking place, but we’re going to see the prevalence and that change of how that threat is developing in these spaces.

Bryson: Congrats, Niyo, you just hacked the plant.

Niyo: Thank you.

Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they’re released. Thanks for listening.