Failures of Imagination – from 9-11 to The Aurora Test | Episode 116

Aaron Turner
…go down the path some like this How how often does it actually work and we really had the budget for one try at this so we didn’t have the ability to to do you know multiple tries and so it was amazing to see it get pulled off and.

Aaron Turner
Okay, so that was the the test you know when I talked to people about Aurora I talked to them years later. Um, you know they there there are there are voices in the community who were who were critical about how the. Aftermath was handled I’ve been I mean I wasn’t there I wasn’t part of this but I’ve been told that um the details of the test were immediately I don’t know either classified or made for official use only and and basically hidden away. Um, you know, very superficial details were were. You know became public knowledge and it experts were shown some of the details and bluntly they they weren’t physicists they weren’t engineers. They didn’t understand the physical characteristics of of what happened and there were accusations of the whole thing being a ah you know a fake. Um, like I said it was the the public reception was very Confused. Can you tell us anything about what what happened behind the scenes.

Aaron Turner
That yeah, whenever you do something for the first time. No one knows how to handle it and and that’s the situation. We found ourselves in that the test had been conducted without necessarily. You know like a top secret classification around it. Test was put together in a way where you know so many people were involved. It didn’t necessarily have the same level of classification like a pure dod project would and so you know by it by the way it was designed that. And I think Mike did this on purpose he wanted to share the information to help people protect themselves and I think that’s why Mike designed it that way. He could have designed the test to be ultra-high classified that sort of thing so it was it was designed from the beginning something where mike wanted to share that information and and because of my background doing vulnerability. Reporting at Microsoft he asked me to lead the report to write the report of sort of what was going to get sent upstream to the sponsors. The people who had you know helped to support the the test financially and eventually to dhs because they were the they were positioning themselves as the industrial control. Systems cert right? So so we we get the report written and and the report was written on you know, non-classified systems on my laptop sitting on just the enterprise network at I l and we took that report and sent it up the chain and exactly as you said.

Aaron Turner
People who are on the rec receiving arm of that. The folks at Dhs were much more accustomed to traditional cybersecurity problems. Not industrial security problems and that’s where there was some confusion about well is this real What’s the impact like how should this be treated. And because you know we at at inl. We didn’t really have good guidance about what we should do. We wanted to balance protecting the information so it didn’t enable malicious use of what we just just just discovered but still providing guidance to infrastructure owners to protect themselves from these types of attacks and that. Began almost ninety days of really really crazy conflicts between people and and whenever there’s uncertainty people tend to become their worst selves self-protecting territorial. Um.

Aaron Turner
Egotistical in some of the things that happened and and I think that really set back. What was the potential to be able to to talk about this now once the video leaked to CNN. There was immediately a witch hunt to say okay who who leaked this thing it was the one that leaked this thing to CNN. Um. And lots of fingers were pointed all sorts of directions. But I think that was probably the best thing that could have happened because it it basically allowed for other people to look at it to go wait a second. This could make sense you you had people from other disciplines outside of the typical cybersecurity domain that we’re looking at it. And I think once that video was leaked. It basically took a lot of the pressure off of us at INL because at that point the horse had left the barn train left the station and that’s when more we got drug along for the ride. The ride at times was not fun because again there was. There’s politics involved. There’s egos involved and and whenever something new happens within the government. There are vested interests to say well I want to own that I want to own that program and so there was some competition that went down between the labs about who got who was going to get new funding and what was going to happen and and. And that’s where there was ah a huge tax on us as a team and and there were and and it showed in people’s personal lives like you take a look at what was happening you know outside of work and it just wasn’t a fun situation and all of that that great team that we would put together that cross-domain.

Aaron Turner
Interdisciplinary team people from all over the world and all over the the country who are working Together. You know it wasn’t fun anymore and so myself included I I sort of separated myself to say you know maybe maybe this isn’t what I’m cutting out from what I’m cut out for. Maybe. Maybe there’s better ways I can you know go after my desire to protect the world and the universe by you know, following by promoting cybersecurity in other ways and so you know by by the 2008 timeframe we had lost probably about half the team and and. And and that’s when I left I know it was in late 2008 and I went on to go do a series of Cyber security startups focusing on everything from mobile to Cloud and everything in between and and you look at that team that was there. Excellent. Great people that went on to do great things sometimes within the industrial community sometimes Outside. Um. But it was sort of sad to see it get torn apart because of the uncertainty about how to handle this and I think that’s the danger of whenever you do something New. You know people don’t know how to handle it.

Nathaniel Nelson
Pause Andrew I must have seen the grainy footage of the Aurora generator test by now dozens of times just because it comes up so often when you’re talking about ot cyber security. Um, with stuxnet being the big overall attack that everybody knows about but Aurora being that progenitor of this whole conversation and and so it’s sort of interesting to me just to hear Aaron’s background on it as somebody who is directly involved. Um. Um, even just watching the video now it’s it’s sort of it’s a very interesting case because you see this giant hulking green metal machine of a thing. Um, that is clearly in distress and then creating black smoke and it it almost seems like it’s about to blow up. Um, the notion that that could happen just from a cyber incident as much as I can understand that academically is still to this day. Interesting.

Andrew Ginter
Very much so and you know in in the moment. What? what? I remember when it was released the information or at least the video in ah 7 I mean the the rest of the detail didn’t become public knowledge until years later in 7 there was there was you know it was released on the news it was on Cnn. Um, you had cybersec security experts weighing in on Cnn on you know, social media. What social media existed in the day. Um a lot of the feedback that you know a lot of the the experts weighing in were cybersecurity experts not physicists not engineers with really. Little or no understanding of the physical process and some of them were coming in saying it’s all fake. It didn’t couldn’t really have happened that way without again without understanding the physical process and in my understanding in terms of the the physical process. What happened was um, inl has a full. Power grid it’s a massive test installation that ah the generator was connected to as one of many generators on this simulated power grid and what they did was trip. The breaker so disconnect the generator from the grid for.

Andrew Ginter
A short period of time I Assume a fraction of a second and what happens I mean the generator is under load. It’s supplying energy to the grid. The grid is consuming the energy. The generator is working the moment you disconnect it from the grid. It has no load any more but there’s still energy in terms of the diesel engine. Spinning the generator still energy going into the generator the generator speeds up and now the power. It’s producing and going nowhere. You know, just heating up the wires. The power. It’s producing is out of phase with the power in the the simulated Grid a fraction of a second later you reconnect it and now there’s enormous.

Andrew Ginter
Stress Torque They call it on the generator because when you’ve got you know a generator and the grid fighting it out for who’s going to win I’m sorry the grid always wins. The generator is forced back into phase in in nothing flat I know with enormous stress enough stress to. Destroy the generator you you saw the video there and the you know the so we we saw that in the public sphere. What I didn’t realize was sort of a different debate happening in the in the in in in confidence in government where people are saying oh it is real. Um, you know I want to own. This problem going forward I I didn’t realize that that that that was happening.

Nathaniel Nelson
I don’t want to preempt anything you ended up discussing with Aaron but from your perspective was there any major shift in the way that government worked with ot sites or the way that ot sites worked on their own. Um, that may have directly resulted from this.

Andrew Ginter
Um, the general I mean the the the incident was was widely reported. It was people talked about it for half a decade or longer. Um, after the incident you know the the big news that that. The biggest news that happened after that was sort of Stuxnet that sort of preempted it. But you know there weren’t a lot of examples in the public domain of cyber attacks that could or did cause physical consequences and so you know the the incident was was influential. Um. And you know in in Aaron’s estimation you know the the turf war that took place within the government. Um, you know was it turf war for funding and responsibility. It was you know when when that turf war settled out. There was funding. There was ah.

Andrew Ginter
An initiative and you know it was It was sort of instrumental in cementing that initiative going forward is my understanding.

Nathaniel Nelson
Pause But now coming back to the test itself you maybe I’m misremembering mentioned that the generator was destroyed now from the publicly available video that I’ve seen over and Over. Um, you do see a ton of black smoke. Coming out of it and it’s sort of shaking and it seems like it’s in a state of real panic this machine? Um, but the notion of this thing being destroyed and if anybody’s interested just look up a picture of this aurorer generator or a blowing up in any meaningful way. Still sort of Unbelievable. You’re telling me that there is more damage than what we see in this video or you’re just using a different word for it.

Andrew Ginter
No, so I mean the the generator did not blow up. It did not explode. You know the the video says the smoke rose out of the generator there. There was obvious vibration and the analysis of the generator afterwards The you know the the internal report to the government was the generator was destroyed. When you open that generator up. There’s nothing useful inside anymore you can’t generate power with it. You have to throw it Away. It was It was a ah write-off I Yeah I don’t I don’t know that the diesel engine was affected as badly, but the generator was shot. Ah and you know the diesel engine provides.

Andrew Ginter
Energy to the generator. The generator turns rotational energy into electricity. Um, and you know I’ve I’ve had the privilege of visiting large power plants in the past when I see a large generator. That was ah a ten megawatt generator. It’s nothing by the scale of the grid a large generator is three hundred five hundred eight hundred Megawatts so it’s you know between between thirty and eighty times as big I I saw a five hundred Megawatt generator once and it’s you know it’s as big as a bungalow um and it looks like a very large lump of molten metal. You know it just looked like you took a big drop of metal and dropped it and you know it it landed it hardened and that’s what it looks like and I’m going. That’s not what I expected you know I expected a generator to be rounder. You know I expected sort of sort of and and they said no no, you don’t understand Andrew they said all of that mental on the outside of the generator is to protect you and me standing here because if that generator fails in the worst case and you know an out-of-phase reconnect is is pretty close to a worst case.

Andrew Ginter
Um, but you know I was told if that generator fails in the worst case it it basically blows up it. It’s turning at at least 60 cycles a second 60 rpm um, and if it flies apart this is three hundred tons of metal that’s flown apart and. All of that metal. You see on the outside is to prevent that metal inside flying apart from striking you and me in the building and all of the other generators that you see down the the massive building so you know it’s ah it’s a real concern and in the modern world like I said people protect. These generators there have been cases in the past where generators have blown up. Um or turbines have blown up. Um I think it was a hydroturbine in 2009 killed 75 people so these are very large pieces of equipment. They’re dangerous pieces of equipment. This little demonstration. Managed to destroy a 10 megawatt generator but you know the the concern everyone has is that much worse is is clearly possible. Pause. So need you know as I said in the in the interview I remember.

Andrew Ginter
So that you know that begs the question here we are um, going on fifteen years later than 2008 you know there’s a lot of water under the bridge since then industrial cybersecurity is ah is a mainstream activity. You know we still have we still have lots of engineering teams who are. Just beginning to come up to to speed. But there’s widespread recognition that that you know this is a thing. It’s real. Um, we have to you know we have to act on it. Um, did you you know did you stay in touch with the community. Um, you know in in your sort of. Contacts your your view of the of the history. You know how? how was all of this confusion resolved. How did we wind up sort of on a track to get to where we are today.

Aaron Turner
And well again I think we need to pay tribute to Mike for being courageous enough to stay the course like he he could have bowed out and said hey I’m going to go do something else but he leaned in with with FERC and NERC and said look. We’ve got to do something about this and. And as the result he spent some time researching where would be the best place to land to keep driving this this forward and the other person I think we should really pay tribute to who also unfortunately is not with us is Alan Pallor the founder of SANS. So. Mike and Alan had known each other through other you know training relationships and alan really put himself out there to say you know what? because sans has this platform to to provide meaningful technical training because sans has this great certification mechanism where you go for this training and and SANS certificates. You know, still to this day really stand above others because of the the depth of technical training that you get through those those courses and so Alan and Mike basically agreed to say you know what? let’s create an industrial control curriculum and. And that was the best thing that could have happened because at that point Allen had the resources to push it forward to basically fund the creation of a bender neutral um forum for people to go and learn meaningful things but Aen also had the political connections because.

Aaron Turner
Allen and and I had known alan from the time when he first started sands when I was working at Microsoft we collaborated on sharing course materials around windows security because Microsoft needed some folks to go teach the US military about how to secure windows systems and Microsoft didn’t wanted to maintain ah an. Arms like relationship there so sands became a great channel that I collaborated with there and so so with that connection with SANS. That’s really where what I’ll call the flowering of public knowledge in a proactive you know, well-defined way. And as a result of that SANS curriculum doe sort of I guess there was ah there was a peace movement between what had happened between the Aurora ah test and and some of the DHS stuff that had gone on and so DHS and DOE.

Aaron Turner
Went along with that and created their own course materials and to this day you can still go out to the Idaho National Laboratory and participate in hands-on technical training around industrial control and so I think that was really the the combination of stands plus the ability of DOE and DHS to put together a curriculum there. That was really what what put this in the position where we’re at today and now you take a look and there’s been a flowering of startups you know folks like Dragos and others that are out there that have really tried their best to help this community and and I think that’s what really gives me. puts us in the situation we’re in today which is a much much healthier one where people can have open and honest discussions about the convergence of control systems, cyber physical attacks and you know the price we have to pay now is that we’ve seen several but I mean just in the last year. Or two years probably the ones that are most interesting to me or what happened with the belo russianian railroad system as a result of some probably ukrainian attacks against that railroad system to stop the delivery of tanks to their northern border. But you know there’s there’s been some terrifying things what you’ve seen as a result of cyber-physical convergence. But it’s the world. We live in now. And I think now we have the ability to have open and um, honest conversations about what we can actually do about it and so that’s really interesting I mean I yeah I knew Mike I knew Mike Assante to see him. Um, you know he was. He was a fixture at ah Dhs and and other events I kind of. I kind of knew him as the the he was one of the the senior managers at NERC. Um, and you know he he yeah was infamous. He I think he was only there a couple of years but he was infamous for sending out a letter saying guys. Ah, you know this version of NERC CIP says that.

Andrew Ginter
Ah, you have to self-assess as to which of your assets are critical to the reliability of the bulk electric system some large power utilities out there have identified you know dozens or even hundreds of ah you know, physical assets and cyber systemsstems that control them as. Critical to the grid and have taken measures to protect them other utilities just as large have come back and said absolutely none of our equipment is critical. We all know that these both can’t be true. You know fix this I remember the. I’m paraphrasing that that was what I the the sort of the the takeaway that I recall from the letter that was sort of where I I was introduced to Mike and then you know I saw him later on at at sands. Um, you know I had I had I had none of this this background before.

Aaron Turner
Now. So if you think about you know what? the what Mike did is he put himself out there to basically say we’ve got to make a change and I think that letter was part of it. You know. He he continued to work closely with congress to you know motivate folks to make sure that the right at least partial legislation was in place to try to and say hey we’ve got to do better about protecting critical systems. Ah he did a ton of lobbying with the hs to make sure that they were empowered with knowledge so that they could. Build the right working groups and keep moving it forward and so he he was critical to it and and I think what a lot of folks don’t understand is that you know he he was a cancer survivor and that was one of the things that attracted me to work with him I’m also a cancer survivor and so you know whenever you face death. You know both he and I got. Ah, terminal diagnoses where we were supposed to die sometime in 2006 and that also motivated us to go out the inl because if if the diagnosis is right? We kind of both wanted to go out with the bank. Well um, you know fortunately I have continued to fight mine I was I suffered from melanoma and. But he suffered from non-Hogkins Lymphoma and unfortunately he had a reoccurrance and that’s reason why he passed away a couple years ago but I think the the thing that we look at now is you know Mike’s ability to focus people to get people on the right path and that’s why we are where we are today.

Aaron Turner
Because he had the courage to write letters like he did at andr to basically stand up in people’s faces and say we’ve got to do something about this and and that’s reason why there’s scholarships named after him and awards in the Cyber Security community and it’s all it’s It’s all merit like there’s we. There’s a whole bunch of stuff that Mike did that no one will probably ever know because he wasn’t a bragart. He wasn’t a guy who wore all of his achievements on his sleeve will probably never know the full extent to which he dedicated his life to make the world. A better place. Um, and I just got myself as lucky that I got to go I got to work with him and got to know him.

Andrew Ginter
So yeah, Nate as I as I said on the on the interview you know I knew Mike Assante from his days at nirk I think he was the chief security officer the officer there for like two or three years um and you know then he moved on and I remember him eventually you know in. Before he passed away. He was in charge of the industrial control system training program at sans. Um, but you know what little I knew about him personally is that you know he wasn’t afraid to to make waves I remember that letter that came out and I think it was 2009 um, talked about look you know sip version. 3 says you’re required to um, you know these power utilities are required to define a risk assessment methodology. You’re required to apply the methodology to your physical assets the generators and the the transformers of the substation. <unk>re required to identify which of these physical assets are essential to the the reliability of the grid you are required then to figure out which computers if any are essential to the correct operation of those physical assets those are your critical cyber assets you have to apply the rules in merc sip to the critical sideber assets. He said a lot of you. Large power utilities that you know probably have c critical assets and critical cyber assets have come back and said we have none. Um, you know this is going to have to change and you know it was controversial I think because.

Andrew Ginter
People interpreted it as you know, accusing the power companies of not caring about the reliability of the grid. Um, and you know I I reread the letter. Um, and you know I don’t I don’t see that um I mean he’s identified a problem. He says this methodology has been applied inconsistently um and you know he gives he gives you know the power companies now he says look um you know in his estimation from talking to the utilities. It has to do with redundancy. The grid is massively redundant if a generator goes down. There’s other generators that can pick up the load. If ah, if a substation goes down. There’s other paths through the mesh that is the transmission grid to get power from sources to destinations and he says that you know the fact that you have redundancy does not make these devices not critical. Yes, any 1 of them can fail and the grid keeps going. But. He says these devices are still critical to the grid because in in the world of sort of random equipment failures you can count on redundancy in the world of cyber attacks deliberate attacks. You might have an attack that takes down multiple similar assets that are similarly defended and now the redundancy has been bypassed and so. You know to me it was it was it was reasonable. But again it it was controversial in the day because he pointed out this inconsistency in a very public way.

Andrew Ginter
Wow. Well thank you for that. Um, and thank you for joining us I mean this has been ah, ah you know insights I didn’t have into you know the history the the beginnings of of the the industry that now has thousands and thousands of of practitioners in it. Um. You know before we let you go um, can you sum up for us what you know? What should we? What? What should we all take away from the history. What what lessons should we should we you know carry around with us.

Aaron Turner
It. So I think the first thing is is that the older we get the more rigid our thinking becomes and luckily Mike and I were both young kids who are willing to challenge the status quo we were willing to challenge the the incumbents. And basically think evilly right? We we were the ones who really started to say look what’s the worst thing we can do and I think that’s something that we always have to be willing to consume and whether that’s you know, inviting, you know outside folks to come and do penetration tests and. And be able to evolve threat models I think that is so so important and so I would say you know if you’re a security leader someone who’s been around in the industry for a while someone who owns large infrastructure systems or whatever be willing to bring young folks in who have new thinking about new ways to approach. How do you compromise these systems. How do you How do you turn a protection. What what was maybe a control designs of protection into a weapon and we always need that fresh thinking. So I think step 1 always makes sure that you’re open to critical thinking and to evolving threat models so that you can understand. You know how to go about doing things the next thing I would recommend to folks is as you make investments in cybersecurity sometimes simpler is better so over the last thirty years there’s been several phases of my career where I’ve seen people say you know what.

Aaron Turner
I’m going to go out and buy every security tool on the planet and just start layering this stuff all over the place because more is better. Well the situation we find ourselves in now is more may not be better because it’s too noisy because it’s too. It’s giving you telemetry. It’s maybe false positives and you know. You know as much as sometimes we we want to avoid single points of failure want to avoid situations where we don’t have great resiliency through through distributed or or diversification and you know we’re nearing a time now where we’re seeing. Proliferation of attacks especially through identity control systems where you know, even ah, very supposedly strong identity systems that have features like multifactor authentication that identity system itself is compromised thereby eliminating the need for Mfa to get into the system and so sometimes those. Complex identity systems come back to vias because we’ve cobbled these things together so simplification in things like identity ecosystems simplification in things like network segmentation I think those are things that we need to engineer towards as as system owners of How do we simplify to get better security results and the last thing that I that I’ll put out there for for the community is we need to find the next version of Mike I don’t know where that person sits very likely not within the cyber security domain. The.

Aaron Turner
Think the the diversity of thought that comes from other ah from other disciplines is what we need to keep ourselves fresh in cybersecurity and we’ve got to be looking for those people and giving them chances to come in and participate in meaningful ways and and I think with those 3 things we can. We can. Keep moving forward to what got started fifteen twenty years ago.

Nathaniel Nelson
Pause enter that was your interview with Aaron Turner do you have any final thoughts that you might want to end with today.

Andrew Ginter
Yeah I mean um, let me repeat his his 3 points he he went on for a little bit. You know he said in my recollection be paranoid challenge The the status quo in terms of of you know, bad stuff that could happen. He said simplify you know. Simpler is better. He said you know diversity Cross-disciplines Ah you know, bring bring fresh knowledge in especially when we’re talking you know he didn’t say it but in my mind especially when we’re talking about physical consequences. You can’t You cannot really get an understanding of the physical consequences without bringing in. People who are experts on the physics experts on the engineering so you know be paranoid challenge the status quo simplify and you know bring people in who know about you know how things work makes great Sense. You know the. Lately I’ve been very involved in the the cyber informed engineering initiative and it’s saying some of the same things he’s saying it’s saying that you know, um, we have to teach engineers to be more Paranoid. We have to ah you know, use powerful simple tools that Engineers have you know. Over Pressure. Relief Valves Mechanical Overspe Governors use these simple tools as lastditch stop gaps so that even if all of our cyber defenses Fail We still have physical protection from Catastrophe and you know diversify you know, bring in the physical experts.

Andrew Ginter
Um, there’s a lot of knowledge that’s needed in in the space. A lot of it’s in the head of engineers some of it’s in the head of you know chemists and physicists this all makes this all makes perfect sense. So you know I think you know Aaron has sort of not been active in the field in in. Most of a decade but but his advice is right on the money.

Nathaniel Nelson
All right? Well then thank you to Aaron for sharing all this with us and Andrew thank you as always for speak with me. This has been the industrial security podcast from waterfall. Thanks to everybody out there listening.

Andrew Ginter
Thank you very much Nate.