
Good morning, everybody. So first of all, I really would like to thank the BSides team for having me here, and I am really so happy to be back in Israel. I absolutely love the country, and I am especially pleased, of course, that I was given this fantastic opportunity to open this event, so thank you very much.

As you probably could have guessed, I am from Ukraine, and this war of course concerns me more, like, directly. And this is where we will talk a little bit about this hybrid war, you know, a term which existed already for probably 10 years while not having a war, and it is actually for the first time that we actually have the hybrid war, even though in the newspapers it has been forever. And we will understand: there has been a large anticipation that cyber will have one of the cardinal or main roles in this war, and it just did not happen. So why? This is what I will talk to you about.

You know, I left Ukraine. I was born, I grew up and I spent most of my adult life in Ukraine. So when I left Ukraine in 2005, I became painfully aware of being, at times, the only Ukrainian on the international scene. So I felt like it was always maybe my role to explain to people who Ukrainians are, to be, you know, a good representative of this nation. And, you know, you recognize the T-shirt: when I was at the CCC Camp in 2019, it coincided with Ukrainian Independence Day, so I put on my T-shirt and marched through the camp. And if you have never been to the CCC Camp, it's fantastic, it's international, it's a really fantastic place to go, it's a whole week. So, just to say, like, well, this country exists.

And then of course on February 24 our life changed, and I will speak a little bit more about how I interacted with Ukraine before and during the war. But, you know, I just stopped even putting on my makeup, because day by day I was just crying, and actually
the first six days I was in such a shock, I did not sleep, I did not eat at all. And Inbar, one of the organizers of the event, he told me, like, "Marina, you know what, I really highly recommend you to sleep and to eat." I say, like, "I'm fine." He says, "You will crash." "No." And guess what, a few days later I just crashed terribly.

So I am often asked, like, where are you from in Ukraine? So I circled it for you. And, you know, normally you would not ever even hear those names, but now even the State Secretary of the USA knows exactly that place. Why? Because two days ago or three days ago Russia launched a rocket on the shopping mall, and it's my native town. And two of my relatives: one of my relatives, my sister-in-law, was in the parking lot as it happened, she was just heading toward the shopping mall, and my sister was working in the office next to this mall. And as my sister was joking, like, "Well, that's the mall where we bought your underwear before you got back to Europe." Like, great, now the State Secretary of the USA is aware of the shopping mall where I bought my last pair of underwear. Surrealistic.

So I have always been working closely with Ukraine. I left back then because nothing much was really happening with security in Ukraine, and then I returned back to Ukraine as security started happening. So I've always had strong ties with the government, with the industry, with the private sector, with cyber security companies, and this year I even signed a contract on them and a lot of governmental projects, where right now Ukraine is doing really a lot of fantastic work in security. And, you know, the war and the danger was already in the air, so the organized science grids war, where I was allowed to participate as assistant to the teams to help them to play, because grids war includes hacking critical industrial systems. So it was beautifully organized, even a lot of fun, really. And so one of the also
directions which I was leading is developing the national OT racial security training, where I wanted to work together with Phoenix Contact to create the lab stands. And as you can see, Ukraine always wanted to be in the European Union, and, you know, sometimes just as an affirmation, like, put a flag, and maybe someday it will happen, and now it did. So this is what I was planning, to build such stands. You know, these are the people with whom I've been working in Ukraine. It was before New Year, we are all happy, my family is happy, we had a lot of plans for 2022. It was all fun, and I even left my pajamas and my flip-flops in Ukraine because I was supposed to return in January. But then I could not, because already starting from the middle of January it was advised not to fly, and basically it was advised for everybody who can leave Ukraine to start leaving, especially if you have foreign... And then my sister started sending me pictures as she is hiding from the bombs.

So now let's go back a little bit to the hybrid warfare. Yes, no? Is it happening? Has it been before? Is it now a new format, is it old, what is it? And the problem is that, you know, there is of course a lot of overhype. As my very good friend Manuel Atug says, this war is conducted on the PPTs. I say it's conducted in the newspapers. You know, we overuse and abuse wrong terms just to create a little bit more excitement. Consultants also need to create a little bit of fun and danger, you know, so that they could sell consultancy services; vendors need to sell their appliances. But by the very definition, war is intense armed conflict. So anything that we've been experiencing before, you can call it a political crisis, maybe even a military crisis, but mostly a political crisis, but it is no war by definition. And this is why everything that we've learned before, like any events which were happening in peaceful time, which were considered as impactful
and maybe unacceptable, is actually innocent and negligible in the war. And this is why we've got it completely wrong about how this hybrid warfare is actually going to happen when it really will be happening as a military conflict, with all of those components which belong to the hybrid warfare. And again, now if you look in the definition of hybrid warfare, it is a military strategy. So hybrid warfare is simply not applicable to the peaceful times.

And then, you know, hybrid warfare has a lot of components: political, diplomacy, influencing masses, blah blah blah, there are a lot of components. So cyber is just one of them. And the problem is also that in the past, in the peaceful times, when we spoke about cyber warfare, mostly people were referencing information warfare, which is disinformation, fake information like fake news and so on. But information warfare is a completely separate component, it's not even cyber warfare. So in the past we spoke about these terms completely wrongly, we are overestimating them, and this is why the anticipation about the role of cyber and cyber warfare in the military conflict, or in real hybrid warfare, was overestimated, and what we got wrong.

So you maybe think, like, well, who is she, how can she even talk about this topic, what does she know about this? So this is a little bit about myself. I'm specializing in the degradation and destruction of industrial, or basically any, automation processes or physical equipment by the means of cyber attacks. So what you know about the saboteurs in the normal, like, regular army, I do the same but by the means of the cyber attack. So basically I'm specializing in offensive cyber-physical security, and as I was preparing the slides I figured apparently there is even a term for that, like, cybotage, so I am a cyboteur, apparently. And I have more than 10 years in this field, so I probably can call myself a veteran. So, if you know, like,
there is a book by Malcolm Gladwell who says you become an expert if you put into something more than 10,000 hours. So in my field of work I probably put at least seven times more. As I started working in this field, I was almost pretty much alone, nobody had been specializing in this. So I've been discovering a lot of different ways or components, like which exploits I need to develop, what are the difficulties, challenges, hurdles and so on. It was extremely difficult because I had to obtain a lot of knowledge which is multidisciplinary. And basically the point which I want to leave you with on this slide, the next slide, is that development of cyber-physical exploits, and I put in brackets even "high precision", because typically we have in mind what damage scenario we want to cause, requires a really significant amount of specialized knowledge and skills.

So as I was working towards writing individual exploits for specific tasks, I really came up with this idea that I would like to execute this cyber-physical attack from start to end. Like, this is a chemical plant, I know nothing about it, and at the end I need something like a Stuxnet, a payload, where it does what I need with that chemical process. And if you remember, Stuxnet was, like, more than five, like around seven years to develop, because then they kept it a little bit before they deployed. And interestingly enough, I'm celebrating the seventh-year anniversary of this research. Even though on the big stage I presented at Black Hat in the same year, I actually pioneered the talk here in Tel Aviv seven years ago at Cyber Week, exactly, basically, seven years ago. And so I presented this cyber-physical attack life cycle, and it was really the first time ever anybody spoke about exploitation like this, and I received really giant feedback from all kinds of people from all
over the world. And as I kept specializing in this field, I upgraded my cyber-physical attack life cycle a little bit. I figured out that these two stages, feedback and response, I need to add them because they're individual stages. And I don't know if anybody here is a fan of the Mandiant attack life cycle, and you think that this looks like it. It does, and I've done it intentionally, because I wanted IT security professionals to kind of feel a little bit as if it is something familiar, just different stages. So this is my specialization.

And so as January came and it really became apparent that the war was going to happen, the National Security and Defense Council of Ukraine asked me to conduct a cyber security training for all owners, for all people responsible for critical infrastructure in the country. Which was a difficult task, because I needed to put something together very tactical, but I also had to teach this training online, which is again extremely difficult, like sitting all day long and communicating just with your PC. But, you know, we already all felt that war was coming, and to be honest, the atmosphere was like, through that computer I could literally feel every heart. And I had heads of security starting from railways, national railways, to nuclear and everything in between.

So, oops, I did something wrong, right? So, yeah, basically we've been really strategically preparing so that every one of them could understand which scenarios are possible, what risks their infrastructure is having, can they quickly prepare for the war, what to anticipate and so on. And as the war started, one of the first tasks which I was asked to assist with was, like, okay, so we have a lot of critical infrastructure, like oil and gas and power and whatnot, what scenarios? And I was given a giant list of scenarios which, let's say, people in charge, let's call them that way, were afraid could happen to our infrastructures, and they wanted to anticipate: shall
we expect this to happen or not, how do they build the rest of the strategies. And as I was going through that long list, it's just like: no, that's not possible; that's not possible; there will be safety, there will be precautions; that will take a lot of time; that they will probably be able to execute in three months. And for us, as we were going through that list, it became apparent that we shall not even be expecting any cyber attacks. And especially because, if you remember, there have been those giant waves of attacks in 2015 and '16, where Russia was executing, like, more than 2,000 attacks over the course of two months. But to execute that volume of attacks they'd been preparing the whole year, because they need to penetrate or get into a gigantic number of infrastructures, they need to have a persistent foothold, they need to be there, so that at the time when they need it they will not be kicked out. So it takes a lot of time. So obviously, especially after those attacks, now a lot of infrastructures are monitored. We've seen nothing in the telemetry, so we knew that they don't have even that access. So we had a very good anticipation, which was exactly right. So I predicted correctly that the infrastructure will be destroyed physically.

And here, this is where it's important to understand that in general, you see, again, just because in the news of writer, when we find some piece of script of malware which is maybe related to the OT, it's immediately predicted, "Oh my god, we have something like Stuxnet and tomorrow, I don't know, a blackout is happening." No. First of all, to begin with, even to deliver the payload you actually need to reach the assets where you need to deploy your payload, and it's a gigantic, lengthy process to move laterally. Those assets are so far away on the network segment. So I bring you here an example, the case where I was in the incident response and forensics: the Triton attack
on the Middle East. Just to get to the needed assets, to the safety systems, it took the attacker 12 months. Not only because it's a gigantic network which you need to discover, and I'm sure this audience knows very well what I'm talking about, but also you need to stay silent, you need to stay stealthy, so that you will not be discovered. So it took them 12 months even to get to the assets. And then, when I was doing the forensics, I could see the frustration of the guy. He does not understand why his exploit is not working. He has, like, 100 percent expectation it should; it just does not. And he's just trying to make it work, and he was debugging his implant on the live controller. And this is where, as you can see, as he was debugging the payload, he failed the plant, so it went to shutdowns. Eventually they were discovered. So all of that multi-month effort, and can you imagine how expensive it is also to keep those people busy, was just simply wasted.

And the point is also that even if you successfully find the damage scenario which will allow you to achieve maybe some prolonged effect on the equipment, and you even successfully cyber executed it, it's not necessarily that the physics of the process will allow you to achieve what you want. You can try. So if you remember, last year, I think it was, there was an attack on the water plant in Florida. The attacker just got in, just pressed a couple of buttons on the HMI. Again, it was overhyped: "Oh my gosh, the attackers can poison us all." No, that was absolute nonsense. So I've decided to show, like, okay, if you take again war in mind, and you want to have a prolonged disruption of the water supply, you really need some smart scenario. And the smartest scenario would be, of course, that you need to damage water filters, because without water filters you can't produce the water. So I really wanted to implement the scenario. I got access to the realistic, like,
complete, like, one-to-one replica of the water treatment facility. And now I will just jump through a lot of slides, because, you know, the whole network was of course complex, it took a lot of time, blah blah blah. So I jump it even in a simplified form, and this is also presented in a simplified form. So eventually, the filter gets damaged if you reach the overpressure on the membrane inside of the filter, and the damage is happening if the pressure is exceeding two bars. So it doesn't matter what you do: even if you use every possibility, with a lot of tricks and gimmicks, to raise the pressure in that filter, still the only pressure which we were able to achieve was one bar, which is not even nearly enough to damage the filter.

So imagine if the attacker is having this anticipation: there is a war, they need to interrupt water, they maybe already have a persistent foothold, they know exactly what to do, they've already studied the control logic and everything. The moment has come, they execute it, like, oops, and it's not damaging. And this is the point, that we still did not learn how to strategically sum the reliability. There is no way for them to learn this information, what pressures they will be able to achieve, unless trying it on a live process. No documentation will tell you. If they try to learn it on the live process before the war, or let's say before the tactical moment, they run into the risk of being discovered, and if they try to do this during their tactical moment when they need it, they run into the risk of not achieving the effect they need.

So here's the point. Several points which I want to basically leave you with: in the war, when we talk about the kinetic war, we have strategy and tactics, we have very tight time constraints. You know, you sometimes make a decision, and in the next five minutes you need to have an effect. So
cyber, because of the lower reliability, because of the long time to execute, does not work very well with those expected needs in the normal, like, kinetic warfare. And even if you will be developing exploits for the same industry, let's say we take water, and it will be completely different water facilities, you need completely different sets of engineers, different sets of exploits, because there will be different equipment, a different sensor signal will have different noise, and so on. Tuning those exploits, sometimes, you know, simply to get the processing of the sensor noise and parameterize your payload, sometimes I test up to two, three months, and that is valid only for a specific facility. So time to delivery, time to execute for cyber, let's say, warfare or exploits is very, very long, and you can never know in advance whether it will be successful or not. Too many edge cases.

And in addition, the problem with cyber, of course, is that it is a one-time-use weapon. Once you show your strategy, how you exploit a certain piece of equipment, you can protect it. Even if you try to execute an attack, for example, in the energy sector, you know, every facility in the energy sector will immediately start threat hunting, they will try to find somebody in the networks. So you basically really need to use cyber sparsely. And it's expensive to develop such capabilities, really expensive, in terms of it takes a lot of time and a lot of people, specialized people.

And actually, during this armed conflict, the International Institute for Strategic Studies also published a paper where they actually studied what different nation states are thinking about their cyber capabilities. And it is basically not even the conclusions of the analysts, but this is what nation states think about their cyber capabilities. And I highlighted for you a couple of words: that at the moment they still don't, they
don't have enough knowledge