Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Iran Attacks US Organizations
Quick Take
On this episode of Compliance Unfiltered, the CU guys cover the contentious topic of the recent Iran-based cyber-attacks on US organizations.
Want to know what happened, who’s responsible, and whether or not it’s going to happen again? Then this is the episode for you. Adam breaks down all the critical details and walks the listener through how to look for signs that an organization might be in danger.
All this and more on this week’s episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Todd: Well, welcome in. Another edition of Compliance Unfiltered. I’m Todd Coshow alongside the marshmallows in your compliance Lucky Charms, Mr. Adam Goslin. How the heck are you, sir?
Adam: I’m doing good, Todd. How are you?
Todd: Man, I can’t complain. I’m feeling pretty good about things, but today we’re going to talk about a situation that inspires a lot less confidence, and that is the Iran attacks on U.S. organizations.
Todd: So give us, at a high level, an overview of what happened in this case, Adam.
Adam: Sure. So there was an instance where an Iran group was cyber-attacking U.S. water facilities. An Iran-linked hacking group called Cyber Avengers attacked multiple U.S. water treatment facilities for using an Israeli-made computer system. That group took control of video screens, where they posted a statement that said, “You’ve been hacked. Down with Israel. Every equipment made in Israel is Cyber Avengers’ legal target.” So this attack spanned multiple states, impacting about 10 different facilities. The compromised control systems were disabled, but it didn’t actually impact the water supply system. So I suppose that’s the only glimmer of light on this one.
Todd: Well, speaking thereof, I have to ask: is this kind of an exclusive issue to Iran, or is this simply an example of a more systemic issue?
Adam: Well, in this case the U.S. was actually just a bystander on this one. The attack was targeted at their discovery capability of organizations that used Israeli-made equipment, and not the U.S. specifically. I’m pretty sure they knew these systems were in the U.S., but ostensibly their target was the Israeli-made equipment. So it wasn’t necessarily a U.S. thing; it was just, hey, let’s go out and scour the web and see if we can find any equipment that happens to be this particular manufacturer, and go target it.
And these 10 water facilities happen to be in the U.S. So it’s not uncommon for even allies of a nation to become part of the ancillary target in these types of situations, in the same sense. And it’s not that big of a stretch to think that they actually found a thousand of these devices and cherry-picked the ones out of the U.S. just because they knew they’d get a bunch of notoriety and media attention and all of that fun stuff. So, I don’t know, there’s an upside and a downside here: being a popular and vocal target will probably put us a few notches up on the list. If they were to find these particular control systems in much smaller, much less adept countries, then they probably wouldn’t have gotten as much press as they did either. So, kind of a double-edged sword. But at least they were just seeking to disrupt the Israeli-made equipment. They weren’t trying to shut down the water supply. If their goal had been more destructive, this attack could have been a disaster. As an example, those control devices have kind of built-in safety limits. When I say control devices, I literally mean the equipment that is controlling the water supply. Those devices that control the water supply, they’ve got safety limits on them.
What would have happened if the bad guys had gone in and either altered or turned off those safety limits? They could have possibly damaged or destroyed a lot more equipment with the capabilities they had, in terms of the amount of control they were able to gain access to. It could have been interesting.
Todd: Back to the Iran issue here. Why did Cyber Avengers actually attack the U.S. infrastructure? What were they trying to gain here?
Adam: Well, these infrastructure control systems have a lot of different components that are fairly old. The people that know how to manage and maintain that equipment are retiring; critical knowledge is floating out the door. It’s the typical problems with aging devices, aging equipment, right? Lack of documentation, lack of cross-training, lack of even people coming into the space that would have any idea how to manage and maintain this stuff. I actually had a next-door neighbor for a while that was involved with maintaining local water systems, et cetera, and he was telling me about some of the equipment they’ve got, how old it is, how hard it is to find people that actually know what they’re doing on that equipment, et cetera. That was a localized problem, but it’s really not a different problem across the board. I mean, you think about how long a lot of these U.S. infrastructure elements have been around, right?
Todd: Sure.
Adam: A lot of these had heavy investments 30, 40, 50, 60 years ago, type of thing. And hey, it’s going to bastard at this point in the game. So replacing and modernizing all that equipment would be amazingly expensive. It would involve water supply, water treatment, traffic control, gas, electrical grid, railroad, you name it, right? For every single community across the country. All of this leads to a scenario where it’s not easy for critical infrastructure entities to just go in and say, hey, we’re going to go quick, whatever, slap on a patch or fix this hole or whatever it may be. In many cases, the people that maintain the equipment, especially from an IT security perspective, may know how to operate it, right? But now translate that into an IT security arena. Honestly, regular old businesses can move a hell of a lot quicker to go protect themselves, replace equipment, apply patches, et cetera. It’s a challenging problem for critical infrastructure.
And this relatively minor Cyber Avengers attack should serve as a wake-up call. There’s a lot of basic hygiene improvements that could be made. All of these attacks occurred because the facilities were still using default factory-installed passwords, right? So if we simply went to, hey, let’s go ahead and set strong, unique passwords on all of these various devices, well, that would have prevented these particular attacks from the Cyber Avengers crew, and it also falls into the realm of kind of security and compliance 101, right?
Todd: Well, just how vulnerable is the U.S. infrastructure with these older situations that they have?
Adam: Well, there’s definitely lessons to be learned from this experience. It’s always important to be cognizant of your affiliations in relation to world conflict. The recent attack brought a shining example of how these attacks could occur if a nation or organization is associated with a certain group or political entity, et cetera. So in the one sense, for organizations, keeping an eye on the world stage and considering ripple impacts that could potentially occur if your organization happened to be caught up, in a third-party sense, in some other conflict going on. You might own equipment that was built by one of these parties. You might have a vendor who’s directly or indirectly associated with a particular party. Building that type of a lens into your business continuity and disaster recovery planning would certainly be something to consider. I’d guarantee you that there’s phenomenally few companies or organizations that bother right now, but depending on who you are and your level of exposure, et cetera, it might be time to do that. I don’t think this is some holy-moly panic moment and the sky is falling and all that fun stuff, but if you’re doing your due diligence to help protect the organization, then you’re already placing yourself in an improved position over where you would have been otherwise.
Todd: That’s a good shot. So are the listeners possibly vulnerable to the Cyber Avengers breach themselves? That’s my real question. I think that’s probably their question too.
Adam: Yeah, well, I mean, certainly the blanket statement, the no-brainer really, is if your organization isn’t already taking cybersecurity seriously and going up against some type of a robust compliance standard, then you’re at risk.
There are a lot of companies out there that are in denial or simply don’t have the knowledge to be able to pull off what they otherwise should be doing. They think they won’t be a target because they’re too small or they don’t have anything of value, but the reality is that every organization that has equipment connected to the internet is in danger at the end of the day. It’s one of the things, especially for those companies that run under the misnomer that, well, we don’t have anything of interest or we’re too small. What they don’t realize is that in a lot of cases, the way that the targets end up being selected, it’s less often a deliberate bullseye placed on these big billion-dollar organizations, where they go at it from the perspective of, hey, I’m going to go try to specifically find stuff for this company. Sometimes that happens. But more often than not, and I’ve explained this on prior pods, every single device that connects to the internet effectively has an address, and it’s a series of four sets of numbers separated by three dots. Well, what do the bad guys do when they’re saying, hey, let’s try to see if we can see a traffic pattern for this Israeli equipment?
Oftentimes what they’ll do is they’ll set an attack approach: I’m going to try to connect on this port and try to execute this, issue this command, et cetera. And if I get this response, then thumbs up, I know that I now have one of these pieces of equipment. And what they’ll do is they’ll just start going through the IP addresses, 1.1.1.1, 1.1.1.2, 1.1.1.3, et cetera, and basically run through the iterations of every single IP address that exists. And as a result of going about it that way, it’s less often this directed attack. For the most part, you just happen to get caught up in whatever the bad guy, bad girl, whatever bad actor was going out and trying to find targets for.
So the way for organizations to look at the cyberspace these days is that you can’t sit there under this notion that, well, we don’t have anything of interest or we’re not big enough or whatever. The bad guys don’t care. These attacks are random, and certainly small businesses get caught up in this just like global enterprises do. Certainly it makes it a juicier target when you end up finding out that the device that I’m hitting happens to be with some big country or big organization. But you’ve got to move past this notion that you don’t have anything of interest, because most of the time it doesn’t have anything to do with it. When it comes to these politically motivated attacks, as was kind of highlighted in this case, anybody could be associated just because of kind of who they know. Anybody can get it.
Todd: Well, what are some of the signs that an organization could be in danger?
Adam: Well, I mean, when it comes to these attacks, and knowing that pretty much anybody could be in it, we’ve got the notion of the quality, if you will, of their existing program. I mean, if you’re not already up to snuff, up to speed, doing all the things that you can do to secure and protect the organization, and validating that you’re really taking this stuff seriously, you’ve got a lot of potential areas that could be at risk. Certainly for companies that don’t have their ducks in a row, if you’re hearing things like, well, we’re too small, we don’t need to worry about it.
If you’re not, as somebody at an organization, hearing the conversations happening internally about upcoming security and compliance audits, or what are we doing for information security, if it just doesn’t seem to be on the radar, those are going to be all good indicators of potential issues. Another one that just kind of was coming to me as I was talking this through, another big one, is go find out as an organization who in your company is the one that’s filling out your stuff for your cyber liability insurance. More often than not, what I’ve seen is that it’s somebody in the finance team, because they’re associated with getting the insurance lined up and blah, blah, blah. They’re getting questionnaires from the insurance company: are you doing this? Are you doing that? No offense to most of the people in the finance arena, but they really don’t know what it is that they’re signing up for. So if you’ve got someone that is filling those things out that really shouldn’t be, because they don’t know what they’re filling out, that’s another key indicator. There’s a lot of signs and symptoms, but if you don’t have that sense that within the DNA of the organization they are actively taking this stuff seriously, those are some of the big signs that we’ve got some things that we can go get buttoned up.
Todd: Parting shots and thoughts for the folks this week, Adam.
Adam: Well, the most sophisticated and destructive of the cyber attacks are those that are kind of sponsored by nation states. We’re talking in this case about a directed Iran attack type of thing. But there’s a lot of nation states that have a lot of programs in place, not the least of which is the Russians, Chinese, et cetera, and others. Getting compliant, making it a priority to integrate the kind of cybersecurity and protective steps into the DNA of the organization, those are all just amazingly important steps for companies. TCT happens to be the second organization I’ve basically founded from the ground up. And for me as a business owner, the way that I look at our TCT security and compliance program is it’s a protective mechanism. It is a protective mechanism, number one, for all of the clients and customers that depend on TCT for doing what we’re doing. It’s a protective mechanism for all of the personnel of TCT that depend on its existence. And it’s a protective mechanism for my investment in making this company and putting all this blood, sweat and tears into making this dream a reality of helping people make compliance management suck less. And really, that is the thing that I would probably most encourage mid to upper level leadership, certainly C-level, board members, owners, et cetera: you need to change your mindset towards security and compliance. You need to not look at it as an expense. You need to look at it instead as, quite frankly, the best tool in your toolbox to help protect the organization that you are responsible for protecting.
Todd: And that right there, that’s the good stuff.
Todd: Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
Adam: And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.