WEBVTT 1 00:00:00.640 --> 00:00:02.560 I want you to picture your morning routine for just 2 00:00:02.600 --> 00:00:05.719 a second. You walk into the kitchen, right, maybe you're 3 00:00:05.719 --> 00:00:08.880 a little groggy. You turn the tap, and clean water 4 00:00:09.119 --> 00:00:10.759 just flows out instantly. 5 00:00:10.919 --> 00:00:11.199 Right. 6 00:00:11.480 --> 00:00:13.560 You plug in the toaster, push the lever down, the 7 00:00:13.560 --> 00:00:16.359 coils get hot, you flip a switch, the lights come on. 8 00:00:17.280 --> 00:00:20.719 We live our entire lives basically expecting these things to 9 00:00:20.800 --> 00:00:23.719 just happen. Yeah. Absolutely, But we never really stopped to 10 00:00:23.760 --> 00:00:28.640 think about the invisible machine that actually makes all of 11 00:00:28.640 --> 00:00:29.359 that possible. 12 00:00:29.559 --> 00:00:33.000 It is entirely the background noise of modern civilization. I mean, 13 00:00:33.039 --> 00:00:35.359 we really only notice it when it stops working, usually 14 00:00:35.399 --> 00:00:38.520 because the power is out and we can't charge our phones. 15 00:00:38.640 --> 00:00:41.560 That is exactly it. But today we are going to 16 00:00:41.600 --> 00:00:45.560 peel back the layers of that invisible machine. We are 17 00:00:45.600 --> 00:00:49.159 talking about the nervous system of our entire infrastructure, something 18 00:00:49.200 --> 00:00:53.280 called SCATA. Yes, And to help us navigate this, we 19 00:00:53.320 --> 00:00:56.320 are doing a deep dive into a really fascinating source. 20 00:00:57.039 --> 00:01:01.479 It's called Cybersecurity for SCATA Systems by William T. Shaw. 21 00:01:01.759 --> 00:01:04.760 We're specifically looking at the second edition here, which. 22 00:01:04.519 --> 00:01:07.879 Is important because it updates this whole landscape for the 23 00:01:07.879 --> 00:01:09.680 post twenty twenty world exactly. 24 00:01:09.959 --> 00:01:13.840 And I have to say Shaw's approach is great, It 25 00:01:13.879 --> 00:01:14.319 really is. 26 00:01:14.400 --> 00:01:17.200 Shaw is essentially the definitive guide here. And what I 27 00:01:17.239 --> 00:01:19.599 love about his approach is that he doesn't just you know, 28 00:01:20.000 --> 00:01:21.760 throw dry technical manuals at you. 29 00:01:21.840 --> 00:01:22.319 No, not all. 30 00:01:22.439 --> 00:01:26.599 He tells the story of how industrial automation actually evolved, 31 00:01:27.200 --> 00:01:29.439 and frankly, it's a bit of a horror story when 32 00:01:29.480 --> 00:01:31.840 you look at it through the lens of modern cybersecurity. 33 00:01:32.079 --> 00:01:34.599 It really is a horror story. I mean, the central 34 00:01:34.640 --> 00:01:38.560 tension that Shaw identifies right at the very beginning, it 35 00:01:38.680 --> 00:01:41.359 was the big aha moment of the whole source for me. Yeah, 36 00:01:41.400 --> 00:01:45.200 it's this idea that the systems controlling our water, our 37 00:01:45.239 --> 00:01:48.599 electricity are oil pipelines. They just weren't built for the 38 00:01:48.599 --> 00:01:49.879 world we live in today. 39 00:01:49.599 --> 00:01:51.560 Not even close. I mean, you have to remember these 40 00:01:51.599 --> 00:01:54.280 systems were designed in the nineteen sixties and seventies. They 41 00:01:54.280 --> 00:01:58.439 were built for a world of absolute trust and physical isolation. 42 00:01:58.920 --> 00:02:01.519 The engineers who built a power grid back then, they 43 00:02:01.560 --> 00:02:06.159 were worried about a relay failing, or maybe a squirrel 44 00:02:06.280 --> 00:02:09.680 chewing through a wire. A squirrel exactly. They were definitely 45 00:02:09.680 --> 00:02:12.400 not worried about a teenager in a basement in another 46 00:02:12.439 --> 00:02:15.240 country trying to intentionally turn off the city's lights. 47 00:02:15.479 --> 00:02:20.479 So we basically have these really trusting, innocent systems from 48 00:02:20.680 --> 00:02:23.520 like the classic rock era, and we've taken them and 49 00:02:23.520 --> 00:02:25.599 plugged them straight into the modern Internet, which. 50 00:02:25.479 --> 00:02:27.680 Is basically a dark alley full of pickpockets. 51 00:02:28.400 --> 00:02:29.039 It's wild. 52 00:02:29.159 --> 00:02:32.039 It is a massive clash of eras. You're taking a 53 00:02:32.080 --> 00:02:35.560 system designed for total isolation and you're exposing it to 54 00:02:36.000 --> 00:02:39.680 literally the most hostile environment imaginable, and that disconnect that's 55 00:02:39.719 --> 00:02:43.560 what creates the massive vulnerability we are living with right now. 56 00:02:43.800 --> 00:02:46.560 It's just mind blowing to think that critical infrastructure runs 57 00:02:46.599 --> 00:02:49.680 on a philosophy that entirely predates the concept of a 58 00:02:49.680 --> 00:02:50.319 cyber attack. 59 00:02:50.520 --> 00:02:50.960 It does. 60 00:02:51.240 --> 00:02:53.479 Let's dig into that history a bit, because Shaw talks 61 00:02:53.479 --> 00:02:55.919 a lot about this pre nine to eleven mindset. Yeah, 62 00:02:55.960 --> 00:02:58.520 it feels like a completely different universe from how it 63 00:02:58.879 --> 00:02:59.520 works today. 64 00:02:59.639 --> 00:03:03.080 It really was. To understand the giant holes we have today, 65 00:03:03.080 --> 00:03:04.719 you kind of have to get inside the head of 66 00:03:04.759 --> 00:03:07.639 a design engineer in say nineteen seventy five. 67 00:03:07.719 --> 00:03:09.360 Okay, let's go to nineteen seventy five. 68 00:03:09.719 --> 00:03:13.960 Back then, security didn't mean firewalls, it didn't mean complex passwords, 69 00:03:14.159 --> 00:03:14.840 it just meant. 70 00:03:14.759 --> 00:03:16.520 Safety, safety from accidents. 71 00:03:16.560 --> 00:03:19.919 You mean, precisely, it meant making sure a tired operator 72 00:03:19.960 --> 00:03:22.800 on a night shift didn't accidentally open the wrong valve 73 00:03:22.840 --> 00:03:23.680 and blow a pipe. 74 00:03:24.039 --> 00:03:27.080 Right. It's the don't spill coffee on the control panel 75 00:03:27.120 --> 00:03:28.680 level of security exactly. 76 00:03:29.120 --> 00:03:31.400 The only way to actually mess with a system back 77 00:03:31.439 --> 00:03:34.439 then was to physically be standing in the room. Shaw 78 00:03:34.599 --> 00:03:37.960 uses this term security by obscurity, which I have. 79 00:03:37.960 --> 00:03:40.080 To admit always sounds like a bit of a cop 80 00:03:40.080 --> 00:03:42.599 out to me. I mean, is it security by obscurity 81 00:03:42.680 --> 00:03:45.639 just crossing your fingers and hoping nobody finds the instruction manual. 82 00:03:45.680 --> 00:03:48.439 Well, in a modern context, yes, it's a terrible strategy, 83 00:03:48.840 --> 00:03:52.879 but in nineteen seventy it was actually highly effective. Think 84 00:03:52.919 --> 00:03:56.680 about it. These were proprietary, custom built mainframes. 85 00:03:56.680 --> 00:03:59.080 They were massive, so they were basically one of a kind. 86 00:03:59.240 --> 00:04:02.240 Exactly. You wanted to hack a dam in nineteen eighty, 87 00:04:02.520 --> 00:04:05.080 you needed to know a programming language that maybe only 88 00:04:05.120 --> 00:04:07.719 fifty people in the entire world even knew, and you 89 00:04:07.800 --> 00:04:10.120 still needed to break into the physical server room to 90 00:04:10.120 --> 00:04:10.680 type it in. 91 00:04:11.120 --> 00:04:14.439 So the lock was just that the key was incredibly 92 00:04:14.560 --> 00:04:16.160 rare and impossibly heavy. 93 00:04:16.399 --> 00:04:18.600 That is a great way to put it. But then, obviously, 94 00:04:18.639 --> 00:04:21.560 September eleven happened, right and Shaw points out that this 95 00:04:21.759 --> 00:04:25.040 was the major pivot point for the industry. The Department 96 00:04:25.040 --> 00:04:27.839 of Homeland Security was formed, and they started doing these 97 00:04:28.040 --> 00:04:30.959 deep audits of our industrial infrastructure. 98 00:04:31.120 --> 00:04:34.399 They looked at SCATA and these distributed control. 99 00:04:34.079 --> 00:04:37.240 Systems, and they realized these things were completely naked. They 100 00:04:37.279 --> 00:04:41.120 had literally zero intrinsic protective mechanisms because they had never 101 00:04:41.240 --> 00:04:42.079 needed them before. 102 00:04:42.199 --> 00:04:45.399 Because suddenly the threat model was an accidental failure anymore. 103 00:04:45.439 --> 00:04:47.560 It was intentional destruction exactly. 104 00:04:47.639 --> 00:04:50.920 We moved from worrying about mechanical breakdown to worrying about 105 00:04:51.079 --> 00:04:55.600 nation states and true believers who actively wanted to cause 106 00:04:55.600 --> 00:04:57.839 physical destruction through digital means. 107 00:04:58.199 --> 00:05:01.319 And this all happened right after as the technology itself 108 00:05:01.399 --> 00:05:02.720 was going through a massive shift. 109 00:05:03.000 --> 00:05:05.360 Yes, the timing couldn't have been worse in a way. 110 00:05:05.480 --> 00:05:10.600 Because we didn't keep those big, secure, mysterious mainframes. We 111 00:05:10.680 --> 00:05:14.040 actually swapped them out for well, basically the same kind 112 00:05:14.040 --> 00:05:15.839 of computer I have sitting on my desk right now. 113 00:05:16.279 --> 00:05:19.959 Right what they called it takeover. In the eighties and nineties, 114 00:05:20.000 --> 00:05:25.000 the industrial sector realized that building custom mainframes was incredibly expensive. 115 00:05:25.120 --> 00:05:27.959 Sure, but you know what was getting really cheap PCs 116 00:05:28.240 --> 00:05:35.600 exactly PCs Windows Operating systems, Intel Chips, standard Ethernet cables. 117 00:05:35.639 --> 00:05:38.800 So the whole logic behind this massive shift was just 118 00:05:38.839 --> 00:05:40.759 financial almost entirely. 119 00:05:40.959 --> 00:05:45.600 It's technological convergence. Why would a company spend millions to 120 00:05:45.639 --> 00:05:48.360 build a custom networking cable when you can just buy 121 00:05:48.360 --> 00:05:50.160 an Ethernet cable for pennies on the dollar. 122 00:05:50.279 --> 00:05:52.399 That makes sense from a business standpoint. 123 00:05:51.920 --> 00:05:55.199 And staffing too. Why train your staff on a weird, 124 00:05:55.439 --> 00:05:58.279 isolated proprietary language when you can just hire any IT 125 00:05:58.639 --> 00:06:00.000 guy who knows how to run Windows. 126 00:06:00.360 --> 00:06:02.199 Okay, but that sounds like a deal with the devil. 127 00:06:03.000 --> 00:06:05.319 I mean, sure, it's cheaper and it's way easier to staff, 128 00:06:05.560 --> 00:06:08.199 but doesn't that inherently mean the bad guys now have 129 00:06:08.279 --> 00:06:09.240 all the tools they need. 130 00:06:09.360 --> 00:06:11.120 That is the double edged sword right there. 131 00:06:11.199 --> 00:06:11.480 Yeah. 132 00:06:11.560 --> 00:06:14.480 By moving to standard IT technology, we completely lost that 133 00:06:14.560 --> 00:06:16.920 obscurity protection we were just talking about. 134 00:06:16.680 --> 00:06:18.399 Because the rare key isn't rare anymore. 135 00:06:18.720 --> 00:06:21.839 Exactly, if you know how to hack a bank's website 136 00:06:21.959 --> 00:06:25.560 or just a corporate email server, you now basically possess 137 00:06:25.639 --> 00:06:29.319 the exact toolkit needed to attack a power grid because 138 00:06:29.399 --> 00:06:32.040 underneath the hood, they are speaking the exact same language. 139 00:06:32.079 --> 00:06:36.040 Now, wow, we lowered the barrier to entry for attackers 140 00:06:36.079 --> 00:06:39.879 significantly massively. That makes this invisible machine feel a lot 141 00:06:39.920 --> 00:06:44.279 more fragile. Yeah, okay, so we've established the big picture 142 00:06:44.279 --> 00:06:46.480 of vulnerability. But I want to get my hands dirty 143 00:06:46.519 --> 00:06:48.519 for a second. We keep seeing SCATA, but what is 144 00:06:48.639 --> 00:06:52.120 actually out there in the real world doing the physical work. 145 00:06:52.199 --> 00:06:54.160 Shaw spends a lot of time talking about the hands 146 00:06:54.160 --> 00:06:54.600 in the field. 147 00:06:54.839 --> 00:06:57.759 Right, So if the SCATA host computer is the brain, 148 00:06:57.920 --> 00:07:01.720 usually sitting in a nice, secure, air conditioned control room, 149 00:07:02.040 --> 00:07:05.319 the hands are what we call the RTUs remote terminal units. 150 00:07:05.319 --> 00:07:07.680 So these are the rugged little boxes you see sitting 151 00:07:07.680 --> 00:07:09.199 out in the desert or maybe on top of a 152 00:07:09.240 --> 00:07:11.160 mountain or inside an electrical substation. 153 00:07:11.319 --> 00:07:14.000 Exactly. They are the frontline workers of the grid. They 154 00:07:14.000 --> 00:07:17.639 physically connect to the real world machinery. They're the things 155 00:07:17.639 --> 00:07:21.240 that actually open the valves, read the line voltages, measure 156 00:07:21.319 --> 00:07:24.519 the flow rates in a pipe, and shop breaks down 157 00:07:24.560 --> 00:07:27.920 their evolution from dumb to smart, and honestly, the dumb 158 00:07:27.959 --> 00:07:30.319 ones were fascinating just in their raw simplicity. 159 00:07:30.439 --> 00:07:32.560 I mean, I wouldn't want to be called a dumb RTU, 160 00:07:32.720 --> 00:07:36.319 but I get the point. There was essentially just relays, right. 161 00:07:36.240 --> 00:07:40.399 Cure hardwired logic, no brain, no software whatsoever. Just if 162 00:07:40.519 --> 00:07:43.160 wire A has power, then turn on swich B. They 163 00:07:43.160 --> 00:07:47.160 were entirely reactive, right. But then along came the microprocessor, 164 00:07:47.279 --> 00:07:50.360 specifically things like the old Intel eighty eighty chips, and 165 00:07:50.480 --> 00:07:52.480 suddenly the RTU became smart. 166 00:07:52.680 --> 00:07:54.480 It got a tiny brain exactly. 167 00:07:54.560 --> 00:07:57.360 It could suddenly think, it could store data locally, and 168 00:07:57.439 --> 00:08:00.000 it could handle complex tasks on its own without having 169 00:08:00.199 --> 00:08:02.240 to constantly ask the main control room for help. 170 00:08:02.560 --> 00:08:04.920 Okay, so there was one specific detail in this hardware 171 00:08:04.920 --> 00:08:06.800 section that I really need you to explain to me, 172 00:08:07.199 --> 00:08:09.439 because I think I completely missed the brilliance of it 173 00:08:09.480 --> 00:08:12.439 at first glance. Which part the four to twenty million signal? 174 00:08:12.519 --> 00:08:15.600 Oh? Yeah, this is a classic piece of industrial engineering. 175 00:08:15.759 --> 00:08:19.279 It's the industry standard for measuring analog things things like 176 00:08:19.360 --> 00:08:22.759 pressure or temperature or the level of water in a tank. 177 00:08:23.639 --> 00:08:26.240 You send a continuous electrical current down the wire. 178 00:08:26.600 --> 00:08:29.680 Right, But why that's specific range? I mean, why start 179 00:08:29.720 --> 00:08:32.039 at four million amps? Why not just go zero to twenty? 180 00:08:32.639 --> 00:08:36.240 In my head zero should mean empty or off, and that. 181 00:08:36.320 --> 00:08:39.360 Right, there is the logical trap of it thinking, Oh, 182 00:08:39.919 --> 00:08:43.679 in a purely digital software world, zero means off. That 183 00:08:43.759 --> 00:08:47.679 works fine, But these systems live in the physical world, 184 00:08:48.039 --> 00:08:50.159 and in the physical world, wire's break. 185 00:08:50.360 --> 00:08:52.120 Oh, I see where this is going, right. 186 00:08:52.279 --> 00:08:55.440 Imagine you set zero amps to mean empty tank, and 187 00:08:55.480 --> 00:08:58.440 then some guy with a backo accidentally cuts the wire 188 00:08:58.639 --> 00:09:00.320 connecting the sensor to the art to. 189 00:09:00.240 --> 00:09:03.519 You, the signal on that wire drops to zero amps exactly, 190 00:09:03.679 --> 00:09:06.200 and the control room looks at the screen and thinks 191 00:09:06.200 --> 00:09:09.000 the tank is empty, but really the sensor. 192 00:09:08.679 --> 00:09:12.039 Is just dead precisely, So the operator starts pumping water 193 00:09:12.120 --> 00:09:14.519 into a tank that's already full because they think it's empty, 194 00:09:14.600 --> 00:09:16.960 and suddenly you have a massive disaster of flood and 195 00:09:17.039 --> 00:09:17.960 explosion whatever. 196 00:09:18.039 --> 00:09:19.840 But with a four to twenty system with four. 197 00:09:19.720 --> 00:09:21.840 To twenty four million ams is what means empty. 198 00:09:22.080 --> 00:09:23.960 So if the back hoe cuts the wire, the. 199 00:09:23.960 --> 00:09:27.399 Signal drops to absolute zero, and the computer instantly knows wait, 200 00:09:27.440 --> 00:09:29.879 the signal is below four. This isn't an empty tank. 201 00:09:29.960 --> 00:09:31.200 This is a broken wire. 202 00:09:31.000 --> 00:09:33.799 That is so incredibly smart it's called a live zero. 203 00:09:34.320 --> 00:09:38.440 It allows the system to diagnose its own physical health instantly. 204 00:09:38.559 --> 00:09:41.360 It's a failsafe built entirely into the math itself. You 205 00:09:41.360 --> 00:09:42.840 don't even need extra software for. 206 00:09:42.840 --> 00:09:46.759 It exactly, and it's why that specific standard has survived 207 00:09:46.799 --> 00:09:50.039 for literally decades, even as all the other computers got 208 00:09:50.039 --> 00:09:51.159 millions of times faster. 209 00:09:51.679 --> 00:09:54.120 Now, speaking of things surviving from the old days, there 210 00:09:54.159 --> 00:09:57.000 was another protocol that sounded straight out of a Cold 211 00:09:57.039 --> 00:10:00.519 war submarine movie, the select check operates sequence. 212 00:10:00.879 --> 00:10:01.399 Ah. 213 00:10:01.480 --> 00:10:06.320 Yes, this was specifically for controlling things right, not just 214 00:10:06.399 --> 00:10:07.159 measuring them right. 215 00:10:07.279 --> 00:10:10.559 This comes directly from the era where communication lines were 216 00:10:10.639 --> 00:10:14.879 incredibly noisy, just bad copper phone lines. Static on the 217 00:10:14.919 --> 00:10:17.240 line a lot of static, and static on a digital 218 00:10:17.240 --> 00:10:18.279 line can easily. 219 00:10:17.960 --> 00:10:20.159 Flip a zero to a one, which is a big deal. 220 00:10:19.960 --> 00:10:22.799 A massive deal. If you send a simple direct command 221 00:10:22.879 --> 00:10:26.799 like open valve, a tiny burst of static might corrupt 222 00:10:26.919 --> 00:10:30.159 that packet and change it to closed valve or open gate. 223 00:10:30.240 --> 00:10:32.399 Which if you're running a nuclear power plant or a 224 00:10:32.399 --> 00:10:34.840 gas pipeline, could be absolutely catastrophic. 225 00:10:35.200 --> 00:10:39.159 Right, So the engineers built a handshake. It's a literal conversation. 226 00:10:39.679 --> 00:10:42.480 The host computer doesn't just bark orders at the r TOU. 227 00:10:42.799 --> 00:10:46.360 It says I would like to select valve number. 228 00:10:46.039 --> 00:10:48.000 One, and the RTU actually talks back. 229 00:10:47.960 --> 00:10:51.639 The RTU replies okay, valve number one is selected. Then 230 00:10:51.679 --> 00:10:55.639 the host says prepare to open, The RTU replies ready 231 00:10:55.679 --> 00:10:58.919 to open. And only after all of that confirmation does 232 00:10:58.960 --> 00:11:02.519 the host send the fine actual command execute. 233 00:11:02.559 --> 00:11:05.639 Wow. It's like a triple check. It's literally are you sure? 234 00:11:05.679 --> 00:11:06.399 Are you really sure? 235 00:11:06.480 --> 00:11:09.200 Okay, do it exactly, And if any single part of 236 00:11:09.240 --> 00:11:12.519 that conversation gets garbled by static, the whole sequence just 237 00:11:12.559 --> 00:11:15.639 aborts safely. It prevented countless industrial accidents. 238 00:11:15.720 --> 00:11:18.159 That makes perfect sense. Now, there was one term in 239 00:11:18.200 --> 00:11:22.600 the hardware section that stopped me cold de bouncing de bouncing. Yeah, 240 00:11:22.799 --> 00:11:24.679 I assume we aren't talking about basketballs here. 241 00:11:24.879 --> 00:11:25.120 Huh. 242 00:11:25.240 --> 00:11:27.240 Why does a computer need to debounce a switch? 243 00:11:27.519 --> 00:11:29.559 This is one of my favorite concepts because it's where 244 00:11:29.600 --> 00:11:32.240 pristine software smashes into messy physics. 245 00:11:32.320 --> 00:11:33.360 Okay, paint me a picture. 246 00:11:33.679 --> 00:11:35.799 You think of a physical switch as binary. It's either 247 00:11:35.840 --> 00:11:38.320 on or it's off, right, like a light switch. Like 248 00:11:38.360 --> 00:11:41.799 a light switch, But when you physically slam a heavy 249 00:11:41.799 --> 00:11:45.639 metal industrial breaker shut, the metal contacts don't just connect 250 00:11:45.679 --> 00:11:46.799 perfectly instantly. 251 00:11:47.240 --> 00:11:51.320 They bounce, wait, microscopic bounces like physically bouncing. 252 00:11:51.000 --> 00:11:54.960 Yes, physically bouncing off each other, connect, disconnect, connect, disconnect 253 00:11:55.240 --> 00:11:56.480 just for a few milliseconds. 254 00:11:56.519 --> 00:11:57.039 Oh wow. 255 00:11:57.600 --> 00:12:01.399 Now to a human eye it looks completely instant. But 256 00:12:01.480 --> 00:12:05.960 a modern computer is so incredibly fast it reads every 257 00:12:06.039 --> 00:12:09.080 single one of those bounces, so it sees on off, 258 00:12:09.159 --> 00:12:11.679 on off, on off in the span of a millisecond. 259 00:12:11.799 --> 00:12:15.000 So the computer thinks the breaker is just totally freaking out. 260 00:12:15.080 --> 00:12:17.279 It thinks the human operator is flipping the switch one 261 00:12:17.320 --> 00:12:20.120 hundred times a second. So debouncing is a filter. It 262 00:12:20.120 --> 00:12:23.240 can be hardware or software, but it basically tells the computer, hey, 263 00:12:23.320 --> 00:12:26.440 ignore the total chaos for the first ten milliseconds, just 264 00:12:26.519 --> 00:12:28.799 wait until the heavy metal physically settles down. 265 00:12:29.200 --> 00:12:31.360 It's a great reminder that SCATA isn't just you know, 266 00:12:31.399 --> 00:12:36.240 abstract code floating in the cloud. It's code interacting with heavy, dirty, 267 00:12:36.320 --> 00:12:37.759 physical reality. 268 00:12:37.639 --> 00:12:42.200 Constantly, and that reality changes drastically depending on what exact 269 00:12:42.200 --> 00:12:45.639 industry you're looking at. Shaw makes a really big distinction 270 00:12:45.879 --> 00:12:50.679 between how an electric utility uses these systems versus say, 271 00:12:51.000 --> 00:12:52.799 an oil pipeline. 272 00:12:52.320 --> 00:12:54.519 Company, different strokes for different folks. 273 00:12:54.600 --> 00:12:58.720 Exactly, electric utilities live and die by sheer speed. 274 00:12:58.639 --> 00:13:00.399 Because electrons move at the speed of light. 275 00:13:00.600 --> 00:13:03.960 Exactly, if a massive breaker trips at a substation. They 276 00:13:03.960 --> 00:13:06.679 need to know exactly when it happened to understand what 277 00:13:06.759 --> 00:13:10.480 went wrong on the grid. They track things in literal milliseconds. 278 00:13:10.519 --> 00:13:13.000 They call it sequence of events or SOE. 279 00:13:13.320 --> 00:13:16.200 But pipelines are different. Oil and water don't move at 280 00:13:16.240 --> 00:13:16.960 the speed of light. 281 00:13:17.240 --> 00:13:20.960 No, they move relatively slowly, But pipelines have a completely 282 00:13:20.960 --> 00:13:25.120 different headache accounting. Accounting, yes, and this leads to one 283 00:13:25.120 --> 00:13:27.879 of the most critical concepts Shaw talks about in the book, 284 00:13:28.039 --> 00:13:29.440 the accumulator freeze. 285 00:13:29.679 --> 00:13:32.600 Okay, yes, when I read a cumulator freeze, it honestly 286 00:13:32.639 --> 00:13:35.039 sounded like a sci fi weapon to me. But you're 287 00:13:35.039 --> 00:13:36.200 saying it's actually about money. 288 00:13:36.399 --> 00:13:40.639 It's entirely about money and safety. Of course. Imagine a 289 00:13:40.759 --> 00:13:44.279 natural gas pipeline that's five hundred miles long. You have 290 00:13:44.360 --> 00:13:46.759 a smart sensor at the start of the pipe measuring 291 00:13:46.799 --> 00:13:49.399 exactly how much gas goes in, and you have another 292 00:13:49.480 --> 00:13:52.519 sensor five hundred miles away measuring how much comes out. 293 00:13:52.639 --> 00:13:54.679 You need those two numbers to match exactly, or. 294 00:13:54.639 --> 00:13:57.279 You have a leak, or someone is actively siphoning it 295 00:13:57.279 --> 00:14:00.000 off and stealing it. Right, but the gas is common 296 00:14:00.000 --> 00:14:03.240 instantly moving. If you ask the first sensor for its tally, 297 00:14:03.600 --> 00:14:06.200 and then ten seconds later you ask the last sensor 298 00:14:06.240 --> 00:14:09.360 for its tally. The gas has moved during those ten seconds, 299 00:14:09.559 --> 00:14:10.600 your math will be wrong. 300 00:14:10.679 --> 00:14:13.360 Oh, I see, You'll think you lost gas, but really 301 00:14:13.360 --> 00:14:15.639 you just counted at two different times exactly. 302 00:14:15.679 --> 00:14:18.919 You're basically chasing a ghost in the math, and I'm guessing. 303 00:14:18.919 --> 00:14:22.360 In the oil and gas industry, chasing a ghost is expensive. 304 00:14:21.960 --> 00:14:25.440 Incredibly expensive. It means shutting down a major pipeline because 305 00:14:25.440 --> 00:14:28.519 you think there's a leak sending out cruise, losing millions 306 00:14:28.559 --> 00:14:32.399 of dollars a day. So they invented the accumulator freeze. 307 00:14:32.440 --> 00:14:36.519 It's a broadcast command. The central computer essentially shouts over 308 00:14:36.559 --> 00:14:39.320 the network to every single RTU at the exact same 309 00:14:39.399 --> 00:14:41.000 time freeze. 310 00:14:40.720 --> 00:14:42.559 And they all just take a snapshot at. 311 00:14:42.480 --> 00:14:45.879 The exact same millisecond. They keep counting the actual gas 312 00:14:45.919 --> 00:14:48.919 in the background, of course, but they save that specific 313 00:14:49.039 --> 00:14:51.519 moment's number in a frozen memory register. 314 00:14:51.720 --> 00:14:52.399 Oh that's smart. 315 00:14:52.559 --> 00:14:55.960 Then the central computer can just casually collect those snapshots 316 00:14:56.000 --> 00:14:59.120 one by one over the next few minutes. It ensures 317 00:14:59.120 --> 00:15:02.679 that the accounting balance is perfectly across five hundred miles 318 00:15:02.720 --> 00:15:06.159 of moving product. It's literally like pausing time for the 319 00:15:06.320 --> 00:15:08.200 entire pipeline just to check the books. 320 00:15:08.519 --> 00:15:11.559 That is incredibly clever. It really highlights how these systems 321 00:15:11.600 --> 00:15:15.840 have to solve massive physical problems that standard it people 322 00:15:16.159 --> 00:15:19.399 never even have to dream of. I mean, my WiFi 323 00:15:19.480 --> 00:15:21.720 router doesn't care about the laws of physics or the 324 00:15:21.759 --> 00:15:22.919 flow rate of natural gas. 325 00:15:23.000 --> 00:15:26.360 No, it doesn't. And your WiFi router also isn't sitting 326 00:15:26.360 --> 00:15:29.159 on top of a freezing mountain running exclusively on a 327 00:15:29.200 --> 00:15:29.879 solar panel. 328 00:15:30.080 --> 00:15:31.919 That's another thing, the power constraints. 329 00:15:32.360 --> 00:15:34.919 Shaw talks about this at length. Some of these remote 330 00:15:34.960 --> 00:15:39.720 RTUs run on thermoelectric generators, which means they literally burn 331 00:15:39.919 --> 00:15:42.879 a tiny, tiny bit of the natural gas from the 332 00:15:43.000 --> 00:15:46.559 very pipeline they are measuring just to generate enough raw 333 00:15:46.600 --> 00:15:47.879 electricity to stay alive. 334 00:15:48.200 --> 00:15:51.360 Wow, it's like a lonely little robot out in the 335 00:15:51.399 --> 00:15:52.879 tundra keeping itself warm. 336 00:15:53.159 --> 00:15:55.799 It really is. And because power out there is so precious, 337 00:15:55.919 --> 00:15:58.519 they sleep ninety nine percent of the time. They wake up, 338 00:15:58.679 --> 00:16:00.799 burst a quick packet of data back to base, and 339 00:16:00.840 --> 00:16:01.919 go immediately back to. 340 00:16:01.879 --> 00:16:04.559 Sleep, which has to be a nightmare for cybersecurity. Right, 341 00:16:04.840 --> 00:16:07.600 how do you patch or monitor a device that is 342 00:16:07.639 --> 00:16:09.759 technically turned off? Most of the day. 343 00:16:09.919 --> 00:16:13.440 It is a massive headache. But eventually those sleeping devices 344 00:16:13.519 --> 00:16:15.799 have to wake up and talk to the brain. And 345 00:16:15.840 --> 00:16:17.720 that brings us to the tower of Babel. 346 00:16:17.799 --> 00:16:20.080 The networking protocols, the language of the grid. 347 00:16:20.279 --> 00:16:23.720 Yes, and this is where the history gets really, really messy. 348 00:16:23.799 --> 00:16:26.840 In the early days, every single manufacturer just made up 349 00:16:26.840 --> 00:16:30.679 their own language. Shaw calls these bit oriented protocols. 350 00:16:30.759 --> 00:16:32.559 Is there an easy way for us to visualize that? 351 00:16:32.840 --> 00:16:35.000 Think of it a lot like Morse code. It's just 352 00:16:35.039 --> 00:16:37.879 a raw stream of dots and dashes, ones and zeros. 353 00:16:38.159 --> 00:16:41.240 It's incredibly efficient for the machine, but you need a 354 00:16:41.320 --> 00:16:44.159 highly trained specialist to understand it. You can't just read 355 00:16:44.159 --> 00:16:46.360 it off a screen. It requires custom hardware just to 356 00:16:46.360 --> 00:16:46.960 decode it. 357 00:16:47.039 --> 00:16:50.080 But then, just like with the hardware moving to standard 358 00:16:50.120 --> 00:16:53.720 Windows PCs, the protocols eventually moved to what he calls 359 00:16:54.000 --> 00:16:55.039 character oriented. 360 00:16:55.279 --> 00:16:59.039 Right, think of character oriented protocols like sending a standard email. 361 00:16:59.440 --> 00:17:05.880 You are sending recognizable human characters, ABC numbers text standard 362 00:17:05.920 --> 00:17:08.599 off the shelf. Computers can read it easily. It's much 363 00:17:08.640 --> 00:17:10.519 more user friendly for the operators. 364 00:17:10.880 --> 00:17:14.160 But here is the massive trap that Shaw warns us about. 365 00:17:14.519 --> 00:17:17.759 Just because it's user friendly, doesn't mean it's safe. In fact, 366 00:17:18.000 --> 00:17:20.920 it seems like making it readable just made it easier 367 00:17:20.920 --> 00:17:22.319 for the bad guys to listen in. 368 00:17:22.480 --> 00:17:24.799 You've hit on the clear text problem. Most of these 369 00:17:24.799 --> 00:17:28.000 industrial protocols, things like mod bus or DANP three, they 370 00:17:28.000 --> 00:17:30.839 were designed for that innocent, trusting era we talked about 371 00:17:30.839 --> 00:17:32.920 at the beginning. So they send their commands in clear text. 372 00:17:33.039 --> 00:17:34.799 Wait, so if I'm a hacker and I managed to 373 00:17:34.799 --> 00:17:35.480 tap into. 374 00:17:35.279 --> 00:17:37.160 That wire, you can read exactly what it says. 375 00:17:37.240 --> 00:17:38.640 Anyone can just read it, not just. 376 00:17:38.640 --> 00:17:39.960 Read it, write it. 377 00:17:40.119 --> 00:17:41.119 Oh wow. Yeah. 378 00:17:41.200 --> 00:17:44.880 There is no encryption, There is no password authentication. It 379 00:17:44.960 --> 00:17:48.279 is exactly like standing across a crowded room and shouting 380 00:17:48.440 --> 00:17:51.319 your atm PI and code at the top of your lungs. 381 00:17:51.319 --> 00:17:54.160 If anyone is listening, they have it and they can 382 00:17:54.279 --> 00:17:55.680 use it immediately and now. 383 00:17:55.759 --> 00:17:57.200 And this is the part of the deep dive that 384 00:17:57.279 --> 00:18:02.039 genuinely scares me. We are taking these insecure, clear text 385 00:18:02.039 --> 00:18:04.480 protocols and we are putting them on the cloud. 386 00:18:04.759 --> 00:18:08.599 Yes. Shaw talks about this huge trend SCATA as a service. 387 00:18:09.160 --> 00:18:11.839 Explain that because it sounds like a terrible idea. 388 00:18:11.640 --> 00:18:14.160 Well, financially, it makes sense. If you are a small 389 00:18:14.200 --> 00:18:16.720 water utility in a rural town. You just can't afford 390 00:18:16.720 --> 00:18:19.319 to build a million dollar secure server farm. You don't 391 00:18:19.359 --> 00:18:22.160 have the budget. So outside vendors come in and say, hey, 392 00:18:22.200 --> 00:18:25.160 we'll host your entire SCATA system in the crowd for 393 00:18:25.240 --> 00:18:26.400 a flat monthly fee. 394 00:18:26.640 --> 00:18:29.519 So the actual control room for my town's drinking water 395 00:18:29.559 --> 00:18:32.039 supply is essentially just a website. 396 00:18:32.079 --> 00:18:35.279 Functionally, yes, the critical data travels over the public Internet, 397 00:18:35.279 --> 00:18:37.680 and I sure they use firewalls and VPNs, but you 398 00:18:37.720 --> 00:18:41.279 are effectively putting critical physical control functions on the exact 399 00:18:41.359 --> 00:18:45.519 same network infrastructure that carries Netflix streams and spam emails. 400 00:18:45.759 --> 00:18:49.799 And if that's small utilities, one it guy clicks on 401 00:18:49.839 --> 00:18:50.559