1
00:00:00,329 --> 00:00:10,460
[Music]

2
00:00:10,460 --> 00:00:13,618
Chain of events, cause and effect. We

3
00:00:13,618 --> 00:00:15,089
analyse what went right, and what went

4
00:00:15,089 --> 00:00:17,250
wrong, as we discover that many outcomes

5
00:00:17,250 --> 00:00:19,739
can be predicted, planned for, and even

6
00:00:19,739 --> 00:00:22,350
prevented. I'm John Chidgey, and this is

7
00:00:22,350 --> 00:00:24,838
Causality. Causality is supported by you:

8
00:00:24,838 --> 00:00:27,027
our listeners. If you'd like to support

9
00:00:27,027 --> 00:00:29,399
the show you can do so via Patreon or

10
00:00:29,399 --> 00:00:32,039
by becoming a premium subscriber for

11
00:00:32,039 --> 00:00:33,899
early release high quality ad-free

12
00:00:33,899 --> 00:00:36,359
episodes. Visit https://engineered.network

13
00:00:36,359 --> 00:00:39,030
/causality to learn how you can

14
00:00:39,030 --> 00:00:44,640
help. Thank you. "Black Energy" On the 23rd

15
00:00:44,640 --> 00:00:47,509
of December 2015 in the late evening

16
00:00:47,509 --> 00:00:50,219
major sections of the Ukrainian power

17
00:00:50,219 --> 00:00:53,158
grid blacked out in quick succession. The

18
00:00:53,158 --> 00:00:57,149
blackouts impacted 225,000 residences

19
00:00:57,149 --> 00:01:00,350
over a huge physical area, shedding some

20
00:01:00,350 --> 00:01:02,939
170MW of load from the

21
00:01:02,939 --> 00:01:05,608
electrical power grid. There were no

22
00:01:05,608 --> 00:01:08,250
storms, no equipment failures, and no

23
00:01:08,250 --> 00:01:10,980
human error. Well, no human error at that

24
00:01:10,980 --> 00:01:14,640
moment in time anyway. Before you wonder

25
00:01:14,640 --> 00:01:16,858
why a power blackout is worthy of

26
00:01:16,858 --> 00:01:20,069
discussion, is that this particular power

27
00:01:20,069 --> 00:01:23,879
outage was the first, large-scale power

28
00:01:23,879 --> 00:01:27,468
disruption caused by a cyber intrusion.

29
00:01:27,468 --> 00:01:30,090
The incident has been referred to as

30
00:01:30,090 --> 00:01:33,090
"Black Energy" not to be confused with

31
00:01:33,090 --> 00:01:35,930
"Industroyer" which happened 1 year later.

32
00:01:35,930 --> 00:01:38,879
The name of the incident is linked to

33
00:01:38,879 --> 00:01:40,468
the name of the malware that the

34
00:01:40,468 --> 00:01:42,569
incident made well-known. Which

35
00:01:42,569 --> 00:01:44,578
interestingly, was actually the 3rd

36
00:01:44,578 --> 00:01:46,920
generation of the Black Energy malware

37
00:01:46,920 --> 00:01:50,727
that was identified first in 2014. The

38
00:01:50,727 --> 00:01:52,799
truth is that the Black Energy 3 malware

39
00:01:52,799 --> 00:01:55,140
wasn't the cause of the outages, but

40
00:01:55,140 --> 00:01:57,870
rather it was the key that initially let

41
00:01:57,870 --> 00:02:00,477
the attackers in. But we're getting ahead

42
00:02:00,477 --> 00:02:02,299
of ourselves.

43
00:02:02,299 --> 00:02:05,849
Ukraine has 24 regions with each region

44
00:02:05,849 --> 00:02:08,127
varying from 11 to 27 provinces in

45
00:02:08,127 --> 00:02:10,500
each, and covering these to various

46
00:02:10,500 --> 00:02:12,658
scales, there is a different power

47
00:02:12,658 --> 00:02:14,908
distribution company serving that region,

48
00:02:14,908 --> 00:02:17,650
called Oblenergos.

49
00:02:17,650 --> 00:02:21,139
The Black Energy incident was targeted

50
00:02:21,139 --> 00:02:24,560
at multiple of those Oblenergos. At

51
00:02:24,560 --> 00:02:27,437
approximately 3:25pm Eastern European

52
00:02:27,437 --> 00:02:29,657
Time on Wednesday the 23rd of December,

53
00:02:29,657 --> 00:02:32,598
2015 the call centers for reporting

54
00:02:32,598 --> 00:02:34,519
power grid issues were flooded with a

55
00:02:34,519 --> 00:02:36,579
barrage of telephone calls,

56
00:02:36,579 --> 00:02:39,919
simultaneously. These calls appeared to

57
00:02:39,919 --> 00:02:41,530
have all originated from Moscow,

58
00:02:41,530 --> 00:02:43,218
overloading the telephone system

59
00:02:43,218 --> 00:02:47,657
completely. Five minutes later, in the

60
00:02:47,657 --> 00:02:50,598
Prykarpattya-oblenergo control center, the

61
00:02:50,598 --> 00:02:53,389
SCADA remote control system seemingly

62
00:02:53,389 --> 00:02:56,090
possessed, locked the operators out and

63
00:02:56,090 --> 00:02:58,519
began executing a manual isolation

64
00:02:58,519 --> 00:03:01,609
sequence. Thirty substations were

65
00:03:01,609 --> 00:03:04,489
systematically switched off one by one

66
00:03:04,489 --> 00:03:07,157
as massive segments of the power grid

67
00:03:07,157 --> 00:03:10,758
were sent into a blackout. Specifically 7 x

68
00:03:10,758 --> 00:03:16,218
110 kV (or kilovolt) and 23 x 35 kV

69
00:03:16,218 --> 00:03:19,008
substations were disconnected. They were

70
00:03:19,008 --> 00:03:21,650
distribution substations, not major

71
00:03:21,650 --> 00:03:24,699
transmission and not generation plants.

72
00:03:24,699 --> 00:03:27,318
Approximately 1 minute later the same

73
00:03:27,318 --> 00:03:29,508
attack began on a second Oblenergo,

74
00:03:29,508 --> 00:03:33,949
and then a third at 4:00pm. Six

75
00:03:33,949 --> 00:03:35,900
Oblenergos were targeted in the

76
00:03:35,900 --> 00:03:39,229
attack though only three began to

77
00:03:39,229 --> 00:03:41,829
experience an operational impact. And

78
00:03:41,829 --> 00:03:46,157
they were Chernivtsi, Kyiv and the

79
00:03:46,157 --> 00:03:48,769
aforementioned Prykarpattya. Two of

80
00:03:48,769 --> 00:03:51,829
those three control rooms were also

81
00:03:51,829 --> 00:03:53,959
blacked out themselves despite having

82
00:03:53,959 --> 00:03:56,750
UPSs fitted with the third control room

83
00:03:56,750 --> 00:03:57,889
remaining powered throughout the

84
00:03:57,889 --> 00:04:01,400
incident. At 4:10pm engineers disabled

85
00:04:01,400 --> 00:04:03,438
a HMI administrator account in an

86
00:04:03,438 --> 00:04:05,568
attempt to stop the attack and regain

87
00:04:05,568 --> 00:04:06,139
control.

88
00:04:06,139 --> 00:04:08,389
However the hackers had installed an

89
00:04:08,389 --> 00:04:09,919
additional administrator account

90
00:04:09,919 --> 00:04:12,438
beforehand and hence this action had no

91
00:04:12,438 --> 00:04:15,709
impact. In the following minutes the

92
00:04:15,709 --> 00:04:18,737
Oblenergo engineers initiated a shutdown of

93
00:04:18,737 --> 00:04:21,199
the SCADA system and remote access VPN

94
00:04:21,199 --> 00:04:24,588
and were thus able to end the attack,

95
00:04:24,588 --> 00:04:27,050
however this occurred only in time to

96
00:04:27,050 --> 00:04:29,509
prevent the final blacking out of just

97
00:04:29,509 --> 00:04:30,949
one solitary sub-station

98
00:04:30,949 --> 00:04:33,709
that remained. All of the others had

99
00:04:33,709 --> 00:04:36,470
already been blacked out. At 5:00pm

100
00:04:36,470 --> 00:04:39,290
the Prykarpattya-oblenergo published a

101
00:04:39,290 --> 00:04:41,829
note on their site stating the following:

102
00:04:41,829 --> 00:04:44,540
(this is a Russian translation to English)

103
00:04:44,540 --> 00:04:49,838
"To the attention of consumers of PJSC,

104
00:04:49,838 --> 00:04:53,000
due to malfunctioning of telemechanics,

105
00:04:53,000 --> 00:04:56,209
a considerable part of the region and

106
00:04:56,209 --> 00:04:58,009
Ivano-Frankivsk

107
00:04:58,009 --> 00:05:01,209
remained without power supply.

108
00:05:01,209 --> 00:05:03,560
Specialists are currently searching for

109
00:05:03,560 --> 00:05:05,810
the causes and finding out the extent of

110
00:05:05,810 --> 00:05:08,420
the accident. We will provide more

111
00:05:08,420 --> 00:05:10,819
information as we receive it. Please

112
00:05:10,819 --> 00:05:12,709
refrain from making phone calls to the

113
00:05:12,709 --> 00:05:15,199
call center as the dispatchers do not

114
00:05:15,199 --> 00:05:18,019
have any information about the timing of

115
00:05:18,019 --> 00:05:20,149
the accident until the cause of the

116
00:05:20,149 --> 00:05:22,490
accident is known. Thank you for

117
00:05:22,490 --> 00:05:23,149
understanding."

118
00:05:23,149 --> 00:05:27,110
(end quote) At 5:30pm an additional

119
00:05:27,110 --> 00:05:30,079
note was also added. Each Oblenergo

120
00:05:30,079 --> 00:05:32,689
attempted remotely re-energizing their

121
00:05:32,689 --> 00:05:34,910
substations to no avail, and then

122
00:05:34,910 --> 00:05:36,500
systematically dispatched field

123
00:05:36,500 --> 00:05:39,019
operators to each substation one by one.

124
00:05:39,019 --> 00:05:42,199
Upon arrival at each substation the

125
00:05:42,199 --> 00:05:43,970
field operators systematically switched

126
00:05:43,970 --> 00:05:46,129
on each of the circuit breakers powering

127
00:05:46,129 --> 00:05:48,800
up sections of the power grid. The

128
00:05:48,800 --> 00:05:50,778
shortest full blackout period lasted

129
00:05:50,778 --> 00:05:53,000
approximately 1 hour, with the full

130
00:05:53,000 --> 00:05:55,610
power restoration taking approximately

131
00:05:55,610 --> 00:05:58,519
6 hours. In attempting to restore their

132
00:05:58,519 --> 00:06:00,860
control system infrastructure, Oblenergo

133
00:06:00,860 --> 00:06:02,660
engineers found most operator

134
00:06:02,660 --> 00:06:04,699
workstations were unable to be booted up

135
00:06:04,699 --> 00:06:07,250
and those that they could, they found

136
00:06:07,250 --> 00:06:08,838
operators were unable to login with

137
00:06:08,838 --> 00:06:10,699
their credentials and where they could

138
00:06:10,699 --> 00:06:13,310
login successfully, many of their remote

139
00:06:13,310 --> 00:06:15,379
sites remained unable to be monitored

140
00:06:15,379 --> 00:06:19,278
let alone controlled remotely. The attack

141
00:06:19,278 --> 00:06:21,709
had rendered them remotely blind and

142
00:06:21,709 --> 00:06:25,189
completely remotely incapacitated. So how

143
00:06:25,189 --> 00:06:27,829
did they get in? First of all, it started

144
00:06:27,829 --> 00:06:30,199
with a spear phishing attack focused on

145
00:06:30,199 --> 00:06:32,360
IT staff and sys-admins,

146
00:06:32,360 --> 00:06:35,120
(that's system administrators) that worked for

147
00:06:35,120 --> 00:06:36,709
several companies throughout the Ukraine

148
00:06:36,709 --> 00:06:38,509
that supported the Ukraine electricity

149
00:06:38,509 --> 00:06:41,660
network. They delivered an Email with a

150
00:06:41,660 --> 00:06:43,610
malicious attachment that appeared to

151
00:06:43,610 --> 00:06:44,689
have come from Ukraine

152
00:06:44,689 --> 00:06:48,170
energy ministry. 6 of the Ukraine power

153
00:06:48,170 --> 00:06:50,149
companies were targeted with an

154
00:06:50,149 --> 00:06:52,459
old-fashioned Word or Excel document

155
00:06:52,459 --> 00:06:55,850
with a macro embedded in them, that once

156
00:06:55,850 --> 00:06:57,740
the user opened and enabled macros,

157
00:06:57,740 --> 00:07:01,550
delivered the Black Energy 3 payload. In

158
00:07:01,550 --> 00:07:03,170
this case the attachments were

159
00:07:03,170 --> 00:07:06,230
predominantly Excel files. Black Energy 3

160
00:07:06,230 --> 00:07:07,699
then allowed the installation of key

161
00:07:07,699 --> 00:07:09,829
loggers to capture credentials, allowing

162
00:07:09,829 --> 00:07:11,838
further system access laterally until

163
00:07:11,838 --> 00:07:14,689
reaching the domain controllers. This

164
00:07:14,689 --> 00:07:17,689
began more than 6 months before the

165
00:07:17,689 --> 00:07:20,750
actual attack would take place. None of

166
00:07:20,750 --> 00:07:23,060
the companies had any capability to

167
00:07:23,060 --> 00:07:25,459
continually monitor their control system

168
00:07:25,459 --> 00:07:28,459
network logs. The Oblenergos actually

169
00:07:28,459 --> 00:07:30,649
had significant logging enabled on most

170
00:07:30,649 --> 00:07:32,660
of their systems, server and network

171
00:07:32,660 --> 00:07:35,329
devices, however it was not centrally

172
00:07:35,329 --> 00:07:38,180
aggregated. Moreover none of it was

173
00:07:38,180 --> 00:07:40,610
checked manually or semi-automatically.

174
00:07:40,610 --> 00:07:42,620
There was also no system network

175
00:07:42,620 --> 00:07:44,449
monitoring at all, with no tools

176
00:07:44,449 --> 00:07:45,889
installed for that purpose.

177
00:07:45,889 --> 00:07:48,769
In addition, remote access to the control

178
00:07:48,769 --> 00:07:52,670
network was via VPN and that VPN had no

179
00:07:52,670 --> 00:07:55,490
multi-factor authentication. The

180
00:07:55,490 --> 00:07:57,470
Ukrainian power grid did have remote

181
00:07:57,470 --> 00:07:59,689
access for engineers and with the

182
00:07:59,689 --> 00:08:01,338
intention of being able to access

183
00:08:01,338 --> 00:08:04,579
monitor and remotely support the system,

184
00:08:04,579 --> 00:08:07,430
but it did not have MFA (or Multi-Factor

185
00:08:07,430 --> 00:08:09,290
Authentication). For those that don't know

186
00:08:09,290 --> 00:08:11,540
what MFA is the intention is simple

187
00:08:11,540 --> 00:08:14,509
enough: log in to a secure site or an

188
00:08:14,509 --> 00:08:16,009
access portal with a username and a

189
00:08:16,009 --> 00:08:18,379
password. The system will then send a

190
00:08:18,379 --> 00:08:20,990
notification, a message, SMS, text or

191
00:08:20,990 --> 00:08:23,629
similar, to a secondary device that is

192
00:08:23,629 --> 00:08:27,079
known to be owned by the user, to confirm

193
00:08:27,079 --> 00:08:29,329
that that specific login attempt was

194
00:08:29,329 --> 00:08:32,840
coming from that specific user. Once that

195
00:08:32,840 --> 00:08:35,240
user independently approves or accepts,

196
00:08:35,240 --> 00:08:39,620
access is finally granted. MFA, were it in

197
00:08:39,620 --> 00:08:41,538
place, would have alerted those with a

198
00:08:41,538 --> 00:08:43,849
compromised account that someone was

199
00:08:43,849 --> 00:08:45,649
attempting to remotely log in using

200
00:08:45,649 --> 00:08:47,538
their credentials. How the hackers got

201
00:08:47,538 --> 00:08:48,678
the right credentials?

202
00:08:48,678 --> 00:08:51,470
Each company segregated their control

203
00:08:51,470 --> 00:08:53,360
network from their corporate network

204
00:08:53,360 --> 00:08:55,908
using a firewall. So the hackers spent

205
00:08:55,908 --> 00:08:57,879
months incrementally infecting more

206
00:08:57,879 --> 00:08:59,980
machines on the corporate side with a

207
00:08:59,980 --> 00:09:01,960
variety of different exploits until they

208
00:09:01,960 --> 00:09:03,639
were able to get access to the Active

209
00:09:03,639 --> 00:09:06,580
Directory controller. Once in the AD

210
00:09:06,580 --> 00:09:08,470
controller they had access to the domain

211
00:09:08,470 --> 00:09:11,080
credentials, they obtained credentials for

212
00:09:11,080 --> 00:09:13,000
control systems engineers with remote

213
00:09:13,000 --> 00:09:14,889
access privileges and were able to

214
00:09:14,889 --> 00:09:17,139
access the control network at will

215
00:09:17,139 --> 00:09:19,808
without detection. They compromised a

216
00:09:19,808 --> 00:09:22,690
total of 17 operator work stations

217
00:09:22,690 --> 00:09:25,480
across the organizations. They installed

218
00:09:25,480 --> 00:09:27,278
a variety of back doors including GCat,

219
00:09:27,278 --> 00:09:29,918
DropBear and Kryptik, to ensure that

220
00:09:29,918 --> 00:09:31,658
there were multiple paths available to

221
00:09:31,658 --> 00:09:33,519
get in, should one of them be discovered.

222
00:09:33,519 --> 00:09:36,370
So how they set up the outage itself, now

223
00:09:36,370 --> 00:09:39,639
that they're in? First of all the control

224
00:09:39,639 --> 00:09:42,580
room UPSs. All the control centers in

225
00:09:42,580 --> 00:09:44,259
the Ukraine as is standard practice

226
00:09:44,259 --> 00:09:46,450
worldwide, are fully backed up with

227
00:09:46,450 --> 00:09:49,149
uninterruptible power supplies, such that

228
00:09:49,149 --> 00:09:50,830
if the grid power goes out the control

229
00:09:50,830 --> 00:09:52,870
room will remain powered and functional.

230
00:09:52,870 --> 00:09:55,090
The same applies to the dial-in call

231
00:09:55,090 --> 00:09:57,759
centers. In the first step the hackers

232
00:09:57,759 --> 00:10:00,038
took out 2 of the 3 UPSs such

233
00:10:00,038 --> 00:10:02,320
that when the power was turned off to

234
00:10:02,320 --> 00:10:04,600
their own power grids those control

235
00:10:04,600 --> 00:10:06,700
rooms would also be blacked out. Then

236
00:10:06,700 --> 00:10:09,840
they disabled remote SCADA commands.

237
00:10:09,840 --> 00:10:12,490
Serial to Ethernet converters are used

238
00:10:12,490 --> 00:10:14,168
for address translation between the

239
00:10:14,168 --> 00:10:15,370
SCADA system and the high-voltage

240
00:10:15,370 --> 00:10:17,788
circuit breakers and that was remotely

241
00:10:17,788 --> 00:10:21,450
upgraded to an invalid firmware revision,

242
00:10:21,450 --> 00:10:24,428
awaiting a remote reboot request, after

243
00:10:24,428 --> 00:10:27,070
which the device, being unable to boot

244
00:10:27,070 --> 00:10:29,019
because the firmware was invalid, was

245
00:10:29,019 --> 00:10:31,178
effectively bricked and completely

246
00:10:31,178 --> 00:10:34,509
inoperable. The 2 devices that they

247
00:10:34,509 --> 00:10:39,360
targeted were the MOXA UC7408 LX-plus:

248
00:10:39,360 --> 00:10:42,220
that is a Universal Communicator with an

249
00:10:42,220 --> 00:10:44,830
IXP425. It has 8

250
00:10:44,830 --> 00:10:48,700
configurable RS-232, -422 or -485 ports,

251
00:10:48,700 --> 00:10:51,428
8 Digital Ins, 8 Digital Outs, and

252
00:10:51,428 --> 00:10:55,269
a dual LAN. Importantly it's running an

253
00:10:55,269 --> 00:10:59,019
embedded Linux version. MOXA is a company

254
00:10:59,019 --> 00:11:00,940
based in Taiwan and they make a large

255
00:11:00,940 --> 00:11:02,528
number of industrial communications

256
00:11:02,528 --> 00:11:04,750
products. There is scarcely a plant that

257
00:11:04,750 --> 00:11:06,700
I've worked on, that does not have

258
00:11:06,700 --> 00:11:09,009
something made by MOXA, somewhere in it.

259
00:11:09,009 --> 00:11:12,460
The 2nd device was an iRZ RUH2

260
00:11:12,460 --> 00:11:16,000
3G. This is a 3G router, industrially

261
00:11:16,000 --> 00:11:18,548
hardened. It supports dual SIM cards and

262
00:11:18,548 --> 00:11:21,100
10/100 Ethernet and again runs an

263
00:11:21,100 --> 00:11:23,980
embedded Linux version. iRZ is a

264
00:11:23,980 --> 00:11:25,330
company based in Russia.

265
00:11:25,330 --> 00:11:27,340
So whilst they are popular in Europe,

266
00:11:27,340 --> 00:11:29,408
outside of Europe they are rarely found.

267
00:11:29,408 --> 00:11:32,110
By disabling these with these firmware

268
00:11:32,110 --> 00:11:34,840
hacks, this meant that any recovery of

269
00:11:34,840 --> 00:11:36,610
SCADA workstations would be ineffective

270
00:11:36,610 --> 00:11:38,200
because there would be no communication

271
00:11:38,200 --> 00:11:40,960
converter between SCADA and the circuit

272
00:11:40,960 --> 00:11:42,548
breakers for remote operation or

273
00:11:42,548 --> 00:11:45,490
monitoring. Essentially they were cutting

274
00:11:45,490 --> 00:11:47,889
off the intermediary and severing that

275
00:11:47,889 --> 00:11:51,220
link. Disabling the SCADA workstations.

276
00:11:51,220 --> 00:11:53,980
KillDisk on the operator workstations

277
00:11:53,980 --> 00:11:56,649
will overwrite the MBR (that's the Master

278
00:11:56,649 --> 00:11:59,259
Boot Record) as well as key system files

279
00:11:59,259 --> 00:12:01,330
rendering the computer inoperable and

280
00:12:01,330 --> 00:12:04,200
unable to reboot to recover. Effectively

281
00:12:04,200 --> 00:12:06,460
disabling the SCADA operator

282
00:12:06,460 --> 00:12:09,668
workstations completely. For several

283
00:12:09,668 --> 00:12:11,379
machines KillDisk was manually

284
00:12:11,379 --> 00:12:13,808
triggered, whereas for others there

285
00:12:13,808 --> 00:12:15,759
was a time trigger delay to launch at

286
00:12:15,759 --> 00:12:18,399
about 5:00pm, an hour and a half into

287
00:12:18,399 --> 00:12:19,528
the start of the attacks.

288
00:12:19,528 --> 00:12:22,600
Finally they disabled an RTU on an

289
00:12:22,600 --> 00:12:27,278
embedded PC. An ABB RTU560 CMU-02 is a

290
00:12:27,278 --> 00:12:29,408
chassis mounted daughter card that runs

291
00:12:29,408 --> 00:12:31,019
an embedded Windows CE.

292
00:12:31,019 --> 00:12:34,000
One of these, and only one was discovered

293
00:12:34,000 --> 00:12:37,298
also corrupted by KillDisk. There have been

294
00:12:37,298 --> 00:12:39,340
many suggestions as to how this could

295
00:12:39,340 --> 00:12:41,470
have been prevented, but before we talk

296
00:12:41,470 --> 00:12:43,720
about that a few things that wouldn't

297
00:12:43,720 --> 00:12:46,629
have stopped it. Application whitelisting,

298
00:12:46,629 --> 00:12:49,720
for example at the firewall would not

299
00:12:49,720 --> 00:12:52,178
have changed the outcome. Non-obvious

300
00:12:52,178 --> 00:12:55,690
passwords were actually used so that was

301
00:12:55,690 --> 00:12:57,820
not a case of having weak passwords that

302
00:12:57,820 --> 00:13:00,808
were easily guessed. They weren't.

303
00:13:00,808 --> 00:13:03,399
Significant logging did actually exist,

304
00:13:03,399 --> 00:13:06,730
and firewalls existed.

305
00:13:06,730 --> 00:13:08,918
Adding more firewalls would not have

306
00:13:08,918 --> 00:13:11,759
changed the outcome. Before we talk about

307
00:13:11,759 --> 00:13:13,690
what could have been done to prevent

308
00:13:13,690 --> 00:13:16,330
this, let's look at the fallout from the

309
00:13:16,330 --> 00:13:19,840
incident. In total about 73MWh

310
00:13:19,840 --> 00:13:22,269
of electricity was not supplied

311
00:13:22,269 --> 00:13:24,580
during the blackout period. That

312
00:13:24,580 --> 00:13:25,870
represents a somewhat

313
00:13:25,870 --> 00:13:28,899
insignificant amount, representing a

314
00:13:28,899 --> 00:13:33,490
mere 0.015% of the Ukraine's daily

315
00:13:33,490 --> 00:13:37,149
electricity consumption. Fractionally

316
00:13:37,149 --> 00:13:40,240
speaking that's 1/6,600th

317
00:13:40,240 --> 00:13:43,120
of their total daily supply.

318
00:13:43,120 --> 00:13:45,428
There were no documented economic

319
00:13:45,428 --> 00:13:48,610
impacts, health or medical complications

320
00:13:48,610 --> 00:13:51,908
or spoilage losses as a result of this

321
00:13:51,908 --> 00:13:54,908
blackout incident. The Oblenergos

322
00:13:54,908 --> 00:13:56,710
themselves however, they were more

323
00:13:56,710 --> 00:13:59,379
heavily impacted in terms of cost to

324
00:13:59,379 --> 00:14:01,330
rectify the mess left behind by the

325
00:14:01,330 --> 00:14:05,080
hackers. It took months to rebuild the

326
00:14:05,080 --> 00:14:07,240
destroyed work stations due to a lack of

327
00:14:07,240 --> 00:14:09,759
regular backups. It took months to

328
00:14:09,759 --> 00:14:11,589
replace Serial to Ethernet converters

329
00:14:11,589 --> 00:14:14,200
due to a lack of spare parts and a lack

330
00:14:14,200 --> 00:14:16,918
of backups with the MOXA and iRZ units

331
00:14:16,918 --> 00:14:19,389
completely unrecoverable, requiring

332
00:14:19,389 --> 00:14:21,339
physical replacement and complete

333
00:14:21,339 --> 00:14:24,668
reprogramming from scratch. During the

334
00:14:24,668 --> 00:14:27,038
rebuilding time the system was mostly

335
00:14:27,038 --> 00:14:29,558
run manually, with a significantly

336
00:14:29,558 --> 00:14:32,139
increased staff presence on the ground

337
00:14:32,139 --> 00:14:34,808
at substations. The additional costs of

338
00:14:34,808 --> 00:14:36,850
this rebuilding have not been publicly

339
00:14:36,850 --> 00:14:39,759
released although parts and labor for

340
00:14:39,759 --> 00:14:41,470
the engineering rebuild were likely to

341
00:14:41,470 --> 00:14:43,629
be at least a $1/4M USD

342
00:14:43,629 --> 00:14:46,750
in parts and labor. Whilst

343
00:14:46,750 --> 00:14:49,418
StuxNet demonstrated that hacking by

344
00:14:49,418 --> 00:14:51,548
well-funded and highly motivated hackers

345
00:14:51,548 --> 00:14:53,470
could physically damage equipment

346
00:14:53,470 --> 00:14:55,110
connected to a control system,

347
00:14:55,110 --> 00:14:57,700
interruption of a power grid on a scale

348
00:14:57,700 --> 00:15:01,450
like this had never been seen before. The

349
00:15:01,450 --> 00:15:03,399
Ukrainian companies were well practiced

350
00:15:03,399 --> 00:15:05,860
in manual override controls and given

351
00:15:05,860 --> 00:15:07,990
their staffing structure and training

352
00:15:07,990 --> 00:15:10,000
they were able to restore power and run

353
00:15:10,000 --> 00:15:12,220
the system manually very quickly and for

354
00:15:12,220 --> 00:15:14,139
several weeks until the remote control

355
00:15:14,139 --> 00:15:16,690
infrastructure could be fixed. Other

356
00:15:16,690 --> 00:15:18,788
countries around the world have been

357
00:15:18,788 --> 00:15:20,980
progressively relying more and more on

358
00:15:20,980 --> 00:15:23,019
control systems infrastructure to

359
00:15:23,019 --> 00:15:25,389
operate their facilities remotely to

360
00:15:25,389 --> 00:15:28,720
reduce operating costs. In many cases

361
00:15:28,720 --> 00:15:31,149
local controls are also being sacrificed

362
00:15:31,149 --> 00:15:33,759
entirely to save on manufacturing and

363
00:15:33,759 --> 00:15:36,610
ongoing maintenance costs. In such cases

364
00:15:36,610 --> 00:15:38,707
an attack like this one would have been

365
00:15:38,707 --> 00:15:39,610
far more devastating.

366
00:15:39,610 --> 00:15:42,428
Without sufficient manual

367
00:15:42,428 --> 00:15:45,038
override control or without enough

368
00:15:45,038 --> 00:15:47,288
trained personnel to operate substations

369
00:15:47,288 --> 00:15:49,450
manually the outage could have lasted

370
00:15:49,450 --> 00:15:51,519
for days, or even a week in some

371
00:15:51,519 --> 00:15:53,620
countries around the world. The

372
00:15:53,620 --> 00:15:56,320
ramifications of Black Energy have

373
00:15:56,320 --> 00:15:58,269
actually been a strengthening of the

374
00:15:58,269 --> 00:15:59,759
application of cybersecurity

375
00:15:59,759 --> 00:16:00,879
defense-in-depth

376
00:16:00,879 --> 00:16:03,308
architectures in utilities around the

377
00:16:03,308 --> 00:16:06,399
world. Driving a huge spike in investment

378
00:16:06,399 --> 00:16:07,899
in software for monitoring logs,

379
00:16:07,899 --> 00:16:09,970
detecting abnormal network communication

380
00:16:09,970 --> 00:16:12,580
and the identification of data traffic

381
00:16:12,580 --> 00:16:14,620
specifically between SCADA systems and

382
00:16:14,620 --> 00:16:18,308
equipment controllers. Four months ago

383
00:16:18,308 --> 00:16:22,808
in mid-2019 the SEIA bill or

384
00:16:22,808 --> 00:16:24,970
Secure Energy Infrastructure Act in the

385
00:16:24,970 --> 00:16:26,860
United States passed through the Senate.

386
00:16:26,860 --> 00:16:29,740
It mandates sufficient manual controls

387
00:16:29,740 --> 00:16:32,019
to ensure manual control overrides and

388
00:16:32,019 --> 00:16:34,389
procedures exist to operate the

389
00:16:34,389 --> 00:16:36,460
electrical grid infrastructure in the

390
00:16:36,460 --> 00:16:39,000
event of a failure or a compromise of

391
00:16:39,000 --> 00:16:42,278
automated control systems. The Act

392
00:16:42,278 --> 00:16:44,860
attempts to counter the growing trend of

393
00:16:44,860 --> 00:16:47,350
cost reduction by removing full manual

394
00:16:47,350 --> 00:16:49,720
controls in favor of automation and to

395
00:16:49,720 --> 00:16:51,759
mandate that those controls must be

396
00:16:51,759 --> 00:16:54,908
installed, inspired in large part by the

397
00:16:54,908 --> 00:16:58,629
Ukraine attack in 2015. So what lessons

398
00:16:58,629 --> 00:17:00,610
have we learned from this? Social

399
00:17:00,610 --> 00:17:03,250
targeting is a big problem that a lot of

400
00:17:03,250 --> 00:17:06,250
people don't appreciate. When I used to

401
00:17:06,250 --> 00:17:08,140
work at Nortel Networks in the late

402
00:17:08,140 --> 00:17:11,170
1990s organizational charts (or Org

403
00:17:11,170 --> 00:17:13,150
Charts) were relabeled as "Commercial in

404
00:17:13,150 --> 00:17:15,250
Confidence" documents because there had

405
00:17:15,250 --> 00:17:17,140
been several incidents of targeted

406
00:17:17,140 --> 00:17:18,788
poaching attempts from other Tech

407
00:17:18,788 --> 00:17:22,150
companies. In essence it was a map to the

408
00:17:22,150 --> 00:17:24,818
structure internally and those wishing

409
00:17:24,818 --> 00:17:26,230
to poach people would know straight who

410
00:17:26,230 --> 00:17:29,769
to speak to. Today social media and the

411
00:17:29,769 --> 00:17:31,778
over-sharing of information has made it

412
00:17:31,778 --> 00:17:33,578
difficult for companies to protect this

413
00:17:33,578 --> 00:17:35,828
sort of information let alone from

414
00:17:35,828 --> 00:17:38,259
poaching attempts but from hackers as

415
00:17:38,259 --> 00:17:41,200
well, and today companies like LinkedIn

416
00:17:41,200 --> 00:17:43,210
make it incredibly easy for a hacker to

417
00:17:43,210 --> 00:17:45,519
craft a highly targeted phishing or

418
00:17:45,519 --> 00:17:48,640
spear-phishing Email to exactly the

419
00:17:48,640 --> 00:17:50,528
right group of people they need to get

420
00:17:50,528 --> 00:17:53,288
access. As previously mentioned

421
00:17:53,288 --> 00:17:55,328
spear-phishing campaigns or attacks are

422
00:17:55,328 --> 00:17:57,519
the first volley from those trying to

423
00:17:57,519 --> 00:17:58,990
penetrate a network and they're becoming

424
00:17:58,990 --> 00:18:01,720
harder to detect and block, and are

425
00:18:01,720 --> 00:18:04,328
becoming far more frequent. If I'm a

426
00:18:04,328 --> 00:18:06,190
hacker and I want to disrupt a company

427
00:18:06,190 --> 00:18:07,660
that runs industrial equipment like

428
00:18:07,660 --> 00:18:10,210
electricity generation or electricity

429
00:18:10,210 --> 00:18:13,298
supply, Oil & Gas, mining, water supplies

430
00:18:13,298 --> 00:18:16,690
even hospitals. Many employ control

431
00:18:16,690 --> 00:18:19,028
systems engineers like me to maintain

432
00:18:19,028 --> 00:18:20,650
and support their control system

433
00:18:20,650 --> 00:18:22,838
infrastructure. If I post that I'm a

434
00:18:22,838 --> 00:18:24,848
control systems engineer on LinkedIn, I'm

435
00:18:24,848 --> 00:18:26,828
working for the target company someone

436
00:18:26,828 --> 00:18:28,868
wants to disrupt, they then draw up a

437
00:18:28,868 --> 00:18:29,640
short list.

438
00:18:29,640 --> 00:18:32,380
Sometimes people over-share the projects

439
00:18:32,380 --> 00:18:34,210
that they've worked on. Perhaps they've

440
00:18:34,210 --> 00:18:35,680
worked on a safety system for an

441
00:18:35,680 --> 00:18:38,440
explosives plant, which might make it

442
00:18:38,440 --> 00:18:40,058
easier to target those people

443
00:18:40,058 --> 00:18:42,130
specifically in a spear-phishing attack,

444
00:18:42,130 --> 00:18:44,108
since those people are the most likely

445
00:18:44,108 --> 00:18:46,538
to have credentials that have access to

446
00:18:46,538 --> 00:18:48,098
those safety systems you're trying to

447
00:18:48,098 --> 00:18:51,220
disrupt. From a shortlist constructed

448
00:18:51,220 --> 00:18:53,588
from LinkedIn it stands to reason that I

449
00:18:53,588 --> 00:18:55,690
would know other control systems engineers

450
00:18:55,690 --> 00:18:57,880
also working at the same company so now

451
00:18:57,880 --> 00:19:00,190
they're able to send an Email to me that

452
00:19:00,190 --> 00:19:02,019
at first glance appears to come from one

453
00:19:02,019 --> 00:19:04,778
of my co-workers someone that I know but

454
00:19:04,778 --> 00:19:06,430
has a malicious attachment that I'm less

455
00:19:06,430 --> 00:19:09,098
suspicious of. So I open it

456
00:19:09,098 --> 00:19:11,380
unsuspectingly then they have access to

457
00:19:11,380 --> 00:19:14,170
my machine, and you might think LinkedIn

458
00:19:14,170 --> 00:19:16,720
restricts access to my list of

459
00:19:16,720 --> 00:19:19,058
connections if I select that, and if

460
00:19:19,058 --> 00:19:20,588
you're not a connection of mine then

461
00:19:20,588 --> 00:19:22,240
that's true (certainly the way I've got

462
00:19:22,240 --> 00:19:24,400
it set) but all it takes is for someone

463
00:19:24,400 --> 00:19:26,500
to pose as a recruitment consultant, a

464
00:19:26,500 --> 00:19:29,470
headhunter, an agent, and if you're in the

465
00:19:29,470 --> 00:19:31,150
market for a new job even if you're

466
00:19:31,150 --> 00:19:33,130
strict about only connecting with people

467
00:19:33,130 --> 00:19:35,410
that you've personally met, you might

468
00:19:35,410 --> 00:19:37,298
just accept one or two requests like

469
00:19:37,298 --> 00:19:40,210
that and if one is malicious then they

470
00:19:40,210 --> 00:19:42,460
have everything they need with all of

471
00:19:42,460 --> 00:19:44,500
your connections to find who to target.

472
00:19:44,500 --> 00:19:46,690
The hackers know that the control

473
00:19:46,690 --> 00:19:47,890
systems engineers have elevated

474
00:19:47,890 --> 00:19:49,450
privileges in the control system and

475
00:19:49,450 --> 00:19:51,130
might even have remote access rights as

476
00:19:51,130 --> 00:19:53,318
well if that exists, so once they've got

477
00:19:53,318 --> 00:19:55,358
onto my machine a keylogger lies in wait

478
00:19:55,358 --> 00:19:57,098
for me to log into remote access gateway

479
00:19:57,098 --> 00:19:58,390
to the control network and then they

480
00:19:58,390 --> 00:20:00,068
have my credentials and it's open season.

481
00:20:00,068 --> 00:20:02,230
If that access portal is internet

482
00:20:02,230 --> 00:20:03,940
exposed they can get in and out anytime

483
00:20:03,940 --> 00:20:05,200
they want and if no one is

484
00:20:05,200 --> 00:20:06,700
cross-checking when I'm

485
00:20:06,700 --> 00:20:08,558
logging in and when I'm not, and if

486
00:20:08,558 --> 00:20:09,759
there's no other mechanism like

487
00:20:09,759 --> 00:20:11,528
Multi-Factor Authentication then it's an

488
00:20:11,528 --> 00:20:13,838
open door and they can poke and prod and

489
00:20:13,838 --> 00:20:15,098
look for weaknesses from within the

490
00:20:15,098 --> 00:20:17,650
system to the extent my credentials let

491
00:20:17,650 --> 00:20:19,900
them. In the case of Black Energy the

492
00:20:19,900 --> 00:20:22,900
original attack wasn't quite as targeted

493
00:20:22,900 --> 00:20:24,880
but ultimately they still achieved their

494
00:20:24,880 --> 00:20:26,348
goal by gaining access to the domain

495
00:20:26,348 --> 00:20:28,019
controller, it just took a little longer.

496
00:20:28,019 --> 00:20:30,759
But undetected they could take as long

497
00:20:30,759 --> 00:20:33,578
as they liked. There have been a lot of

498
00:20:33,578 --> 00:20:35,259
reports digging into the incident and

499
00:20:35,259 --> 00:20:38,950
many lessons can be learned from it. ISA

500
00:20:38,950 --> 00:20:42,098
or IEC 62443-3-3

501
00:20:42,098 --> 00:20:45,160
lists 51 system requirements that

502
00:20:45,160 --> 00:20:47,470
are recommended to improve resilience to

503
00:20:47,470 --> 00:20:49,660
cyber intrusion in Operational

504
00:20:49,660 --> 00:20:52,170
Technology (or OT) systems. An

505
00:20:52,170 --> 00:20:54,548
International Society of Automation (or

506
00:20:54,548 --> 00:20:57,308
ISA) report highlighted 7 significant

507
00:20:57,308 --> 00:20:59,980
SR breaches in this incident which I'll

508
00:20:59,980 --> 00:21:01,930
cover only three of them that I consider

509
00:21:01,930 --> 00:21:06,278
key. 2.4: The transfer of malware

510
00:21:06,278 --> 00:21:07,960
between systems on the OT network

511
00:21:07,960 --> 00:21:10,028
clearly demonstrated that there were no

512
00:21:10,028 --> 00:21:12,009
substantial controls restricting file

513
00:21:12,009 --> 00:21:13,690
transfer throughout the control system

514
00:21:13,690 --> 00:21:16,630
network. It's common practice to have a

515
00:21:16,630 --> 00:21:19,480
so-called secure gateway for all file

516
00:21:19,480 --> 00:21:21,490
access between machines on an OT network.

517
00:21:21,490 --> 00:21:23,890
That gateway or Dropbox is heavily

518
00:21:23,890 --> 00:21:25,180
scanned and logged and reviewed

519
00:21:25,180 --> 00:21:27,670
regularly. All other file transfer

520
00:21:27,670 --> 00:21:29,680
pathways are then restricted or disabled

521
00:21:29,680 --> 00:21:31,240
completely making it significantly

522
00:21:31,240 --> 00:21:33,848
harder to spread malware through the OT

523
00:21:33,848 --> 00:21:36,608
system if you do get in. People complain

524
00:21:36,608 --> 00:21:38,950
(that use the system every day) it's hard

525
00:21:38,950 --> 00:21:40,598
to get data in or out of the system

526
00:21:40,598 --> 00:21:42,190
without that additional intermediate

527
00:21:42,190 --> 00:21:45,278
step, but it does stop the hackers from

528
00:21:45,278 --> 00:21:47,528
easily cross-infecting machines on the

529
00:21:47,528 --> 00:21:50,558
network. Point 5: Whilst a firewall

530
00:21:50,558 --> 00:21:52,420
existed lacking sufficient additional

531
00:21:52,420 --> 00:21:55,180
controls it was rendered mostly

532
00:21:55,180 --> 00:21:58,538
ineffective. The essence of this comment:

533
00:21:58,538 --> 00:22:00,548
for a firewall to be useful there also

534
00:22:00,548 --> 00:22:03,220
has to be strong authentication. Also

535
00:22:03,220 --> 00:22:05,288
detection via an automated or manual log

536
00:22:05,288 --> 00:22:07,000
review method of some kind would have

537
00:22:07,000 --> 00:22:08,858
uncovered the hackers' activity quite

538
00:22:08,858 --> 00:22:13,660
easily. Item 6.2: Lack of overall network

539
00:22:13,660 --> 00:22:16,058
monitoring. Without any monitoring tools

540
00:22:16,058 --> 00:22:17,710
the attackers could surveil the network

541
00:22:17,710 --> 00:22:19,720
extensively completely undetected for

542
00:22:19,720 --> 00:22:20,470
weeks and in this

543
00:22:20,470 --> 00:22:22,838
case, months. So what do we conclude from

544
00:22:22,838 --> 00:22:26,019
all of this? If you're working with

545
00:22:26,019 --> 00:22:29,169
critical infrastructure and there are

546
00:22:29,169 --> 00:22:31,598
remote access pathways to your control

547
00:22:31,598 --> 00:22:34,328
system infrastructure then be warned, you

548
00:22:34,328 --> 00:22:38,650
are or will be (someday) a target. If you're

549
00:22:38,650 --> 00:22:41,230
part of an IT or OT department, make sure

550
00:22:41,230 --> 00:22:43,750
you have a centralized log collection

551
00:22:43,750 --> 00:22:47,230
and analysis tool, and have eyes on glass

552
00:22:47,230 --> 00:22:49,000
looking over those logs for any

553
00:22:49,000 --> 00:22:51,519
suspicious activity because that is part

554
00:22:51,519 --> 00:22:54,400
of your job. If you're able to install

555
00:22:54,400 --> 00:22:56,048
software tools that can monitor network

556
00:22:56,048 --> 00:22:58,929
traffic, learn standard behaviors and

557
00:22:58,929 --> 00:23:01,298
then report on exceptions or suspect

558
00:23:01,298 --> 00:23:03,788
traffic patterns, then invest in it and

559
00:23:03,788 --> 00:23:06,759
use it. If you have a remote access

560
00:23:06,759 --> 00:23:08,519
portal for goodness sake install

561
00:23:08,519 --> 00:23:11,440
Multi-Factor Authentication. We humans

562
00:23:11,440 --> 00:23:13,720
are sometimes too clever for our own

563
00:23:13,720 --> 00:23:16,480
good. We use our intelligence to build

564
00:23:16,480 --> 00:23:18,730
machines that require less and less work

565
00:23:18,730 --> 00:23:21,578
for us to do. It's easier to monitor,

566
00:23:21,578 --> 00:23:23,769
reset, open and close circuit breakers

567
00:23:23,769 --> 00:23:25,900
from a room hundreds of kilometers away.

568
00:23:25,900 --> 00:23:28,419
Why drive there when you can just click

569
00:23:28,419 --> 00:23:31,900
a button? It's easier and it's cheaper to

570
00:23:31,900 --> 00:23:33,608
build things with no physical buttons, no

571
00:23:33,608 --> 00:23:35,650
indicator lights, no manual overrides and

572
00:23:35,650 --> 00:23:38,169
that's fine until something goes wrong

573
00:23:38,169 --> 00:23:42,250
and you need them. Cyber-security is a

574
00:23:42,250 --> 00:23:45,220
never-ending tug of war between company

575
00:23:45,220 --> 00:23:47,588
convenience and the risk of cyber

576
00:23:47,588 --> 00:23:50,528
inconvenience. The more convenient that

577
00:23:50,528 --> 00:23:52,900
we make it for ourselves, the more

578
00:23:52,900 --> 00:23:54,608
convenient we make it for hackers to

579
00:23:54,608 --> 00:23:57,970
make our lives inconvenient. In the case

580
00:23:57,970 --> 00:24:01,690
of Black Energy only 0.015%

581
00:24:01,690 --> 00:24:03,519
of the power grid was inconvenienced

582
00:24:03,519 --> 00:24:06,519
that evening. Next time though, the

583
00:24:06,519 --> 00:24:09,098
consequences could be much much more

584
00:24:09,098 --> 00:24:12,490
severe. If you're involved with OT

585
00:24:12,490 --> 00:24:15,788
systems: pay attention. Those people

586
00:24:15,788 --> 00:24:18,460
intent on wreaking havoc throughout the

587
00:24:18,460 --> 00:24:21,368
world, they might be watching you and

588
00:24:21,368 --> 00:24:23,858
waiting for you to choose that

589
00:24:23,858 --> 00:24:27,400
convenience and laziness over security.

590
00:24:27,400 --> 00:24:29,710
If you're enjoying Causality and want to

591
00:24:29,710 --> 00:24:31,990
support the show you can: by subscribing

592
00:24:31,990 --> 00:24:34,000
to the Premium site via Breaker or via

593
00:24:34,000 --> 00:24:34,548
Patreon.

594
00:24:34,548 --> 00:24:37,068
You can find details at https://engineered.network

595
00:24:37,068 --> 00:24:39,288
/causality with a thank you to all

596
00:24:39,288 --> 00:24:41,088
of our patrons and a special thank you

597
00:24:41,088 --> 00:24:42,950
to our Silver Producers Carsten Hanson,

598
00:24:42,950 --> 00:24:45,440
John Whitlow, Joseph Antonio and Kevin

599
00:24:45,440 --> 00:24:47,750
Kosh, and an extra special thank you to

600
00:24:47,750 --> 00:24:49,960
our Gold Producer known only as "r".

601
00:24:49,960 --> 00:24:52,190
Patron rewards include a name thank you

602
00:24:52,190 --> 00:24:53,509
on the website, a name thank you at the

603
00:24:53,509 --> 00:24:55,848
end of episodes and access to detail

604
00:24:55,848 --> 00:24:58,640
raw show notes too. Premium rewards also

605
00:24:58,640 --> 00:25:00,588
include ad-free high-quality releases

606
00:25:00,588 --> 00:25:01,880
of every episode, so if you'd like to

607
00:25:01,880 --> 00:25:04,068
subscribe you can help make sure the

608
00:25:04,068 --> 00:25:06,380
show continues to be produced and above

609
00:25:06,380 --> 00:25:07,700
all else it's all really, really

610
00:25:07,700 --> 00:25:10,130
appreciated. Of course there's lots of

611
00:25:10,130 --> 00:25:11,630
other ways to help like favoriting this

612
00:25:11,630 --> 00:25:13,430
episode in your podcast player app or

613
00:25:13,430 --> 00:25:15,618
sharing the episode or the show with

614
00:25:15,618 --> 00:25:18,650
your friends or via social. Some podcast

615
00:25:18,650 --> 00:25:20,058
players let you share audio clips of

616
00:25:20,058 --> 00:25:21,170
episodes so if you have a favourite

617
00:25:21,170 --> 00:25:23,660
segment, feel free to share that too. All

618
00:25:23,660 --> 00:25:25,338
of these things help others to discover

619
00:25:25,338 --> 00:25:27,278
the show and can make a big difference.

620
00:25:27,278 --> 00:25:29,690
Causality is heavily researched and

621
00:25:29,690 --> 00:25:31,308
links to all materials used for the

622
00:25:31,308 --> 00:25:32,838
creation of this episode are contained

623
00:25:32,838 --> 00:25:34,430
in the show notes. You can find them in

624
00:25:34,430 --> 00:25:35,778
the text of the episode description of

625
00:25:35,778 --> 00:25:37,778
your podcast player or on our website.

626
00:25:37,778 --> 00:25:40,308
You can follow me on the Fediverse

627
00:25:40,308 --> 00:25:42,798
@chidgey@engineered.space on Twitter

628
00:25:42,798 --> 00:25:45,078
@johnchidgey (all one word) or the

629
00:25:45,078 --> 00:25:47,410
network @Engineered_Net.

630
00:25:47,410 --> 00:25:51,920
This was Causality. I'm John Chidgey. Thanks so

631
00:25:51,920 --> 00:25:52,358
much for listening.

632
00:25:52,358 --> 00:26:10,249
[Music]

633
00:26:10,788 --> 00:26:11,670
[Music]

634
00:26:11,670 --> 00:26:16,107
[Music]

