back to article Despite Russia warnings, Western critical infrastructure remains unprepared

As Russian special forces push more overtly into online operations, network defenders should be on the hunt for digital intruders looking to carry out cyberattacks that end in physical destruction and harm. "Unfortunately, if these actors are willing to carry out sabotage in the physical realm, they are likely willing to carry …

  1. Pascal Monett Silver badge

    An unfortunate necessity

    I absolutely do not approve this internet warfare, but one thing that is apparently even more certain is that critical infrastructure needs to be secured and never has been because nobody ever decided it was needed. So it's been available for attack since forever because who cared ?

    Well now, it is needed and everyone cares, so put up the money, get the training, and get those critical infrastructures secured. You've been coasting on ignorance and complacency long enough.

    1. Red Or Zed

      Re: An unfortunate necessity

      It's not going to happen without legislation and budget from the government. And none of those actually care enough to do something.

    2. amanfromMars 1 Silver badge

      One of those Sisyphean tasks so beloved of the mindless and clueless

      Securing critical infrastructure in this post-modern age of virtual shenanigans and relatively autonomous and practically anonymous and extremely able remote executive agents is going to be as successful as retaining and protecting water from escaping a sieve, Pascal Monett.

      But declaring that you can, and proclaiming that you have a program to enable it, is a nice little earner for some who really should, and maybe even do know better but obviously prefer to prey on the ignorance that abounds all around them.

      1. Clausewitz4.0 Bronze badge
        Devil

        Re: One of those Sisyphean tasks so beloved of the mindless and clueless

        It's just a dangerous game with dangerous people, comms interception and media manipulation, marketing and microwave remote torture.

        Nothing new.

    3. Zardoz2293

      Re: An unfortunate necessity

      Total Baloney-- These threats have been known since at least the early 1980's. The money has always been there, most by systems design, and programmer job security. I know, I've had intense arguments regarding the holes since then, and like clockwork, less than a decade later whatever specific concern or argument I presented becomes the next IT crisis. Focus on smaller teams and Management who actually cares with Executive approval. I doubt things will really change on a National level, unless and until, you get several more CloudStrike events. Expect 95 percent to claim they are doing something and effectively do nothing or marginal response, and 5 percent for effective security.

    4. EricB123 Silver badge

      Re: An unfortunate necessity

      What a silly suggestion! What next, develop a comprehensive plan to deal with the next pandemic?

  2. Will Godfrey Silver badge
    Unhappy

    They would not list...

    Gets boring doesn't it?

    I wonder just what it will take to make people actually take this seriously - then again, will they ever?

    1. Paul Crawford Silver badge

      Re: They would not list...

      Making the board of directors liable for failure to implement acceptable security?

      I don't mean falling to zero-day exploits and fancy attacks, but rather not using even basic levels of security and IT maintenance on all public facing systems.

    2. Stuart Castle Silver badge

      Re: They would not list...

      I think the problem is that good secutrity just isn't exciting..

      I *know* it is important. I work in an evironment where we do work hard at keeping everything up to date, and try and follow good security practices.

      The problem is, this costs money, and doesn't prodcue a visible result. Things will just work as the should, and people like to pretend bad stuff doesn't happen. A new system, or even a new version of an application costs money, but will also bring new features. New bling to excite people..

      Personally, I think people in business need to remember that if they don't test and implement patches (and enforce security measures like MFA) quickly, then the cost (reputational and financial) to their business may be considerably greater than the cost of implementing good security.

      1. I ain't Spartacus Gold badge

        Re: They would not list...

        One problem is also that there's nothing you can just go out and buy. You can have anti-malware software and backup software and all that good stuff - but there isn't just a budget for "buy this one shiny thing and all problems go away". You need good system design and consistent well-managed operation of your systems to keep it safe. Or at least safer. And then disaster recovery plans for if it doesn't work. Plans that most people are too scared to test. Plus consistent user-training - or idiot-proof systems. But they're always creating better idiots...

        In my experience it's much harder to get this through peoples' heads - when what they want is to see a problem and to pay for it to go away.

      2. An_Old_Dog Silver badge

        Infosystems Security is Like Flood Insurance

        "This costs money"

        Yes, and so does flood insurance. Which, technically, you don't need until you are flooded. But, like flood insurance, purchasing good computer security after the disaster, and expecting it to cover the just-happened disaster, will not work.

        You need to have paid for it in advance.

    3. hammarbtyp

      Re: They would not list...

      I think people under estimate the challenge

      Lets assume you have a Nuclear Power Station. This takes 5 to 8 years to construct. The software system was almost certainly in development for 5 years before that, so is already 13 years old before it even starts, and will probably stay active for 20 years.

      So already you are running kit with all sort of vulnerabilities, which were not identified when the project started.

      So why not rewrite it? Well the software is bespoke. It has been customised to the vagaries of that system, gone through a long commissioning period. Updates and patches will have to go through a long testing period. We are not talking a PC update here

      Small patches and changes are low risk, but adding major changes especially cyber security additions will almost certainly mean restarting the commissioning from scratch

      The best you can do is add layers around the edges so that external access is controlled. However you really require physical security, because a nation state actor would easily compromise a system is given physical access to it

      Yes, cyber is very important, but things cannot change overnight, due to the nature of the beasts

      1. Paul Crawford Silver badge

        Re: They would not list...

        But in such an example you don't need anyone to connect in for any reason. You might want monitoring data, you might perhaps have some need to inform the operation of load changes, etc, but none of these need a direct connection to any of the old bespoke systems.

        Problem is, that costs money for security-cleared folks to physically visit the site, and most infrastructure is run for profit so that is the sort of "savings" they want to see from modern shiny.

      2. Clausewitz4.0 Bronze badge
        Devil

        Re: They would not list...

        You nailed it.

  3. Anonymous Coward
    Anonymous Coward

    Mind over hormones

    Rusky psyops are great at recruiting hormonal members of our populations for some reason, folks who readily scream in outrage at the purest of nonsenses, the frustrated testosterone singles, and basically anyone with triggerable hormones (just about everyone). They're turned into unaware willing assets with potential access to a wide range of critical systems. Edward Snowden is exhibit #1 in this -- his outside look of constant apparent sedation a remarkable hint.

    Beyond strong passwords, MFA, patches, encryption, and similar physical security measures, we sure need to also ensure that we secure our psyche, and its underlying flow of juicy hormones. As loose lips once sunk ships, loose peckers now burst pipelines (among other things), by remote actuation of hormonal triggers!

  4. Russell Chapman Esq.

    Time to Be Prepared

    The UK is potentially a massive target for hybrid warfare. If it were to happen and the electric grid went down and along with it the water network, how long could you last at home? After 3 days there would be next to nothing on supermarket shelves.It's worth having a bit of a back-up supply at home. As well as a wind-up radio.

    1. simkin

      Re: Time to Be Prepared

      You should always have enough food, water, and a way to stay warm, for a couple of weeks at least. If there's a source of fresh water nearby having a Berkey in your emergency kit is advisable. Most of us are carrying enough body fat to live for weeks or even months without much food, but clean water is essential.

  5. IGotOut Silver badge

    And in other news...

    ...the half arsed sanctions are not really having much of an effect.

    In Moscow, very little has changed, some prices have increased, but the Moscovites, who are the ones in Russia that have actual power, are hardly affected

    Many US and European brands still have manufacturing and sales in Russia, many brands that pulled out e.g. McDonald's have just been set up as local companies and rebranded while the others are just shipped in from abroad.

    We still buy petrol from Russia, just via the likes of India.

    We're happy to supply weapons, as that generates money, but soon as it comes to isolate Russia and possibly lose money that's a no-no.

    If we were actually serious,the whole of the EU, USA and others could simply make it illegal to do business with Russia, but nope, money

  6. DS999 Silver badge

    Easily deniable targets

    Whoever is attacking a vulnerable target in an "easily deniable" way become an easily deniable target themselves.

  7. cantankerous swineherd

    I'm old enough to remember the reg biting the hand that fed it rather than regurgitating spooks talking points.

    1. ecofeco Silver badge

      Do you actually see the articles here about hacks and breeches that happen almost every week?

      We are past "threats" and well into cyber-warfare. Have been for some time.

      1. amanfromMars 1 Silver badge

        NEUKlearer HyperRadioProACTive SpookSpeak Talking Points to Mistake for Nonsense and Stealth

        Re: the earlier conversation here on this thread ....

        I'm old enough to remember the reg biting the hand that fed it rather than regurgitating spooks talking points. ..... cantankerous swineherd

        Do you actually see the articles here about hacks and breeches that happen almost every week?

        We are past "threats" and well into cyber-warfare. Have been for some time. .... ecofeco

        Quite so, ecofeco, El Reg is a prime premium asset with evidence continually displayed of it being well able to be far ahead of peer competition or opposition in the cyber situation publishing game ...... whilst also aiding and abetting toleration of many a hosted virtual reality denier luddite and future Advanced IntelAIgent operating systems dinosaur engaging in defence of the indefensible and obnoxious and vainglorious attack against the inevitable and clearly evident and present human and market leading technology ...... with many doggedly constantly suggesting it a precarious bubble rather than realising it an Almighty Intervention to be enthusiastically fed in order that Earth based humanity can further survive to strive and thrive beyond their wildest of traditional conservative dreams following something which they would have you believe is a glitch/myth/fraud/vapourware ....... but which does appear to have a charmed life all of its own, but it is not without its influential friends in high places as evidenced here according to the Financial Times ..... The "Next AI Trade" Plays Out: Microsoft And BlackRock Join Forces On $30 Billion AI Infrastructure Fund

        Does such not make you wonder and ponder on who and/or what is leading whom and/or what and taking everyone and everything to where ...... and whether there is anything other than diddly squat you can do about it ????? ‽ ‽

  8. Kev99 Silver badge

    When will these idiot bean counters realise the internet and cloud are NOT safe, NOT secure, and not the place to store confidential, proprietary, mission critical data? No matter what any IT "expert" says, if there's a connection between a human and the data, it will be hacked, cracked, and smacked. Even governments with all their resources cannot make 100% secure and safe internet connections.

    Way back in pre-internet days, companies used dedicated phone lines. JC Penney had its data center in Atlanta and transaction were just as fast as today. Sears, Federated, and others had the same set up. And many electric companies used their power lines for their data and communication/telephone service. Instead, some PFY bean counter said the internet was FREE. And how many tens of millions in dollars/pounds/euros have been lost to scammers, phishers, DoSers, et cetera?

    Remember, a net is just a bunch holes held together with string, and a cloud just a bunch of holes held together with vapor.

    1. An_Old_Dog Silver badge
      Thumb Up

      Point-to-Point Non-Internet Comm Links

      @Kev99:

      You posted before I did, and said what I wanted to say.

  9. Anonymous Coward
    Anonymous Coward

    We can't even get people to do reliable f*cking backups

    They sure as hell aren't going to spend on security.

    They all think computer security is something only the military or big defense contractors need.

    1. Anonymous Coward
      Anonymous Coward

      Re: We can't even get people to do reliable f*cking backups

      "They all think computer security is something only the military or big defense contractors need."

      The military and other ministries have more power and can negotiate in a more flexible, diplomatic way.

      Anonymous for obvious reasons.

  10. An_Old_Dog Silver badge
    FAIL

    As Forseen in Science Fiction

    [Blue Max, a sentient systems-intrusion aid, speaking to Han Solo]: "They have an integrated network. Great cost savings, but lousy security, huh, Cap'n?"

    -- Han Solo at Stars' End, by Brian Daley, 1979.

  11. Anonymous Coward
    Anonymous Coward

    Security of a resource is invisible, unquantifiable unless you know what you're talking about. Humans do really poorly with risk estimation over time with risks as low as 1/1000 or lower, especially humans distracted by short term greed.

    It matters nothing for a board or the accounting department if their choices are responsible for societal damage after a breach, because when are they held accountable?

    Instead it'll be the Russians or the IT dept that somehow couldn't do magic with the peanuts they had in a budget.

    There is no driving factor for the capitalist market to secure resources from nation state interference, because, they'll say, they're not bound by old fashion concepts like nation states, and isn't their supposed to protect them from the others.

  12. amanfromMars 1 Silver badge

    It's not a Good News Week* whenever Everything Worsen and Turns to Bad and Fades to Black

    Jessica, Hi, .... and the news today for many tomorrows is ...

    As bad as things are nowadays, they are failsafe guaranteed to very quickly turn a great deal uglier, and especially so for the previously thought immune to existential shock West, for despite clear enough warnings in the West, which they and their mainstream media virtual reality presentation apparatus and propaganda machine systems operations appear to choose to ignore and remain deadly silent upon, their critical infrastructure continues to remain catastrophically vulnerable and totally unprepared for remote offensive cyber unit infiltration and exploitation in an invasive intervention for takeover and makeover of serially failing Exclusive Executive Officer SCADA management Operating Systems in which lives are being lost and livings destroyed.

    Such is clearly a situation for publishing which even the slowest of fools would agree would be a self-destructive madness to allow continue, hence the following novel breaking news fit to print.

    GrahamC [2409211558] ...... airs on https://www.nationaldefensemagazine.org/articles/2024/9/20/viewpoint-accelerating-defense-innovation-requires-changes-to-acquisition-approach

    [Thank you. Your comment will be may not be displayed soon after reviewing.]

    Hi, National DEFENSE Magazine readers,

    With particular regard to ....

    While not appropriate for all capabilities such as military essential capabilities that must be controlled under the Uniform Code of Military Justice, as-a-service capabilities can be much more broadly embraced.

    ..... it may be wholly appropriate and essentially vital whenever one ponders on the likes of the current and expanding belligerent and even genocidal acts in middle Eastern lands, and there can also be other foreign fields and alien theatres of military and paramilitary engagement equally suitable to be included in what follows, which are enthusiastically and unequivocably supported and materially supplied with weapons and munitions and financial aid by all manner of assorted allies, surely has one considering and concluding the above quoted sentence suggesting there is any effective control exercised under the Uniform Code of Military Justice, an absolute nonsense and fantastically convenient fiction behind which are stores of evidence of wanton crimes against humanity and society ..... for as unpleasant and unfortunate as it may be to admit, military essential capabilities in order to overwhelmingly succeed in mission objectives invariably always break and ignore the Uniform Code of Military Justice whenever facing peer or near peer adversary resistance and/or competition and/or opposition

    All wars are dirty wars with ground rules based in fiction to be ignored and with aggressors initially in the ascendant but then always destined to painfully fail in disorder and chaos in trying to justify their continued aggression and occupation of seized territory in the name of trying to maintain and retain an overwhelming inequitable peaceful advantage, and in so doing to become increasingly aware of their own toxic, self-defeating dilemma, would you not say ‽

    And in this postmodern age of Remote Anonymous Virtualised Command and AI Control which is capable of realising combat is for CyberIntelAIgent Warrior Forces with Immaculately Resources Assets, only a certifiable fool entertaining and pimping madness would seek to do battle and go to war against that which has always, since time in spaces began, ended up in one's own ignominious defeat ...... although it does appear to be a lesson that humans struggle spectacularly to learn in order to avoid the result ...... which does more than just suggest that they may not be as intelligent as they need to be to move on to the next higher stages of their and Earth's development.

    And that is a real live, clear and presently dangerous existential threat.

    * ...... It's Good News Week

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like