Power plants, utilities 'just hanging right off the internet's tubes'

Utilities opening their infrastructure to the internet are creating an irresistible honeypot for criminals, says the US government's Industrial Control Systems Cyber Emergency Response Team. In spite of often being billion-dollar operations with long-standing experience in their industrial control networks, critical …

  1. allthecoolshortnamesweretaken

    Convenience (and cost cutting) will trump security every bloody time.

    1. Destroy All Monsters Silver badge

      Trump?

      MAKE AMERICA GREAT AGAIN!

  2. Preston Munchensonton
    Coat

    That's not how this should work

    Only the NSA should have such open access...

  3. Anonymous Coward

    There is only one way to fix this - replace the MBAs that are impersonating engineers with real engineers and give them the authority to do the job correctly.

    1. Adam McCormack
      Coat

      They replaced engineers with MacBook Airs? Unplug the little blighters

      1. John Bailey

        "They replaced engineers with MacBook Airs? Unplug the little blighters"

        Well... MacBook-wielding airheads.

        But yes, your plan has some merit.

    2. Anonymous Coward

      There is only one way to fix this - replace the MBAs that are impersonating engineers with real engineers

      You really think that true engineers are all security experts, or sufficiently security conscious as to know who to consult? Rose tinted spectacles, mate.

      I'll wager just as many security and SCADA disasters are caused by engineers without PHB assistance as those with. I know of a product being developed at the moment in my company, and it's engineers playing god who are the root of the inevitable security problem. The commercial guys want a product that works, our engineers (all fully qualified chartered engineers) simply don't have the expertise in security and in software to know the right questions to ask.

      1. Preston Munchensonton

        I know of a product being developed at the moment in my company, and it's engineers playing god who are the root of the inevitable security problem. The commercial guys want a product that works, our engineers (all fully qualified chartered engineers) simply don't have the expertise in security and in software to know the right questions to ask.

        How fortunate for your company that you're available to point all of this out. #sarcasm

      2. JonP

        The commercial guys want the moon on a stick, our engineers (all fully qualified chartered engineers) simply don't have the budget...

        FTFY. ;-)

    3. Mpeler
      Mushroom

      Replace the MBAs that are impersonating engineers with REAL engineers

      And while you're at it, do that at HP(E), IBM, and flagellant (barf, Keysight) too!!!

  4. Destroy All Monsters Silver badge
    Windows

    The solution will be to add a few "Priority 1" projects to the engineers' desks, to add to the pile of the other "priority 1" projects, some of which are even "urgent".

  5. Destroy All Monsters Silver badge
    Headmaster

    On the correct usage of vocabulary

    creating an irresistible honeypot for criminals

    That would mean this attackable infrastructure was actually a trap.

    But it's actually the real deal: a low-hanging fruit.

  6. Oengus
    FAIL

    Accountants are the issue

    While the accountants run the show, and all the C-suites care about is the share price, there will continue to be a focus on short-term thinking. They will do anything that is cheap and expedient. They want to be able to show the decision makers determining their next role how well they did in increasing shareholder value so they can "jump ship" and collect a huge salary increase in the process. Ideally they will be two jobs up the line before the S**t hits the fan.

    It will be the "front-line" staff that are left behind who are blamed and that have to clean up the mess that results from the penetration. This will be a bigger issue if (as seems to happen more and more nowadays) most of the local "front-line" staff are off-shored/outsourced as part of the "cost savings".

    1. Medixstiff

      Re: Accountants are the issue

      Toothless tiger laws are equally responsible.

      Make it that C-level executives and Board members are financially responsible in the event of a hack or utility outage and see how quickly things change.

      There's no point just fining a company; all they will do is pay the fine and continue doing nothing. Fine the people at the top: they get paid the big bucks, they should take the responsibility.

      1. Mark 85 Silver badge

        Re: Accountants are the issue

        Well... they also have lobbyists to ensure that nothing like this ever happens. If a CongressCritter or other elected official even suggested it, their career would be over in a flash.

    2. Tom 13

      Re: Accountants are the issue

      I wouldn't say the accountants per se. Accountants are a predictable bunch and will do whatever the numbers tell them to do. What is necessary is an input into their system that monetizes the risk of compromise. Once you do that the accountants will line up neatly behind or possibly even in front of the engineers insisting the appropriate measures be taken.

      I will grant this is the one place where it will be necessary for governments to act to create the financial incentive. It is actually fairly simple:

      1) The corporation will be responsible for all damages that result from a compromise of their systems. This will include not only the cost of repair but the total cost of down time for any and all of their customers who are affected by the compromise.

      2) While the corporation may engage in risk pooling, it may never completely transfer the risk to another corporation.

      3) In the event the corporation does not have sufficient means to fulfill its responsibilities under item #1, the officers of the corporation and its board of directors will be held personally liable for the uncovered damages.

      Even with the typical lead times for infrastructure improvements in these industries, I expect that were laws specifying this enacted, 85% of the problems would be fixed within a year, and in excess of 95% would be fixed in two. By year three we'd be approaching several sigmas of assurance.

  7. tony2heads
    Unhappy

    Die Hard 4.0

    Did anybody else see that film? Apart from Bruce Willis saving the day, the basic idea is reasonable.

    Thinking of getting a generator and a borehole installed at home.

    1. Michael Wojcik Silver badge

      Re: Die Hard 4.0

      I'm sorry, but are you saying that something about Live Free or Die Hard is even vaguely accurate?

      Pretty much any idea from that film beyond "some things are controlled using computers that have Internet connections" is a wild fantasy.

      Also, the "super hacker controls all the infrastructure" theme is a long-standing and extremely tired Hollywood cliche. There were elements of it in 1995's waste-of-Sandra-Bullock The Net and painfully-dumb Hackers. It was featured in the overrated '92 Sneakers.

      TV Tropes refers to this as Everything Is Online, and they have film references going back as far as 1983's awful Superman III. (TV Tropes says this last example comes from "before the Internet as we know it"; the TCP/IP Internet had been around for several months when the film was released, but not when it was being written, of course. On the other hand, there was the NCP Internet and various other large networks, such as IBM's HONE network, which was bigger than the Internet for some years. At any rate, the point stands - this theme is so obvious that pop culture anticipated it before it was technically feasible.)

    2. Anonymous Coward

      Re: Die Hard 4.0 - generator and borehole

      "Thinking of getting a generator and a borehole installed at home"...

      What, you're not married?

  8. Tom 13

    I've looked over those Aussie recommendations

    Three of them look very good to me. But I must confess, even as a Windows guy I have some concerns about the 4th:

    patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office

    Not so much in the advice per se (patching is usually good), as in the assumption that any critical system with all/any of this software installed can be made safe in the first place. Yes, we run all of this software on the corporate network where I work (God help us), but we aren't a critical system. Okay, you might be able to find a web browser that isn't a high risk, but add in any of the rest and you're pretty much toast.

  9. DeanB

    The internet has tubes? Really?

    1. Mpeler
      Paris Hilton

      O Danny Boy, the tubes, the tubes are glowing...

      Nah, the internet has valves...

      and Paris is checking her B+ voltage...
