Blithering idiots.
Ah, well. More loot for me, cleaning up the mess. Still, it's getting rather old. You'd think after a couple decades they'd notice something wasn't working exactly as planned.
The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack. Of the 175,632 internet-accessible ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over …
Perhaps it is the herbivore herd tendency? With all those other herbivores to take, I should be safe in the middle of the crowd of unprotected herbivores. The problem is that large collections of prey do attract larger packs of hunters; throughout nature that rule is the same. Initially even minimal protection can help, but in the end prey has to get real and cease sitting on a plate for the next taker. Getting things right is not a cost of doing business, it is the only way to stay in business. Some constructive guidance for those in charge of receiving the bonuses might be useful; fining the right people who fail is an obvious first step.
I have never seen a so-called "robot" or CNC machine come into contact with a human where it wasn't the complete, total and utter fault of the idiot human getting themselves into space where they shouldn't have been. I don't get called in to clean up those cases as it's not the equipment/process that is at fault.
Ever hear the phrase "Stupidity SHOULD hurt!"? Machines aren't capable of stupidity. So the old saw "To err is human, but to really foul things up requires a computer." is actually wrong. Machines are only capable of doing what they are told. It's always a human that is at fault.
I now fully expect to cut myself while prepping dinner ... the Universe is funny that way.
Strangely, there's a video wandering about the internet somewhere about people hacking a CNC machine so that it machines ellipses instead of circles...
So let's take a cheapo machine tool maker designing a safety circuit. In the old days it would be a hardwired switch leading to a relay that fires the e-stop circuits... open the gate and the thing stops.
But switches, relays and wires cost money to install/maintain... let's just make it a magnetic sensor linked to the PLC. Oh, and put the machine on the internet so our service dept can remotely view the machine if the customer reports any problems... cheaper than sending a repair guy.
You see where this is going?
Hacker breaks into the machine, alters the PLC ladder for the lolz, cleaning labourer is told to clean up... opens the gate, machine doesn't stop, blood and guts everywhere...
If it is to remotely view the machine, there is no need to wire the machine. Install a CCTV to monitor it. If hackers take that over, big deal.
But of course, one does not just want to monitor, one wants control. Convenience is what will be the downfall of the IT industry. Because security is most definitely not convenient, we have the basic human tendency to get fed up with security instead of scrapping the convenience.
is that, in terms of the Gartner Hype Cycle, we still haven't got to the top of the 'Peak of Inflated Expectation' for all things 'IoT'.
It will probably take more than one serious breach at a Utility that causes fatalities and general discomfort to the public before we are thrown into the 'Trough of Disillusionment' and ignorant managers stop trying to sound clever and hip by suggesting that everything must be connected.
Perhaps then we can get to the 'Slope of Enlightenment', where there needs to be a clear case for infrastructure to be (securely) connected, and if there is a critical control function to the device, there should be at least two- and probably three-factor login security.
It will only get worse as long as there are MBAs that think they know it all and want it now, bean counters that only think about the bottom line and marketing wonks that never have any logical thoughts running things.
The only way out of the problem is to ensure that the final say about connecting to anything outside the plant is left to the engineers that actually work there.
The most concerning aspect for me is that these types of control systems typically don't deal with malformed packets very well, so if they are directly connected to the internet* then there is a very real possibility that they could be DoS'd by accident from one of the many ongoing port scans that are happening all the time.
*If the firewall port is opened and the connection isn't proxied, then it doesn't matter if it's 'behind the network firewall so it's safe'.
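As an added example (not part of the comment above or the article it responds to), here is a small Python triage script for exactly the situation the commenter describes: checking firewall logs for plant-side ICS listeners that are actually reachable from outside, and for external sources touching several ICS ports in the pattern a port scan leaves behind. The log lines are constructed, netfilter-style samples using RFC 5737 documentation addresses; the port list and the "internal" prefixes are assumptions a real site would replace with its own.

```python
import ipaddress
import re
from collections import defaultdict

# Well-known TCP ports of common ICS protocols. Assumption: tune this to the
# protocols actually in use at the site; anything else is just noise here.
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Address ranges treated as "inside the plant". Assumption: RFC 1918 plus
# loopback and link-local; a real deployment would list its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Fields of a netfilter-style log line that matter for this check.
LINE_RE = re.compile(
    r"(?P<verdict>ACCEPT|DROP).*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one external host probing several ICS ports on a PLC
# (one probe dropped), another external host reaching Modbus once, an internal
# HMI talking Modbus, and an unrelated HTTPS connection.
SAMPLE_LOG = """\
Jan 31 10:00:01 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=51234 DPT=502 SYN
Jan 31 10:00:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=51235 DPT=20000 SYN
Jan 31 10:00:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=51236 DPT=44818 SYN
Jan 31 10:00:03 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=51237 DPT=443 SYN
Jan 31 10:00:09 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=40000 DPT=502 SYN
Jan 31 10:00:10 fw kernel: ACCEPT IN=eth1 OUT=eth1 SRC=10.20.0.50 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=38000 DPT=502 SYN
Jan 31 10:00:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.20.0.15 LEN=60 PROTO=TCP SPT=51238 DPT=102 SYN
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a netfilter record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_external(ip):
    """True if the address is outside every prefix we consider part of the plant."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ics(log_text):
    """Accepted connections from outside the plant to an ICS port. Each hit is a
    device that is genuinely reachable from the internet, whatever the network
    diagram says about it being 'behind the firewall'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["verdict"] == "ACCEPT" and rec["proto"] == "TCP"
                and rec["dpt"] in ICS_PORTS and is_external(rec["src"])):
            hits.append((rec["src"], rec["dst"], rec["dpt"], ICS_PORTS[rec["dpt"]]))
    return hits


def scan_like_sources(log_text, min_ports=3):
    """External sources that touched at least min_ports distinct ICS ports,
    counting accepted and dropped packets alike. Dropped probes never reached
    the device, but they show who is already knocking on those ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dpt"] in ICS_PORTS and is_external(rec["src"]):
            ports_by_src[rec["src"]].add(rec["dpt"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, dst, port, name in find_exposed_ics(SAMPLE_LOG):
        print(f"EXPOSED  {name} on {dst}:{port} reached from {src}")
    for src, ports in scan_like_sources(SAMPLE_LOG).items():
        print(f"SCANNING {src} touched ICS ports {ports}")
```

On the sample, the first report lists four accepted external connections to Modbus, DNP3 and EtherNet/IP on the PLC, and the second flags the one source that walked four different ICS ports. The internal HMI's Modbus traffic and the HTTPS connection are left alone. The two views are deliberately separate: exposure is about what the firewall let through, scan evidence is about who is probing, and a fragile ICS stack only needs the first of those to go wrong to fall over.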
I never would for very obvious reasons, but part of me would love to play with this stuff and go see what's out there that you can log in to and control remotely. Of course there are people without such scruples that would be on Shodan all the time doing precisely that.
It shocks me that it's still a thing, and more so that you don't hear about companies suffering attacks all the time. Surely some company somewhere in the world is having some scrote log in and turn their heating up full whack, or some industrial control system has gone haywire thanks to an external actor. Where are all the stories about this? I would like to hear the real-world impact of these net-facing systems being compromised.
We're all doomed, doomed I tell you !
https://www.theregister.co.uk/2018/01/31/auto_hacking_tool/
The days of sneezing at a screen and declaring it software code need to be resigned to the past.
Take some bloody responsibility for the shit you produce.
It's all in the name, really. Say "SCADA" and people think security.
Say "Internet of Things" and people think, "Dear god, why would anyone want THAT insecure piece of ____ on their network?"
The solution? Stop saying "SCADA" and start saying "Internet of Industrial Things".
Sure it's a little disingenuous. The security is better than that. However, when hackers get more bang for their buck, especially when it is a nuclear power plant (hence the icon), it makes you think, at least for a moment, "What if..." And that one horrifying moment of thought is where security consciousness truly begins.