Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

Re: Firewall updates

Danish IT projects are renowned for failing spectacularly, nobody would dare install anything and in any case they couldn't afford it :).

Re: Sounds about par for the course

Never ever use MS Active Directory for your firewall :/ vpn logins

It is so easy, so convenient, etc. - for the hackers. I have seen this so many times in compromised networks.

In one fail swoop they have the email address and passwords for all in your org.

Don’t allow management to short you on PFYs to properly maintain your border.

Re: Zyxel firewalls

"Is this a joke"? - Probably, but...

I live in a retirement village and the builder used Zyxel modems (bog standard VDSL with no WiFi) to attach each house to our central comms room about 10 years ago. Mine just kept running, with typical uptimes of about 3 months (external contractor remote upgrades?), with no problems at - Until it died last year. The supplied replacement is a cheapish TP-Link with WiFi. The standard installation is in a small metal comms box in the garage (As expected, WiFi Performance is "poor"; so normally turned off).

Re: Zyxel firewalls

> Does this mean there are no competent network engineers in Denmark?

None who are willing to work for the peanuts that these organisations might occasionally fling their way.

Re: Zyxel firewalls

A bad workman blames their tools. Whether it's Cisco, Checkpoint, Sonicwall or ZyXel gear vulnerabilities are a fact of life. The unforgiveable part is either assuming that your supplier is applying updates or opting out of the update program altogether due to cost.

Unfortunately, it's a common oversight, especially in heavy industry and CNI where they apply the same patch and vulnerability policies to IT infrastructure as they do to OT/ICS/SCADA; in other words not actually having patch and vulnerability policy.

Re: Zyxel firewalls

In all fairness, if you don't patch the software (in this case because not wanting to pay for the updates), it doesn't matter who the manufacturer is - at some point in time it will almost always become vulnerable.

Re: Zyxel firewalls

In all fairness, Cisco's "SoHo" router of a number of years ago (RV110) was an out-of-date piece of junk that was still being slogged well, well after it's sell-by date (and was foisted on me by the supplier by boss chose).

So just because it has a nice manufacturer's label doesn't mean much nowadays...

Re: Zyxel firewalls

I have installed VOIP solutions in many companies and you would be surprised how bad many companies network are. As they often just have someone assigned to IT with no knowledge. Just that they have firewall is hugh compared to others i have seen. They are were never happy when i told them that they had to rip out everything before i could start.

The 1990's are calling and want there comment back.

There are many good reasons for a powerplant to be on the internet. For example you may want to combine power predictions with weather data

The issue is not that it is connected to the internet, it is how it is connected and how the control system is isolated from say the enterprise system. For example you may want to connect a data diode to ensure data is only going outwards.

The problem tends not to be the internet, but the fact that organizations get lazy. The original Sandworm attack on Ukraine infrastructure was due to someone decided to bypass the firewall with a dedicated link (I'm guessing because all the security stuff was getting in the way of their day job)

Mainly because pretty much everything needs some sort of Internet connection to work.

You need updates

Metrics and alerting "Phone home"

Remote support

Now add in all the office infrastructure that simply cannot function without an Internet connecting and you see why we are where we are.

Almost all business applications are online or some sort of cloud SaaS service. There is very little that is not.

Whilst you wouldn't directly connect the SCADA to the internet, the site as a whole needs some way of receiving and transmitting data.

Data-In:

Demand level from the national grid

Weather and weather forecasts

At least in the past: TV programming, with scheduled break times and predicted viewing figures

Data-Out:

Status (off, warming up, on, spinning down)

Current Power produced

etcetera.

You could do this with say fax (which may have been the case in the past, any former power station engineers here?) but for a modern grid you may as well use IP.

It's a question of DMZs and isolation that determines the security, not the connectivity itself.

Where do you start?

You have infrastructure with a service lifecycle far in excess of Enterprise IT equipment. Some of this kit makes mainframes and mid range systems look positively spritely and youthful.

Most of these environments have evolved over time and more and more complexity has been bolted on. Some of the underlying infrastructure still uses serial and closed protocols to communicate. As for secure communications - forget it.

So, against that backdrop, deploying lots of smaller edge firewalls to protect such networks seems logical

re: Isolation

Isolation may be acceptable for some CNI, but the telecommunications network is also CNI, as are the mains services (water / sewerage, electricity, gas), blue light services (Police, Fire, Ambulance, Mountain rescue, Coast Guard) and supermarket stocking and ordering systems.