Is critical infrastructure prepared for OT ransomware?

The Colonial Pipeline ransomware infection has become a cautionary tale about how borking critical infrastructure can cause real-world pain, with fuel shortages leading to long lines and fistfights breaking out at gas stations.  Or as Jen Easterly, boss of Uncle Sam's Cybersecurity and Infrastructure Security Agency, warned …

  1. Anonymous Coward

    Only a few percent of your military budget

    Iran, Russia, North Korea, maybe China - are the usual suspects.

    Help Ukraine, who is fighting this war RIGHT NOW for you, so you do not have to send your soldiers or think how to protect your infrastructure.

    It would only cost a few percent of your military budget to end this war. Such might be a much cheaper approach.

    1. Throatwarbler Mangrove Silver badge
      Meh

      Re: Only a few percent of your military budget

      On the one hand, I agree with helping Ukraine. On the other hand, I don't believe that Ukraine winning its war will abate these ransomware threats. If anything, Ukraine is drawing fire from the ransomware gangs as well as literal weapons fire, which means there's at least some incentive for the US and EU to keep the Ukraine war dragging on. Whether there's incentive to keep Ukraine from losing altogether is a different matter.

      1. Anonymous Coward

        Re: Only a few percent of your military budget

        Something else to consider is that whilst helping plucky little Ukraine against unwarranted aggression might be seen as the right thing to do for strategic reasons, Ukraine is still home to all the same types of civilian criminal activity as Russia - cyber crime, sex trafficking, drugs, extortion, asset misappropriation, and corruption. In terms of criminality, Ukraine is on a par with Belarus, Russia, and it's interesting that the people running the EU want to accelerate the process to give Ukraine EU membership.

        1. Throatwarbler Mangrove Silver badge
          Unhappy

          Re: Only a few percent of your military budget

          In re: the point about Ukrainian corruption (a subtle form of whataboutery if ever there was one), I'm never able to see the logical link between the country being as you describe and a justification of the Russian invasion, in particular the rape and murder of Ukrainian civilians, the kidnapping of children, and the wholesale destruction of entire cities. Perhaps you can help me see the connection.

        2. Alan Brown Silver badge

          Re: Only a few percent of your military budget

          As we saw with Nigeria, what stops corruption is a burgeoning Middle Class and that won't happen if things are left as-is

          The accession process is _long_ and membership won't be granted until Ukraine meets all criteria - however better economic ties to the West will go a long way towards stabilising the country

          It wasn't that long ago (2010) that the ONLY way Internet traffic got into Ukraine was via Moscow

      2. doublelayer Silver badge

        Re: Only a few percent of your military budget

        That is probably true in the short term, but what you accurately describe as "drawing fire from the ransomware gangs" can also be viewed as training their abilities. If they didn't have plans to attack OT, as the article calls it, then Ukraine has given them a reason to learn how, possibly some incentives to do just that, and plenty of acceptable testing targets. If the war drags on long enough, they may have more of those skills and fewer targets in Ukraine on which to use them, which cannot be a good thing. Unless we're willing to hold the Russian government accountable whenever we're pretty sure that the attack came from a group Russia could break up, which I don't think our governments or, unfortunately, our fellow citizens are willing to do, we will want to reduce their skills and their ability to use them to make money.

  2. HuBo Silver badge
    Headmaster

    His Majesty doing something right?

    Apparently we're just 3 months (April 29, 2024) to the UK's new IoT cybersecurity law coming into effect (ETSI EN 303 645), which requires elimination of universal default passwords (among other things). This could be an example to follow in lands where such legislation does not yet exist in relation to critical infrastructure's OT processes.

    1. Anonymous Coward

      Re: His Majesty doing something right?

      Except that how much resource and pro-active investigation will there be? I'm guessing not much, and as a result thousands of container-loads of cheap, non-compliant tat will continue to flood into the UK from China. Much like they already do.

      1. Alan Brown Silver badge

        Re: His Majesty doing something right?

        I'm more worried about the non-compliant tat from Cisco

    2. amanfromMars 1 Silver badge

      Re: His Majesty drops a right clanger ... if giving Royal Assent to a fascist type policy proposal?

      When critical infrastructure is under attack from hostile enemy forces embedded and presiding over dodgy systems administrations within, and the following information from elsewhere suggesting such is a present ongoing desperate situation delivering a crooked playing field for losers, is overwhelmingly popular, and if necessary at times in certain spaces, almighty sinister resistance from A.N.Others designed Relatively Autonomous and Previously Anonymous and Virtually Untouchable, to be fully expected enthusiastically supported ..........

      Welcome to the UK where it’s now official government policy that you CAN’T publish “misinformation”, but The Guardian, the BBC, Disney and Netflix CAN...

      Yes, it’s true – the recently signed “Online Safety Act” brands the publication of “false information” a criminal offense punishable by up to a year in prison…

      …unless you’re an MSM outlet, when it’s totally fine

      Think even the corrupt & bloated criminal class that rules over us would never dare be that blatant?

      Take a look at section 179 making it illegal to publish false information with intent to cause harm:

      Section 179 – False communications offence

      30. A person commits the false communications offence if they send a message conveying information that they know to be false, and at the time of sending it they intend the message to cause non-trivial psychological or physical harm to a likely audience (i.e. someone who could reasonably be foreseen to encounter the message or its content) and they have no reasonable excuse for sending the message.

      31. This offence is intended to replace the offence in section 1(a)(iii) of the Malicious Communications Act 1988 and (for England, Wales and Northern Ireland) the offence in section 127(2)(a) and (b) of the Communications Act 2003, which have been repealed by section 189 of the Act.

      32. If several or many people are the “likely audience” then it is not necessary that the person intended to cause non-trivial psychological or physical harm to any of them in particular (or to all of them).

      33. Proceedings for the false communications offence may be brought within 6 months of sufficient evidence in the opinion of the prosecutor, and after no more than 3 years after an offence has been committed.

      34. This offence extends to England, Wales and Northern Ireland, and is devolved. It is a summary only offence, which carries a maximum penalty of 51 weeks imprisonment or a fine (or both).

      …and then look at section 180, which exempts all MSM outlets from this new law:

      Section 180 – Exemptions from offences under section 179

      35. This section sets out exemptions for the false communications offence, including an exemption for recognised news publishers and exemptions for holders of broadcast or multiplex licences, and providers of an on-demand programming service. This section also provides that the offence cannot be committed in connection with the showing of a film made for cinema to members of the public.

      Welcome to the modern definition of “freedom of speech”, where the MSM are directly and explicitly permitted to “knowingly publish false information with intent to cause non-trivial harm”, and you can be sent to jail for a year for calling out their lies.

      Oh, and it looks like our friends across the pond might not be far behind. The Big Tech Senate hearings started yesterday, and social media executives are already throwing their support behind the new “Kids Online Safety Act”.

      With the EU’s own Digital Services Act coming into force later this month, and all the focus on “misinformation and disinformation” at Davos two weeks ago, we can see the real crackdown on internet free speech is about to kick into gear.

      Good times.

      Certainly nowadays are internetworking things delivering changed times, and whenever done well to crash and crush the cause of bad times, are good times guaranteed for all ...... so logically surely something widely to be supported by anyone and everything with a titter of wit, for what is not to like?!

      1. amanfromMars 1 Silver badge

        Re: His Majesty drops a right clanger ... if giving Royal Assent to a fascist type policy proposal?

        Here’s a pertinent question to answer to scupper any possible future nonsense and malevolent skullduggery before some officious tosser in a failed office of state full of failed officious officers of state asks it ....... Is The Register an MSM outlet?

  3. M7S
    Terminator

    Adama was right about networking

    Alas the possible fear of being mocked as a crossbow wielding “prepper” hinders rational discussion of, and planning for, events of this nature.

    1. Throatwarbler Mangrove Silver badge
      Meh

      Re: Adama was right about networking

      If you review comment threads on this sort of issue, you will find many people wondering why critical infrastructure control systems are exposed to the Internet, especially with little-to-no security in place.

      In re: BSG, my question was why Galactica's systems were exposed via wireless networking. The issue of having an internal network on the ship seems like it could have been mitigated by turning off Wi-Fi to prevent remote intrusions. (I know: it's just a show, and I should really just relax.)

  4. Zack Mollusc

    Needs better phrasing

    "If this is critical infrastructure, protect it like it's critical infrastructure,"

    Useless advice when all infrastructure, critical or otherwise, has any maintenance, security or redundancy removed by accountants in the name of efficiency.

    1. Anonymous Coward

      Re: Needs better phrasing

      "A big accountant did it and ran away" is a very popular comment about software failings, but last time I worked for a software house, the accountants didn't actually tell the developers what to do. The commercial teams might have said what price the market would take, the accountants might have encouraged the development team to meet the development budget they had signed off, but any decisions about the functionality, resilience and security sit with the CIO or product owner. Perhaps those people need to own the failings.

      1. amanfromMars 1 Silver badge

        Re: Needs better phrasing @Anonymous Coward

        ... but any decisions about the functionality, resilience and security sit with the CIO or product owner. Perhaps those people need to own the failings. ..... Anonymous Coward

        Quite so, AC. Well said, Sir and/or Madam or it.

        [Well nowadays, who knows for certain whom or what you are talking to ..... whenever one can be so easily cloaked in the moniker of a he or a she or a them or an it ..... and with some able to be mistaken for all, and then something else altogether quite different and disconcerting/exciting too.]

      2. Alan Brown Silver badge

        Re: Needs better phrasing

        "the accountants didn't actually tell the developers what to do"

        That's usually done by Manglers who want to make their bottom lines look good

        Accountants WILL tell developers (and those managers) what to do if insecure product opens up large liability risks or trashes intangibles like goodwill

        The real problem in most organisations is sales and marketing. They frequently develop into a dictatorial clique (C-level staff who are immune to the sales BS helps a lot)
