
Curate's Egg
It's good that the hackers have stepped up to the plate, but a poor commentary on the water authorities. Also there is the risk they may now make even less effort (if that's possible) when they can get the job done for them.
A plan for hackers to help secure America's critical infrastructure has kicked off with six US water companies signing up to let coders kick the tires of their computer systems and fix any vulnerabilities. Launched at this year's DEF CON, the Franklin project is a scheme to shore up key systems by using the skills of top …
No work is done for them. These white-hats can only point out where the weaknesses are and suggest ways they might be mitigated but doing the actual work is still up to the water authorities. It also takes active steps from the water authorities themselves to be willing to step up and listen to find out the problems. It's highly unlikely they'd become MORE complacent as a result of this as they'd have to become active in the first place
Worked on this problem when they were switching the dams and levies from land-line to 3G control systems. i.e. Less weatherproof and more easily over-ridden.
No matter what tech they use a simple chemical poison in the tributary or a mortar in the floodgate will render it useless
As we saw in Texas, they couldn’t figure a way to stop their pumps from freezing when they were pumping HEATING gas. No genius system is idiot-proof.
"No matter what tech they use a simple chemical poison in the tributary or a mortar in the floodgate will render it useless"
There's a lot more risk to some entity committing an act in-person. Being able to do it from the other side of the world and at the same time coordinate a series of attacks induces more fear. There's also the aspect of the unseen enemy that can't be detected by a load of soldiers stationed around a water source or dam.
always thought this was the way to go TBH
even if there is no fiscal reward, sometimes, just being allowed to get inside infrastructure WITH BLESSINGS is reward enough
stop sniggering at the back ffs, serious talk going on here :o)
but anyway, I also couldn't imagine this a few short years back, when EVERYONE with any interest in Cyber Sec was considered a threat
but also, again, I know, so much vacillation going on :o)
my mind going over the obvious issues this could give rise to, what if they find a multitude of issues, and give out the fix to MOST, but the ones that look to be 'interesting' are not notified, nor fixed.
OR
finds a vuln that isn't on the list, makes a note for future reference, as maybe not all who offer assistance should be trusted
TL/DR
whatever the out come, it HAS to be tried, but it also opens up a box that even Pandora would be jealous of :o)
Aren't all bespoke, so finding a problem in one town's water system likely identifies that same problem in hundreds or thousands of others.
The question is will to fix it. With voting machines there was finally political will to put some money behind securing the voting machines, something the infosec community had been screaming about until all the ridiculous shortcomings of Diebold hardware was identified in 2004. But since it was owned by a big republican donor, nothing was done despite the comparisons between "they don't do these sorts of things with their ATMs, why should it be OK in voting machines?"
Unless the federal government makes some funding available for securing local water systems, many of them will decide "why would hackers target our little community of 15,000 in the middle of the nowhere, the people who live here don't want to see their water bill go up to pay for what is essentially insurance that provides no direct benefit to them". I certainly won't hold my breath for Trump's administration to care about this.
Are all these 50,000 systems on the Internet? I think some may be so "antiquated" that they are not. Yet they are still able to supply water. They may have other problems, but cybersecurity would hardly need considered.
Antiquated in quotes is because that is a viewpoint from some, and that is part of the problem. Modern does not require everything to be connected. If the only tool you have is a chainsaw, it doesn't mean you use it to hammer in screws.
"Are all these 50,000 systems on the Internet? I think some may be so "antiquated" that they are not."
The smallest ones won't be, but it's almost a guarantee that some executive wants instant access from his laptop/mobile or an accountant has worked out how much cheaper it would be to do things in a less secure way. In both examples, I highly doubt they'll solicit any input from IT other than an estimate on how long it will take to implement.
In my experience, water companies tend to be incredibly reactionary and less visionary when it comes to Cyber Security.
You only have to see the apathy applied to Sewage spills (Storm Overflows) in the UK industry, to realise something with that level of impact isn't being addressed to realise that's pretty much the approach to anything that could impact the bottom line!
It will be dealt with when the regulator is at the gates threatening action.