6 comments

[ 3.6 ms ] story [ 21.2 ms ] thread
> If … this many systems have been online without the knowledge of the people in charge…

...then they aren't in charge. I'm being flip, but do we really need a Fukushima size hacker-induced failure to wake people up.

do we really need a Fukushima size hacker-induced failure to wake people up.

There's no incentive to install the systems correctly or to ensure that they remain secure. It isn't illegal to operate a vulnerable system. A Fukushima-like event won't make a difference. The specter of preemptive financial penalties might give pause, but an accounting after the fact? That only matters if something goes awry.

"Criminal negligence" really is a category of crime. If damage is done or lives lost because you failed to take obvious or reasonable measures to avoid it, you can be held criminally responsible for the result. http://en.wikipedia.org/wiki/Criminal_negligence
If damage is done...you can be held criminally responsible

I was very careful to condition my statement. If something happens, then there is a probability of penalty. The current system conditions operators to gamble. The perceived risk of something bad happening is low. So, it doesn't matter what, if any, penalty may be associated with shirking responsibility. Without the risk of damage dramatically increasing or criminalizing the cause rather than the result, the behavior will not change.

One of the companies I worked for had control systems where the vendor hooked them up to the internet so that they could provide support if the need arose. They were disconnected, the vendor complained that they wouldn't be able to provide support then. So a specific network was created, these systems put on that network, and then a single firewall/router was configured that could be used with an SSH session to connect to this isolated network.

Its a lot simpler for folks to just connect them to the internet.

And while 10,000 seems like a lot, there are billions of these systems out there. Of course the article would not sound great if someone said .01% of the Industrial Systems installed are connected to the Internet.

The central claim by the researcher is dubious: that its easy by a lone attacker to find a 'vulnerable' ICS.

If so, why aren't ICS sabotaged all the time?