What part of the statement "ABB has issued a patch for the bug" was confusing to you?

We don't allow this stuff to be connected to the Internet - do we?

"Only ABB" Is a bit like saying "Only Microsoft". ABB significantly dominate this space.

Still, most SCADA exploits are probably more theoretical than practical. SCADA systems don't just live on the Great Wild Web. They're almost all in private networks and well partitioned, particularly when designed and installed by ABB or similar. Any that are exploitable are because they were installed by idiots. HR and bean counters can't get ethernet access to the Big Machines and unless you're sitting in the control room you're unlikely to be able to access any knob-twiddling.

Your Facebook-hacking script kiddy just does not stand a chance of getting access.

Nice to see Dan back at his usual form this week. I was worried that his Hot Clue injection was permanent.

We would have seen an electrical grid knocked out by now. Osama Bin Virus can't take down an electrical grid with a laptop and a 56k modem, sorry. It's not in the state of the art.

Friad not old boy - I know for a fact that at least one UK utility company has quite a lot of SCADA type systems hooked together via the internet.

Anon, cos I'm not supposed to say owt...

Well we've allowed the beancounters to push SCADA servers off secure but untrendy operating systems like VMS and (ahem) OS/2 onto desktop OSes like Windows, so where's Windows going to get its AV updates and OS updates and the like if it's not connected to (an SMS server which is connected to ...) the Internerd.

We're all doomed.

I don't know any large-scale SCADA system that doesn't have at least two emergency backdoors, usually with rudimentary authentication because of necessity. Typically, you'll have one PLC (Private Leased Circuit) style backdoor from a secure facility; could be 2-wire, could be fiber-optics, could be long-haul RS232, don't matter too much. The number two? Remote accessible dial-in, for when that secure facility goes kaboom for whatever reason. Whether or not the supposed vulnerability can be exploited from that side, I don't know. What I do know is that thankfully, these days, the average script kiddie doesn't even know what a modem is, much less how to setup the requisite tools for such activities.

Also, don't underestimate organized criminals. They love a soft target, and plenty of beancounters are stupid enough to think money actually will make the problem go away. Then again, they likely employ modern script kiddies instead of the bearded guru.

Posted as AC because I don't want to be responsible when some kid finds a substation with a login and password of 'login' and 'password,' and accidentally takes an entire country offline.

"But they wouldn't connect them to the internet would they?"

A small thought exercise:

Privatised companies are ALL about the money - when they are privatised it is inevitably sold to the public as "Private companies are somehow magically more efficient and will cut costs for the consumer", if you believe that stop reading now - you need the kind of help I can't provide in a few paragraphs. Otherwise if you are prepared to accept that that's bollocks and it's all about the money - read on

Would connecting a companies power stations, substations and other assets to the internet save money? YES - large savings are possible as you can centralise all the numpty work and reporting , having 24x7 teams in place or even on call for every location is very expensive - you can reduce this drastically by having as much of this work done remotely as possible. Using 'civilian' internet connections is way cheaper than dedicated lines (bear in mind the sheer number of locations you are probably talking about here)

Is it a good idea? Well no, not really for all the reasons you probably know already if you read el'reg

Would removing large amounts of fall back redundant systems, lines and power stations and other assets save money? Well obviously yes, much less to maintain and support - the cost saving is obvious

Is it a good idea? Again no, obviously no - these are your backup, your fall back and emergency systems, these are what you rely on in the case of a major problem at one of your primary sites. America did this already (remember the east coast blackout? Been to California lately?) So it's obviously a bad idea with no benefit other than cost saving (odd that my bills still go up...)

They already got rid of most of the redundancy in the network as far as I am aware, now go back and re-read question 1 - would they do it?