Ah, the impolite response...
...good good, I was getting worried by how civil things were.
"Yes agree with NT, but there is no such thing as a secure OS. Someone, somewhere will find a hole."
I never said "Secure" (Implied binary options: Secure / Insecure). I said "Highly secure" (Implied sliding scale).
The point I was trying to make is that we should not be using a general purpose operating system for this but a dedicated, highly secure etc. one. This is a tech site with a tech readership, I didn't think I needed to push the point.
"You will NEVER find a contractor / supplier willing to sign up to that. So who will supply it?"
Did you read the title of my post? "Never gonna happen". The points I listed are what, in my opinion, are required (minimum) for a system that we could have confidence in, not how politically / commercially feasible it is.
"WTF? Seriously WTF? 1. Running penetration testing against live CRITICAL infrastructure could be very dangerous, what happens if they take it off grid? Will they pay? And as for shutting down? you are kidding right, you are going to shut down a hydro-dam, Major power plant, water works, for a bug? F**k off. You may find it a great idea, but the 1/2/ million people without electric or water may disagree.."
You seem to have taken my general point, fleshed it out with your own ideas and then declared it "WTF" so I could just ignore it, but I shall try and answer the points you came up with.
1. Please go and look up penetration testing. Penetration testing != destroying the system. Breaking through an external firewall will not wreck the turbine control computer.
1b. You can use test or simulated environments depending on what you are trying to break in to.
1c. If you want to go against the live system you can do so during scheduled maintenance to avoid further impact.
1d. Tests may not be done without co-operation of facility staff to further reduce risk.
1e. Other ways of doing things that smarter people than I would think of.
In summary, I am not saying that we should tell Lulzsec to go and try to rm -rf / every computer they gain access to.
2. Regarding shutting down. Facilities shut down all the time for maintenance. There are very few facilities (if any) which, if shut down, will totally wipe out a service to an area; there is redundancy built into these large scale systems. Selective shut-down would also be an option ("Your reporting system which links to X Y Z is shit, shut it down while you fix it, doesn't affect the main systems")
A good example is Japan running ~25 Nuclear reactors shy of full complement yet still having enough power to function almost normally. Shutting down 1 to fix bad security will not bring the country to a stand-still.
"No computer system will be 100% secure, anyone that thinks so is an idiot. After all, idiots are often the ones using it."
The point of the above was not to make a 100% secure system but to create something we can at least have a greater degree of confidence in rather than the current crappy setup we have going now.