Convenience (and cost cutting) will trump security every bloody time.
Power plants, utilities 'just hanging right off the internet's tubes'
Utilities opening their infrastructure to the internet are creating an irresistible honeypot for criminals, says the US government's Industrial Control Systems Cyber Emergency Response Team. . In spite of often being billion-dollar operations with long-standing experience in their industrial control networks, critical …
-
-
Thursday 14th January 2016 12:20 GMT Anonymous Coward
There is only one way to fix this - replace the MBAs that are impersonating engineers with real engineers
You really think that true engineers are all security experts, or sufficiently security conscious as to know who to consult? Rose tinted spectacles, mate.
I'll wager just as many security and SCADA disasters are caused by engineers without PHB assistance as those with. I know of a product being developed at the moment in my company, and it's engineers playing god who are the root of the inevitable security problem. The commercial guys want a product that works, our engineers (all fully qualified chartered engineers) simply don't have the expertise in security and in software to know the right questions to ask.
-
Thursday 14th January 2016 18:04 GMT Preston Munchensonton
I know of a product being developed at the moment in my company, and it's engineers playing god who are the root of the inevitable security problem. The commercial guys want a product that works, our engineers (all fully qualified chartered engineers) simply don't have the expertise in security and in software to know the right questions to ask.
How fortunately for your company that you're available to point all of this out. #sarcasm
-
-
-
Thursday 14th January 2016 03:03 GMT Oengus
Accountants are the issue
While the accountants run the show, and all the C-suites care about is the Share price, there will continue to be a focus on short term thinking. They will do anything that is cheap and expedient. They want to be able to show the decision makers determining their next role how well they did in increasing shareholder value so they can "jump ship" and collect a huge salary increase in the process. Ideally they will be two jobs up the line before the S**t hits the fan.
It will be the "front-line" staff that are left behind who are blamed and that have to cleanup the mess that results from the penetration. This will be a bigger issue if (as seems to happen more and more now-a-days) most of the local "front-line" staff are off-shored/outsourced as part of the "cost savings".
-
Thursday 14th January 2016 06:37 GMT Medixstiff
Re: Accountants are the issue
Toothless tiger laws are equally responsible.
Make it that C level executives and Board members are financially responsible in the event of a hack or utility outage and see how quickly things change.
It's no point just fining a company, all they will do is pay the fine and continue doing nothing, fine the people at the top, they get paid the big bucks, they should take the responsibility.
-
Thursday 14th January 2016 12:23 GMT Tom 13
Re: Accountants are the issue
I wouldn't say the accountants per se. Accountants are a predictable bunch and will do whatever the numbers tell them to do. What is necessary is to an input into their system that monetizes the risk of compromise. Once you do that the accountants will line up neatly behind or possibly even in front of the engineers insisting the appropriate measures be taken.
I will grant this is the one place where it will be necessary for governments to act to create the financial incentive. It is actually fairly simple:
1) The corporation will be responsible for all damages that result from a compromise of their systems. This will include not only the cost of repair but the total cost of down time for any and all of their customers who are affected by the compromise.
2) While the corporation may engage in risk pooling, it may never completely transfer the risk to another corporation.
3) In the event the corporation does not have sufficient means to fulfill its responsibilities under item #1, the officers of the corporation and its board of directors will be held personally liable for the uncovered damages.
Even with the typical lead times for infrastructure improvements in these industries, I expect that were laws specifying this enacted, 85% of the problems would be fixed within a year, and in excess of 95% would be fixed in two. By year three we'd be approaching several sigmas of assurance.
-
-
-
Monday 18th January 2016 15:09 GMT Michael Wojcik
Re: Die Hard 4.0
I'm sorry, but are you saying that something about Live Free or Die Hard is even vaguely accurate?
Pretty much any idea from that film beyond "some things are controlled using computers that have Internet connections" is a wild fantasy.
Also, the "super hacker controls all the infrastructure" theme is a long-standing and extremely tired Hollywood cliche. There were elements of it in 1995's waste-of-Sandra-Bullock The Net and painfully-dumb Hackers. It was featured in the overrated '92 Sneakers.
TV Tropes refers to this as Everything Is Online, and they have film references going back as far as 1983's awful Superman III. (TV Tropes says this last example comes from "before the Internet as we know it"; the TCP/IP Internet had been around for several months when the film was released, but not when it was being written, of course. On the other hand, there was the NCP Internet and various other large networks, such as IBM's HONE network, which was bigger than the Internet for some years. At any rate, the point stands - this theme is so obvious that pop culture anticipated it before it was technically feasible.)
-
-
Thursday 14th January 2016 12:28 GMT Tom 13
I've looked over those Aussie recommendations
Three of them look very good to me. But I must confess, even as a Windows guy I have some concerns about the 4th:
patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
Not so much in the advice per se (patching is usually good), as in the assumption that any critical system with all/any of this software installed can be made safe in the first place. Yes we run all of this software on the corporate network where I work (God help us), but we aren't a critical system. Okay, you might be able to find a web browser that isn't a high risk, but add in any of the rest and you're pretty much toast.
Biting the hand that feeds IT
