
While horrifying, this is just the tip of the iceberg.

Huge amounts of important infrastructure sit internet connected due to individual laziness, coupled with a lack of willingness to understand and think about cyber security. Often it seems simply from a lack of willingness to spend money on an ongoing basis to maintain anything.

There's a culture and mindset in ICS that you don't change what isn't broken. And stability and reliability are important - this is an industry where you don't install patches due to the fear of breakage or regression.

When the world shifted towards "code fast and break things", the ICS world didn't accept this change. They can't have Windows (yes, Windows) reboot unexpectedly to do an update. That pretty much rules out the supported versions like Windows 10. I mention consumer versions, because a culture of multi-layer outsourcing means nobody wants to pay for a server version - an OEM Pro version of Windows saves a subcontractor some money.

That OS won't be patched, unless the SCADA software vendor has validated the patch with the software being run. Expect crazy things like Windows XP SP2 (not 3) to be requirements. Everything is about stability and using tested configurations.

You could be forgiven for thinking this is less scary, as you can airgap this, and treat it like a fixed appliance. Often that doesn't last, and (if you're lucky) an unpatched VPN box gets thrown in front of it with a weak password. More commonly, some consumer-grade remote access software gets installed, so a bean counter can count how many beans they're making or spending. Airgap eliminated.

The fix isn't a single step - there's a need for more understanding about safety-critical engineering in the IT world - the lack of testing and regression validation isn't acceptable to this industry. The ICS industry needs to be willing to pay for software maintenance and assured development processes. Simpler code that isn't running on full consumer operating systems is needed. And ultimately we need to go and replace systems that "ain't broke", but are insecure. And that's going to be expensive. No security appliances are needed here, just some basic common sense.

Expect to see versions of Windows you didn't even know existed in use in very important places... Seeing pre-NT or very early NT wasn't a huge surprise...


