Utilities opening their infrastructure to the internet are creating an irresistible honeypot for criminals, says the US government's Industrial Control Systems Cyber Emergency Response Team.
In spite of often being billion-dollar operations with long-standing experience in their industrial control networks, critical infrastructure owners seem to think they can take advantage of the public 'net for connectivity without a care for security.
While ICS-CERT's Marty Edwards, speaking to the S4 conference in Miami this week, didn't call such operators idiots, he may as well have done. According to Reuters, he came close, saying: “I am very dismayed at the accessibility of some of these networks … they are just hanging right off the tubes.”
Edwards also said the number of attacks on such networks is increasing. With such poor security – and with the number of vulnerabilities listed at ICS-CERT running along at around 100 per year in 2014 and 2015, by The Register's quick perusal of its advisories – a successful compromise is inevitable.
“We see more and more [attacks] that are gaining access to that control system layer”, Edwards told the conference.
Let's take the BlackEnergy malware, which was caught up in Ukraine's power outages in December. While it's been confirmed that the software nasty destroyed data on energy companies' networks, the US Department of Homeland Security said it's not been able to confirm whether the malware caused the blackouts.
If utilities decline to set up private networks for their control systems, The Register would at least direct their attention to the Australian Signals Directorate's list of dumb security mistakes to avoid. It reckons its top four strategies will fend off 85 per cent of attacks.
Even the ASD, however, assumes that nobody would be so stupid as to give critical systems an unsecured garden path to the internet. ®