https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/28432#M3508 <P>I recall reading an article a year or two ago about this very topic.&nbsp; Their fundamental assertion was that utilities, and other industrial control systems are primarily SCADA.&nbsp; SCADA systems were never intended to be "networked".&nbsp; An instance may well have internal connections extending the geography, but it was a closed system overall.&nbsp; Then, along comes the Internet, and everybody just slaps a web interface on their product and calls it good.&nbsp; This leaves years of built up security issues that were never important enough to address, as the air gap protected them sufficiently.&nbsp; Things like hard coded support passwords from the vendor, little things, you know.&nbsp; Makes a lot of sense in an economics and general evolution of tech sort of way, terrifying in the actual outcome.</P> Fri, 27 Sep 2019 17:27:17 GMT mgorman 2019-09-27T17:27:17Z https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27895#M3441 <P><A href="https://www.utilitydive.com/news/nerc-finds-first-remote-hacker-interference-on-us-grid-from-cyberattack/562478/" target="_blank" rel="noopener">Announced</A> yesterday (09 Sept 2019) was an infiltration of a public utility through a known firewall vulnerability.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Why? How can public utilities logically defend having their operational services ever having access to the internet?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Just baffles me.</P> Tue, 10 Sep 2019 14:37:54 GMT https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27895#M3441 Flyslinger2 2019-09-10T14:37:54Z https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27904#M3442 <BLOCKQUOTE><HR /><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/297159657">@Flyslinger2</a>&nbsp;wrote:<BR /><P><A href="https://www.utilitydive.com/news/nerc-finds-first-remote-hacker-interference-on-us-grid-from-cyberattack/562478/" target="_blank" rel="noopener">Announced</A> yesterday (09 Sept 2019) was an infiltration of a public utility through a known firewall vulnerability.&nbsp;&nbsp;</P><P>&nbsp;</P><P>Why? How can public utilities logically defend having their operational services ever having access to the internet?&nbsp;&nbsp;</P><P>&nbsp;</P><P>Just baffles me.</P><HR /></BLOCKQUOTE><P>Mark,</P><P>No surprise here: remote management. Saves going out in the middle of the night in a thunder storm to monitor status. Ease of use always supersedes security; you knew that.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Sep 2019 16:02:47 GMT https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27904#M3442 CraginS 2019-09-10T16:02:47Z https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27909#M3443 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/780103681">@CraginS</a>&nbsp;I knew you would read and comment and you know me too well already. Of course I was being facetious and the answer is obvious.&nbsp; It is the lowest common denominator, man's laziness, that usually drives most decisions. No one wants to do what is hard (and right!).&nbsp; No one wants to go against the current culture. No one wants to spend a dime more then what they have to and usually two dimes less.</P><P>&nbsp;</P><P>The ElecPowCo that my son works for has their backoffice totally separated from their operations.&nbsp; They are never in the news for these type of events.</P> Tue, 10 Sep 2019 16:39:01 GMT https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/27909#M3443 Flyslinger2 2019-09-10T16:39:01Z https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/28063#M3466 <P>&nbsp;</P><P>I can't help but wonder why critical systems were published solely to facilitate remote management.</P><P>&nbsp;</P><P>Ideally, connections from outside should be made though a VPN gateway that uses AAA.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 14 Sep 2019 20:00:22 GMT https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/28063#M3466 Shannon 2019-09-14T20:00:22Z https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/28432#M3508 <P>I recall reading an article a year or two ago about this very topic.&nbsp; Their fundamental assertion was that utilities, and other industrial control systems are primarily SCADA.&nbsp; SCADA systems were never intended to be "networked".&nbsp; An instance may well have internal connections extending the geography, but it was a closed system overall.&nbsp; Then, along comes the Internet, and everybody just slaps a web interface on their product and calls it good.&nbsp; This leaves years of built up security issues that were never important enough to address, as the air gap protected them sufficiently.&nbsp; Things like hard coded support passwords from the vendor, little things, you know.&nbsp; Makes a lot of sense in an economics and general evolution of tech sort of way, terrifying in the actual outcome.</P> Fri, 27 Sep 2019 17:27:17 GMT https://community.isc2.org/t5/Industry-News/Why-aren-t-the-Operational-Sides-of-Public-Utilities-airgapped/m-p/28432#M3508 mgorman 2019-09-27T17:27:17Z