cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Flyslinger2
Community Champion

Why aren't the Operational Sides of Public Utilities airgapped from the Internet?

Announced yesterday (09 Sept 2019) was an infiltration of a public utility through a known firewall vulnerability.  

 

Why? How can public utilities logically defend having their operational services ever having access to the internet?  

 

Just baffles me.

4 Replies
CraginS
Defender I


@Flyslinger2 wrote:

Announced yesterday (09 Sept 2019) was an infiltration of a public utility through a known firewall vulnerability.  

 

Why? How can public utilities logically defend having their operational services ever having access to the internet?  

 

Just baffles me.


Mark,

No surprise here: remote management. Saves going out in the middle of the night in a thunder storm to monitor status. Ease of use always supersedes security; you knew that.

 

 

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Flyslinger2
Community Champion

@CraginS I knew you would read and comment and you know me too well already. Of course I was being facetious and the answer is obvious.  It is the lowest common denominator, man's laziness, that usually drives most decisions. No one wants to do what is hard (and right!).  No one wants to go against the current culture. No one wants to spend a dime more then what they have to and usually two dimes less.

 

The ElecPowCo that my son works for has their backoffice totally separated from their operations.  They are never in the news for these type of events.

Shannon
Community Champion

 

I can't help but wonder why critical systems were published solely to facilitate remote management.

 

Ideally, connections from outside should be made though a VPN gateway that uses AAA.

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
mgorman
Contributor II

I recall reading an article a year or two ago about this very topic.  Their fundamental assertion was that utilities, and other industrial control systems are primarily SCADA.  SCADA systems were never intended to be "networked".  An instance may well have internal connections extending the geography, but it was a closed system overall.  Then, along comes the Internet, and everybody just slaps a web interface on their product and calls it good.  This leaves years of built up security issues that were never important enough to address, as the air gap protected them sufficiently.  Things like hard coded support passwords from the vendor, little things, you know.  Makes a lot of sense in an economics and general evolution of tech sort of way, terrifying in the actual outcome.