
Thousands of Industrial Systems Unwittingly Hooked Up to Internet - ukdm
http://blogs.scientificamerican.com/observations/2012/01/24/thousands-of-industrial-systems-unwittingly-hooked-up-to-internet/
======
ChuckMcM
One of the companies I worked for had control systems where the vendor hooked
them up to the internet so that they could provide support if the need arose.
They were disconnected; the vendor complained that they wouldn't be able to
provide support then. So a specific network was created, these systems put on
that network, and then a single firewall/router was configured that could be
used with an SSH session to connect to this isolated network.

It's a lot simpler for folks to just connect them to the internet.

And while 10,000 seems like a lot, there are billions of these systems out
there. Of course the article would not sound great if someone said .01% of the
Industrial Systems installed are connected to the Internet.

------
dimitar
The central claim by the researcher is dubious: that it's easy for a lone
attacker to find a 'vulnerable' ICS.

If so, why aren't ICS sabotaged all the time?

------
toddsundsted
> If … this many systems have been online without the knowledge of the people
> in charge…

...then they aren't in charge. I'm being flip, but do we really need a
Fukushima-size hacker-induced failure to wake people up?

~~~
worren
_do we really need a Fukushima-size hacker-induced failure to wake people up?_

There's no incentive to install the systems correctly or to ensure that they
remain secure. It isn't illegal to operate a vulnerable system. A
Fukushima-like event won't make a difference. The specter of preemptive financial
penalties might give pause, but an accounting after the fact? That only
matters _if_ something goes awry.

~~~
sp332
"Criminal negligence" really is a category of crime. If damage is done or
lives lost because you failed to take obvious or reasonable measures to avoid
it, you can be held criminally responsible for the result.
<http://en.wikipedia.org/wiki/Criminal_negligence>

~~~
worren
_If damage is done...you can be held criminally responsible_

I was very careful to condition my statement. _If_ something happens, then
there is a probability of penalty. The current system conditions operators to
gamble. The perceived risk of something bad happening is low. So, it doesn't
matter what, if any, penalty may be associated with shirking responsibility.
Without the risk of damage dramatically increasing or criminalizing the cause
rather than the result, the behavior will not change.

