date 2015-02-11
Despite all the "IIoT" buzzwords their marketing may spout, industrial vendors operate a decade behind the software curve at best. Arcane proprietary stacks running atop XP, CE, ActiveX, and various flavors of DOS are still getting deployed in new industrial installations...often supported by vendors staffed by a hundred salescritters to every engineer, if they're lucky enough to have any staff remaining that wrote or understand the original product in the first place.
It's filled with dozens of mini-Oracles, each with licensing more insane than the next because your typical integrator will either run for the hills at the first sign of anything that isn't ladder logic or spew forth spaghetti garbage that makes INTERCAL look like the most pretentiously elegant Lisp. When you're the lone programmer on the team that even knows what Git is, you start to realize why nobody ever got fired for just buying Rockwell.
At least the plant network was sufficiently airgapped.
The Iranians thought that as well.
"Firstly, a lot of infrastructure and data is in civilian hands. The people and organizations responsible for securing things are not the ones responsible for retaliating against attacks. They can’t do it anyway because they lack the resources, capability, and legal authority to do so.
As for investing in securing their systems, there is no regulatory requirement to do so. Indeed, for a board of directors, I’ve seen it suggested that they have a fiduciary duty to shareholders not to bear the cost burden of securing critical national infrastructure. It’s not their business to directly bear the costs of defending the nation, that’s what the nation state is for in the first place!"
Rather than use an unsecured Raspberry Pi 3 with its Wi-Fi left on, why not have a closed system specifically built instead? Something not casually running embedded Windows XP, rather maybe a barebones OS written in assembly with minimal networking functionality on minimal hardware.
The best bet in my opinion is to use commodity stuff but reduce the attack surface as much as possible by simply disabling, firewalling and physically restricting everything possible. In many cases like this, you could probably get away with absolutely minimalist control systems run on microcontrollers and similar with monitoring only over an isolated unidirectional interface (think fiber optic connection with no physical receiver on the other side).
You're right that locked down embedded industrial (Linux) PCs are the best option, but your control platform has to run on them...
We recently bought management software for our translators, which somehow made it through all the business and management layers revolving around public contracts without anyone questioning the fact that none of it was encrypted. Meaning anyone snooping on our network could get anything from private data to system logins with absolutely no effort.
Things are getting better, but IT is still a subsection of the economy department in a lot of places, and a lot of execs still think it's magic. Couple this with most developers and entrepreneurs being hackers who want to toy around with cool world-changing features, and no one is left to worry about security.
Security through obscurity. Just because a system is closed doesn't make it safer.
In fact, generally the opposite. Look at the security fiasco over in medical device land.
Imagine this in different contexts though. Why go to IKEA for furniture when you can just build your own of higher quality in your garage shop? Or why bother going to a mechanic when you can just rebuild your car's engine yourself at home?
The fact is, of these three examples the software one is actually the most unrealistic. Having someone on staff with software expertise is a hard problem, and an expensive one too. If you don't already have a group of folks with software expertise on staff then hiring for it becomes a massively difficult problem. This is why there's still so much business in the build-for-hire software biz. Most companies in the world who need software based solutions are not themselves software companies. They need to use objective measures to determine the quality of the companies they farm out these projects to as well as the software that results.
Additionally, software built on commodity systems (like Windows XP) is often a better choice for these companies because it means there's a much larger group of folks they can hire if they need to make changes or perform service on the system in the future (which is inevitable). As much as a custom solution built on a microcontroller or small linux based embedded system might be technically superior, cheaper, and more robust, it might not be a sustainable solution for a given company.
I'm curious about the provenance of the name, as the article seems to suggest the security researchers provided the name.
[Edit]: I show my cultural ignorance -- it appears both are likely a reference to Hackers, based on the responses below.
