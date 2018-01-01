All the comments regarding "who puts these things on the internet" are missing the point completely. It doesn't matter if this stuff is on the Internet or not. It only makes it somewhat easier to get access to these networks and start causing outages. However, you've got thousands of miles of converter stations, transformers and power lines dotting the country. It's not that hard to go to the middle of nowhere and get access to the backend networks that carry, for example, the DNP3 traffic. Once you're on there you can carry out these types of attacks too.
The fact that an enemy can just use the Internet to penetrate the power companies' networks and pivot from there to their back end networks and actually touch equipment is the icing on the cake; it means they don't need to bother with recruiting and sending spies who can get physical access somehow.
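To make the point above concrete (this is an added illustration, not code from the commenter or from any DNP3 vendor): the base DNP3 link layer (IEEE 1815) protects each frame with a 16-bit CRC and nothing else, so anyone who can write to the serial line or network segment can produce frames that pass every integrity check, and the only defence left at this layer is policy, i.e. knowing which addresses and directions are legitimate. The builder/parser below is a minimal implementation of the link-layer framing; the master/outstation address sets, the sample read request bytes and the audit rule are constructed assumptions for the example, not anything from the thread.

```python
"""Minimal DNP3 (IEEE 1815) link-layer framing with a policy check.

Frame layout: 0x05 0x64 | LEN | CTRL | DST(LE16) | SRC(LE16) | CRC(LE16),
followed by user data in blocks of <=16 bytes, each with its own CRC.
LEN counts CTRL+DST+SRC+user data (5 + len(user_data)), CRC bytes excluded.
There is no key anywhere in this layer, so a valid CRC proves nothing
about who sent the frame.
"""
import struct

START = b"\x05\x64"

# Constructed addresses for the example: one legitimate master, two outstations.
KNOWN_MASTERS = {1}
OUTSTATIONS = {10, 11}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected, xorout 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Encode a link-layer frame; user data is split into 16-byte CRC'd blocks."""
    if len(user_data) > 250:
        raise ValueError("user data exceeds one link frame")
    header = START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


def parse_frame(frame: bytes) -> dict:
    """Decode and CRC-check a frame; raises ValueError on any framing error."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("bad start bytes")
    header = frame[:8]
    if crc_dnp(header) != struct.unpack_from("<H", frame, 8)[0]:
        raise ValueError("header CRC mismatch")
    length, control = frame[2], frame[3]
    dest, src = struct.unpack_from("<HH", frame, 4)
    n_user = length - 5
    if n_user < 0:
        raise ValueError("length field too small")
    data, pos = bytearray(), 10
    while len(data) < n_user:
        take = min(16, n_user - len(data))
        if pos + take + 2 > len(frame):
            raise ValueError("truncated user data block")
        block = frame[pos:pos + take]
        if crc_dnp(block) != struct.unpack_from("<H", frame, pos + take)[0]:
            raise ValueError("block CRC mismatch")
        data += block
        pos += take + 2
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    return {
        "control": control,
        "dir": bool(control & 0x80),   # 1 = sent by a master
        "prm": bool(control & 0x40),   # 1 = primary (initiating) frame
        "func": control & 0x0F,        # link function code (4 = unconfirmed user data)
        "dest": dest,
        "src": src,
        "user_data": bytes(data),
    }


def is_valid_frame(frame: bytes) -> bool:
    """True when the frame parses and every CRC checks out."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def audit(frame: bytes) -> list:
    """Policy check a passive monitor could apply: the CRC cannot tell a forged
    frame from a real one, so flag master-direction frames whose addresses are
    not on the allow-list."""
    f = parse_frame(frame)
    findings = []
    if f["dir"] and f["src"] not in KNOWN_MASTERS:
        findings.append(f"primary frame from unknown master address {f['src']}")
    if f["dir"] and f["dest"] not in OUTSTATIONS:
        findings.append(f"master frame to unknown outstation address {f['dest']}")
    return findings


if __name__ == "__main__":
    # Constructed read request (transport header + class 1 read) from the real master.
    legit = build_frame(0xC4, 10, 1, b"\xc0\xc1\x01\x3c\x02\x06")
    # Same bytes, but with a source address nobody provisioned: every CRC still passes.
    forged = build_frame(0xC4, 10, 200, b"\xc0\xc1\x01\x3c\x02\x06")
    print("legit valid:", is_valid_frame(legit), audit(legit))
    print("forged valid:", is_valid_frame(forged), audit(forged))
```

The forged frame is byte-for-byte as "valid" as the real one as far as the protocol is concerned; only the allow-list catches it, which is why segmenting and monitoring these backend networks matters as much as keeping them off the Internet. Later revisions of the standard add DNP3 Secure Authentication, but that has to be deployed on both ends and is absent from most of the older gear discussed here.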
The cost and complexity of designing and tuning the process control software, and the lack of the detailed design calculations that went into figuring out what it needed to do when it was written 20 or 30 years ago, make replacing that old tech stack nearly equivalent to replacing the entire installation.
Big power plants, refineries, and chemical plants truly are the worst of all legacy nightmares.
Partly, sometimes, people don't understand what systems are connected to which networks. Maybe it's a logical misunderstanding -- they're leasing a communications path that they don't realize is connected to the Internet. Sometimes it's a physical misunderstanding, they just never diagrammed everything and have no idea what's isolated and not.
-Physical security ranges from OK to non-existent. A smile and a wave can get you lots of places. Many things that could be locked, aren't.
-I've seen many, many alarmed doors and areas where there is a large "Enter 12345 to disable alarm" taped to the alarm panel.
-Default passwords are never changed on lots of equipment
-When default passwords aren't used, oftentimes the passwords are taped to or written on the equipment.
-Radio networks are often unsecured (authentication and encryption simply don't exist on lots of older radio equipment; a cheap SDR could let you discreetly access sensitive communications in some cases). Modern radio networks can be much better, though (this is my area of expertise).
Still, you'd need a lot of domain specific knowledge to pull off a successful attack.
It would be extremely expensive to replace all infrastructure at once, so most will be upgraded as we go along, creating new problems but also hopefully mitigating older bugs.
