Because computers are great for productivity, and automating these systems made them more profitable. Utilities are deeply regulated, and regulators want to hold rates as low as possible. Nobody gets punished when there is a cyber attack, so it’s not something either the company or its regulators want to spend customers money on. People were outraged in CA when the electric company wanted more money for upgrades so that it wouldn’t burn down as many towns. They didn’t get the rate increases, so now they turn the power off in times of high fire danger.
Think of it like a big game of six degrees of Kevin Bacon – most critical systems are only ever a few steps away from the internet.
Many critical devices, like those that control utilities, are not directly on the internet. But the machine that controls them is. Or maybe they are fully separated from the internet, but they may still be in some kind of risk if the rest of the network at a location were to be compromised.
Because it’s difficult not to in some respect.
Keep in mind that pipeline issue wasn’t an attack on the pipeline itself, it was an attack on the billing and administrative systems of the pipeline company–it was more like a shop shutting down for a bit because all it’s cash registers and payment terminals are broken–they could find a way to operate, I guess, but it’s easier not to until it’s all fixed.
More directly, you have a monitoring problem. Anything like that is going to have a lot of devices reporting status and alarm situations back to some sort of central network monitoring center that monitors alarms and can do some things remotely. Even before COVID, but particularly with COVID, you need some way for people at home or otherwise in non-company locations to access, and thus you now have an internet connection.
And then you have the problems with parallel networks that probably shouldn’t be able to cross-communicate but can due to a design error somewhere. The Target hack, for example, was because the building’s AC monitoring system was hacked, and once the hackers got in there, they were able to find their way over to the billing systems. There’s also the famous report of a Casino where there was an aquarium thermometer that had internet access because an external company maintained the tank, that thermometer got compromised, from there the hackers found some other device or server that could be exploited, etc, until they got their way to financial information for casino high rollers.
This kind of stuff is easy to say “they shouldn’t do that,” but also often sufficiently complex that one engineer making a mistake can cause a problem.
Most of them aren’t or shouldn’t be. The really critical systems are air gapped. This means that they aren’t physically connected to the internet. You need to physically be there to access them.
Edit:
Even air gapped systems need to have things put on them and things taken off them. This is where the vulnerability lies. If you can get malware onto something that’s going to be put onto an air gapped system then you can make it do things. You don’t even need to be there yourself. You can hack one of the systems that they’ll be putting a USB into to transfer data to and from the air gapped system. An IT guy might take some work home with him and you hack his home computer and compromise that and then anything he takes from home to the air gapped system at work is now compromised. And so on.
Latest Answers