A tank is designed for war. Infrastructure is designed to serve some other utility. Claiming it should also be hardened against (cyber) war is acknowledging that there is an aggressor performing an attack of war, not that the infrastructure is failing the utility it was designed for.
It's fine to have this view that software should be defect free and hardened against sophisticated nation-state attackers, but it stretches the meaning of "defect" to me. A defect would be serving to fulfill that utility it had been designed for, not succumbing to malicious attackers.
Okay, so you think just attaching PLCs to an RS485-to-Ethernet adapter and connecting it straight, unauthenticated, to the internet, and then calling it a day is simply perfectly reasonable, since "well.. can't expect to harden against cyber warfare!! no defect!!!"?
Because this is the kind of stuff infrastructure things do, along with MANY other things. I'm sure not all infrastructure does it, but plenty do.
This is not hardening, it's BASIC security. Any script kiddie from the same country could find it and cause problems.
How far would you say they should go to stop domestic script kiddies from messing with it? And if script kiddies from other countries mess with it, is it now cyber warfare?
No, that's not the same. If you, for example, leave your front door open and the insurance finds out, do you think they will be doing "victim blaming"?
So let's turn this logic around on those megacorps that leak personal data: suppose they run an open Postgres or MongoDB with ALL the customer data, no password or a default password, on open IPv6. Is it victim blaming to go after them for this? After all, it's the big bad criminals that stole the data?
The truth of the matter is that yes, the ones that take the data are criminals, but so are the ones that don't take proper precautions.
Have you actually seen how these infrastructure things operate? Many of them have open SCADA systems directly coupled to the internet. Many of them have SMS gateways that just accept messages from _ANY_ phone number to issue shutdowns.
I know because I have been brought in to look at some of those things as a consultant.
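The SMS shutdown gateway described above, as an added illustration that is not code from the thread or from any real gateway: the weak handler accepts a shutdown from any sender, while the hardened one requires an allowlisted sender plus an HMAC over the command, a timestamp and a nonce, since caller ID alone is spoofable. Phone numbers, the key and the command set are constructed placeholders.

```python
import hmac
import hashlib
import time

# Constructed demo values; the thread names no real numbers, keys or commands.
ALLOWED_SENDERS = {"+15550100001"}          # operator phones permitted to send commands
SHARED_KEY = b"constructed-demo-key-not-real"
MAX_AGE_S = 120                             # reject commands older than two minutes
VALID_COMMANDS = {"SHUTDOWN", "STATUS"}
_seen_nonces = set()                        # replay protection (in-memory for the demo)


def weak_handle(sender, text):
    """The pattern the thread describes: any phone number can trigger a shutdown."""
    return "SHUTDOWN" if text.strip().upper() == "SHUTDOWN" else None


def _mac(cmd, ts, nonce):
    return hmac.new(SHARED_KEY, f"{cmd}|{ts}|{nonce}".encode(), hashlib.sha256).hexdigest()


def sign_command(cmd, ts, nonce):
    """What an operator's phone app would send: CMD|timestamp|nonce|hmac."""
    return f"{cmd}|{ts}|{nonce}|{_mac(cmd, ts, nonce)}"


def hardened_handle(sender, text, now=None):
    """Accept a command only if the sender is allowlisted AND the message carries a
    valid, fresh, never-before-seen HMAC. The MAC is what actually authenticates;
    the allowlist only narrows the surface, because sender numbers can be spoofed."""
    now = time.time() if now is None else now
    if sender not in ALLOWED_SENDERS:
        return None
    try:
        cmd, ts, nonce, tag = text.strip().split("|")
        ts = int(ts)
    except ValueError:                       # malformed or unsigned message
        return None
    if abs(now - ts) > MAX_AGE_S or nonce in _seen_nonces:
        return None                          # stale or replayed
    if not hmac.compare_digest(_mac(cmd, ts, nonce), tag):
        return None                          # forged or tampered
    _seen_nonces.add(nonce)
    return cmd if cmd in VALID_COMMANDS else None
```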
Software with vulnerabilities was defectively written.
If someone makes tanks with paper for armour, because it cuts costs, they are to blame if those tanks catch fire.