So, why is this no surprise?
- It's simple: Control systems used to depend on total isolation as the key to their security. The systems were NOT connected to anything, were physically secured, and were therefore considered safe.
- Over the last 10 years, systems have lost that isolation, becoming connected to the corporate intranet, which of course is connected to the internet.
- New implementations even have "Secure" connections directly to the internet, so the old assumption of isolation no longer holds at all.
- Overall, with a few exceptions, the strategy of the energy industry is to cover up and not talk about security risks and threats rather than address them.
What to do about it?
1) We need stronger regulation AND enforcement: real controls and rules with teeth. Today we have more regulatory control over credit card numbers than over our electrical grid.
2) We need greater focus on, and cooperation between, IT security and control systems professionals, who today rarely speak the same language.
3) We need more discussion and openness about the risks to our critical infrastructure and what to do about them.
4) We need the mainstream media to take the time to understand and report on this threat, and to push both industry and regulators to action (fat chance :)