Stories about computer security tend to go viral when they bridge the vast divide between geeks and luddites, and this week’s news about a hacker who tried to poison a Florida town’s water supply was understandably front-page material. But for security nerds who’ve been warning about this sort of thing for ages, the most surprising aspect of the incident seems to be that we learned about it at all.
Spend a few minutes searching Twitter, Reddit or any number of other social media sites and you’ll find countless examples of researchers posting proof of being able to access so-called “human-machine interfaces” — basically web pages designed to interact remotely with various complex systems, such as those that monitor and/or control things like power, water, sewage and manufacturing plants.
And yet, there have been precious few known incidents of malicious hackers abusing this access to disrupt these complex systems. That is, until this past Monday, when Florida county sheriff Bob Gualtieri held a remarkably clear-headed and fact-filled news conference about an attempt to poison the water supply of Oldsmar, a town of around 15,000 not far from Tampa.
Gualtieri told the media that someone (they don’t know who yet) remotely accessed a computer for the city’s water treatment system (using Teamviewer) and briefly increased the amount of sodium hydroxide (a.k.a. lye used to control acidity in the water) to 100 times the normal level.
“The city’s water supply was not affected,” The Tampa Bay Times reported. “A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it, Gualtieri said. City officials on Monday emphasized that several other safeguards are in place to prevent contaminated water from entering the water supply and said they’ve disabled the remote-access system used in the attack.”
In short, a likely inexperienced intruder somehow learned the credentials needed to remotely access Oldsmar’s water system, did little to hide his activity, and then tried to change settings by such a wide margin that the alterations would be hard to overlook.
“The system wasn’t capable of doing what the attacker wanted,” said Joe Weiss, managing partner at Applied Control Solutions, a consultancy for the control systems industry. “The system isn’t capable of going up by a factor of 100 because there are certain physics problems involved there. Also, the changes he tried to make wouldn’t happen instantaneously. The operators would have had plenty of time to do something about it.”
Weiss was just one of a half-dozen experts steeped in the cybersecurity aspects of industrial control systems that KrebsOnSecurity spoke with this week. While all of those interviewed echoed Weiss’s conclusion, most also said they were concerned about the prospects of a more advanced adversary.
Here are some of the sobering takeaways from those interviews:
- There are approximately 54,000 distinct drinking water systems in the United States.
- The vast majority of those systems serve fewer than 50,000 residents, with many serving just a few hundred or thousand.
- Virtually all of them rely on some type of remote access to monitor and/or administer these facilities.
- Many of these facilities are unattended, underfunded, and do not have someone watching the IT operations 24/7.
- Many facilities have not separated operational technology (the bits that control the switches and levers) from safety systems that might detect and alert on intrusions or potentially dangerous changes.
So, given how easy it is to search the web for and find ways to remotely interact with these HMI systems, why aren’t there more incidents like the one in Oldsmar making the news? One reason may be that these facilities don’t have to disclose such events when they do happen.
NO NEWS IS GOOD NEWS?
The only federal law that applies to the cybersecurity of water treatment facilities in the United States is America’s Water Infrastructure Act of 2018, which requires water systems serving more than 3,300 people “to develop or update risk assessments and emergency response plans.”
There is nothing in the law that requires such facilities to report cybersecurity incidents, such as the one that happened in Oldsmar this past weekend.
“It’s a difficult thing to get organizations to report cybersecurity incidents,” said Michael Arceneaux, managing director of the Water ISAC, an industry group that tries to facilitate information sharing and the adoption of best practices among utilities in the water sector. The Water ISAC’s 450 members serve roughly 200 million Americans, but its membership comprises less than one percent of the overall water utility industry.
“Some utilities are afraid that if their vulnerabilities are shared the hackers will have some inside knowledge on how to hack them,” Arceneaux said. “Utilities are rather hesitant to put that information in a public domain or have it in a database that could become public.”
Weiss said the federal agencies are equally reluctant to discuss such incidents.
“The only reason we knew about this incident in Florida was that the sheriff decided to hold a news conference,” Weiss said. “The FBI, Department of Homeland Security, none of them want to talk about this stuff publicly. Information sharing is broken.”
By way of example, Weiss said that not long ago he was contacted by a federal public defender representing a client who’d been convicted of hacking into a drinking water system. The attorney declined to share his client’s name, or divulge many details about the case. But he wanted to know if Weiss would be willing to serve as an expert witness who could help make the actions of a client sound less scary to a judge at sentencing time.
“He was defending this person who’d hacked into a drinking water system and had gotten all the way to the pumps and control systems,” Weiss recalled. “He said his client had only been in the system for about an hour, and he wanted to know how much damage could his client really could have done in that short a time. He was trying to get a more lenient sentence for the guy.”
Weiss said he’s tried to get more information about the defendant, but suspects the details of the case have been sealed.
Andrew Hildick-Smith is a consultant who served nearly 20 years managing remote access systems for the Massachusetts Water Resources Authority. Hildick-Smith said his experience working with numerous smaller water utilities has driven home the reality that most are severely under-staffed and underfunded.
“A decent portion of small water utilities depend on their community or town’s IT person to help them out with stuff,” he said. “When you’re running a water utility, there are so many things to take care of to keep it all running that there isn’t really enough time to improve what you have. That can spill over into the remote access side, and they may not have a IT person who can look at whether there’s a better way to do things, such as securing remote access and setting up things like two-factor authentication.”
Hildick-Smith said most of the cybersecurity incidents that he’s aware of involving water facilities fall into two categories. The most common are compromises where the systems affected were collateral damage from more opportunistic intrusions.
“There’ve been a bunch of times where water systems have had their control system breached, but it’s most often just sort of by chance, meaning whoever was doing it used the computer for setting up financial transactions, or it was a computer of convenience,” Hildick-Smith siad. “But attacks that involved the step of actually manipulating things is pretty short list.”
The other, increasingly common reason, he said, is of course ransomware attacks on the business side of water utilities.
“Separate from the sort of folks who wander into a SCADA system by mistake on the water side are a bunch of ransomware attacks against the business side of the water systems,” he said. “But even then you generally don’t get to hear the details of the attack.”
Hildick-Smith recalled a recent incident at a fairly large water utility that got hit with the Egregor ransomware strain.
“Things worked out internally for them, and they didn’t need to talk to the outside world or the press about it,” he said. “They made contact with the Water ISAC and the FBI, but it certainly didn’t become a press event, and any lessons they learned haven’t been able to be shared with folks.”
AN INTERNATIONAL CHALLENGE
The situation is no different in Europe and elsewhere, says Marcin Dudek, a control systems security researcher at CERT Polska, the computer emergency response team which handles cyber incident reporting in Poland.
Marcin said if water facilities have not been a major target of profit-minded criminal hackers, it is probably because most of these organizations have very little worth stealing and usually no resources for paying extortionists.
“The access part is quite easy,” he said. “There’s no business case for hacking these types of systems. Quite rarely do they have a proper VPN [virtual private network] for secure remote connection. I think it’s because there is not enough awareness of the problems of cybersecurity, but also because they are not financed enough. This goes not only for the US. It’s very similar here in Poland and different countries as well.”
Many security professionals have sounded off on social media saying public utilities have no business relying on remote access tools like Teamviewer, which by default allows complete control over the host system and is guarded by a simple password.
But Marcin says Teamviewer would actually be an improvement over the types of remote access systems he commonly finds in his own research, which involves HMI systems designed to be used via a publicly-facing website.
“I’ve seen a lot of cases where the HMI was directly available from a web page, where you just log in and are then able to change some parameters,” Marcin said. “This is particularly bad because web pages can have vulnerabilities, and those vulnerabilities can give the attacker full access to the panel.”
According to Marcin, utilities typically have multiple safety systems, and in an ideal environment those are separated from control systems so that a compromise of one will not cascade into the other.
“In reality, it’s not that easy to introduce toxins into the water treatment so that people will get sick, it’s not as easy as some people say,” he said. Still, he worries about more advanced attackers, such as those responsible for multiple incidents last year in which attackers gained access to some of Israel’s water treatment systems and tried to alter water chlorine levels before being detected and stopped.
“Remote access is something we cannot avoid today,” Marcin said. “Most installations are unmanned. If it is a very small water or sewage treatment plant, there will be no people inside and they just login whenever they need to change something.”
SELF EVALUTION TIME
Many smaller water treatment systems may soon be reevaluating their approach to securing remote access. Or at least that’s the hope of the Water Infrastructure Act of 2018, which gives utilities serving fewer than 50,000 residents until the end of June 2021 to complete a cybersecurity risk and resiliency assessment.
“The vast majority of these utilities have yet to really even think about where they stand in terms of cybersecurity,” said Hildick-Smith.
The only problem with this process is there aren’t any consequences for utilities that fail to complete their assessments by that deadline.
Hildick-Smith said while water systems are required to periodically report data about water quality to the U.S. Environmental Protection Agency (EPA), the agency has no real authority to enforce the cybersecurity assessments.
“The EPA has made some kind of vague threats, but they have no enforcement ability here,” he said. “Most water systems are going to wait until close the deadline, and then hire someone to do it for them. Others will probably just self-certify, raise their hands and say, ‘Yeah, we’re good.'”
Update, Feb. 11, 4:15 p.m. ET: Hildick-Smith has asked to qualify his last statement about the EPA’s authority. He says while the EPA is not collecting copies of the risk and resilience assessments and emergency response plans, or enforcing quality controls on the documents, they can fine utilities for not complying with the process and certifying that they have completed the requirements. The EPA explains more here (PDF).
Very well laid out. We look at the grid and say we need to protect it, but we can go without electricity for a period of time. We can’t do that with water but we have not paid the same amount of attention to it….time to make some changes…
…well yes and no…
…until the rate payers (us) demand that public utility commissions authorize the utility to spend our money (i. e., pass the cost on to the rate payers) nothing will happen…
…does not matter how many laws, regulations, common sense, etc…
…this is an age old problem…
I agree with your comments. We need to do something to protect the safety our water and the reliability of our electricity. This bit is a tad off-comment but there’s a classic 1950’s Twilight Zone TV show episode “The Monsters Are Due on Maple Street” and that often comes to mind when I read stories like this one.
…precisely! just enough to panic them…
It works every time.
My guess is it’s some young gamer with autism who got lucky with credential stuffing against team viewer
login’s Curiosity got the best of the person , until he or she realized that people where watching what was going on with the interface changes.
…technically Asperger’s – but’s now on autism spectrum…
…many/most hackers have it…
“…technically Asperger’s – but’s now on autism spectrum…
…many/most hackers have it…”
Umm, we’re gonna need a source on that, Chief…otherwise you’re just spewing nonsense.
…not that you would understand any of it…
…DSM 5… (Diagnostic and Statistical Manual Version 5 for those who don’t know…
…how long must I do simple searches for them?…
As long as misinformation exists. In other words, forever.
Come on, man, there’s so much wrong with what you wrote that I don’t even know where to start. Lots of (unfounded and ignorant) assumptions being made there.
…time for your meds…
…show me your evidence as I showed you mine…
The problem is attempting to make a neurotypical see what they are unable to see. They read the DSM-5 (or similar this that and the other) and suddenly think they know what it is to live inside an autistic self.
It takes a lifetime to know an autistic individual, and there are things you won’t get to. But neurotypicals have been making erroneous and asinine assumptions about special needs individuals for eons. Nothing new. IME, I don’t ever see this changing.
…clearly your therapist has not sufficiently explained the idea of having symptoms that are on the spectrum…
…your loss, not mine…
When the news first hit, I decided to look for CVEs for TeamViewer.
It seemed to be secure for a while then buggy of late. I also noticed private equity was involved. Then the company went public. If TeamViewer was hacked, I could see the old game of private equity messing up a company to make the books look good (fire people deemed unnecessary like QA) before going public.
If these was a real SCADA attack, that is some hacker flipped the valve directly instead of with a software control panel, the safeguards probably would have worked but that doesn’t necessarily mean there would be any damage to the water supply. However the supply could be turned off if need be.
Regarding water being necessary for life, people do stockpile water. Very common if you live in earthquake country. I even leave a case in the car. Yeah I have MREs too.
I once tried backpacking with MRE’s exclusively. Way too much sugar and no endurance. I think you’d be better off stashing some fig bars and powdered milk in your car. Bunch of G7 3-in-1 couldn’t hurt
You have to remember, a mre is meant for a 20 something year old in an extreme situation. The excess calories and caffeine are ment to keep you alert and on edge ready to fight. Not exactly a dietary regium. And some actually taste good.
We keep a stockpile of water in two ways.
One refilling gallon water jugs and storing them in the garage fridge. It helps keep water cold and helps keep other things cold in there when the power goes out. Win-Win.
We are on a well so we store rainwater in rain barrels with an overflow to the ground. When the power goes out we will use this for animals, toilets, and, if need be, ourselves.
For a couple hundred bucks many of you zone 6-9 folks can have a secure source of rain water. If it is colder you probably ought to bury it and keep a hand pump on hand. What are you waiting for?
It was never ‘secure’ lol.
Some years ago major power substations in several states were hit. It was a coordinated attack. It was also done very professionally. The field people said they saw “certain signs” that the people who did the attack were highly trained professionals. It was scary, we were really worried. Then it just ended. To my knowledge nothing else happened. The hit on a substation near San Jose actually made the news, and then was quickly forgotten. No one in GOV seems to want to talk about how weak our infrastructure is. It’s like an unspoken forbidden topic.
It will probably take a 9/11 type of cyber attack to wake people up and get active defences against such intrusions.
Perhaps the reason you hear nothing is because the systems in this country have already been penetrated by a foreign state and they are just waiting for a time when they will decide to activate their attack. I have no doubt that infrastructure attacks by foreign actors is a tool of war and that all the sophisticated countries do this including us. Would seem silly if it were not the case. Seems like an easy way to cripple the enemy.
“I have no doubt that infrastructure attacks by foreign actors is a tool of war”
Russian attack of a Ukrainian power plant in 2015:
What is the *real* need for these systems to be connected to the internet? Won’t they work fine without this conductivity?
…cost – otherwise you’d have to have a qualified person at every site, or incur the travel costs…
…see my post re: the public utility commissions…
As always Brian, great information! I enjoyed the article (at least as much as one could enjoy someone tampering with our water supply) Really appreciate the work and information you put out.
Why are all of the posts labeled February 21? Didn’t I tell you last time to stop messing around with the time machine?? 🙂
That’s February of 2021
Very good job on this article. Thanks for reaching out to experts for more information about the topic. I’m adding you to my rss feed 😉
Security would increase greatly if critical infrastructure would close down alle external interfaces except for VPN.
No, disable all access INCLUDING VPN. Show your ass up to work when its critical infrastructure, whether theirs a pandemic or not.
“There is nothing in the law that requires such facilities to report cybersecurity incidents”
“The situation is no different in Europe and elsewhere”
Well, regarding the first quote things can be different. In the Netherlands you *are* required by law to report breaches (and IIRC in some other countries too).
But it takes a government wanting to do that and a population willing to accept a govermnent doing that.
So living off the grid, including water and power is the only semi safe way to escape hackers, crazy, not that I have to worry about it as I’m almost dead anyways.
But it’s funny, even water can be used against people by cyber murderers,,, oh you don’t want to call them that, what if they had succeeded, yah, maybe next they will make dams fail to drown people, pop transformers to start fires,,, just turn all stop lights green at the same time in Boston, will you just call them poor misguided children, or will you call them by their real intent?
I like that you speak bluntly. Evil exists. We should never coddle it but get to the point and call it out like it is.
A ball peen hammer is a great tool for removing dents, slag and loosening stuck bolts.
If someone takes it and hits another upside the head and kills them does that make the tool bad? No, not at all. It means the tool was used irresponsibly and maliciously.
Should we lock up all of the ball peen hammers? If so, in a free society, how do we “allow” some to use the tool and “prohibit” others from using it?
What should be done with the person that killed another with the ball peen hammer? Take his hammer away? Lock him up? What if he was angry or jealous? What if he has killed three others with ball peen hammers?
Its not the tools’ fault. Its not the dams’ fault. Its not the electrically controlled water and chemical mixing valves’ fault. It is not the fault of the guy that only put a single lock on the web site to prevent access. It is the fault of the person misusing the tool for malicious purposes.
Malice can only be dealt with in one way because it only understands one thing. Swift decisive punishment.
Teach your children when they are young and when they are old they won’t wander from your instruction.
” It is not the fault of the guy that only put a single lock on the web site to prevent access. ”
It is partially for the person in charge once known-bad is known.
There are best practices and known bad ones. Malice is one thing, but opportunity for malice made easy via incompetence or denial works hand in hand with it in the real world. You have a critical system and you decide to put it on the open web?
That’s on you. You had best make sure you do it right, knowing that malice is out there trying to get in – or you’re incompetent,
and malice’s ‘partner in crime’.
” In addition to running Windows 7 on computers at the plant, all devices used the same password for remote access.”
– Hammer analogy is not forthcoming.
Great article, thanks Brian.
Actually, the Water sector has done more cybersecurity tests than any other CI sector (at least as of a few years ago according to government data). Also, the EPA offers free tools to help the Water Secctor and Waste Water Treatment facilities assess the security of their systems. DHS will also send a team out to help water facilities asses their security posture…for free (well, it’s paid for by taxes).
After interviewing a site manager at one treatment facility, it was apparent they were understaffed to deal with cybersecurity and were less concerned about it than about providing their service to end users. The majority of their expenses were for disposal of waste; very little was left over for funding cyber security assessments and strengthening their posture.
WaterISAC is a free resource that water facilities can join but it is a matter of time and resources and the ability to implement any recommended changes. Although the HetchHetchy in San Francisco is a good example of where an impact to a huge population if their water is compromised, the majority (over 70%) of water facilities are in rural areas of less than 10,000 people being supported. Smaller, local impact per site but if an adversary infects 100’s of systems, could have a greater psychological impact.
Like anything of importance, people pay no attention to it until it’s too late. People are lazy in general and don’t care for most things unless it affects them. Only way they’ll change is when it happens to them and by that time, the damage will already have been done. In end, I won’t feel sorry for those folks since they didn’t put the care needed to solve the issue in the first place. I guess we can say it’s just a ticking timebomb for something more malicious in nature to happen in the near future. All we can do is hope for the best and /shrug if and when it does since, ‘we told you so’.
The small town ones I’m familiar with may have some remote monitoring, but most don’t. There’s DEC required daily testing, so someone show up once a day and does the tests. Everything else is pretty much run by that German kid, Otto. (Old joke – it’s all in some kind of automatic operation.) There may or may not be some alarm on the side of the pump building that will flash red so the local police driving by on their rounds can call the plant operator and say “Hey, there’s red lights flashing on your building.”
Most small town towers hold enough water for a few days. The pumps kick on and off to maintain a level within a few feet to keep system pressure constant. The chlorinators all have manual adjustments and calibrated every now and again. There’s no0 need for any controls to be internet connected, and most aren’t- and shouldn’t be.
Which just made me think of something. We’re going to be replacing boilers here in a few years. We (the operators) are probably going to have to fight to keep the controls off the internet. Bringing up the security issue should be enough.
Forgot to mention- the village area of my town has a water system. My water system is a pump 700 feet from the house about 70 feet down the hill, some wires and piping, a pressure switch and a pressure tank, and some filters and a softener. 90% of the town residents are their own water and sewer company. Water quality from house to house varies greatly.
Its always amazing to me what a $4.5 Trillion Federal government doesn’t have enough money for. Though it seems the staff at the Department of Excuses, Incompetence and Corruption is well funded.
This isn’t federal government.
This is small municipality government, filled with people who don’t like paying taxes because they can’t personally see, understand and agree with every dollar spent.
I’m happy to see the issue is now solved. Thank you for updating us with the outcome. Yeah this is one of the most requested feature from the community but not sure when will the idea be implemented.
Hi is this is true cardimg is scam and only rippers now
No legit cc shops either ?
I ask i think here is many fraudsters .
What is a preferred method to provide Remote Interactive Access?
One problem is Windows 7 specifically has RDP issues that aren’t getting fixed (really) and that’s always going to be a superfund issue in terms of places that won’t upgrade from 7 for ‘legacy’ reasons.
Another is using the same password everywhere for remote.
That’s… a complete non-security, really. No walls, no tiers.
They had installed remote desktop commercial clients for convenience. There are ways of doing it homebrew but the issue is the end user and what they’re comfortable using, their knowledge. You can’t get around this problem at the low-lying fruit end.
But to your question I think that’s an open question as even the big enterprise networking companies have MASSSSSIVE lists of ongoing vulns that THEY know about, you don’t want to imagine the list that they don’t, considering all chain-attack possibilities and all the actors in the world. Really, there is no one answer but if you’re doing critical system stuff -like a dam/etc- you either need to have a REAL GOOD IDEA how things are SUPPOSED TO WORK, (passwords shared across all devices omg why not?) or you’re basically doing the devil’s work for him, ‘for convenience’.
You and I have seen it work that way thousands of times in a row.
Sorry I sidestepped your basic question like a jerk.
“SSH or teamviewer?” (does that not depend?) Dang, did it again.
Ah, water treatment …
In 2007, Nokia (the town, not the company) poisoned its population because of a cross-connect . Apparently that same valve was found in a bunch of other locations later .
But, yes, it was nice to hear of some sun-light on the industry.
Why are all of these cities going it on their own? The City of Oldmar has 156 employees at 12 facilities including the water treatment plant. Their IT department consists of one supervisor, a GIS analyst, an IT analyst and a support person and their budget does not have much room for outside support.
Cyber security scales and Oldmar is way too small to be able to afford the protection it needs on its own. Why isn’t there a state level network for the municipalities that provides an umbrella for its cities? For the sum of all of the “business class” connections these cities are paying for they can probably get faster networks and better protection as a group. Governments need to re-think how they go about getting their network connections.
Usually comes down to taxes.
People don’t want to pay for services statewide.
Even if it would save money in the long run. The local politicians don’t want to give up any control to the state government.
Until there is a breach… many think they are just fine running their town without such resources.
First line of defense, (just to keep honest people honest) design the HMI/MMI/OIT as if anyone on the street could approach and attempt to use it. The screens/pages will have user name and password security setting available to prevent accessing critical control interfaces by someone without the proper credentials. Cover any abnormal or dangerous set point changes with proper alarming and alarm notification.
@mealy, you are absolutely correct. However, I have heard it said that no mater how idiot-proof you make it they will just come up with a better idiot. To that point, people giving out their credentials happens often without even considering that security logs will show their cred’s. associated with someone else’s manipulations.
So the water isn’t considered critical infrastructure in the US to be covered by Critical Infrastructure Informaion Act and 42 U.S. Code § 5195c – Critical infrastructures protection? Surprise, surprise. Bureocracy tend to make these kind of surprises. In Russia I was very surprised when a senator announced that measures to protect critical infrastructure are yet to be legally defined. What FSTEC and FSB were issuing orders about then, for the past 12 years, I thought. And now it turns out people in the US are seemingly in the same state of unawareness regarding how to implement their own laws. What a mess.
Water is covered.
It is pretty standard that the law text does not try explicitly define things that may change over time.
Electricity and the nuclear arsenal are also not stated explicitly in law.
“the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
This is broad enough for agencies to continuously update what is critical infrastructure.
Environmental Protection Agency — drinking water and water treatment systems;
Department of Energy — energy, including the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities;
Then why there’s a statement that “The only federal law that applies to the cybersecurity of water treatment facilities in the United States is America’s Water Infrastructure Act of 2018” in the article? What you have told hints me I’m right at the assumption about critical infrastructure laws being able to cover these systems.
Probably a case of two things both being true.
The laws regarding US critical infrastructure don’t provide much details about what is included as critical infrastructure. They leave that to the sector specific agencies. The text of the critical infrastructure laws certainly do not define rules regarding specifics like cybersecurity.
That is why it may be true that the “Water Infrastructure Act of 2018” may be only “law” that “applies to the cybersecurity of water treatment facilities”.
While it can also be true that the “laws” only delegate responsibilities for “critical infrastructure” to other agencies. And the requirements for cybersecurity are not codified in those laws, but rather in policy and directives under the appropriate agency, the EPA in the case of water.
Excellent article. This is good journalism. Makes me miss the days when writers and publications valued critical thinking and real news and journalism.
>“A supervisor working remotely saw the concentration being changed on his computer screen and immediately reverted it
Nominate this guy for the medal of freedom, this is amazing!!!!!
Recently, I was involved with a hospital installing a $300k upgrade to some HVAC equipment. The equipment, installed by a large commercial contractor, has a NIC interface which allows remote internet access. The instructions from the contractor told us (MSP) to simply plugin the NIC to a switch on the trusted network, then “whitelist the device” in the firewall. I politely stated the HVAC will not be on a trusted interface and asked what ports their NIC needs, the contractor acted like he’s never been asked this before. This is the state of things. The Target hack happened years ago, and we still have industrial systems being made like IOT, being installed by contractors who put it on the trusted side, with an allow Any, Any, Any firewall policy. Same problem I’ve seen in machine shops with cc cutters and mills, same problem I’ve seen with Drs offices and hospitals, with half-million dollar, still-working MRI and xray machinery which was never supported beyond Windows 7. Nobodies going to scrap a half-million dollar machine if it still runs, upgrading the OS does not justify the replacement cost, so itll run insecure and unsupported until it mechanically dies. I wouldn’t be suprised if hostile foriegn powers have permanent, persistent access to all our utilities. Sad.
Way back in time I worked for Motorola, we had the CAD system at a major city police and fire dept. We had dial in access but we had to call the shift supervisor to have them plug the silver satin into the RJ-11 jack to get access. That was real security.