Segmenting networks with firewalls, improved access controls and patching are needed to better defend infrastructure sector firms from potential attack, he added.
Maybe I'm missing something, but why not add "remove Internet access to such things as the generator controls, generator protection devices, etc." to the warnings? All the critical equipment should be on its own network without access to the Internet.
All the critical equipment should be on its own network without access to the Internet
You'd still need things like leased lines to run the SCADA. And against a nation state grade actor, tapping into a leased line is probably relatively easy. I'd expect that anybody wanting to target another country would have "plants" in the target country's telecom sector. Stuxnet didn't get into Iran's centrifuges via the internet, so it all begs the question, what are you seeking to protect from whom?
There are standards...
There are CIP (Critical Infrastructure Protection) standards in place today that address your concerns about network isolation, strong authentication, SCADA access, etc. (http://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx)
If you're feeling bored browse through the 11 "Subject to Enforcement" standards - they're actually quite good and many have roots in the NIST guidance. The real question is whether they are being followed, how often audits are occurring, and the effectiveness of deterrents (fines) for failing to comply.
Anyone who does get compromised and taken down is going to have some 'splaining to do, but that won't help those sitting in the dark.
Risks of coming to El Reg
I hope El Reg treats the 'watering hole' aspect with the attention it deserves.
Squirrels are still winning
With both Ukraine attacks + stuxnet, that's still only 3 successful cyberattacks... squirrels are at 1000+...