Hey, you know what the internet needs? Yup, more industrial control systems for kids to hack

The number of industrial control systems (ICS) connected to the internet has increased year on year – meaning more and more infrastructure is sitting on the 'net potentially open to attack. Of the 175,632 internet-accessible ICS equipment detected, approximately 42 per cent were in the US, marking a 10 per cent increase over …

  1. jake Silver badge

    Blithering idiots.

    Ah, well. More loot for me, cleaning up the mess. Still, it's getting rather old. You'd think after a couple decades they'd notice something wasn't working exactly as planned.

    1. Richard Jones 1
      FAIL

      Re: Blithering idiots.

      Perhaps it is the herbivore's herd tendency? With all those other herbivores to take I should be safe in the middle of the crowd of unprotected herbivores. The problem is that large collections of prey do attract larger packs of hunters; throughout nature that rule is the same. Initially even minimal protection can help but in the end prey has to get real and cease sitting on a plate for the next taker. Getting things right is not a cost of doing business, it is the only way to stay in business. Some constructive guidance for those in charge of receiving the bonuses might be useful; fining the right people who fail is an obvious first step.

    2. Boris the Cockroach Silver badge
      Happy

      Re: Blithering idiots.

      When you're cleaning up the mess, can you make sure you bring a mop and bucket along with you.

      Comes in handy for cleaning the body parts and blood off the robots/cnc machines...

      1. jake Silver badge

        Re: Blithering idiots.

        I have never seen a so-called "robot" or CNC machine come into contact with a human where it wasn't the complete, total and utter fault of the idiot human getting themselves into space where they shouldn't have been. I don't get called in to clean up those cases as it's not the equipment/process that is at fault.

        Ever hear the phrase "Stupidity SHOULD hurt!"? Machines aren't capable of stupidity. So the old saw "To err is human, but to really foul things up requires a computer." is actually wrong. Machines are only capable of doing what they are told. It's always a human that is at fault.

        I now fully expect to cut myself while prepping dinner ... the Universe is funny that way.

        1. Boris the Cockroach Silver badge
          FAIL

          Re: Blithering idiots.

          Strangely, there's a video wandering about the internet somewhere about people hacking a CNC machine so that it machines ellipses instead of circles....

          So let's take cheapo machine tool maker designing a safety circuit, the old days it would be a hardwired switch leading to a relay that fires the e-stop circuits... open the gate and the thing stops.

          But switches, relays and wires cost money to install/maintain... let's just make it a magnetic sensor linked to the PLC. Oh, and put the machine on the internet so our service dept can remotely view the machine if the customer reports any problems... cheaper than sending a repair guy.

          You see where this is going?

          Hacker breaks into the machine, alters the PLC ladder for the lolz, cleaning labourer is told to clean up ... opens the gate, machine doesn't stop, blood and guts everywhere....

          1. Pascal Monett Silver badge

            If it is to remotely view the machine, there is no need to wire the machine. Install a CCTV to monitor it. If hackers take that over, big deal.

            But of course, one does not just want to monitor, one wants control. Convenience is what will be the downfall of the IT industry. Because security is most definitely not convenient, we have the basic human tendency to get fed up with security instead of scrapping the convenience.

  2. sitta_europea Silver badge

    I can live without electricity. I don't want my water supply system on the Internet. Full stop.

  3. Redstone

    Part of the Problem

    is that, in terms of the Gartner Hype Cycle, we still haven't got to the top of the 'Peak of Inflated Expectation' for all things 'IoT'.

    It will probably take more than one serious breach at a Utility that causes fatalities and general discomfort to the public before we are thrown into the 'Trough of Disillusionment' and ignorant managers stop trying to sound clever and hip by suggesting that everything must be connected.

    Perhaps then we can get to the 'Slope of Enlightenment' where there needs to be a clear case for infrastructure to be (securely) connected and if there is a critical control function to the device, there should be at least two and probably three factor login security.

    1. jake Silver badge

      Re: Part of the Problem

      I think in these here parts, Gartner fell out the bottom of the Trough of Disillusionment over a decade ago ...

      1. Alistair
        Windows

        Re: Part of the Problem

        I'm sorry Jake, I thought Gartner *was* the trough of disillusionment.

  4. Anonymous Coward

    It will only get worse as long as there are MBAs that think they know it all and want it now, bean counters that only think about the bottom line and marketing wonks that never have any logical thoughts running things.

    The only way out of the problem is to ensure that the final say about connecting to anything outside the plant is left to the engineers that actually work there.

  5. Sir Runcible Spoon
    FAIL

    Sir

    The most concerning aspect for me is that these types of control systems typically don't deal with malformed packets very well, so if they are directly connected to the internet* then there is a very real possibility that they could be DoS'd by accident from one of the many ongoing port scans that are happening all the time.

    *If the firewall port is opened and the connection isn't proxied, then it doesn't matter if it's 'behind the network firewall so it's safe'.

  6. Martin Summers Silver badge

    I never would for very obvious reasons, but part of me would love to play with this stuff and go see what's out there that you can log in to and control remotely. Of course there are people without such scruples that would be on Shodan all the time doing precisely that.

    It shocks me that it's still a thing and more so that you don't hear about companies suffering attacks all the time. Surely some company somewhere in the world is having some scrote log in and turn their heating up full whack or some industrial control system has gone haywire thanks to an external actor. Where are all the stories about this? I would like to hear the real world impact of these net facing systems being compromised.

  7. Paul Hovnanian Silver badge

    On the other hand ...

    ... if you are in the SCADA security consulting business, Shodan and AutoSploit are quite useful for generating new customer leads.

  8. Yet Another Anonymous coward Silver badge

    UK 6th

    And I'm betting almost all of those systems are AC/Heating for some call centers

    Thanks to the brilliant foresight of the last 30 years of UK governments - British industry is uniquely safe from all kinds of attack.

  9. FlamingDeath Silver badge

    We're all doomed, doomed I tell you !

    https://www.theregister.co.uk/2018/01/31/auto_hacking_tool/

    The days of sneezing at a screen and declaring it software code need to be resigned to the past

    Take some bloody responsibility for the shit you produce

  10. Nimby
    Mushroom

    A SCADA by any other name...

    It's all in the name, really. Say "SCADA" and people think security.

    Say "Internet of Things" and people think, "Dear god, why would anyone want THAT insecure piece of ____ on their network?"

    The solution? Stop saying "SCADA" and start saying "Internet of Industrial Things".

    Sure it's a little disingenuous. The security is better than that. However, when hackers get more bang for their buck, especially when it is a nuclear power plant (hence the icon), it makes you think, at least for a moment, "What if..." And that one horrifying moment of thought is where security consciousness truly begins.

  11. Anonymous Coward

    More Problems, But Less Help

    What's ironic about this is just as the rate of incidents increases, the US DHS ICS-CERT has had its funding dramatically cut. Apparently some senior executives wanted more "administrative support" and increased travel budgets.
