Re: Company selling security consultancy find security flaws shocker
My experience so far is that security is still often an afterthought. The other problem is, a lot of the IoT stuff is tacked onto existing hardware, which has often been in production for over a decade, so it is irrelevant whether the next generation hardware has some security baked in; the majority of industrial systems are unprotected by design.
I agree, however, that the wording from Godfrey is a little misleading, there is certainly some work going on in this area, but you only have to look at the **** that is coming out today in cars, for example, where they are online, but the CANBUS is still pretty much unprotected! Industrial PLCs aren't much better, in my experience.
But their attack requires local access. Physical security is as important as cyber security in these situations. If you can just walk in and install a box on a critical infrastructure, cyber security is the least of your worries.
We don't know what their remit was. And getting through the firewall and hacking a PC on the network isn't that hard, but might have been outside the remit for the case in question, which would have made it illegal to try such a scenario.
It is also not a "local" attack, which means on the device(s) in question, it was an attack within the network, so internal but not local.
And the industrial networks tend to be very fragile. I worked for a company producing vulnerability scanners and they had extra documentation and modes for scanning SCADA and PLC networks, so that you don't bring them crashing down during an initial scan. Their systems started in a "light touch" mode and gradually worked up. It was also recommended that the customer make a replica of their production environment to test on, before scanning the real thing.