posted by janrinok on Saturday March 23 2024, @12:42PM
from the weakest-link dept.

https://arstechnica.com/security/2024/03/critical-us-water-systems-face-disabling-cyberattacks-white-house-warns/

The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.

"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."

[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.

"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.

Related stories on SoylentNews:
An Online Dump of Chinese Hacking Documents Offers a Rare Window Into Pervasive State Surveillance - 20240229
US Says China's Volt Typhoon Is Readying Destructive Attacks - 20240216
The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying - 20231206
Teens With "Digital Bazookas" Are Winning the Ransomware War, Researcher Laments - 20231116
How China Gets Free Intel on Tech Companies' Vulnerabilities - 20230913
Microsoft Links Russia's Military to Cyberattacks in Poland and Ukraine - 20221113
U.S. Charges Four Russian Government Workers With Hacking Energy Sector - 20220327
Microsoft Warns of Destructive Disk Wiper Targeting Ukraine - 20220118
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
DOJ: Chinese Hackers Stole "Hundreds of Millions of Dollars" of Secrets - 20200722
Chinese Digital Spying is Becoming More Aggressive, Researchers Say - 20200326
Vietnam's Battalions of 'Cyber-Armies' Silencing Online Dissent - 20200117
A New Hardware Implant Shows How Easy It May be to Hide Malicious Chips - 20191013
Congress Mobilizes on Cyber Threats to Electric Grid - 20190715
How a Hacker Network Turned Stolen Press Releases into $100 Million - 20180826
U.S. State and Local Governments Receive Malware-Containing CDs Mailed from China - 20180731
Ukrainian DNC Hack-Author has Turned Himself in and is Cooperating with FBI - 20170816
FIN7 'Cyber-Mafia' Group Giving Heartburn to the U.S. Restaurant Industry - 20170528
Interview with Cybersecurity Expert Jeffrey Carr about Crowdstrike's Russian Hacking Claims - 20170417
Hacker Rigged Elections in Nine Latin American Countries - 20170308
Chinese Businessman Pleads Guilty to Conspiring to Hack US Defense Contractors - 20160326
China Hacks on US Continue, Facebook to Warn Users About Potential State-sponsored Attacks - 20151019
CIA Officers Pulled from China Because of OPM Breach - 20151002
North Korean Defector Warns that Hackers Could Kill - 20150530


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Interesting) by drussell on Saturday March 23 2024, @12:47PM (28 children)

    by drussell (2678) on Saturday March 23 2024, @12:47PM (#1349963) Journal

    Why on earth would a PLC involved with water plant operations be connected to the internet?

  • (Score: 2, Offtopic) by canopic jug on Saturday March 23 2024, @12:55PM (14 children)

    by canopic jug (3949) Subscriber Badge on Saturday March 23 2024, @12:55PM (#1349964) Journal

    And why would m$ products be in production environments, let alone networked production environments?

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 4, Interesting) by drussell on Saturday March 23 2024, @02:10PM (9 children)

      by drussell (2678) on Saturday March 23 2024, @02:10PM (#1349968) Journal

      Why are you talking about Windows and TCO? This has nothing to do with Microsoft; we're talking about the logic controllers that operate equipment in industrial settings.

      Don't get me wrong, I'm no fan of Microsoft or their poor quality software, but that's not the issue being discussed in this article.

      • (Score: 2) by aafcac on Saturday March 23 2024, @02:35PM (3 children)

        by aafcac (17646) on Saturday March 23 2024, @02:35PM (#1349970)

        Yes, whether or not it's an MS product is at best a secondary issue here. Why are these being run over the internet? And is this a matter of them being run over an improperly secured VPN, or is there something even dumber going on?

        IMHO, it makes precisely no sense to run such security sensitive systems over a public internet, even with a VPN being involved. Given the number of people that could be sickened, it seems like there should be a better way of dealing with it.

        • (Score: 2) by drussell on Saturday March 23 2024, @03:12PM (2 children)

          by drussell (2678) on Saturday March 23 2024, @03:12PM (#1349974) Journal

          It's a PLC. It doesn't "run" over the internet. Do you even understand what a PLC is?

          You might want to perhaps monitor (or perhaps even control) some aspects of your system from a remote location, but you don't do this by directly connecting the damn PLC itself directly to the internet!!

          • (Score: 4, Informative) by GloomMower on Saturday March 23 2024, @03:44PM (1 child)

            by GloomMower (17961) on Saturday March 23 2024, @03:44PM (#1349978)

            There are many PLCs with ethernet. Or devices that are on the internet connected to a PLC through serial or RS485.

            don't do/shouldn't do not can't do.

            I'm pretty sure Stuxnet infected the computers that connected to the PLC. More and more systems are not air-gapped, it is too darn convenient for optimization of usage, and man-hour reduction.

            • (Score: 2) by drussell on Saturday March 23 2024, @03:52PM

              by drussell (2678) on Saturday March 23 2024, @03:52PM (#1349981) Journal

              Of course most modern PLCs have ethernet ports, not just serial ports, but ethernet interface ≠ connected to internet!!

      • (Score: 1, Informative) by canopic jug on Saturday March 23 2024, @04:53PM (4 children)

        by canopic jug (3949) Subscriber Badge on Saturday March 23 2024, @04:53PM (#1349988) Journal

        Why are you talking about Windows and TCO?

        The inner layer might be microcontrollers, but over the decades they have been networked and connected to Internet-facing Windoze systems, for the convenience of nation state attackers. Thus Windoze is part of the mix.

        The layer of industrial microcontrollers connected to the sensors, valves, and pumps is, obviously not Windoze. It can't be. Those devices have to work or people would notice. However, in the layers above that, the ones connected to the open Internet, you will find Windoze all too often [unitronics.com]. Thus the problems of the total cost of ownership [soylentnews.org] for Windoze are relevant as these breaches are not externalities but an integral, unavoidable component in foolishly placing Windoze in Internet-facing production environments while giving said same Windoze boxes direct access to industrial control systems.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 4, Insightful) by Anonymous Coward on Saturday March 23 2024, @06:17PM (3 children)

          by Anonymous Coward on Saturday March 23 2024, @06:17PM (#1349996)

          Listen, I love to hate on Windows (and Microsoft) as much as the next soylentil around here, but using terms like 'windoze' does not make our side come across as particularly 'adult'. Secondly: redirecting everything even remotely related to vulnerabilities to Microsoft, even though they are not the focus of the point attempting to be made in the article, deflects the blame from those who deserve it and where it could actually help by shining light, to a place (that also deserves it) that has no control over the main complaint in the article and thus makes zero difference.
          So please, knock it out and behave a bit more like an adult. You're making us serious people look like clowns by association.

          • (Score: 4, Touché) by Tork on Saturday March 23 2024, @07:51PM (1 child)

            by Tork (3914) Subscriber Badge on Saturday March 23 2024, @07:51PM (#1350003)

            ...but using terms like 'windoze' does not make our side come across as particularly 'adult'.

            Quoted for agreement. I don't know about the AC but I'm a green-site refugee and despite my daily headaches with Windows I still found too many people on that site, many using the same terminology canopic jug is, brought up MS tropes even where they weren't relevant because it earned karma.

            I'm not saying canopic jug isn't right, mainly I'm sticking my nose in because the redundant moderation was hasty.

            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
            • (Score: 4, Interesting) by canopic jug on Sunday March 24 2024, @05:40AM

              by canopic jug (3949) Subscriber Badge on Sunday March 24 2024, @05:40AM (#1350069) Journal

              [...] I'm a green-site refugee and despite my daily headaches with Windows [...]

              More noticeably I see that defending m$, Windows, and Bill against all criticism, especially legitimate criticism, also has become a trope, particularly on censorious sites like the two orange ones. I can't say about the green site, but it too was like that when I last logged in there so very long ago. Whining about common writing styles is one way to distract from the actual topic, a topic which hurts m$ and its minions.

              Back to the topic at hand and leaving the debate about style aside, here, on SN, the fine article linked to in the very summary at the top includes mention by name of Unitronics [unitronics.com] which is most clearly a Windows problem. It is even named as a factor (aka problem) in the Florida, Pennsylvania, and other state water treatment facility breaches.

              The Windows deployments there and elsewhere did not occur spontaneously. Those misfit products were ordered purchased and ordered deployed by real people with names and addresses. If the US were serious about the network security problems surrounding water treatment, they could be solved quite quickly by any number of approaches, some faster some slower. But slow or fast, solving them is possible. If someone were to drill holes all over or blast a dam, the feds would swoop in probably even at the planning stage. If someone were to build a dam with knowingly substandard methods or materials or design, the feds would swoop in, probably even at the planning stage. Yet, although water treatment and management is essential, critical national infrastructure all knowledge and best practices are thrown out because of Windows and M$ exceptionalism. The products are not fit for purpose and everyone knows it, and those products have been that way for so many decades one can accurately say it is by design. However, since the pivot to politics and lobbying by M$ since back around the turn of the century, no one is allowed to say it or call them out. The government's announcements of memos, letters, and press releases are not going to solve the widespread managerial problems which lead to nation-crippling Windows deployments. Sending fines, jail sentences, or polished boots will.

              --
              Money is not free speech. Elections should not be auctions.
          • (Score: -1, Redundant) by Anonymous Coward on Sunday March 24 2024, @04:48AM

            by Anonymous Coward on Sunday March 24 2024, @04:48AM (#1350060)

            Fuck off.

    • (Score: 3, Informative) by RS3 on Sunday March 24 2024, @04:39AM (2 children)

      by RS3 (6367) on Sunday March 24 2024, @04:39AM (#1350056)

      Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

      But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

      The touchscreen modules often run Windows CE- the "embedded" versions of Windows, which are really quite stripped down, can be bloated up with stuff if needed, including software with libraries and modules that "talk" to the PLC.

      There exist touchscreen modules that run on other OSes including Linux, and there's pretty strong Linux support for many PLCs.

      In most cases it's somewhere between ignorance and laziness where all the Ethernet ports are all connected to one network segment, which is usually connected to Internet (through router / gateway / firewall).

      As you might imagine, those touchscreen modules running Windows CE may want, or need, to connect to the Internet for many reasons. That doesn't mean they open any incoming service ports, but it shows how they could be vulnerable.

      And it comes down to pretty much the main reason we all have and deal with the far too many vulnerabilities: people love to add features and functionality, but deprioritize security, if they consider it at all.

      Remote monitoring and control of industrial processes is a very good useful thing. I think, at the very least, people should use a good VPN if they're going to use the Internet for remote monitoring.

      • (Score: 4, Informative) by canopic jug on Sunday March 24 2024, @06:09AM (1 child)

        by canopic jug (3949) Subscriber Badge on Sunday March 24 2024, @06:09AM (#1350072) Journal

        Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

        But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

        I've seen enough evidence, even though looking at it from the outside: The method for controlling water treatment systems which I saw demoed to me used RS485, if I recall correctly, but that was more than 20 years ago. The designer was under increasing management pressure at that time to connect the control systems to the Internet via Windows computers. That was something he refused to do and, as a consultant, was in a position to refuse. Times and situations change. People move on.

        Now components with M$ requirements [epa.gov] are called out by name and are apparently common if not pervasive. Industrial control is serious business (in both meanings) but connecting the industrial control systems to the Internet via infamously insecure products in an even more insecure way is making those serious people look like clowns.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 3, Insightful) by RS3 on Sunday March 24 2024, @03:30PM

          by RS3 (6367) on Sunday March 24 2024, @03:30PM (#1350104)

          Yeah, at this point pretty much everyone who isn't super hands-on with details of technology thinks it's just the thing to do to connect everything to the Internet. TBF, subsystem / component designers usually include Internet connectivity in the feature / functionality brag list. Then they pass the buck saying it's someone else's job to secure everything.

          My most recent full-time job was at a small-ish food factory- maybe 200 employees. There was no IT person. They contracted out for IT services (total joke / waste of $). There were several very savvy people who did much IT work. One of the most awesome and smartest people I've ever met had many roles there, including doing much IT work. He had a degree in CS, but wore many hats well. The _only_ thing he was very wrong about: he and others had plugged all PLC / SCADA systems into a building-wide Ethernet. Many times he said the production machines (PLCs) were "air-gapped". Hmmm, then why could I run nmap and see most of the PLCs through WiFi? It's possible someone plugged in an Ethernet jumper between some of the Ethernet switches. Things weren't documented, were somewhat physically locked, and many years of learning the hard way taught me to just leave it alone, play dumb. Normally I'm wired for proactive action, but people always seem to have "reasons" for why I shouldn't touch things (in spite of me alone more than doubling the company's productivity) and I'm conflict-averse so again I've learned to back off and do other things.

          Much bigger-picture problem of non-existing management. IMHO, good management would identify all talents in everyone, and apportion things based on needs, prioritizing, efficiency, productivity, etc. IE, I had, by far, the most general IT / networking talent, but was relegated to other roles. If I had stayed there I would have done more to inventory everything, including Ethernet stuff, then present a comprehensive plan to give everyone a full SCADA system of the entire production.

          Yes, various forms of RS485 have been used for many control and monitoring systems for many many years. There have been many adaptations, including CAN bus [wikipedia.org]. RS485 is the basis for DMX512 which is used to control stage / show lighting systems, pyrotechnics, etc. For years Allen-Bradley (now owned by Rockwell Automation) PLCs used DeviceNet [wikipedia.org] which is based on CAN bus.

          Another angle, or cake layer, is that most people can only handle so much complexity. Most people I've met / worked with in the PLC world are quite intelligent, and dealing with much complexity in the PLC world, struggling to keep up with the ever-changing PLC platforms, and have no bandwidth to deal with increasing IT complexity. IE, IT generalists and IT security specialists are needed to work with PLC people. Of course big corporations can afford such staff, but tiny producers can't afford such staff. 3rd-party providers are very expensive, might do some things well, but maybe won't do a comprehensive design. Someone onsite might make some changes, then expensive contractor gets even more expensive trying to figure out what's happened (and I've seen this many many times). It all starts to get into costs and economics and management and business-speak BS. Meanwhile, as too often, IT and IT security gets ignored until there's a break-in and panic.

          Thanks for that interesting link, btw.

    • (Score: 2) by RS3 on Sunday March 24 2024, @04:58AM

      by RS3 (6367) on Sunday March 24 2024, @04:58AM (#1350062)

      I forgot to mention SCADA, as "Thesis" does below. Generally the software that runs on the touchscreen is considered SCADA, which can also run on PCs, hence the possibility of connecting a PLC to a PC somewhere else, possibly far away.

  • (Score: -1, Troll) by aafcac on Saturday March 23 2024, @01:50PM (8 children)

    by aafcac (17646) on Saturday March 23 2024, @01:50PM (#1349966)

    A combination of it being cheaper and it allowing whatever President is in charge at the time to rationalize further erosion of our civil liberties in order to get the bad guys. Things being leaked via the internet that shouldn't be connected to the internet has been an issue for decades at this point. There's no justification for it.

    • (Score: 0, Insightful) by Anonymous Coward on Saturday March 23 2024, @02:33PM (7 children)

      by Anonymous Coward on Saturday March 23 2024, @02:33PM (#1349969)

      It's nice to know that we haven't prevented dumb people from modding around here.

      • (Score: 5, Insightful) by drussell on Saturday March 23 2024, @02:56PM (6 children)

        by drussell (2678) on Saturday March 23 2024, @02:56PM (#1349972) Journal

        It's nice to know that we haven't prevented dumb people from modding around here.

        The comment in question is currently scored +1 Troll

        While I would say it is probably actually more like Flamebait, a comment like this:

        A combination of it being cheaper and it allowing whatever President is in charge at the time to rationalize further erosion of our civil liberties in order to get the bad guys.

        ... is absurd on its face. Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?

        Additionally, why would it be "cheaper" to have a PLC connected to the internet? Cheaper how, in what way?

        Too bad there isn't a -1 Absurd mod. That would be highly appropriate, IMHO.

        • (Score: 3, Troll) by EJ on Saturday March 23 2024, @04:17PM (3 children)

          by EJ (2452) on Saturday March 23 2024, @04:17PM (#1349986)

          I'm not reading the rest of the posts, but it is cheaper because you can have one guy in India monitoring multiple plants for $0.50/hr instead of having to pay for someone to work at the physical site.

          • (Score: 2, Troll) by drussell on Saturday March 23 2024, @09:45PM (2 children)

            by drussell (2678) on Saturday March 23 2024, @09:45PM (#1350008) Journal

            That may be the way the telephone company operates their customer service these days, but do you actually have any evidence that your local water utility is being run and monitored by some schmoo in a cubicle in India?!

            I'm pretty sure that's not a thing!!

            Offshoring hundreds or thousands of call-centre jobs for customer "service" is one thing, but the couple of operations dudes wandering around the local water filtration facility, power station or sewage treatment plant monitoring things plus a few maintenance and engineering staff are probably not being magically outsourced offshore. 🙄

            Anything that requires "$0.50/hr monitoring" is already being taken care of by the PLC itself. Nobody is sitting there, just actively watching some level gauge.

            Water level in tank X gets above level A, open valve Y until level is below setpoint B. If limit switch L, M, N, O, or P is reached at any time, shut down that subsystem and show an alert on the maintenance crew anomaly display panel or whatever. It's all still basically just ladder logic, perhaps with a cellphone dialer at the end in a pinch, I guess...

            • (Score: 2, Interesting) by EJ on Sunday March 24 2024, @01:17AM

              by EJ (2452) on Sunday March 24 2024, @01:17AM (#1350026)

              Reading comprehension is a fundamental skill.

              My response was only to the question of how it COULD make things cheaper.

            • (Score: 2, Interesting) by wArlOrd on Sunday March 24 2024, @10:29PM

              by wArlOrd (2142) on Sunday March 24 2024, @10:29PM (#1350140)

              Sunday, May 8, 1988, a fire broke out in the main switching room of the Hinsdale Central Office of Illinois Bell

              Who was on site to notice?

        • (Score: 1, Offtopic) by canopic jug on Sunday March 24 2024, @06:26AM (1 child)

          by canopic jug (3949) Subscriber Badge on Sunday March 24 2024, @06:26AM (#1350075) Journal

          Poster apparently believes that the designers / implementers of the water plant intentionally implemented it in such a way as to be easily vulnerable to attack

          Yet, that is, in practice, what is actually happening. The egregious design of Windows and the shoddy workmanship have both been known for decades and are common knowledge. The difference is whether bad engineering is acceptable or not, and to whom it is or isn't, and whether security is part of design or merely an aftermarket add-on provided by expensive snakeoil^w third party packages. But to deploy or maintain m$ products in an Internet-facing production environment in 2024 is to intentionally deploy systems which are easily vulnerable to actual compromise, not just log futile, ineffective attacks.

          so that the government would be able to use the occurrence of such an attack as an excuse to implement policies which further curtail civilians' civil liberties?! Really?

          That's the outcome not the reason. The government does take advantage of each attack as an excuse to implement policies which curtail citizens' civil liberties. The PATRIOT Act is the quintessential example of that. Take a step back and notice that the PATRIOT Act I was all written and ready and waiting on the shelf for an opportunity to push it through congress unexamined. If you need a detailed walk through with other examples, check out the book Shock Doctrine by Naomi Klein [naomiklein.org] or other analysis of disaster capitalism.

          That some groups inside the borders perceive selfish benefit from these incidents gets in the way of straightening things out.

          --
          Money is not free speech. Elections should not be auctions.
          • (Score: 1, Redundant) by canopic jug on Monday March 25 2024, @07:07PM

            by canopic jug (3949) Subscriber Badge on Monday March 25 2024, @07:07PM (#1350313) Journal

            Good, I hit a nerve by pointing out that the government takes advantage of each major attack as an excuse to implement policies [theguardian.com], such as the PATRIOT Act [naomiklein.org], which curtail citizens' civil liberties.

            However, I would be remiss in neglecting the role of private companies and their lobbyists in all that. They draft contingency plans to have schemes for control and profit ready when the relevant, exploitable disasters strike [thenation.com]. In this case, it is Windows-connected water treatment plants which provide the opening (pun intended) for such schemes. The lowest layers of those plants are not going to be running Windows. They can't because people would notice the immediate failure. However, upper layers do and that's where things fall over because in Windows, security is a hasty afterthought and not considered part of the design process [expertinsights.com].

            One more time: the PLCs are not running Windows, but the layers above, where the compromises are taking place, most definitely are. It's in the system requirements description in their marketing brochures.

            --
            Money is not free speech. Elections should not be auctions.
  • (Score: 4, Insightful) by quietus on Saturday March 23 2024, @06:01PM

    by quietus (6328) on Saturday March 23 2024, @06:01PM (#1349992) Journal

    For the same reason all other infrastructure is connected to the Internet: because the number of technical specialists who know what they are doing is severely limited in comparison to the number of infrastructure items that need to be managed.

    To prevent you having to type your next reply: yes, I agree completely that this should be an out-of-band connection, separate from the Internet (e.g. plain old telephony & dial-up modem).

    To that, the answer is ... [drum-roll] ... silos. As in: every industry sits in its own silo, not looking at what has happened to other industries. As a relevant example, the networking world had to relearn the lessons learned in the 60s-70s by telcos with their phreaker problem: use a separate line for command-and-control. Took them until the 2000s before the realisation dawned.

    Not so bad, if you realize that, according to rumor (cough..2600..cough) you could still call internationally for free (i.e. phreaking) from select airports in the United States.

    Plus ca change, plus ca reste.

  • (Score: 3, Insightful) by Thexalon on Saturday March 23 2024, @06:01PM (1 child)

    by Thexalon (636) on Saturday March 23 2024, @06:01PM (#1349993)

    Presumably, one reason would be to help plant staff manage things during the stage in the pandemic where leaving your home was considered dangerous, or to be able to help out in emergencies without having to go into the office in the middle of the night. A not-totally-unreasonable desire that unfortunately has to contend with bad software and the fact that water systems are more of a target of bad guys than you might think.

    --
    Vote for Pedro
    • (Score: 4, Insightful) by drussell on Saturday March 23 2024, @09:51PM

      by drussell (2678) on Saturday March 23 2024, @09:51PM (#1350010) Journal

      Nobody operating a seriously essential service like running the water filtration and pumping station was ever told not to go to the plant to perform their job, at any point, be it middle of the night or otherwise.

      That's absolutely ridiculous. That was never considered too "dangerous."

      You still don't connect the actual PLC to the internet, for fuck sakes!

  • (Score: 3, Interesting) by krishnoid on Saturday March 23 2024, @06:11PM

    by krishnoid (1156) on Saturday March 23 2024, @06:11PM (#1349995)

    I post this a lot, but ... it describes the problem [youtu.be] with networking and infrastructure better than I can.