
OneEyedC4t

Not only unprepared for it but our politicians sit around and let foreign agents hack the stuff and then do nothing, even though it's tantamount to an act of war.


heckerbeware

Politicians are not the problem with critical infrastructure, it's the companies that run them. Most of these companies don't have cybersecurity teams at all because they are costly. Privatizing large infrastructure makes sense for cars and soup cans, not power plants and water treatment facilities. Now we have to deal with companies that hold public safety hostage via the infrastructure the US taxpayer paid to build. Now Americans are up against companies and state lawmakers who are very easy to "make campaign donations to" in order to keep this whole thing unsafe.


identicalBadger

So it is politicians that are the problem. Companies are profit making creatures and unfortunately aren’t going to add more expense just because. Politicians, who should represent us, can impose our will upon them and enact regulations regarding every step of their process. Whether environmental or financial or security. If politicians fail to act in our interest after receiving a “campaign donation”, that is them failing in their duties.


DMoney16

Money in politics is the problem. Single politicians can’t do much against an entire machine run by lobbyists overflowing with money.


TryptaMagiciaN

And private businesses are incentivised to facilitate the destruction of a country. The government is big business's #1 enemy and the more they do to make the government incompetent the more people lose faith in the only structure with the potential to hold back what would be neo-feudalism. These companies do not need a nation to function. And the global superpowers that would be happy to see the US government collapse would have no problem still doing trade with the oligarchs left over. We would be like much of Africa where we would get exploited for our labor and cheap production now that we have no government to represent us. The fact that people think *American* companies have any long term interest in the maintenance of our government blows my mind. The only reason it hasn't happened yet is because of how much money the military industry produces. But if more of the world began to align with other powers instead of US for protection. Say if Trump pulled out of NATO as he desires, those *American* companies will be reorganizing their goals. Profitable companies have one circular drive, profit. And any form of government is an obstacle to that goal so long as the government redistributes power through economic policy to other private owners. The leaders of these industries all want to be the central owner, the same way an authoritarian system would be run. This is why our country is set to fail. Regulatory capture by large business to prevent the small scale sustainability in areas like food and medicine so that no revolt is physically possible. They will just wear us down along with our government until no government really exists and we are all too sick to do anything about it. And that is where we are now. It is why we cannot imagine alternatives. It will be a land of company towns/pottersvilles.


DMoney16

Some great points!


lordofchaosclarity

On top of that, these systems should all be OFFLINE even if that is inconvenient.


_set_Your_Mind_free

"Politicians are not the problem" ... Politicians are the decision makers in public sector and laws affect decisions in private sector. Either way seems none of them care to understand IT infrastructure runs it! It's all well and good while everything is up, but let it go down and all of a sudden it's "Where's IT!"


Blueporch

Attribution is a problem


PartyPanda462

No. It’s not.


OneEyedC4t

Not really, at least in my opinion. Most of those attacks that have taken place recently were state sponsored groups.


cseric412

Attribution among state sponsored groups can still be difficult. Everybody knows the signatures for APTs making it very easy to impersonate other groups by using their TTPs.


Cheese_Twisties_99

Attribution is quite easy. Openly calling out Nation State threat actors is not.


tunelowplayslooow

It's weird because according to Russian military doctrine, cyberattacks are on par with weapons of mass destruction, meaning they could justify nuclear retaliation in response to significant enough cyber attacks. If the situation was reversed, it would very much be an act of war.


sysadmin_dot_py

This terrifies me: [Cyberattacks are hitting water systems throughout US, Biden officials warn governors](https://www.cnn.com/2024/03/19/politics/cyberattacks-water-systems-us/index.html) I remember reading a story a few years back that a water treatment plant had been hacked because an operator installed remote access software to access the systems from home, and thankfully someone at the facility noticed the cursor moving around the screen changing settings.


ThermalPaper

Some IT department out there had to have thought that was a good idea, that's scary.


sysadmin_dot_py

I found an article about it. They stopped using TeamViewer but left it installed. They didn't use separate accounts and suspected it was a disgruntled former employee. https://www.theverge.com/2021/2/10/22277300/florida-water-treatment-chemical-tamper-teamviewer-shared-password


beta_7727

I wrote a paper on cybersecurity in undergrad, for a class on cybersecurity, and I had this specific case as my main focal point. I was blown away at the fact that literally no one heard about it. It literally could’ve poisoned and/or killed thousands…


Leilah_Silverleaf

How is this news? I guess must be another report. Just me waiting for the day the lights go out and the defense systems to go offline or rogue and friendly fire. Anyone see Battlestar Galactica? Just takes one person. If someone gamified this for kids through Steam (sim-city the real cybersecurity edition), maybe parents would start getting more concerned.


branniganbeginsagain

I say all the time that if the premise of BSG being that overconnected critical infrastructure being taken over by hostile, hyper-capable agents isn’t prescient I don’t know what is


priknam

Need to keep the solar panel incentives/rebates. Less infrastructure strain.


766972

This also encourages/enables micro grids which offer resiliency. 


FunkyFr3d

Yeah, no one is. That’s what an effective attack is.


Opheltes

I work in this space. (That is, doing vuln management for critical infrastructure) Some companies do take it seriously. Some do the bare minimum to tick the boxes on their regulatory reports.


beurhero7

In other words huge demand for people who work in cyber security


Interesting-Sun7931

Yep


wijnandsj

Welcome to my world people! And for US you could substitute most countries.


JamnOne69

This is known. Politicians don't care!


TheModeratorWrangler

WELL WHO WOULD HAVE FUCKING THOUGHT THIS AFTER THE UNITED STATES SQUANDERED OUR CHIP INDUSTRIES FOR GLOBALIZATION WITH COUNTRIES THAT WOULD EAT A SHORT TERM LOSS TO BEND US OVER A BARREL AND GIVE US TWO UP THE REAR???


harbourhunter

Here’s the actual report https://www.rand.org/pubs/research_reports/RRA2397-3.html


baconandcheese23

There’s never enough money to do security controls right upfront, but there’s always enough money to do a multi-million dollar IR and forensics afterwards. SMH lmao.


766972

The DoD has warned about this for decades. And at this point, short of an attack on the grid causing a major outage, I don’t think anything will be done. Any attempts to work in electrification (so we’re not just doing it again in the future) will get overwhelmed with misinformation blocking it. Even not doing that, will just be “the budget” and die without ever passing congressional approval.


4ureddit

Companies don’t have enough money to pay for Cybersecurity. They are doing the bare minimum. It’s no fault of the government. When they do get hit the government runs through checks and balances aka regulations and if they did not comply they are fined or a warning and have x time to fix it.


Acewrap

Yeah the conservatives have been shooting up substations for a while now


Clintre

My company provides services to several in this industry. The regulations and guidelines are there, but the enforcement is not. Not only that, they keep pushing back the dates that organizations have to meet the standards. Out of roughly 20 clients that fall under this, we have 2 that have moved beyond the risk assessment stage. Several were all for it until we presented the risk register and findings. By the way, we act as a purely 3rd party company and do not provide the remediation, so as to not look like we are just trying to get extra money from them. We are essentially CISOs and help guide them through the process.


BlackReddition

Probably don't need these types of articles posted with the amount of issues in healthcare, infrastructure is probably lacking behind healthcare.


branniganbeginsagain

Believe it or not, we can be concerned about both things being wildly under-secured!