I really like the point of this brief little article on a “cyber attack” against a power plant. The money quote highlighted from the Foreign Policy article, “A shooter could get 200 yards away with a .22 rifle and take the whole thing out…A metal sheet that would block the transformer from view…[is] a lot cheaper than billions the administration has spent in the past four years beefing up cyber security of critical infrastructure.”
A quick and dirty point can be made about waiting for the facts to come in before jumping to conclusions, but this tact is evident every time there is a terrorist or mass murder incident. This event brings to mind more important security concerns in light of how we protect vulnerable locations.
Often we make security more complicated than it needs to be. This is particularly true of cyber security. Many industrial controllers don’t even have passwords or are connected to the internet, yet we somehow are concerned with internet based attacks to critical infrastructure. Creating a modern viable OS platform for old and outdated industrial control facilities should probably be step one.
The idea that more protection could come from a sheet of metal rather than thousands spent on network security really hits home here. When the fear of attack threatens something very close to us, our basic power, we overreact.
There are simple measures than can be taken short of spending millions and giving life to thousands of vampire like internet security firms doing little more than making you incessantly change your password into random combinations of funny characters. Simple cyber hygiene is step one.
It’s also unclear what a dress rehearsal for a full scale attack would actually look like. Here the article quotes Mark Johnson saying, “My personal view is that this was a dress rehearsal.” Would not just running a dress rehearsal destroy the element of surprise? This is more of a tactic done by white hat security hackers trying to find vulnerabilities on a contract basis rather than a set of criminals planning their next heist. The world does work like Act 1 in Oceans 11.
This is a key point about cyber security, most seem to fear this domain suggesting it is our new number one threat, yet these weapons cannot be reused. Once used, everyone knows what exploit path was taken, how, and what steps need to be taken to cover up the security gap. There are simple and easy fixes once a plan is tried.
I look forward to a more rational debate about cyber security and vulnerabilities in our industrial control platforms, but if we depend on the news media and cyber security professionals to give us this debate, we continue to find that the discussion lacks real substance.