For years, researchers have warned that the systems that run critical infrastructure have systemic and serious code-based vulnerabilities. Unfortunately, governments have tended to use such warnings as a platform to raise ‘cyber-warfare’ arguments. Many such arguments are thinly-disguised efforts to assert more substantive government surveillance and control over citizens’ rights and expressions of freedom. Few of these arguments genuinely address the concerns researchers raise.
In the face of governmental lacklustre efforts to secure infrastructure, researchers have disclosed critical vulnerabilities in many of the systems responsible for manufacturing facilities, water and waste management plants, oil and gas refineries and pipelines, and chemical production plants. What’s incredibly depressing is this:
The exploits take advantage of the fact that the Modicon Quantum PLC doesn’t require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC—essentially trusting any computer that can talk to the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating.
These kinds of ‘attacks’ or ‘exploits’ are possible because the most basic security precautions are not integrated into the logic controllers running such infrastructure. On the one hand this makes sense: many PLCs and the infrastructure they are embedded in were created and deployed prior to ‘the Internet’ being what it is today. On the other, however, one has to ask: if the money spent on security theatre at airports had been invested in hardening actual PLCs and other infrastructure, where would critical infrastructure security be today?