by outofcuriosity 3903 days ago
Manufacturing environments are probably among the best use cases for "the Internet of Things" but also magnify the security concerns tenfold. Stuxnet was a similar attack on networked manufacturing infrastructure, and it proved that if you give a sensor/automation network control over manufacturing processes, you create a massive vulnerability in the supply chain itself.

If a Russian student owns my Nest and makes my home freezing cold in the winter, I reconfigure or replace the device and it's fine. If the automation system in a Siemens plant gets bricked, that's millions of dollars in damage before considering lost revenues.

The Risk Managers are gonna go wild for this one...

2 comments

One thing you should know about Stuxnet that I can talk about publicly (I used to work for Siemens) is that it was an attack vector on part of the SCADA RTU drivers that ran on a very old and unpatched version of Windows NT. People running a nuke plant on something that old (which is typical of Iran, considering how their politics have isolated them over the last 30 years) are kinda asking to get hacked like this.

Of course I'm not saying that this means the problem you're talking about isn't real: security is a real concern, especially with SCADA systems running energy plants. Just putting in some perspective.

hey nick do you have an email address? would love to talk with you about this

my email is confiscate@gmail.com

I think you are right about the use case being almost ideal for manufacturing, but I have a feeling the general best practice will remain to keep control systems air-gapped. It's the norm for many organizations (as policy, unfortunately not always as implementation), and is the recommendation of ICS-CERT, but there are still way too many jumping onto internet-connected controls due to cost savings, convenience or whatever else. Oftentimes the business arm wants data from control systems and is either too cheap or just can't be bothered to implement things like data-diodes and other one-way access that can provide feedback without exposing controls.

The increasing vulnerability isn't so much from networked automation -- PLCs have been networked for decades. The danger lies in dangerously jumping onto the IIoT ("Industrial Internet of Things") and exposing SCADA systems to the Internet, or thinking things like VPNs are secure. We are also seeing a much higher focus of state-actors in controls. Industrial hacking is seeing a big shift away from espionage and IP theft to gaining access/control of processes. It's scary how many PLCs are freely exposed to the internet and browsable through sites like Shodan. Even scarier is the number of infrastructure-critical control systems that have already been found to be compromised and phoning home just waiting for a command by some unknown entity.

edit: clarity