by snksnk 3451 days ago
This saga started with "Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say".

Then we got "Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say"

In summary, (i) the U.S. electricity grid was not penetrated, (ii) the malware can be purchased online by anyone.

The WaPo seems to be more concerned lately with pursuing a certain agenda instead of quality journalism. Another example is a recent article in which they give credibility and rely on an organisation called PropOrNot; this article even became "one of the most widely circulated political news articles on social media". [1]

And organisations such as the WaPo are supposed to shield us from fake news and "fact-check" Trump.

[1] For a good discussion, see: https://theintercept.com/2016/11/26/washington-post-disgrace...


A utility worker's laptop suffering an intrusion is something that should be investigated earlier, rather than later.

I'd rather hear about false alarms, early and often, since I'm not convinced that critical infrastructure is actually insulated from attack at all.

Electricity and water infrastructure is almost certainly in terrible shape, based on what we've learned about lead in Flint, Michigan and what's remembered about the 2003 blackout, and Enron.

Knowing this, and hearing not very much about what's being done to modernize essential utilities, I'd hate to find out that a massive accident was caused by someone's idea of modernization being a PHP web app prone to SQL injection running inside a Docker image, as a Rube Goldberg facade wrapping a galaxy of SCADA controllers.

This is the kind of thing people should get noisy about, since there's been pretty much only silence and very little "disruption."

A laptop shouldn't be connected in any way to critical infrastructure like SCADA/EMS/DMS. Only trusted software runs there that is tightly controlled. At least that is the right design. I'm aware of no utilities that violate this.

Serious question: How can software arrive onto critical infrastructure?

For example, if it's possible to update the software on the infrastructure, there's going to be a delivery mechanism, right? One could imagine that coming from some process that is further up the chain until, eventually, you arrive at infrastructure that would be attached to the laptop.

For example, what if some build server got compromised (assuming that was the state of the art)? Some software backups, along with some phishing/false alarm to trigger a rollback?

Having rules like what you're saying is extremely helpful, but I imagine it's very likely for there to be a path between many devices to the infrastructure, even if it's several jumps away. The chain of trust is probably very long.
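As an added illustration of the chain-of-trust point raised in this comment (example code, not from any commenter, utility or vendor), here is a minimal Python deployment gate for an update bundle. The idea it demonstrates: the host that pushes software onto control-system equipment holds its own pinned manifest of reviewed artifact hashes, so a bundle altered on a compromised build server fails verification, and it refuses version rollbacks, so a bogus "roll back now" request cannot reintroduce old code. All file names, versions and contents below are constructed for the example.

```python
"""Added example: a minimal deployment gate for an update bundle.

The gate trusts only its own pinned manifest (a table of reviewed SHA-256
digests kept on the gate, not shipped with the bundle) and never installs a
version lower than the one already deployed. Every name and value here is
constructed for illustration; this is not any real utility's pipeline.
"""
import hashlib

# Constructed trust anchor: artifact name -> SHA-256 hex digest, pinned on the
# gate after review. A build-server compromise cannot rewrite this table.
PINNED_MANIFEST = {
    "rtu-firmware-2.1.bin": hashlib.sha256(b"firmware v2.1 (constructed)").hexdigest(),
    "hmi-config-2.1.json": hashlib.sha256(b'{"version": "2.1"}').hexdigest(),
}

# Highest version already installed; anything below this is a rollback.
INSTALLED_VERSION = (2, 1)


def parse_version(tag):
    """Turn a dotted tag such as '2.1' into a tuple for ordered comparison."""
    return tuple(int(part) for part in tag.split("."))


def verify_bundle(bundle, installed_version=INSTALLED_VERSION, manifest=PINNED_MANIFEST):
    """Check one bundle against the gate's trust anchor.

    bundle = {"version": "2.1", "files": {artifact_name: bytes}}
    Returns (ok, reason) so callers can log exactly why a bundle was refused.
    """
    # 1. Anti-rollback: refuse anything older than what is already deployed.
    if parse_version(bundle["version"]) < installed_version:
        return False, "rollback refused: %s < installed" % bundle["version"]

    # 2. Completeness: the reviewed release must arrive whole.
    missing = sorted(set(manifest) - set(bundle["files"]))
    if missing:
        return False, "missing artifact: %s" % missing[0]

    # 3. Integrity and allowlisting: every file must be listed and match.
    for name, data in bundle["files"].items():
        expected = manifest.get(name)
        if expected is None:
            return False, "unlisted artifact: %s" % name
        if hashlib.sha256(data).hexdigest() != expected:
            return False, "hash mismatch: %s" % name

    return True, "bundle accepted"


def sample_bundles():
    """Constructed bundles covering the accept path and three refusal paths."""
    good_files = {
        "rtu-firmware-2.1.bin": b"firmware v2.1 (constructed)",
        "hmi-config-2.1.json": b'{"version": "2.1"}',
    }
    tampered_files = dict(good_files)
    tampered_files["rtu-firmware-2.1.bin"] = b"firmware v2.1 (constructed) + extra code"
    extra_files = dict(good_files)
    extra_files["unreviewed-tool.bin"] = b"not in the manifest"
    return {
        "good": {"version": "2.1", "files": good_files},
        "tampered": {"version": "2.1", "files": tampered_files},
        "rollback": {"version": "2.0", "files": good_files},
        "extra": {"version": "2.1", "files": extra_files},
    }


if __name__ == "__main__":
    for label, bundle in sample_bundles().items():
        print(label, verify_bundle(bundle))
```

The gate's manifest is the trust anchor: it must be maintained by a process separate from the build server (review plus a controlled update of the table), otherwise the chain of trust collapses back to whatever the build server says.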

IIRC, uranium enrichment centrifuges in Iran were infected by Stuxnet because someone brought an infected USB stick, found in the parking lot, into the facility.

Social engineering is the best way to infiltrate the airgapped infrastructure.

I don't think you should be able to plug in a thumb drive to critical infrastructure. I don't disagree that this happened, but modern well designed systems shouldn't allow it.

I was under the impression that SHODAN could find you quite a lot of these.

"PHP web app prone to SQL injection running inside a docker image, as a rube goldberg facade wrapping a galaxy of SCADA controllers"

LOL - I'm sure you wouldn't find anything as modern as PHP or... is this confession? I 'might' be 'aware' of some really er.. nifty solutions at a reasonable rate... connected to some sort of critical RTUs?

Do you remember when security was not even for tinfoil hats and Y2K was gonna make us all rich, rich, rich? Aah!

This is the kind of journalism you get if your goal is to compete with Drudgereport.

Strange thought, the Drudge Report is mostly just links to news sites. WaPo should be competing with other news sites to get linked on Drudge Report.