by santaragolabs 3289 days ago
So I've been in the position, a few years back, where I spent months doing comprehensive code reviews of these energy distribution management systems and what not more. It's all super scary legacy stuff and the code in general is horrendous (regardless of vendor). It's next to unmaintainable, it's next to un-upgradeable due to the risk of outages and there has been no oversight into it whatsoever.

All the comments regarding "who puts these things on the internet" are missing the point completely. It doesn't matter if this stuff is on the Internet or not. It only makes it somewhat easier to get access to these networks and start causing outages. However you've got thousands of miles of converter stations and transformers and power lines dotting the country. It's not that hard to go to the middle of nowhere and get access to the backend networks that carry, for example, the DNP3 traffic. Once you're on there you can carry out these types of attacks too.

The fact that an enemy can just use the Internet to penetrate the power companies' networks and pivot from there to their back end networks and actually touch equipment is the icing on the cake; it means they don't need to bother with recruiting and sending spies who can get physical access somehow.

1 comments

Agreed, and most people don't realize that this stuff almost "can't" be upgraded because the initial vendor back in the late 80's or early 90's specified a specific tech stack in the contract and any upgrading or even application of OS patches would legitimately violate any warranties and liabilities the original vendor has for their work. This is super time-critical physical process code commonly running on operating systems like Win95 or Win3.1 that were never intended to be real-time operating systems and whose behavior could change radically if a patch were installed.

The cost and complexity of designing and tuning the process control software, and the lack of the detailed design calculations involved in figuring out what it needed to be written to do 20 or 30 years ago makes replacing that old tech stack nearly equivalent to replacing the entire installation.

Big power plants, refineries, and chemical plants truly are the worst of all legacy nightmares.