Vulnerabilities in infrastructure software concern cybersecurity experts

de officiis
Posts: 2528
Joined: Wed Nov 30, 2016 11:09 am

Post by de officiis » Mon Jun 12, 2017 10:29 am

Vulnerabilities in infrastructure software concern cybersecurity experts
Vulnerabilities in software that automates everything from factories to traffic lights have become the nation's top cybersecurity threat, an agent on the FBI's Denver Cyber Task Force said Thursday in Colorado Springs.

Supervisory control and data acquisition software is used to control - sometimes remotely - many types of devices in the energy, transportation, manufacturing and other industries and often is connected to sensors, valves, pumps, motors and other types of equipment to ensure safe operation, detect problems and maintain quality. The systems can be vulnerable to cyber attacks because they sometimes aren't protected by sophisticated security systems since they aren't accessible to or used by members of the public and usually are located in areas away from the public.

Dan Leyman, special agent in the Denver Cyber Task Force, said the industrial control software is the biggest threat for the FBI because it is used to control much of the nation's critical infrastructure, ranging from dams and power grids to traffic control systems and waste water treatment plants. He made the comments during a panel discussion during a breakfast briefing at the Cheyenne Mountain Resort on cybersecurity by FedInsider.com, a Washington, D.C.-based website specializing in information and education about government management.
Seems like the more sophisticated we become, the more vulnerable we are. Why can't we seem to do a better job building things that are more secure?

Fife
Posts: 15157
Joined: Wed Nov 30, 2016 9:47 am

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by Fife » Mon Jun 12, 2017 10:40 am

The relation of the sophistication of the state to the fragility of its constructs is proportional.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by The Conservative » Mon Jun 12, 2017 10:49 am

The issue is this, simple networks are easier to defend because they have less to defend, the more complex it gets, unless you keep the K.I.S.S. mentality, will inherently be more complex and difficult to defend.

I am utilizing KISS in my case, because I am pushing our tech from four different components to one that can do the same as four, and do more than the four separate. It can defend from end user to firewall.

The technology that we are using today sucks, it is built off of a broken system to begin with, if you want to fix our internet infrastructure, you need to rebuild the internet from the ground up, and not make it so easily accessible by everyone like it is today. We would have to secure the network from branch to ISP and from ISP to share points, from share points to end user. This would be professional security, not this half-assed shit we have today.
#NotOneRedCent

SuburbanFarmer
Posts: 25086
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by SuburbanFarmer » Mon Jun 12, 2017 11:09 am

Re: the PLCs (the infrastructure that they're talking about), those things don't have security, and don't need it. They need to be separated from the wider internet completely, and run on internal, secured networks.

I'm guessing, however, that this is not the case. It's expensive to add security to anything, and the government loves going with the lowest-cost option available.
SJWs are a natural consequence of corporatism.

Formerly GrumpyCatFace

https://youtu.be/CYbT8-rSqo0

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by The Conservative » Mon Jun 12, 2017 11:37 am

GrumpyCatFace wrote: Re: the PLCs (the infrastructure that they're talking about), those things don't have security, and don't need it. They need to be separated from the wider internet completely, and run on internal, secured networks.

I'm guessing, however, that this is not the case. It's expensive to add security to anything, and the government loves going with the lowest-cost option available.
You could easily take the network and separate it from others, but the problem would be that you would need to hard secure them as well, and that's not a possibility with how things are designed today.

SuburbanFarmer
Posts: 25086
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by SuburbanFarmer » Mon Jun 12, 2017 11:39 am

The Conservative wrote:
GrumpyCatFace wrote: Re: the PLCs (the infrastructure that they're talking about), those things don't have security, and don't need it. They need to be separated from the wider internet completely, and run on internal, secured networks.

I'm guessing, however, that this is not the case. It's expensive to add security to anything, and the government loves going with the lowest-cost option available.
You could easily take the network and separate it from others, but the problem would be that you would need to hard secure them as well, and that's not a possibility with how things are designed today.
Define 'hard secure'... You mean adding security to every single device? No need. You'd have to add an operating system for that.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by The Conservative » Mon Jun 12, 2017 12:51 pm

GrumpyCatFace wrote:
The Conservative wrote:
GrumpyCatFace wrote: Re: the PLCs (the infrastructure that they're talking about), those things don't have security, and don't need it. They need to be separated from the wider internet completely, and run on internal, secured networks.

I'm guessing, however, that this is not the case. It's expensive to add security to anything, and the government loves going with the lowest-cost option available.
You could easily take the network and separate it from others, but the problem would be that you would need to hard secure them as well, and that's not a possibility with how things are designed today.
Define 'hard secure'... You mean adding security to every single device? No need. You'd have to add an operating system for that.
The OS is the least secure portion of the connection next to the end user.

That being said, hard security means everything is hard wired, no wireless, no open ports, nothing to allow vulnerabilities.

SuburbanFarmer
Posts: 25086
Joined: Wed Nov 30, 2016 6:50 am
Location: Ohio

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by SuburbanFarmer » Mon Jun 12, 2017 12:54 pm

The Conservative wrote:
GrumpyCatFace wrote:
The Conservative wrote:
You could easily take the network and separate it from others, but the problem would be that you would need to hard secure them as well, and that's not a possibility with how things are designed today.
Define 'hard secure'... You mean adding security to every single device? No need. You'd have to add an operating system for that.
The OS is the least secure portion of the connection next to the end user.

That being said, hard security means everything is hard wired, no wireless, no open ports, nothing to allow vulnerabilities.
Right, this would be an 'air-gapped' option - obviously secure, but ludicrously expensive, at any kind of scale.

Speaker to Animals
Posts: 38685
Joined: Wed Nov 30, 2016 5:59 pm

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by Speaker to Animals » Mon Jun 12, 2017 1:05 pm

BSG had the right idea.

I honestly think our future looks more like that because of the vulnerabilities.

The Conservative
Posts: 14719
Joined: Wed Nov 30, 2016 9:43 am

Re: Vulnerabilities in infrastructure software concern cybersecurity experts

Post by The Conservative » Mon Jun 12, 2017 1:25 pm

GrumpyCatFace wrote:
The Conservative wrote:
GrumpyCatFace wrote:
Define 'hard secure'... You mean adding security to every single device? No need. You'd have to add an operating system for that.
The OS is the least secure portion of the connection next to the end user.

That being said, hard security means everything is hard wired, no wireless, no open ports, nothing to allow vulnerabilities.
Right, this would be an 'air-gapped' option - obviously secure, but ludicrously expensive, at any kind of scale.
Actually not really, it's only expensive if you have to lay wires down multiple times for multiple services.