Critical Infrastructure Security
Discussions focus on poor cybersecurity practices in sectors like healthcare, utilities, finance, and industrial operations, including unnecessary internet exposure of critical systems, lack of network isolation, and vulnerabilities from outdated IT setups.
Sample Comments
Well, not everyone, it was just, like, 10% of all Windows installs. But here's how things work from the perspective of a small-ish airport, healthcare, or finance operator (DMM is a D*mb*ss Middle Manager as employed by a regulator, WIP is the well-meaning IT person on said operator's end):
1. DMM: You're critical infrastructure! It's imperative that the Bad Guys don't take over your PCs!
2. WIP: Well, I'm pretty sure that our locked-down kiosks are pre
I do not think Windows is the problem here. The problem is equipment that is critical infrastructure being connected to the internet, imo. There is little reason for a lot of computers in some settings to be connected to the internet, except for convenience or negligence. If data transfer needs to be done, it can happen through another computer. Some systems should exist on a (more or less) isolated network at best. Too often we do not really understand the risk of a device being connected
Sounds like bad Infosec policies at work. I doubt they have VLANs, everything can likely access everything internally.
Totally. A lot of industrial/utility type places don't really have robust IT, and they treat computers like industrial equipment. So you may have a factory foreman or operating engineer who is responsible for equipment, who is 100% reliant on a vendor CE for implementing stuff. What ends up happening is that they'll bolt on some network connectivity for convenience or to take on some new process and not set it up appropriately, or not understand what it means to expose something
Underpaid IT/Infosec. People conflate IT and Infosec. Once it's on a Govt payroll for billing purposes, no one touches the system if it's on a network provider, and not internal. If not internal, it won't show up on audits; most IT departments deal with a Windows Domain/Network and that's mostly locked down, but if it doesn't share a true connection physically, it's exempted from most audits. The question is, why are the telecom providers allowing this, b
My thoughts exactly. Just use an IPsec VPN through to the monitoring centre if it must be monitored. No need to have listening ports on the Internet. It's not exactly network engineering black magic. I imagine what happened is that it was compromised by phishing on an unprotected host. In that case the control systems should be air-gapped from Joe Bloggs in accounting's PC.
Having worked at a power plant and a pumping station, I can believe it. Such places will be left open now and again. Mistakes happen. Anything from "ABB needs the telemetry but cannot visit the site in person due to covid, can you open the firewall on port 1337 when they call you". Sure. (And then forgets.) Some engineer left a dongle in a controller; during an emergency a laptop logs on to the network that is not properly secured, etc. What I don't believe is that OP never rep
I deploy these kinds of network security solutions to large enterprises as part of my job (typically healthcare customers, from a network MSP/MSSP VAR perspective these days), and as much as I like being paid to continually "fix" broken implicit systems, it's not the way to go and never should have been. Either you control the systems or you don't; if you don't fully control them, you're going to fail at reliably breaking into the conversations to a meaningful level an
One of my clients, a well known fixture in American finance, has been hacked by employees or contractors several times over the past 10 years. These cases have been public and supposedly cost millions (it's so hard to know how accurate the assessed damages in these cases are). Because they now fear employees and contractors more than external threats, it takes 30 tickets to different groups to set up a server. You can't chown a file in a directory you own without a ticket. You can use
You would have to lock such machines down such that they have no direct connection to the internet and no way to get data off of them via portable disk storage. In practice this is enough of an impediment to getting actual work done that it's unrealistic. You are basically asking companies to create SCIFs. For a defense contractor working in intelligence it is often the case that they work in SCIFs provided by the Government. But in healthcare it's probably unreasonable to