If you’ve been a long-time reader of this blog you may recall seeing here before that around 1999 the US government left security of critical infrastructure up to the cash-flush market (e.g. market investors in infrastructure, mainly banks) to figure out.
It was like a “trickle-down” theory of big banks showering their littlest critical infrastructure projects with the kind of money needed to make things safe — at a market-designated level.
I have done critical infrastructure security audits as well as strategy consulting before and after this time, and what one might imagine on the outside is very different from what I found on the inside.
That is to say, I expect most people (even myself) to expect the inside management to be laser-focused on safety of service delivery, and willing to invest even a little extra to protect people from harm (capacity and disaster planning). Yet that hasn’t been my experience.
For example, on one engagement I had a bank ask if they should put their investments towards building adjacent bitcoin mining operations in power stations to shove “excess” power into assets they would sell off to an unregulated market.
On another engagement, as I was on my way to hack into the generation and distribution networks (they were weak), management stopped me and said “wait a minute, we care not much if those go down and people are without service, as that’s routine for us; instead please focus attacks on our trading systems and financial operations around billing and pricing” (they were weak too).
To be fair they were saying they could handle dangerous life-threatening accidents because that’s what they have been planning for all along… yet when I probed deeper it was more like they knew that those accidents wouldn’t have an effect on their P&L. Really.
Alas, from an economics standpoint it’s easy to say “poor” America doesn’t have the money in its utilities. Yet a wider macro view is probably that American investors with loads of cash to invest made it a conscious market decision since at least 2000 to not invest in service safety. They’re not cash strapped as much as they’re not regulated in a way that a whole history of relevant accidents would force a cash infusion into the areas we might expect.
Also sometimes I wonder things like why Microsoft’s billionaires even charged utilities to license software for water utilities in the first place… or why the utilities didn’t all shift to software that came without a license, avoiding built-in end-of-life (EOL) and support models wildly inconsistent with their operation plans.
Anyway, here’s the TL;DR on the most recent “news” in America that uses the headline of “cash strapped” Americans (who have been violating basically every basic principle of safe operations even as laid out by the US government for years):
- Remote control on all computers used by plant personnel
- All computers connected to the plant’s control system
- All computers also connected directly to the Internet
- Out-of-date OS (Win7 – EOL Jan 2020)
- All users share the same password
- No network protection (firewall)
And here’s a post I wrote about many of the prior warnings: “Was Stuxnet the First?”
And here’s a post I wrote (in 2011!) about this exact issue: “Chicken LittleStux is Falling”