11

I have a (sensitive) background in security. In short, I believe that the infrastructures MUST NOT connect to the internet. If you connect to the internet, it is a matter of time before it is breached.

In recent news:

An unidentified hacker has accessed the computer systems for the water treatment facility in the city of Oldsmar, Florida, and has modified chemical levels to dangerous parameters.

Are there any specific important reasons to connect such important facilities to the internet?

schroeder
kelalaka
  • How would you propose monitoring the operation of these facilities? – schroeder Feb 09 '21 at 13:39
  • 2
    @schroeder Night shifts? – kelalaka Feb 09 '21 at 13:40
  • Globally? In every environment? Even in remote unmanned switching stations? Plus, if you use a human, it is a matter of time before it errors. – schroeder Feb 09 '21 at 13:41
  • I suppose that to monitor and administer a remote system, either you build your own private network (with huge costs), or you use the existing internet. Humans managing disconnected systems don't solve the problem of putting all the data together (unless they keep phoning each other, or fill out forms, or have automatic software that ends up using the internet anyway). – reed Feb 09 '21 at 13:44
  • 3
    Where is the boundary? Will you connect a nuclear facility to the internet or ICBMs facilities? What if next time a hacker makes more clever changes to the water system so that the indicators show no problem? – kelalaka Feb 09 '21 at 13:47
  • 2
    @reed I suppose the problem of collecting data can be solved by separating the monitoring systems from the systems that control the facility. The monitoring systems can be connected and the control systems disconnected. However, the hacker can still cause limited damage by making the monitor systems report everything as normal when it isn't. – nobody Feb 09 '21 at 14:00
  • I voted to close this as opinion based. While I appreciate that it's an interesting event to analyse from a security perspective, there's no real concrete answer to this question and the information is limited. There are innumerable reasons why an organisation might connect some piece of equipment to the internet for remote access or monitoring, and those decisions are very much down to the individual business case and human behaviour. I've seen everything from boats to air filters connected to the internet and every time the reason has been specific to individual needs. – Polynomial Feb 09 '21 at 14:45
  • It seems that a distinction is being drawn between 'infrastructures' and 'organizations', which is something I agree with. –  Feb 09 '21 at 15:25
  • @kelalaka "Will you connect a nuclear facility to the internet or ICBMs facilities?" - uh, yes? I think that you have an overly prejudiced view of "The Internet" that does not include basic risk management. – schroeder Feb 09 '21 at 15:49
  • @schroeder Everything should have risk management; then one can decide to be online or not. In my assessment, most of the facilities must be off-line. Think of the GRID: a successful attack can leave cities out of electricity for hours or days (I know many are managed via modem in the US). My assessment leans a bit more toward unconnected since I've worked in one of those in my early years. Yes, this can increase the cost, and I cannot calculate the risk of those infrastructures from here. Maybe I should ask: are the risk assessments right to be online? – kelalaka Feb 09 '21 at 16:31
  • 1
    @kelalaka An un-networked ICBM is useless once enemy missiles head your way... – dandavis Feb 09 '21 at 20:33
  • @dandavis [No, The United States Doesn't Have An Automatic "Dead Hand" Trigger For Its ICBMs](https://www.thedrive.com/the-war-zone/32114/no-the-united-states-doesnt-have-an-automatic-dead-hand-trigger-for-its-icbms) – kelalaka Feb 09 '21 at 20:37
  • @kelalaka no, I mean, how would missiles get launched if they are offline? Such time is crucial. Do they want to have to wait on some dudes in a jeep to drive out to the silo and launch it? – dandavis Feb 09 '21 at 20:40
  • @dandavis You can have various channels to reach them; however, none of them needs to be connected to the launch system. It seems it is only the radio if the operators are not active. I remember that the operators played dangerous games mentioned in 2900 magazine. I'm no expert of these sites, just have some knowledge of what I've read over the years that I saw. – kelalaka Feb 09 '21 at 20:43
  • @Polynomial "I voted to close this as opinion based." This is absolutely not opinion-based. The article I read explicitly stated that it was so a supervisor could monitor the system at night using TeamViewer. OP's question **does not ask** whether or not it was a **wise idea**. – RonJohn Feb 09 '21 at 22:28
  • @kelalaka how the heck can we assess the risk assessment? If that's what you are asking, then that's certainly opinion-based. – schroeder Feb 10 '21 at 00:08
  • @RonJohn the question, though, is not about this specific use case, but all facilities. – schroeder Feb 10 '21 at 00:08
  • @schroeder right. And there's a factual answer: convenience. – RonJohn Feb 10 '21 at 00:16
  • @schroeder did you say the human factor? [Breached water plant employees used the same TeamViewer password and no firewall](https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/?comments=1) – kelalaka Feb 12 '21 at 20:17

1 Answer

9

It is the common balance between ease of use and security. The most secure system I can imagine is a switched off system inside a physical safe in a secured room in a strong building, with armed guards around. But to access it, you have to physically enter the building, go to the secure room, tell the guards why you are there, open the safe, switch the system on, do the job, and then revert everything, meaning switch off, put in safe, lock the safe, quit the room and the building. Phew...

Hiring human beings is quite expensive, so instead of having a bunch of employees each with a car and ready to go to the water treatment installations just to change some parameters, you just connect everything to the internet, and then a single employee can control a number of remote systems. Furthermore, a rather good part of system maintenance can be performed remotely by the system provider, with again a serious money gain.

So serious organizations do an analysis of security risks, with the chance of occurrence, the impact, and the cost required to eliminate or reduce each risk. From that point they can objectively decide to establish some actions to reduce some risks and accept others. Exactly like in real life scenarios, I have a lock on the main door at my home, to prevent casual bad guys from coming in, but I know that if an important organization decides to break in, I cannot prevent it: the cost of securing all the issues (including the roof) is not acceptable from my point of view. So I accept that risk, and contract with an insurance company to partially transfer it.

But I agree with you on one point: when it comes to the IT world, many people for both their private and work life fail at doing that security analysis, and leave sensitive information unprotected without even thinking of the possible impacts.

Serge Ballesta
  • 4
    You can do remote control with your own network that is separated from the internet. You don't need to connect them, at all, to achieve the same level of automation. The Internet is just cheaper than building a separate network. It's all about cost. – Polygnome Feb 09 '21 at 21:42
  • 1
    @Polygnome of course, but that wasn't part of OP's question. And even then, if you hack into a worker's home system, you can then start up the VPN, log into the plant and wreak havoc. – RonJohn Feb 09 '21 at 22:31
  • 1
    @RonJohn I was talking about physically separated networks. And yes, it *was*. They ask why water treatment plants are connected to the internet. The answer alludes to ease of use (centralization and automation). You can get both effects by having a completely separated network. The reason why such a network isn't built is cost. – Polygnome Feb 09 '21 at 22:33
  • @Polygnome "by having a completely separated network" which means having to run cables to the houses of every worker who needs remote access. – RonJohn Feb 09 '21 at 22:48
  • @RonJohn: One can mitigate many security risks by having VPN firewall bridges between secure trusted network segments and the Internet, which won't allow any machines on the network to connect to anything other than other secure segments of the same network. – supercat Feb 09 '21 at 23:23
  • @RonJohn Well, not exactly if you are operating from a central control room/office. In days of working from home, yes. But as I said, the factor is cost. It would be too expensive to maintain such a network. It's technically possible and it would be more secure, though. – Polygnome Feb 10 '21 at 08:27