a reply to:
leolady
I obviously can't speak for everywhere, just my personal experience. Regarding the equipment utilized at various entities etc., I've seen that Allen-Bradley PLCs are probably the most common component found in any generating or transmitting location. Not saying that's the attack vector, but if I were a betting man that's where I would throw my money.
Supply chain security is just in its infancy right now, at least as far as OT/ICS is concerned. I've only seen it done right at a single company,
which I can't name due to NDA reasons. However it is one of the highest recommendations that I make when doing audits and assessments of OT/ICS
equipment, that and proper network segmentation.
All of this is FUD however until an actual attack occurs, which I only see in a total war scenario, because aside from causing discord and chaos what is the objective? At least as far as power generation/transmission and I would even say water treatment. You don't have the IP theft you find in manufacturing, you don't have the PHI of healthcare, PII you can pick up just about anywhere, and as far as ransom-style attacks you're better off hitting something less flashy than a utility. The most likely cause of any type of "attack" on grid control systems is going to be from misconfigured systems on an unrelated network segment, such as a business network system getting ransomware and it spreading to a control network, which is what happened with NotPetya and Maersk.
Link to really good story.
I will leave you with a sobering anecdote however. The very first time I stepped into a power plant, I showed up at the gate and was not asked my
name, just who I was there to see. I gave the name of the plant manager (easily found via social media etc.) and was directed to visitor parking. I'm
an average guy, average height, a little extra weight on me, jeans, boots, polo, hard hat in hand, safety glasses hanging from my shirt pocket and a
set of ear plugs. I park, walk to the admin building, walk inside and there is no one there. A reception desk is in front of me, a sign-in sheet, and a door to my left. I poke my head through the window to verify no one is in the office and still see no one. So I test the door to my left; it opens
easily. At that point I call my point of contact on site, because less than 40 feet from where I could have entered was the entrance to one of the
control rooms.
I know not all plants are the same, not all plants owned by one utility are the same, and to be fair that was a few years ago when I started OT/ICS
cyber work. Unfortunately when I left that particular field to get back into regular enterprise cyber last year, I was still running into similar
situations at other locations. It is better than it was, but there is still a very long way to go, and even then, an attacker is always one step
ahead.