Bad (Insecure) Business Decisions [Was: Re: [funsec] IPv6, C&C (not bot
nets, coffee and cats)]
Paul Ferguson
fergdawg at netzero.net
Fri Jun 29 22:02:45 CDT 2007
-- "Brian Loe" <knobdy at gmail.com> wrote:
>No, Fight Club was simply blowing up "all" of the credit companies.
>This is more along the lines of shutting down ALL water, natural gas,
>electric and financial systems. Funny that SCADA/DCS networks have
>been getting some airtime of late - the more they make connections to
>it the more likely something like this is possible and not just a
>Hollywood nightmare.
>
>There are utilities out there that if you got in you'd have water,
>power and a lot of street lights to play with...very bad.
>
True enough.
I've had a number of conversations with several people on this issue
in the past few months that go something along the lines of:
Me: "You'd be shocked if you knew the extent of the problem."
Them: "Huh? Aren't critical systems like electrical power, etc.
not connected to the Internet?"
Me: "You'd think they wouldn't be, but you'd be wrong."
Some astoundingly stupid business decisions may put critical
infrastructure at risk?
How, you ask?
Consider this simple scenario.
A regional electric company wants to remotely read residential
meters for electric consumption, but does not want to invest in
installing their own infrastructure (read: laying new fiber or
hybrid-fiber coax [HFC]) to do so, and makes a business decision
(everything boils down to dollars and cents) to use existing
infrastructure (read: Internet VPN-style connectivity) to accomplish
this feat.
Boggles the mind, eh? This exact scenario exists today.
- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/