In other news today, MIT Technology Review posted a good article about spreading "Triton"/"Triss" malware, targeting industrial safety controllers:
https://www.technologyreview.com/s/6130 ... n-malware/. If you somehow hadn't heard of the Stuxnet or Russia hacking Ukraine electrical grid stories, they cover those briefly as well, but there are even better full stories elsewhere.
I am far from a luddite when it comes to interconnected industrial technology - some people like the term Industrial Internet of Things (IIoT), but I don't like that whole concept as much as I don't like normal IoT. I've had a hand in proliferating the industrial interconnectedness of data/controllers/etc. and it is clearly an unstoppable change in business because of the efficiency it can bring. Nonetheless, I am resistant to its over-application, and I think security must always be taken as a high priority, particularly in instances where it doesn't appear to be of great concern.
A lot of devices that we might invite into our houses and workplaces may seem convenient and productive, but do their manufacturers and/or implementers take security into account? Things like WiFi routers, PLCs, Nest, Alexa, and even things as sophisticated as cell phones and laptops each bring a lot of extra attack surface with them. Not every business is going to be able to afford in-depth security auditing for every project, or able to follow best-practice guidelines perfectly every time. Unfortunately, you have to be perfect all the time, or wrong once, to make the difference against a sophisticated attacker. The attack surface across many industries is already very large, and we have a lot of catching up to do before I'd start to feel "safe" with it.
I've added a generic "State-actor cyber attack" to my list of possible scenarios to prepare for. The extent of which could range from inconvenient to catastrophic depending on the specifics, but preparing for the zompocalypse is a good goal, as always.
