Guy in Shorts wrote: Been too busy protecting the Vermont power grid from Russian hackers to ski or respond the last few days. The laptop in question was hooked up to the corporate network at Burlington Electric, which like every company in the country is connected to the internet. The job of any IT dept is to monitor and clean off malware that finds its way in. The computer system used to control the power grid in the City of Burlington was not impacted. These systems we run are never connected to the internet and are run as a secure standalone system. I can't operate their breakers and the operator there can't operate mine. My bunker-like building is designed to protect me from any possible threat, physical or electronic. Like working behind 6 foot thick concrete walls, bulletproof glass and bomb blast doors. Each of the control rooms just like mine has its own secure protected system. Very difficult to hack into one system, but then you would need to hack into control rooms in other states to gain control of the power grid. Large blast electronic pulse or a nuclear bomb are the big game changers that are hard to defend against, but that job falls to the military and The Donald. There was not a real story here, only the Washington Post running with a story without fact checking.
If the laptop was never hooked to the net, how did it supposedly get infected?
Or was it NEVER actually infected?
Not disputing what you are saying, but then why do the government wonks make it seem like if you get into a single laptop, you could take down whole sections of the power grid?
They are obviously lying to us, yes? No?
He said the laptop was on the Corporate network and thus would have access to the internet.
Government wonks, in many cases, don't know what they're talking about. If you ever meet someone in the private sector they will tell you exactly that. From what I've heard, the gov't are not the cyber experts. This is why the DoD outsources a lot of its most technical work (think SIGINT and Snowden) to specialized consulting firms. Same reason why we learned yesterday the FBI relied on due diligence performed by CrowdStrike, rather than perform their own independent inquiry. It's funny how there are rules and regulations on SEC filings on the reliance of third parties around the highest-risk areas of financial statement attestation, but when we're talking about the election being compromised, FBI just relies on someone else without doing their own independent analysis to corroborate CrowdStrike's conclusions.
Anyway, an attack on industrial control systems / manufacturing facilities is highly sophisticated, but not impossible. Most companies in energy, chemical, etc. have strict policies and controls to prevent such attacks (e.g., ISO, NIST, etc.). Companies in these industries are not mom-and-pop companies with no controls ... think of how pharmas are regulated around the manufacturing of drugs or clinical trials ... energy/chemical are similar. Not sure GIS can confirm, but likely his team is required to meet or exceed many of these standards for their controls ... I'd guess they qualify as a Federal Information Systems and Organization given their role, but I might be wrong.
Siemens, Emerson, GE, etc. are all heavily involved in the control systems security space as manufacturers as well.