I can't help but feel there's a rush to judgement here. If you read the article it clearly states that the Federal Office for Information Security (BSI) said, quoting the article:
"describing the technical skills of the attacker as “very advanced.”"
And
"not only was there evidence of a strong knowledge of IT security but also extended know-how of the industrial control and production process."
And HN rushes to judgement to quickly blame workers who can't use a mouse and Microsoft.
Yes, the average worker in a manufacturing plant is not a CS grad. It is the job of engineers to develop systems that are usable by, well, the target user.
Most Heart Surgeons don't have a CS degree. And based on meeting a number of them during the course of my business I am comfortable saying that quite a few of them are "computer challenged". Yet, most of us would not have a problem being on that operating table, yes, with a room full of computers, a good number of them running MS software and with an OR team that is likely to use the same "123456" password on everything.
In a hospital you have IT and engineers who set up an infrastructure medical professionals can use. The same is true of steel plants. Yes, there's probably a lot more older code in your average steel plant. I just don't think characterizing them as IT or security morons might be fair.
The BSI characterized the attackers as sophisticated across disciplines. Let's not engage in senseless conjecture.
I've owned and operated a small manufacturing plant consisting mostly of what I call "big iron" CNC equipment. Things are seldom as simple as discussions on various fora on the 'net would like them to be. Yes, in my case I air-gapped the plant and even individual machines and remote monitoring was done through a separate network that had no command-and-control capabilities at all, just sensing and reporting. There was no way to jump from the sensing network to command-and-control of any one machine, much less the plant. Even if you were physically at the factory this was pretty much impossible. Nobody wants a CNC milling machine with a 30HP spindle controllable from the internet. People are not that stupid...even if they can't use a mouse.