> Unbelievable! This kind of victim-blaming has to stop.
Victim blaming is bad at the outset of a problem. It's certainly bad in its usual context of sexual assault of the "ideal victim" by the "ideal perpetrator" [1]. But this isn't a case of an ideal victim. It's more like going on a safari in the Darfur region of Sudan. Have you not read the news at all?
"Hack me once, shame on you - hack me twice, shame on me". When shipping conglomerates, energy facilities, and manufacturing plants across the globe continue to be victims of hacks, and continue to devote little effort or funds to security, it's no longer the fault of the hackers.
> None of the SCADA for nuclear power plants will be on Windows thankfully.
I think the problem is that the SCADA for nuclear power plants probably doesn't have the security you think it should. Download some Rockwell software, hook up to the Ethernet or set up a VPN on one of the office PCs, and enter "admin" and "password" and you'll probably be in at a lot of places. Perhaps, we can hope, not at a nuclear plant - but definitely for, say, an old coal plant, local government's municipal water, sewer, or traffic control, low-margin industrial manufacturing... the list goes on. The whole economy is cobbled together by networks that the engineers were pleased to just get to work in the few hours that their quote allocated for that task.
When the project is behind schedule and over budget, all that management cares about is the black-and-white, yes-or-no answer to the question "does it work?" There is no time or money for security. And when you take those shortcuts, you'll have no one to blame but yourself when you get hacked eventually.
Although curiously the most tightly constrained place I've worked was a Swiss bank (horrendous), even more than a UK government agency, my personal experience of working in such a plant is that there is a lot more diligence than your usual business workplace and that the office is very much separate from the station. You never need (and need is key) to copy files from without, for instance (no Windows behind the curtain). The budgets are much bigger and, due to being very process heavy, deadlines are theoretical minima only; certainly management are not as you describe. Generally staff were very highly educated, very security conscious and in absolutely no hurry.
I felt the comment was blaming in that they would serve as an example and that that would be okay as they were at fault somehow. We do not know the infrastructural constraints in terms of legacy software with regard to whether they can safely take patches and it is unrealistic to expect large organisations such as Maersk to be able to do so automatically in my view. Having some small inkling into the matter, I feel that people must be arguing from a point of ignorance to suggest otherwise. I have even seen these script kiddie fans cry 'patch your shit' as if it is okay to release malware to global scale companies and they are somehow absolved from blame. It certainly is not.
[1] https://en.wikipedia.org/wiki/Victim_blaming#Ideal_victim