The Security Mentor

Mostly, the talk about terrorists blacking out whole regions from a computer is hot air. But there are some worrisome vulnerabilities and bits of cluelessness among the operators of equipment control systems.

"These are what you would consider, in the IT world, critical enterprise applications," [security firm CEO]Peterson said. "But the companies don't act like these are critical enterprise applications."

and

Consultants who have done penetration testing and security audits of real-time process control systems tell grim stories about the lack of security in the systems.

One major problem is that control systems are really hard to update. It's not like your home PC where you can get the latest fixes from Microsoft in a matter of minutes.

Another big problem is that the operators think they're secure because their control systems are so arcane that nobody will know what to do even after they break in. That attitude might have made a little sense long ago. In the age of Google, as soon as an operating manual touches the web anywhere, the whole world can find it.

The operators need to harden their systems, a slow and painful process, but the first and most imporant thing they need to do is to guarantee nobody can reach them from the Internet.