Thinking about getting gas. Then Ranting.

Bill said:
People don't know better? I'm the engineer over a small group of expensive electrical test equipment, and when I took over responsibility for that area I found operators on the internet surfing IE and getting personal email while running jobs. I stopped that right away, those machines are now on the internal network only with no connection to the outside world. Dumb.
Click to expand...

Yup. Its not difficult to put up basic measures that will keep 99% of the bad people out. You'll never stop the very committed 1%, so aim for the highest value/cost ratio that makes senses.

Locks on doors just keep the honest thieves out.
 
Cervieres said:
Hypocrisy is part of the foundation of both political parties. The degree of hypocrisy varies based on individual viewpoint.
Click to expand...

If that were true, then hypocrisy is not a discriminator.
 
I went to QuikTrip at lunch to get myself a Pibb. They had 87 octane E10 and diesel. They were pretty busy but there were no lines, so I guess the panic buying is over. My wife filled up this morning as she was below a quarter tank, she didn't have to wait in line.
 
Cervieres said:
Hypocrisy is part of the foundation of both political parties. The degree of hypocrisy varies based on individual viewpoint.
Click to expand...
Disagree. You either are or aren't hypocritical. Just like a woman is either pregnant or she's not.
 
Cap'n Jack said:
May I ask why they use the same computers for e-mail/web browsing and controlling mission-critical objects, such a pipeline valves?
Click to expand...

They may not be. Have seen both ways.

Attacking the network gear, central auth servers, all sorts of possibilities for other shared resources.

Should they be shared? Depends on cost to recover vs cost to have it all separate.

It’s literally a money question.

Lots of people sleep soundly every night making more than I do saving the company at 2 AM.

Most low level IT shops these days are about 1:100 ratio of IT staff to workers. It’s been unsustainable for decades.

Time to pay the piper.

And it was still cheaper than staffing properly for twenty years. The bean counters and the numbers are cold facts.

Haven’t met an executive yet who understands and wants to carry two laptops.
 
Seems like most stations around here have gas now. I just pulled in and filled up without issue.
 
Bill said:
People don't know better? I'm the engineer over a small group of expensive electrical test equipment, and when I took over responsibility for that area I found operators on the internet surfing IE and getting personal email while running jobs. I stopped that right away, those machines are now on the internal network only with no connection to the outside world. Dumb.
Click to expand...
Yes, it is dumb. But how about a separate network where they can do all of that? Just a separate WiFi network where they can use their own tablets or phones. No access to corporate resources such as shared storage, servers, or anything else. An awful lot of jobs are so short that you can't so something else that requires concentration, but long enough that it gets a little tedious to wait.
 
denverpilot said:
They may not be. Have seen both ways.

Attacking the network gear, central auth servers, all sorts of possibilities for other shared resources.

Should they be shared? Depends on cost to recover vs cost to have it all separate.

It’s literally a money question.

Lots of people sleep soundly every night making more than I do saving the company at 2 AM.

Most low level IT shops these days are about 1:100 ratio of IT staff to workers. It’s been unsustainable for decades.

Time to pay the piper.

And it was still cheaper than staffing properly for twenty years. The bean counters and the numbers are cold facts.

Haven’t met an executive yet who understands and wants to carry two laptops.
Click to expand...
See my post above. It needn't cost much to set up a separate network. Certainly less than $5 mil. As for attacking the network gear, that may be a different question- I think most of these ransomware attacks are from from phishing? That's why I suggested supplying the network, not the gear for personal use. If their iThing gets ransomwared, tough!
Corporate e-mail, training, etc. should be separate from the vital network and the "personal" network.
I haven't met an executive anywhere who needs access to the critical infrastructure, whether it is pipeline, lab instrument management system, drug manufacturing, or anything else, so they still only need a single laptop, so that isn't an obstacle. If they do need data, they'll ask for it from someone who actually knows the system and how to get the data.
 
Last edited:
Cap'n Jack said:
See my post above. It needn't cost much to set up a separate network. Certainly less than $5 mil. As for attacking the network gear, that may be a different question- I think most of these ransomware attacks are from from phishing? That's why I suggested supplying the network, not the gear for personal use. If their iThing gets ransomwared, tough!
Corporate e-mail, training, etc. should be separate from the vital network and the "personal" network.
I haven't met an executive anywhere who needs access to the critical infrastructure, whether it is pipeline, lab instrument management system, drug manufacturing, or anything else, so they still only need a single laptop, so that isn't an obstacle. If they do need data, they'll ask for it from someone who actually knows the system and how to get the data.
Click to expand...

You’re delusional. Seriously. Do the math.

With labor included, $5M is nothing in a network as geographically diverse as a pipeline. Peanuts.

Doubling that network including the people to maintain it forever in perpetuity is waaaaaay above $5M.

If it was truly redundant every valve would be duplicated by a second one with software made by a different company completely.

Replacing all the old SCADA gear with stuff that uses any sort of actual encrypted transit... and 2FA auth... even more money. Almost nobody has done that yet.

Even just a “decent” e-mail content scanner big enough to make a poor attempt at stopping phishing is an easy $150K a year in software licenses alone, let alone hardware to run it on. And it won’t work anyway. Let’s not even mention the multiple months of zero-days this year in both Outlook and Exchange. More were released... Tuesday. MSFT broke Outlook for hundreds of thousands on Wednesday before they revised it again.

That’s monthly now. Minimum. Other products weekly. Adobe is pushing 50 criticals so far this year alone.

Software is crap. Total crap. You can’t throw enough money at that problem unless you’re the OS makers.

Insider details on Colonial and hints now seem to be indicating it all came in from an off site machine on their VPN...

Same with the Florida water system thing. Just a slightly outdated copy of remote access software that gets monthly updates it’s so bad. It’s also cheap so guess why they used it?

Literally too expensive to do any more than lip service to any of this and meet whatever weak standards some agency drops on everyone in a sector.

It won’t be effective.

That said, it pays well to pretend, and will for the long foreseeable future. If a real bad actor wants your data or to take you offline, they will. Anyone who says otherwise is flat lying. Probably wants to sell you some “security” too. Ha.
 
denverpilot said:
You’re delusional. Seriously. Do the math.

With labor included, $5M is nothing in a network as geographically diverse as a pipeline. Peanuts.

Doubling that network including the people to maintain it forever in perpetuity is waaaaaay above $5M.

If it was truly redundant every valve would be duplicated by a second one with software made by a different company completely.

Replacing all the old SCADA gear with stuff that uses any sort of actual encrypted transit... and 2FA auth... even more money. Almost nobody has done that yet.

Even just a “decent” e-mail content scanner big enough to make a poor attempt at stopping phishing is an easy $150K a year in software licenses alone, let alone hardware to run it on. And it won’t work anyway. Let’s not even mention the multiple months of zero-days this year in both Outlook and Exchange. More were released... Tuesday. MSFT broke Outlook for hundreds of thousands on Wednesday before they revised it again.

That’s monthly now. Minimum. Other products weekly. Adobe is pushing 50 criticals so far this year alone.

Software is crap. Total crap. You can’t throw enough money at that problem unless you’re the OS makers.

Insider details on Colonial and hints now seem to be indicating it all came in from an off site machine on their VPN...

Same with the Florida water system thing. Just a slightly outdated copy of remote access software that gets monthly updates it’s so bad. It’s also cheap so guess why they used it?

Literally too expensive to do any more than lip service to any of this and meet whatever weak standards some agency drops on everyone in a sector.

It won’t be effective.

That said, it pays well to pretend, and will for the long foreseeable future. If a real bad actor wants your data or to take you offline, they will. Anyone who says otherwise is flat lying. Probably wants to sell you some “security” too. Ha.
Click to expand...
If you can call me "delusional", then I can call you "lazy". I'm very sure you didn't read my post, you certainly didn't understand it.
I didn't say they system needed redundant networks, valves, and the rest of it. Just have a network dedicated to that stuff. No software runs on those machines other than what is needed to run the pipeline (or other critical infrastructure). The only people with physical access are those who run it. The access is via dedicated computers. No e-mail, so the "e-mail content scanner" isn't needed. With little to no access, it becomes easier to maintain because there are fewer ways for it to break. All of the buggy MS office, Adobe Creative cloud, and the rest of that stuff runs on separate computers on a separate network. If that network goes down, the pipeline, water, electricity keep running because the critical network is separate. They can keep their old SCADA gear. If it is separate, it can't be ransomwared because someone clicked on an e-mail link. Most of these occur because someone clicked on a link, right? Keep the mission critical stuff physically separate and it is safe.

It's being done now. The contract research organizations that run the clinical trials have their lab equipment on a separate network form everything else, which get saved to a dedicated set of servers. They test the medicines, and they test the samples taken from patients (blood, urine, etc) for medicine and metabolites of those medicines There are "windows" into those machines for certain trusted systems to access the data for reports, but this access is very limited. The same for the labs that do the QC testing, all of the electronic notebooks are in their own network. All of the e-mail and the rest of it are totally separate.

As for the network for people to look at their own e-mail, pron, or whatever on their own tablets, well that need only be a local ISP like for your home with some wifi routers separate from the work network and servers. That can't cost much to maintain.
 
Here's your daily Autoblog public service announcement: Don't hoard gasoline, but if you do, absolutely do not let 20 gallons of it catch fire inside your 2004 Hummer H2. You might end up, as a Florida owner learned the hard way, with a very crispy Hummer.

2d169811cb797cfec1e58993363facc4
 
Cap'n Jack said:
If you can call me "delusional", then I can call you "lazy". I'm very sure you didn't read my post, you certainly didn't understand it.
I didn't say they system needed redundant networks, valves, and the rest of it. Just have a network dedicated to that stuff. No software runs on those machines other than what is needed to run the pipeline (or other critical infrastructure). The only people with physical access are those who run it. The access is via dedicated computers. No e-mail, so the "e-mail content scanner" isn't needed. With little to no access, it becomes easier to maintain because there are fewer ways for it to break. All of the buggy MS office, Adobe Creative cloud, and the rest of that stuff runs on separate computers on a separate network. If that network goes down, the pipeline, water, electricity keep running because the critical network is separate. They can keep their old SCADA gear. If it is separate, it can't be ransomwared because someone clicked on an e-mail link. Most of these occur because someone clicked on a link, right? Keep the mission critical stuff physically separate and it is safe.

It's being done now. The contract research organizations that run the clinical trials have their lab equipment on a separate network form everything else, which get saved to a dedicated set of servers. They test the medicines, and they test the samples taken from patients (blood, urine, etc) for medicine and metabolites of those medicines There are "windows" into those machines for certain trusted systems to access the data for reports, but this access is very limited. The same for the labs that do the QC testing, all of the electronic notebooks are in their own network. All of the e-mail and the rest of it are totally separate.

As for the network for people to look at their own e-mail, pron, or whatever on their own tablets, well that need only be a local ISP like for your home with some wifi routers separate from the work network and servers. That can't cost much to maintain.
Click to expand...

I read it fine. It wasn’t how their network got attacked. There’s fifty other ways in and generally nobody really authorizes doubling the labor and hardware budget for such things. There’s a few, maybe even your labs. Either they have much higher profit margins but more likely it’s some regulatory requirement. Multiple enormous medical companies have been hit this year also.

What I’m saying is it’s all about money. If they’ll sell just as much fuel a week later as they would have sold last week, they literally don’t care. There’s virtually no fiscal risk for them being down for a week.

Or, they can pay to do it right and pass along the price at the pump. Really that’s all it is.

Fiscal industry has been doing this fir decades. Way cheaper to write off fraud losses than follow their own standard.

Same with telecom. Nobody interested in the slightest in re-engineering to catch fraud calls. No money in it.

Most of it is theater. Not security. Splitting computers is great, just hire the staff to support all the extra buggy hardware and software. Nobody does unless staff is cheaper than the consequences.
 
denverpilot said:
That said, it pays well to pretend, and will for the long foreseeable future. If a real bad actor wants your data or to take you offline, they will. .
Click to expand...

along those lines, there is always the approach where you make your place more secure than some other easier target. Kind of like protecting your car from theft... most thieves go for the quicker/easier target. Of course, some hackers thrive on the challenge... so, yes, if someone really really really wants to break in, if they are sufficiently motivated they *will* get in. They just need to find the weak link.
 
denverpilot said:
I read it fine. It wasn’t how their network got attacked. There’s fifty other ways in and generally nobody really authorizes doubling the labor and hardware budget for such things. There’s a few, maybe even your labs. Either they have much higher profit margins but more likely it’s some regulatory requirement. Multiple enormous medical companies have been hit this year also.

What I’m saying is it’s all about money. If they’ll sell just as much fuel a week later as they would have sold last week, they literally don’t care. There’s virtually no fiscal risk for them being down for a week.

Or, they can pay to do it right and pass along the price at the pump. Really that’s all it is.

Fiscal industry has been doing this fir decades. Way cheaper to write off fraud losses than follow their own standard.

Same with telecom. Nobody interested in the slightest in re-engineering to catch fraud calls. No money in it.

Most of it is theater. Not security. Splitting computers is great, just hire the staff to support all the extra buggy hardware and software. Nobody does unless staff is cheaper than the consequences.
Click to expand...
How did their network get attacked?
It's not that expensive. A dedicated network for the mission critical stuff costs very little. The computers don't get updates, the instrument software rarely gets updated, because it works. It is secure, stable, and perhaps obsolete. But it works. It is very stable- IT rarely needs to do anything on the instrument & server side, because nothing changes. Updating the instrument software requires a new OQ, PQ, and IQ, never mind the IT support.
The enormous medical companies you mention almost certainly were hit in the "business" side, not the lab nor manufacturing. Because those are separate from everything else!
What I'm saying is that it isn't about the money. Keeping mission-critical stuff on it's own network is probably cheaper because it needs a lot less support, and that support is often from the people who wrote the software to run the pipeline, LIMS, and so forth.
EDIT: I still say you didn't read my posts. You keep all the buggy Micro$oft stuff off the mission critical machines and network. There is still only on set of buggy software. The mission-critical stuff is maintained by the people who assembled it, often the vendors. You are an IT pro, but you wouldn't know what to do with MassLynx, OpenLab, Chromeleon, or PeakTrak- too specialized for you. But the people who write that code would maintain it, and that's the only thin that might run on a given computer.
 
Last edited:
Bob Noel said:
along those lines, there is always the approach where you make your place more secure than some other easier target. Kind of like protecting your car from theft... most thieves go for the quicker/easier target. Of course, some hackers thrive on the challenge... so, yes, if someone really really really wants to break in, if they are sufficiently motivated they *will* get in. They just need to find the weak link.
Click to expand...

That only works for random attacks by live bodies.

If you’re the actual target someone is focused on, and/or the attack is automated, it’s completely useless.

Automation doesn’t sleep. Or decide it would rather go play with the tractor. Ha.

Vast majority are automated but then there’s stuff like the specific targeting of SolarWinds.

(SolarWinds was social engineering, then fully automated and once it got somewhere it looked around and knew where to stay quiet and where it was when it wanted things. The entire attack took almost two years to plan and execute.)

These nice sayings like “just make yourself a lesser target” are a decade out of date now. Groups of black hats know what they’re after now and plenty of funding to get it. Nation-state levels of funding.

Ransomware is mostly automated but once that starts not paying off, payments to janitors and USB sticks are cheap. LOL.

So many easy ways to take out anybody really... especially if all you want is destruction. Many do.

And then there’s the inconvenient truth that more than half (by far) of attacks are done by employees. Not outsiders.
 
Just when you think people can’t get any dumber...

0EE2F100-344D-4BC5-AE8D-B92404380F2F.jpeg
 
Cervieres said:
Hypocrisy is part of the foundation of both political parties. The degree of hypocrisy varies based on individual viewpoint.
Click to expand...
Exactly. Lots of sincere and decent people get into politics, but few of them rise to high positions — sincere and decent people might make it to committee chair, or rarely, a minor cabinet post, but no higher.

Like CEOs, political leaders need a fair amount of narcissism or flat-out sociopathy to get there because of all the betrayal and ruthlessness involved in rising to the top. Number 45 was, admittedly, an extreme case — even by political standards — but they all need a certain amount of those traits. They're usually just a lot less dim-witted, and better at hiding it and passing themselves off as normal.
 
luvflyin said:
Here's your daily Autoblog public service announcement: Don't hoard gasoline, but if you do, absolutely do not let 20 gallons of it catch fire inside your 2004 Hummer H2. You might end up, as a Florida owner learned the hard way, with a very crispy Hummer.

2d169811cb797cfec1e58993363facc4
Click to expand...
Good news is, the gas shortage doesn’t exist for this person anymore. ;)
 
And there it is. The pipeline thing was caused by a user connecting an unauthorized device to the VPN.

LOL LOL LOL.

Next news will be it was some exec who thought his personal MacBook was safe because Apple told him so... and felt entitled to break the rules because ...
 
denverpilot said:
And there it is. The pipeline thing was caused by a user connecting an unauthorized device to the VPN.
Click to expand...

ok, dumb question - how does an unauthorize device get connected? Isn't the device supposed to have a VPN certificate?
 
Bob Noel said:
ok, dumb question - how does an unauthorize device get connected? Isn't the device supposed to have a VPN certificate?
Click to expand...

Probably no certs, just username and password. Or even 2FA.

Tons of places do VPN that way. Users want “self service” and with a typical ratio of 1:100 IT staff per machine, and no safe ways to deliver the certificates to remote users... ahh lots of reasons.

“Do they even have an anti-virus loaded? One we can centrally manage? How will we meet the 3rd Party Software audit requirements or even know they patch their browser?”

“I just want people to be able to work from home, I don’t want it to become a three month project that’ll cost us $50,000 a year in licenses!”

LOL Hell most places still think BYOD is ok in the current security environment. It was an industry buzzword just a few years ago.

Let all users buy whatever hardware and software they want and connect it up... they’re such HAPPY employees that way! Haha.

“I bought myself the latest and greatest wizz bang 6000 computer/phone/tablet and by god I deserve to use it for work!
I’m not using that junk laptop we buy for employees!” LOL

Execs and sales guys. Always those two. And developers of the place is super cheap. Oh and Matketing, they always need the latest Macs.
 
My gas “hoarding” paid off.

We arrived in the Atlanta suburbs with about 1/8 tank of gas remaining. Poured one 5 gal can into the car and that got me home after dropping Karen off at ATL for her FL trip.

51179270901_374a44eda9_z.jpg


I may have been able to find gas before running out - I did get 51 EV miles from an overnight charge - but it was nice not having to worry.

And yes, I know, there’s some level of risk carrying gas like that. But I’ve done it before, and will likely do it again in the future.
 
@denverpilot mostly correct. But not just exec, sales and marketing. Plenty of tech folks (in this case, pipeline operatrors) want latest and greatest. And yeah, BYOD is still a problem - I refused for a bunch of reasons. Carried 2 phones and 2 laptops for quite a while.

But some of it is driven by stupid IT policies: in one major company I worked for, only people above a certain level could have a hotspot, even if an underling (the one doing the actual work) was the one on the road all the time. But underling was expected to check in and be on email, so that required using unprotected , uncontrolled, or public wifi. Bzzt. This was a place that required loaner/wiped laptops on international travel. The VPNs had both certificates and 2FA, but the laptops could still operate and access the Internet with the VPN turned off (needed to login to those public and hotel wifi systems before the VPN became activated. Yeah, they were locked down with centrally managed AV, but there was still exposure.
 
denverpilot said:
Probably no certs, just username and password. Or even 2FA.

Tons of places do VPN that way. Users want “self service” and with a typical ratio of 1:100 IT staff per machine, and no safe ways to deliver the certificates to remote users...
[didn't read the rest]
Click to expand...

YUCK!!!

I'm retired, but even I can figure out you don't rely on a screen door for security.
 
Bob Noel said:
YUCK!!!

I'm retired, but even I can figure out you don't rely on a screen door for security.
Click to expand...

There’s a lot who aren’t attempting any sort of security at all. They just want access to the stuff in the building’s servers when they’re out and “VPN” was what they heard was the cool thing.

And of course they split tunnel it so it’s just a direct conduit from malicious web malware to their internal network.

Wouldn’t want to pay for all that bandwidth you know. Heh.
 
FastEddieB said:
My gas “hoarding” paid off.

We arrived in the Atlanta suburbs with about 1/8 tank of gas remaining. Poured one 5 gal can into the car and that got me home after dropping Karen off at ATL for her FL trip.

51179270901_374a44eda9_z.jpg


I may have been able to find gas before running out - I did get 51 EV miles from an overnight charge - but it was nice not having to worry.

And yes, I know, there’s some level of risk carrying gas like that. But I’ve done it before, and will likely do it again in the future.
Click to expand...

Ya need one a them IF YOU CAN READ THIS bumper stickers. But instead of You’re Following To Close, it’s YOU GONNA DIE
 
denverpilot said:
There’s a lot who aren’t attempting any sort of security at all. They just want access to the stuff in the building’s servers when they’re out and “VPN” was what they heard was the cool thing.

And of course they split tunnel it so it’s just a direct conduit from malicious web malware to their internal network.

Wouldn’t want to pay for all that bandwidth you know. Heh.
Click to expand...

well, a system architect that doesn't segregate mission-critical systems is a blithering idiot that is too stupid to stay employed.
 
Bob Noel said:
well, a system architect that doesn't segregate mission-critical systems is a blithering idiot that is too stupid to stay employed.
Click to expand...

You’d be amazed how many aren’t. Garmin wasn’t. Whether on purpose or accident, they didn’t reveal.
 
I could say a lot on the tech side. We sell SCADA equipment for O&G and pipelines are a part of that business.

These systems used to be bullet proof, 1970’s technology using 1,200 baud radios with serial interfaces and dip switches.

That all changed in the last few years because the Feds and the higher ups at the oil companies wanted fancier interfaces, live streaming video and the ability to run drones over the pipelines instead of Cessna 182’s doing pipeline patrols.


You add all these fancy functions, and first off, it adds the number of people with access to critical infrastructure. Second, the software becomes buggy and slow, where you are forced to connect it to outside networks (cell phone data rather than the old point to point 900mhz 1,200 baud data streams)

The automation of valves has gotten to the point where it’s running off of algorithms that are easy to manipulate if you get into the software, where before it was a guy sending a simple command.

It’s the same at the railroads and at power grid companies. This kind of incident is only going to get worse and worse.
 
Bob Noel said:
well, a system architect that doesn't segregate mission-critical systems is a blithering idiot that is too stupid to stay employed.
Click to expand...
denverpilot said:
You’d be amazed how many aren’t. Garmin wasn’t. Whether on purpose or accident, they didn’t reveal.
Click to expand...
Sometimes the line between "mission critical" and not critical is blurry. In this case, it wasn't- the pipeline needs to keep running. The production line is critical. How about the web site that is used to take orders and customer inquiries? At some point, it needs to connect to the customer, inventory, and financial databases, and those are critical, but that web page/server faces outside where it is exposed to attack. @denverpilot knows how to make those connections from the web interface to do order entry properly. For all I know, the Garmin attack may have been through their web interface.
 
You must log in or register to reply here.
Back
Top