Pipelines run for thousands of miles and operate 24/7. What do you imagine? Keeping a fleet of helicopters on standby to pick up a technician at home, and drop him wherever the equipment is, in case something needs to be adjusted at night?
You could have an air-gapped system and still have remote access. Just not external access. I don't think it's unreasonable to have a couple of people in a control booth monitoring a computer that regulates the pipeline 24/7. The recommendation is, however, that we should not have that monitoring computer connected to any other network besides the internal one. If you're running pipeline, surely you can run some data cables with it?
Yes - and consider how many people have the resources needed to run Stuxnet versus ordinary ransomware. That seems like a pretty clear win if you can shrink the pool of likely attackers down to “top-tier nation-state”.
Stuxnet was built by a very well funded organization and was not targeting monetary gains. Getting ransomware spreading via USB drive is insanely expensive and complicated. You won't make money on it; whatever they are extorting will not cover development expenses.
There's an entire parallel internet for the DoD and its contractors. It's not like there isn't precedent that critical industries can emulate if they ever became concerned about the common good.
> You could have an air-gapped system and still have remote access
You're suggesting the gas company run their own network, and then you assume no employee will connect that network to the general internet for their own convenience? Not happening.
Is that the one when the CIA got wind of a Soviet industrial espionage operation, and seeded it with a legit-looking but subtly flawed schematic, which the Soviets ended up actually building to spec, and it exploded shortly after?
According to the story, this was some Canadian pipeline control equipment or software which the USSR purchased from some Canadians, but the CIA modified the software somehow before it was delivered. A supply-chain attack on a computer system.
I understand there's nonzero doubt as to the credibility of this story.
I'm currently reading The Dead Hand, and I think this matches what you're talking about:
> Rather than roll up the Line X officers and expel them, Reagan approved a secret plan to exploit the Farewell dossier for economic warfare against the Soviet Union. The plan was to secretly feed the Line X officers with technology rigged to self-destruct after a certain interval. The idea came from Weiss, who approached Casey, who took it to Reagan. The CIA worked with American industry to alter products to be slipped to the KGB, matching the KGB’s shopping list. “Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disturbed the output of chemical plants and a tractor factory,” Weiss said. “The Pentagon introduced misleading information pertinent to stealth aircraft, space defense, and tactical aircraft.”
> Oil and gas equipment was at the top of the Soviet wish list, and the Soviets needed sophisticated control systems to automate the valves, compressors and storage facilities for a huge new pipeline to Europe. When the pipeline technology could not be purchased in the United States, the KGB shopped it from a Canadian firm. However, tipped by Vetrov, the CIA rigged the software sold from Canada to go haywire after a while, to reset pump speeds and valve settings to create pressures far beyond those acceptable to the pipeline joints and welds. One day, the system exploded. “The result was the most monumental non-nuclear explosion and fire ever seen from space,” Reed recalled. The blast was starting to trigger worried looks in the U.S. government that day, he recalled, when, at the National Security Council, “Gus Weiss came down the hall to tell his fellow NSC staffers not to worry.” The explosion had been one of the first fruits of the Reagan confrontation.
It's funny how upset the US public can get about any perceived incursions by the Russians (sometimes true, often not) when you consider the country's own history.
There's a big difference between the capabilities of a criminal organization (like the one involved here) and that of a nation state. Such attacks are also responded to differently, and it's not going to be "send some Bitcoin to this address".
Couldn't the pipeline have its own network connected to a monitoring station? At the station employees could access the pipeline network but never connect it to the network from which they could communicate with the people who would be dispatched to make repairs or adjustments.
Sounds like a solved problem, but it isn't. The electrical grid isolates SCADA networks from the internet, so substations are interconnected via dedicated networks. But then at the command centers you have the entire monitoring and control systems with on-site operators. Then, inevitably, you will have some employees with VPN access, and now you have 2 vectors: remote admins getting hacked and local admins plugging in external devices. You'd think it's easy to get rid of VPNs, but things like the pandemic brought them all back to full force.
I remember they got past the Iranian air gap using a USB stick. It’s a mistake to think air gaps are safe but they are certainly better than having your network open to the internet.