The fact that so many are focusing on the water plant using Windows 7, which had nothing to do with how the attack was done, is interesting. Folks have an obsession with vulnerabilities and while they can matter a lot it is a fundamentally different value prop in ICS.
The attack took advantage of TeamViewer. In this instance the OS didn’t matter. The TeamViewer application was Internet facing and available. The attack took advantage of the HMI; that’s not a software vuln issue, they just did what operators could do on the system natively.
There’s a lot of “insecure by design” systems in ICS. Meaning most of the things you want to do you don’t need a vulnerability or exploit to do.

Also, a lot of IT security is system or data security: protect the system, don’t let folks get root, encrypt the data, etc. ICS is not.
ICS is often a system-of-systems security issue. Product security when you’re mainly a Windows shop adds a ton of value. Product security when you integrate multiple systems into a complex process with a focus on the physics can have value but not the same level.
Or said differently: what was the system of systems designed to do and what is allowed by the physics? The adversary is confined to that regardless of software vulnerabilities. But they also have all of that available to them, often without exploits.
In Ukraine 2015, as an example, folks were obsessed with BlackEnergy3. It was a good tool, but it was leveraged in the IT environment, not the ICS. The actual attack was just the adversary learning how to manipulate the distribution management system. No exploits or malware required.
That does not mean vulnerabilities are pointless though. Many are. Not all. E.g. a vulnerability that introduces new functionality, can get you access to the ICS (border systems like historians), or can cause loss of control or view - those can definitely matter.
It just means the value proposition of patch management is not the same in ICS as IT, it’s a good control but often not one of the top ones. In @DragosInc’s research we find that roughly 64% of the ICS vulns (2019 data) were not really useful at all nor worth your attention.
So while I appreciate that moving to Windows 10 over Windows 7 has a lot of benefits, it was irrelevant in this specific attack; further, it likely isn’t even a top 5 security control for what’s necessary to help that org out. Yet the focus on “zomg outdated systems” happens.
You can follow @RobertMLee.