
Critical infrastructure still fails on basic access control
The recent “Energy Sector Incident Report – 29 December” by CERT Polska suggests that updating regularly, not reusing credentials, and using Multi-Factor Authentication are still too much to ask in some sectors.
Yes, we have to constantly manage access to things, spaces, services and even people. The forms of access control vary from physical keys or a receptionist to digital tokens, usually a long string of characters and numbers. Just as a physical lock can be picked, many digital systems have exploitable flaws too.
For important things we do have multiple layers of security. For digital assets that might be an up-to-date firewall, unique and random passwords for the systems behind it, and restrictions on who can even talk to the firewall in the first place. For physical things, your safe usually sits in a building or an apartment that already functions as the first layer of security.
If you can affect the operations of a combined heat and power plant supplying heat to half a million customers in the middle of the winter, what even more critical facilities can be attacked similarly and simultaneously?
If you are making it unnecessarily easy for the attackers to wreak havoc by negligence, imagine what somebody can do on purpose!