Over the last weekend, it emerged that two researchers, using a tool not more complicated then Google Search have found more than 500,000 SCADA devices which use little to no security, and are accessible from the Internet. This deserves repeating: over 500,000 from Internet-connected SCADA devices alone. This does not include the many millions of devices that are not direct-connected to the Internet.
The state is truly grim.
From those, it appears that Mark and friends at DHS, have contacted the ‘owners’ for the 7,200 systems judged the most risky or egregious in terms of potential impact to the country (US) . and are working with these owners to fix the situation or remove these systems from the Internet.
So the good news is that (finally) something is being done. I wonder if we can continue to be just step ahead of hackers and rely on luck, or should we have a more fundamental risk-based approach to SCADA security.