Working with the EPA to Secure Exposed Water HMIs
3 comments
·June 7, 2025oasisbob
> This is all just a long-winded way of saying: you don’t just stumble across insecure critical infrastructure every day, and when you do, it’s usually just a one-off host with a misconfiguration, and not an issue that affects a large number of hosts. But if you do find yourself in a situation where there seems to be some widespread security issue in actual critical infrastructure, you should be encouraged to reevaluate and reassess because in all probability, it’s not what you think it is.
... or in this case, it is what you think it is.
This article could have benefited from some stern and constructive editing. In the age of AI, I find myself with very little patience for verbose and vapid writing.
aaron695
[dead]
In general the whole industrial and SCADA world is pretty endangered from my experience. They are ususually very conservative which often means the SCADA stations are stuck to very old OS Versions (often Windows or even DOS).
One reason is OPC DA, a legacy communication protocol based on DCOM. Another is that at least some of the operator stations are often also used as engineering station, so they have to support the controller engineering software for the often also ancient PLCs.
As long as nothing is connected or exposed to the internet that's fine but nowadays companies try use edge computing and machine learning and so on to optimize running costs. Also predictive maintenance etc. is used to automatically trigger service when e.g. vibration sensors show patterns that indicate damage (e.g. bearing damage).