Tuesday 1 July 2014

Engineers Are The Worst

News is filtering out of a nasty piece of malware rather nicely called Energetic Bear, which has been deliberately and systematically infiltrated into western energy systems: fingers being pointed, ahem, eastwards.  Where the Bears live.  (Now there's a surprise.)
The powerful piece of malware allows its operators to monitor energy consumption in real time, or to cripple physical systems such as wind turbines, gas pipelines and power plants at will. The well-resourced organisation behind the cyber attack is believed to have compromised the computer systems of more than 1,000 organisations in 84 countries in a campaign spanning 18 months.  (FT: registration needed)
That would be very nasty indeed - and its impact greatly magnified if the so-called 'smart grid' ever becomes reality in the way its proponents fantasize.

I was once heavily involved in the software industry, and it seems to be a truism that the worst profession for gullibility and general slackness when it comes to admitting malware into systems is - engineers.  Bankers (who are under constant and very determined cyber-threat) and other businessmen appear to have enough native suspicion and skepticism to avoid more of the come-ons and tricks employed by the bad guys (a favourite one being a bit of simple profiling of key individuals, then sending them emails with carefully selected bait-links).  I've been involved with enterprise-scale software being sold to banks, trading-houses and utilities: and it certainly seemed to be the case. 

No doubt there are appalling cases involving bankers, too: but engineers are the worst.  Trusting, inclined to take directions, overly optimistic about systems and human nature - who knows?  

Any ideas ?

ND

28 comments:

Electro-Kevin said...

With engineers any bad decision shows up. Either a machine works or it doesn't.

In banking, law, government there is so much bollocks going on that no-one can tell the dropped bollocks from the bollocks.

No-one knows if the bollocks works or not because... it's all BOLLOCKS !

Sackerson said...

Yeah, what E-K said.

andrew said...

Four things:

- what ek said

- some of the stuff used in banks is so _old_ it probably isn't vulnerable to new malware - I saw Windows 95 in use at NatWest a couple of years ago. Some readers here might not have been born in '95.

- at work (sort of financial) they have started to use segregated Citrix VMs per client and user.
(i.e. internet and email on your laptop and to do other stuff you need to log in again to client x as user y) which brings some inbuilt defense against such attacks.

- online security seems a bit weird to many, but it is interesting to see the number of people who use Chromebooks.

Nick Drew said...

well Kev, not so much meaningless bollocks in banking if you can't get your cash out etc etc

I draw your attention to the (incredibly prompt) way Wall Street recovered from 9/11 - an unprecedented hostile externality which took out a major data centre - compared to the rolling blackouts of N.E. USA / Canada in 2003

Electro-Kevin said...

Nick - It would have been engineers working in banks that put that right. Not bankers.

Elby the Beserk said...

Operating systems should deal with malware. The software sitting on top should make no difference. Would that the GCMs had been designed by engineers - they might then come up with something useful rather than the garbage they do produce.

CityUnslicker said...

Sad to see scripts of 24 coming true; it was supposed to be thriller fantasy!

ivan said...

Engineers that let their control systems talk to the world should be taken out the back and the bodies left there.

That being said most of the potential problems are created by the managers that are not engineers and don't have any idea about how control systems operate. Like the idiot that insisted that the engineers gave the accounts department direct access to the main control interface 'to enable them to log events' and then wondered what happened when one of the account trainees fiddled and shut down half of the production facility. The engineers had argued against it saying what did happen would happen.

So Nick, it is not the actual engineers you should be looking at but the managers that order them to do things without listening to feedback.

The main thing is that none of the energy infrastructure should be directly connected to the internet anyway, no matter what head office says.

Blue Eyes said...

I find it quite sad that we seem to now fetishise making physical product and dismiss all other activity as being parasitic.

In Britain we have been able to take advantage of our "knowledge economy" better than almost everyone else, it would be a pity now to abandon it.

BrianSJ said...

Read this - Everything is Broken
https://medium.com/message/everything-is-broken-81e5f33a24e1

The more optimistic comments here are delusional I'm afraid.

Budgie said...

ND said: "... it seems to be a truism that the worst profession for gullibility and general slackness when it comes to admitting malware into systems is - engineers."

You just can't get the staff, can you?

Actually the "engineers" are at the bottom of the food chain - they get told what they can and cannot do by the managers. It's a joke, but with more than a grain of truth: engineering companies in Germany are run by engineers; engineering companies in the USA are run by lawyers; and in the UK run by accountants.

Blue Eyes said...

Sounds like the Natural Law party won in Germany. Their argument was that the health minister should be a doctor, education a teacher, etc.. Presumably the football industry should be managed by footballers, and so on.

Anonymous said...

"Trusting, inclined to take directions, overly optimistic about systems and human nature"

God forbid that an Engineer should read the brief and then deliver it.

[bites tongue] ...

Nick Drew said...

@ Budgie: engineering companies in Germany are run by engineers; engineering companies in the USA are run by lawyers; and in the UK run by accountants

well, from the FT .... "Energetic Bear is most actively in use in Spain and the US, followed by France, Italy and Germany"

but perhaps we simply don't have an engineering industry anymore ... (or still using Windows95)

Jer said...

Budgie - there used to be a lot of UK engineering companies run by engineers.

Once.

Anonymous said...

Can't see it on today's map here.

http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16253&view=map

Which one is it then?

Blue Eyes said...

All those engineering companies, did they disappear while the engineers were running them?

Sebastian Weetabix said...

You say engineers but really you mean software guys and programmers. Last time I looked my car worked, the bridge I cross daily didn't fall down and the electrical and gas systems at work, worked.

As a mere metal bashing chartered engineer I do get vexed when PPE graduates who know 3/16ths of fuck-all presume to opine on matters they do not understand. Especially when said people control budgets, set priorities and allocate resources, and don't take the advice of those who know better because they prefer to listen to flatterers, bullshitters and chancers. And then wonder why systems fail.

Anonymous said...

"and don't take the advice of those who know better because they prefer to listen to flatterers, bullshitters and chancers."

Worth repeating, that.

Nick Drew said...

You say engineers but really you mean software guys and programmers

no SW, I mean engineers: it is apparently qualified engineers the bad guys get most traction with when playing their games

Clearly you are right about the things they do very well: but (as a generalisation) they seem to be suckers for clicking on malicious links

Anonymous said...

"a nasty piece of malware rather nicely called Energetic Bear, which has been deliberately and systematically infiltrated "

Of course it would be handy to have something to blame when the mal investment of all those windmills and the closing of all that cf generating plant meet during the coming severe winter.

Yea, that's what it'll be, energetic bear. Nothing to do with the wankers running the government.

ivan said...

Nick, it shouldn't matter if they click on a link or not - the control systems SHOULD NOT have access to the internet. If, for some obscure reason, internet access is necessary then that access should be protected. The problems only happen when the bean counters and managers get involved and system protection is cut to the bone, or even non existent.

Sebastian Weetabix said...

Ivan is quite right. We are in this pickle because the public school/oxbridge land-owning chancers who run this country and give each other all the plum jobs are largely innumerate and do not understand technology. Which is why we have some of the shittiest bakelite and walnut infrastructure in the developed world, kept going by under-appreciated techies using the metaphorical equivalent of hairy twine and baling wire.

The powers that be witter on about a non-existent problem, viz: "global warming" - no, make that "climate change" - oops, no, "climate weirding" - while our energy systems slowly collapse, our sewers crumble and we revert to the pre-antibiotic age. Still, as long as Cameron and Osborne can play candy crush on their iPads and kid themselves Old Street tube is going to take over from Stanford University, why worry, eh?

Truly this country is run by cunts.

Kynon said...

Apart from the sweeping generalisation about engineers (which is BS, in my humble opinion, as I am one) - the problem is stupid people (unfortunately there are plenty of them to go round).

Most of the engineers I have worked with are the absolute opposite - they don't trust systems, they certainly don't trust people (either in nature or to do what they are supposed to do/follow operating instructions).

Connecting the DCS for any kind of plant, be it chemical, nuclear, power or whatever is stupid, however keeping it isolated from the internet is almost as bad, because what you will find is that (unless some suitably draconian security measures are put in place) some operator who is not necessarily the sharpest tool in the shed will come into work with a USB stick that has some video or music that he either wants to share with his colleagues, or to use to alleviate the boredom of his shift; he then plugs that into one of the computers in the control room...which is connected to the DCS. Whatever that stick is riddled with is then transmitted through the control system (as I understand it, this was the original Stuxnet attack vector), and given that isolated control system has probably never been patched (after all, why would it - it's not connected to the outside world), then hey presto, your plant is compromised (see Quinn Norton's writing on this also: https://medium.com/message/everything-is-broken-81e5f33a24e1 )

Based on my experience, I will 100% back everyone above who puts the majority of the blame for poor systems design/execution on knowledgeless management & bean-counting.

CityUnslicker said...

I feel I should stand up for chancers, not all of us are blessed with great intelligence, mathematical skills or linguistic coherence.

But still we must make a living in spite of our inadequacies. Who is to blame, the fool who gives bad advice or the knave who listens to it?

Sebastian Weetabix said...

I can't resist quoting that great psychoanalyst Dr. Heinz Kiosk.... "We are all to blame!"

The older I get the more in favour I am of a military coup led by me. I've got a little list, you know.

dearieme said...

But have you got enough machine guns, Seb?

Peter said...

It will be first and utmost the responsibility of the plant owner. If production loss is imminent then they will listen. Only 3 % will enter through USB stick, most of them come via office network and remote maintenance.
They infected the vendor's website, replaced software with injected malware that the engineer downloaded and installed.
Don't blame the engineer for crafting, blame the vendors for not incorporating secure architecture in their solutions...
The machines aren't the issue, it's idée fixe you can protect systems in a plant that runs for 29 years.
So look at some of the standards: ISA secure zoning, trusted computing, SANS 20 for ICS, and design a network which is durable. And without engineers the IT world is lost since the demands are different in process control environments and so is the security model.
Stop the blame game and work towards a solution and you find out that role based access and authorisation managing the rights and containment will bring you very very far.