Unbelievable! This kind of victim-blaming has to stop. Maersk were infected because they downloaded software updates! Their software provider got pwned and malware was delivered past their firewall. How is it their fault? How do they deserve to burn? I suppose it would be the plant's fault if some Stuxnet variant were to irradiate the eastern seaboard? You seem to have conveniently forgotten that it was the US government who created the means here. And what is Maersk's Total Cost Of Ownership(TM) looking like now? Perhaps the best strategy for them and all companies now is to trust only themselves and to only consider non-proprietary software in future. The idea that some aircraft carriers are running Microsoft is chilling enough. None of the SCADA for nuclear power plants will be on Windows thankfully.
My impression from OP wasn't victim blaming, but more of a ruthless "break a few eggs" in order to have enough of an impact for other critical businesses to take security more seriously.
I disagree. If best practices had been followed, the damage would have been minimal.
Even if the initial infection was caused by an infected software update, its spreading mechanism relies on misconfiguration or unpatched software.
> only consider non-proprietary software in future
I'm a big proponent of open source software, but how is this relevant here? Microsoft handled the initial disclosure perfectly and provided patches before the vulnerability was publicly disclosed. By the time this attack happened, the patches had been out for a few months.
I certainly hope that they recover from this, but it's not like that kind of attack is hard to prevent.
> Unbelievable! This kind of victim-blaming has to stop.
Victim blaming is bad at the outset of a problem. It's certainly bad in its usual context of sexual assault of the "ideal victim" by the "ideal perpetrator" [1]. But this isn't a case of an ideal victim. It's more like going on a safari in the Darfur region of Sudan. Have you not read the news at all?
"Hack me once, shame on you - hack me twice, shame on me". When shipping conglomerates, energy facilities, and manufacturing plants across the globe continue to be victims of hacks, and continue to devote little effort or funds to security, it's no longer the fault of the hackers.
> None of the SCADA for nuclear power plants will be on Windows thankfully.
I think the problem is that the SCADA for nuclear power plants probably doesn't have the security you think it should. Download some Rockwell software, hook up to the Ethernet or set up a VPN on one of the office PCs, and enter "admin" and "password" and you'll probably be in at a lot of places. Perhaps, we can hope, not at a nuclear plant - but definitely for, say, an old coal plant, local government's municipal water, sewer, or traffic control, low-margin industrial manufacturing... the list goes on. The whole economy is cobbled together by networks that the engineers were pleased to just get to work in the few hours that their quote allocated for that task.
When the project is behind schedule and over budget, all that management cares about is the black-and-white, yes-or-no answer to the question "does it work?" There is no time or money for security. And when you take those shortcuts, you'll have no one to blame but yourself when you get hacked eventually.
Although curiously the most tightly constrained place I've worked was a Swiss bank (horrendous), even more than a UK government agency, my personal experience of working in such a plant is that there is a lot more diligence than in your usual business workplace and that the office is very much separate from the station. You never need (and need is key) to copy files in from outside, for instance (no Windows behind the curtain). The budgets are much bigger and, due to being very process-heavy, deadlines are theoretical minima only; certainly management are not as you describe. Generally staff were very highly educated, very security conscious and in absolutely no hurry.
I felt the comment was blaming in that they would serve as an example and that that would be okay as they were at fault somehow. We do not know the infrastructural constraints in terms of legacy software with regard to whether they can safely take patches and it is unrealistic to expect large organisations such as Maersk to be able to do so automatically in my view. Having some small inkling into the matter, I feel that people must be arguing from a point of ignorance to suggest otherwise. I have even seen these script kiddie fans cry 'patch your shit' as if it is okay to release malware to global scale companies and they are somehow absolved from blame. It certainly is not.