My work in the utility industry was with an integrated gas/electric/water utility in the Midwest. I worked full time in research and analytics while attending law school. I came away from that experience very unimpressed with the IT sophistication of that organization - and it included nuclear generation assets. Unless something has changed in the last 20 years, they are sitting ducks.
When I first started working at the utility it was 1992 - and the first thing I asked for was a file layout for the main customer file (database). It took about a week, and then a large interoffice mail envelope (with the string fastener) arrived with a photocopy of a green-bar paper printout of the COBOL 01 level layout for the customer file. Up in one corner of the printout was the date 12/10/1977. I called the folks who sent it to me and said: “there must be a mistake - this is dated 1977, this can’t possibly be the correct, current master file layout.” The response was: “oh no, that’s it.”
I’m thinking something like that is still going on there, and that means we should be very afraid that some extremely skilled Russsian hackers have our infrastructure number.
Your example may be dated but it is still relevant because the mindset has not changed in a major way. Utilities still operate in a regulated environment and under resource constraints (who doesn’t?) but more than other industries I’ve seen, use those factors to justify cutting corners and increasing exposure to threats.
Here’s a more recent example - utilities use SCADA systems to monitor remote assets and the PC is the most cost-effective platform for running that software. While it is possible to create secure isolated sub-nets and enforce rigorous network security measures, it’s a lot easier to just run off-the-shelf stuff and rely on the same measures that get hacked every day. The literature is full of cases where this happens all the time, but fortunately no intrusions have yet been severe enough to raise real havoc. I for one don’t feel lucky.