From the BBC:

The US government has told thousands of companies to beef up protection of computers which oversee power plants and other utilities.

The action comes after a survey revealed that thousands of these systems can be found online.

The survey was carried out via a publicly available search engine that pinpointed computers controlling critical infrastructure.

This comes as little surprise. I have used Shodan and found a lot of similar issues with externally exposed systems. I spent quite a few years in that sector and have learned that there is an inherent disconnect in how control system operators and security folks view these issues. They typically don’t play well together.

Control system operators are good at their jobs. They keep the lights on. However, on occasion they favor convenience in ways that can ultimately expose critical systems to the wilds of the Internet. Enter the security folks, who gleefully rub their hands together at all the missteps taken by engineering folks.

There are two ways this can play out. Security folks can help them better understand the security issues and work with them, as Bob and Jacob did, or they can point and laugh.

Sadly, too often the path taken leads to the schoolyard.