(no title)

Lol is this basically a train SaaS solution? Whats wild to me is that SaaS products aren’t actually required to issue CVEs since customers aren’t the ones responsible for patching.

This may be the first time I had that "well, that's enough Internet today ..." reactions on HN from a cybersecurity/cyber-physical protection perspective, and not something gross on Reddit.

So, my hat off to you, Internet stranger.

> but there are a lot of disasters where the cables are fine

We are talking about war-like situations, and where one state actor has incentive to cause maximum harm to another. Exposing your infrastructure like this is unlike damage that can come from natural disaster. For example, disrupting the communications exactly before the attack. Similar issues (though through lower tech hacking) happened in 7th of October during the Hamas attack in Israel, where the over-reliance on advanced, complicated technology became a liability.

The stuff you describe make sense in normal, peaceful situations, where the cost of securing certain infrastructure can be higher than the cost of a power cut once. That has nothing to do with what the article really says, which is basically that infrastructure is currently not as secure from a potential hostile state attack. Also, in that case, a hostile state actor can combine attacks that together cause more damage than the sum of the attacks independently.

The back of my head is screaming "defense in depth! Redundant systems!"

The whole idea of the internet (and even some of our infra, like suburbs or highways/rail) is that there's no one single point of failure. Like designed-to-survive-nuclear-war redundant.

Definitely incorporate the most advanced tech you can for when things are going smoothly to get that efficency gain, but there's a reason all branches of the military (that I'm aware of) still train and test their aptitude using paper maps and trig instead of relying 100% on GPS and electronic devices.

> When the entire San Diego region lost power during rush hour for 4 hours in 2011, the cell phone system still worked. I was able to email documents to Tokyo from a car despite no traffic lights.

Around me, cell towers have 3-5 hours of battery when utility power is out. If your outage had gone on much longer, you would likely have seen cell towers start dropping out.

Of course, my area also has some other nasty SPoFs. A couple years ago, a telco cable was severed and DSL for everyone was out and at least some of the cell towers were live, but no service. A few weeks ago, the cableco had its wires severed, and cable tv and internet was offline, and so were some cell towers. IIRC, for the telco one t-mobile worked and verizon didn't, and for the cableco t-mobile didn't work and verizon did. Not sure about at&t.

> Change Healthcare has lost $872M since it was attacked in February.

The question is, what is the cost to secure? I've been in so many meetings where the cost of security is 10-15x the cost of a breach. It's horrifying.

I find it additionally odd that the author calls this era pre war. Ukraine is certainly at war right now with a very potent cyber state. Their infrastructure seems to hold up ok. It’s not perfect but definitely not doomsday like described in this article.

On the hospital system part, there are actual timelines and goals to harden their systems after seeing what happened to the HSE in 2021. The issue is some parts of the chain have been slow on the uptick.

That said, paper based redundancies do exist as a massive ransomware attack is similar in impact to a multiweek power outage.

> What if you live on the Gulf Coast, exposed to hurricanes? [...] Sure, but there are a lot of disasters where the cables are fine.

You have to understand that this article was written by an European technologist worrying about a war situation. Sure, you can make a counter-point, but your counter-example is very different in many aspects: nature of the threat, jurisdictions involved, orgs involved, etc.

TL;DR hybrid-cloud, multi-cloud, or at the very minimum multi-region is a really good idea.

Except the stated goal here is to replace these sensors with GPS.

Rails has clever systems for locating trains by detecting circuit shorted by trains' wheels, no need to replace that with GPS. Besides railroads passes valleys and tunnels, GPS won't work anyway.

The absolute last resort for trains is semaphores and mutexes based on physical tokens. Those concepts came from there, and were still used sometimes to this day. Doesn't sound high tech, but it works.