Thanks for the reply, Sam. Yeah, I agree developers are mostly getting better, but still… Sometimes I don’t know whether to laugh or cry.
Much of that security was designed when you had to have physical access in order to do anything, and preventing physical access is something that is more tangible.
The WWW came about 25 years ago.
What’s happened since then is that networks (such as our power network) have gotten more sophisticated.
Control can be more sophisticated but the remote switches for the power distribution may be pre-internet.
IIRC, a lot of the power system still uses controllers designed for serial communication. In the Ukrainian hack, the interface boxes between the internet and serial interfaces on the circuit breakers had their firmware hacked.
Remote control was not possible and each breaker had to be manually controlled - meaning someone had to go to each breaker to flip it.
The US system is the same.