We're not showing lack of awareness... (Score 1)
It's not a case of lack of awareness, it's a case of mostly not giving a shit. We don't use most of the encryption features or hardening available between control systems on our site either, because quite frankly we don't expect to and we don't need to. Actually I was quite critical at the last Schneider conference where they were talking about the encryption they are adding, allowing you to connect multiple SCADA systems together directly via the internet. My comment to the presenter was "Why should I care at all about your encryption? Why should I trust you to do something outside your competency? We buy your gear because it's good at controlling equipment, we buy Juniper or other networking gear because they are good at networks. Your lack of encryption has never stopped me from connecting dispersed systems."
In all installations I have worked on we consider the network the device itself. If you touch the network then it's already game over, hardcoded passwords or not. Equipment is set up within private LANs, behind very strict firewalls. Physical access is prevented by means of lock and key, as well as privilege to even be in the same room as equipment. Where a connection is made over an outside network it is done only via an approved firewall / VPN method. We are aware of the security issues, we just work around them.
Now on the flip side this makes it incredibly hard to bring data onto or off the network, but physical security is one of the best defenses. And no, hardcoded passwords / encryption keys are not a good idea. But even if they didn't exist the industry has a lot to prove before I would trust any of them to create a secure system that I wouldn't lock down physically.
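The posture the comment describes, a control LAN treated as part of the device with a default-deny boundary that only an approved firewall / VPN path crosses, can be expressed as a small policy check. The block below is an added illustration, not code from the commenter or from any vendor; the subnets, the approved workstation address and the sample flows are constructed, and the three control-protocol ports are the well-known Modbus/TCP, DNP3 and EtherNet/IP ports.

```python
"""Default-deny policy check for an isolated control-system segment.

Added example (not from the original comment). It models a boundary where
the control LAN is reachable only from inside itself or from one approved
engineering workstation arriving through the VPN concentrator. All
addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the control LAN, the VPN concentrator's inside
# address pool, and the single workstation approved for remote access.
CONTROL_LAN = ipaddress.ip_network("10.200.0.0/24")
VPN_POOL = ipaddress.ip_network("10.250.0.0/24")
APPROVED_REMOTE = {ipaddress.ip_address("10.250.0.10")}

# Control protocols the PLCs on the segment expose (well-known ports).
CONTROL_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip"}


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the boundary firewall would see it."""
    src: str
    dst: str
    dport: int


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in CONTROL_LAN:
        return ("deny", "destination is outside the control LAN this policy covers")
    if flow.dport not in CONTROL_PORTS:
        return ("deny", f"port {flow.dport} is not an exposed control protocol")
    # HMI <-> PLC traffic that never leaves the segment is permitted.
    if src in CONTROL_LAN:
        return ("allow", "intra-segment control traffic")
    # Remote access only from the approved workstation, and only via the VPN pool.
    if src in VPN_POOL and src in APPROVED_REMOTE:
        return ("allow", f"approved VPN source to {CONTROL_PORTS[flow.dport]}")
    return ("deny", "source is neither on the control LAN nor an approved VPN peer")


def audit(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow; denied attempts are the lines worth alerting on."""
    results = [(f, *evaluate(f)) for f in flows]
    for flow, verdict, reason in results:
        if verdict == "deny":
            print(f"DENY {flow.src} -> {flow.dst}:{flow.dport} ({reason})")
    return results


# Constructed sample flows: one local HMI, one approved remote, and three
# attempts that the boundary must refuse.
SAMPLE_FLOWS = [
    Flow("10.200.0.5", "10.200.0.20", 502),     # HMI to PLC, inside the segment
    Flow("10.250.0.10", "10.200.0.20", 20000),  # approved workstation over VPN
    Flow("10.250.0.11", "10.200.0.20", 502),    # other VPN user, not approved
    Flow("192.168.1.40", "10.200.0.20", 44818), # corporate LAN host, no VPN
    Flow("10.250.0.10", "10.200.0.20", 22),     # approved host, non-control port
]

if __name__ == "__main__":
    audit(SAMPLE_FLOWS)
```

Running the module prints one DENY line for each of the last three flows; in a real deployment the same decisions live in the boundary firewall's rule set, and the value of the model is in checking that rule set against flows you expect to be refused.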