what blithering idiots are directly connecting this kind of kit to a TCP/IP network accessible from outside (or any insecure location) in the first place?
The only real difference between an IES and a normal one in the office or home (other than it costs about €500+ more) is it is in a solid metal case (that normally fits on a DIN rail) with better earthing and isolation against electronmagnetic interference, strong voltage surges and a more robust power supply often a backup supply from 24V or 48-60V DC accu if the mains fails. This is because it is often put into an outdoor equipment enclosure or used in a warehouse environment with only basic heating.
The rest of it is not going to be any more or less secure than any other business-grade networking equipment.
I agree with the security researchers findings; but the harsh facts are that for the last 25 years folk have traded security, reliability and resilience of their technology for features, price and faster “time to market” on top of which the global decline in patriotism and secure employment (in either private and public sector) for young people in particular and the tendency to replace nationalised utility industries with a load of competing private companies makes things worse.
It is not the case the engineers at Siemens, Cisco etc do not want to fix the bugs in the equipment; but they are often only employed on short term contracts (they may not even be directly employed by the brands) and there is this constant rush caused by the “Internet culture” to “fix” a system by ripping out the lot and replacing it with a new one rather than solving simple problems. Of course you cannot do that with nuclear power stations or hydroelectric dams; it does beg the question why the control systems of things are connected via TCP/IP in the first place as there are tried, tested and working technologies such as RS485 which are better and more secure. Most likely because their control is outsourced to another random contractor which is a major security risk in itself.
