A U.S. newspaper recently printed an article, "Hacked: Energy industry controls provide an alluring target for cyberattacks", focusing on purported cybersecurity weaknesses across the energy sector. The article, unfortunately, combined old news, urban myth, generalizations, and an utter disregard for aggressive, national and international measures to defend critical infrastructure. Seldom does a better opportunity arise for Industrial Control System (ICS) and energy sector myth-busting. This response is intended to set the record straight.Myth one - the energy sector is the main target of all internet evilThe article stated that the energy sector is aware that bad people are trying to do bad things via cyberspace. \u201cThere are actors that are scanning for these vulnerable systems and taking advantage of\u00a0those weaknesses when they find them,\u201d said Marty Edwards, director of U.S. Homeland Security\u00a0Cyber Emergency Response Team for industrial systems.\u00a0While this is true, it is so incredibly broad and generalized that it could apply to anything connected to the internet and quite a few that are not - from the International Space Station to home baby monitors to stand-alone processors in universities. There have even been inflammatory reports that ISIS is attacking our electric grid! Nothing is unique to the energy sector, to ICS, or to supervisory control and data acquisition (SCADA) domains.Myth two - our stuff is OK, yours has a problemThe article continues by stating \u201cNowhere is the threat more consequential than in Houston and Southeast Texas...\u201dAgain, I will disagree. Cyber knows no boundaries. Malware code released in Obscuristan can instantaneously make its way to your home computer, pivot to your business system, then attack a third party. Cyber is not geographic, cyber is overarching. It has been said that all politics is local. In that case, all cyber is global. That\u2019s why the U.S. Government early on designated the energy sector a National Critical Infrastructure (NCI).Myth three - the weakness of the energy sectorAttempting to sensationalize the energy sector\u2019s vulnerabilities, the article provides that \u201cThe U.S. Department of Homeland Security, responsible for protecting the nation from cybercrime, received reports of more than 350 incidents at energy companies between 2011 and 2015. In most cases, a hacker infiltrated or tried to infiltrate the control systems of energy firms. During that period, the agency identified nearly 900 security vulnerabilities within U.S. energy companies, more than any other industry.\u201dLet's contrast that with a report from the cybersecurity firm Dragos, which in March 2017 concluded that about 3,000 industrial infections occur each year. Sounds scary until you read further. \u00a0The infections all were common, non-targeted malware. These included\u00a0W32.Ramnit\u00a0and\u00a0Conficker, discovered in an RW Bavaria nuclear power plant\u00a0during upgrades. The likely source was removable media; malware was also reportedly found on 18 removable data drives, mainly USB sticks. Hackers? Maybe. Poor personnel training and cyber hygiene? Absolutely.Myth four - we don't talk anymoreEnergy companies have a close, cybersecurity relationship with their Electric and Downstream Natural Gas Information Sharing and Analysis Centers (E-ISAC and DNG-ISAC) as well as the U.S. Department of Energy. The aforementioned \u201cnearly 900 security vulnerabilities\u201d were discovered by examination by experts from the U.S. Government ICS-Computer Emergency Response Team (CERT). \u00a0In each case the teams were specifically invited by the companies to examine corporate networks. The private sector has been working with DHS, the CERTs, the ISACs, and other partners to secure our energy for nearly two decades.Finally some truth\u201cThe vastness of oil and gas operations makes it difficult to secure. Thousands of interconnected sensors and automated controls that run oil and gas facilities remain rife with weak\u00a0spots. Much of this equipment was designed decades ago without security features. In recent years,\u00a0companies have linked devices that monitor pressure, control valves and initiate safety procedures to\u00a0computer networks and - sometimes inadvertently - the internet.This is truly a challenge the energy sector faces each day. Why not simply replace decades-old\u00a0equipment with modern, cyber-secure equipment? Let me answer that question with another. In 1969 we traveled to the moon. Can we do it today? The answer is no.Most ICS equipment was specially\u00a0designed for a single purpose or process. There are no duplicates. There are no factories to recreate the parts. Intended to last 30 years or more, ICS and SCADA components are generally replaced as they fail, not upgraded. Industry has failed the critical infrastructure sectors as well as home users by failing to develop security at the same time they develop software. What does that mean? Just because you\u00a0can\u00a0connect it to the internet doesn't mean you should connect it to the internet.The rise and fall of the internetIn the 1970s, 80s, and much of the 90s cybersecurity was not really an issue. The internet is based on the\u00a0government funded ARPANET created by the Department of Defense in the 1960s. ARPANET originally restricted connections to military sites and to universities, and thus security was not a consideration. Why?Because at one time in our country, people did good things. Lawlessness and treason were shunned and punished. Malware coders, violent protesters, graffiti vandals, and their likes were not idolized. Everything worked. Today we\u00a0live in a culture where Pointless, Persistent Jackassery (PPJ) is not only tolerated, but celebrated. But I digress....Let me leave you with a question while I work on part two of this article. Have you experienced an instance of an ICS infection here in the United States? Did it go boom, or did you stop it? If it went boom, what was the result? I'll be back soon to deflate the last few media myths floated in the recent press.