
Comment Not as scary as it sounds (Score 1) 41

I figured that I would chime in here, since I've worked on these types of systems, and in this type of environment for nearly 30 years.

It is common to see these types of alerts for all kinds of HMI software, PLCs, and DCSs. They all have security vulnerabilities discovered, just like any software-based systems do. In the electric utility environment in the US, these systems fall under NERC CIP regulations. There will be someone at the utility tasked with keeping track of these alerts and making sure that systems are patched. For really old systems, they will be planning upgrades.

These Industrial Controls Systems (ICS) will be firewalled from the business networks, which will again be firewalled from the Internet. It is common to have a data historian pushing data out of the secured ICS network onto a system on the business networks. This allows managers, engineers, and anyone else who needs the data for analysis and reporting to do so without having to be inside the plant. These days it is common to have a mechanical engineer working on something from across the country through these historian systems.

The simplest, and probably the most common, example of the firewalled connection pushing the data out of the network is just a connection between two servers over a particular TCP port that must be initiated from inside the ICS network. It is more common these days for the data to be pushed to a DMZ server, which then passes it to the business system, making it even more secure. It is also common to use a data diode, where there is only a fiber optic transmitter on the inside and a receiver on the outside, so you can't even physically pass a signal into the ICS network.

I'm not an expert in these particular Schneider systems, but the alert seems to be for HMI software used in the control room to operate the equipment. These systems would be on the firewalled ICS network and not exposed to the business network, so it is unlikely that someone would be able to access them from the company's business network, much less the Internet.

Security of these ICS networks is taken pretty seriously, and the visibility and attention to security have increased greatly in the last ten years. It certainly isn't as far along as it could be, but the ominous picture of cooling towers, which most people equate to nuclear plants, although they are common in large coal units as well, makes this look much worse than it probably is. I can assure you that there are none of these Schneider systems connected to the Internet controlling a nuclear reactor anywhere.

I'm not trying to paint a rosy picture here, merely suggesting that in all probability there will be some engineers patching some firewalled HMI systems in the coming weeks, while they continue to beef up the security at their plants, and not a nuclear meltdown as some script kiddie exploits this hole in a nuclear control system sitting on the Internet.
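The one-way historian egress pattern described in the comment above, as an added audit example (not code from the poster, Slashdot or Schneider): a Python check over constructed firewall-log lines that flags any connection initiated toward the ICS network and any ICS egress that is not the historian's TCP session to the DMZ relay on the agreed port. The addresses, the port and the log line format are assumptions made for the example.

```python
# Audit firewall-log lines against the one-way historian egress pattern:
# only a TCP session from the historian (inside ICS) to the DMZ relay on one
# port may cross the boundary, and nothing may be initiated toward ICS.
import ipaddress

ICS_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed ICS address range
HISTORIAN = ipaddress.ip_address("10.10.1.20")     # assumed historian, inside ICS
DMZ_RELAY = ipaddress.ip_address("192.168.50.10")  # assumed DMZ receiving server
HISTORIAN_PORT = 5450                              # assumed port for the push

def parse_flow(line):
    """Parse a constructed 'proto src:sport > dst:dport' log line."""
    proto, rest = line.split(maxsplit=1)
    src, dst = rest.split(" > ")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto.upper(), "src": ipaddress.ip_address(sip),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}

def classify(flow):
    """Return 'allow' or a violation label for one connection attempt."""
    src_in, dst_in = flow["src"] in ICS_NET, flow["dst"] in ICS_NET
    if not src_in and not dst_in:
        return "allow"                    # never touches the ICS network
    if dst_in:
        return "inbound-to-ics"           # nothing may be initiated toward ICS
    if (flow["proto"] == "TCP" and flow["src"] == HISTORIAN
            and flow["dst"] == DMZ_RELAY and flow["dport"] == HISTORIAN_PORT):
        return "allow"                    # the single permitted egress path
    return "unexpected-ics-egress"

def audit(lines):
    """Return [(line, verdict)] for every logged attempt that is not allowed."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if line:
            verdict = classify(parse_flow(line))
            if verdict != "allow":
                findings.append((line, verdict))
    return findings

# Constructed sample: 2 good pushes, 3 violations (inbound, other egress, UDP), then DMZ-to-business.
SAMPLE_LOG = """
tcp 10.10.1.20:49152 > 192.168.50.10:5450
tcp 10.10.1.20:49153 > 192.168.50.10:5450
tcp 172.16.4.8:51000 > 10.10.2.5:8080
tcp 10.10.2.5:40000 > 172.16.4.8:443
udp 10.10.1.20:5450 > 192.168.50.10:5450
tcp 192.168.50.10:33000 > 172.16.4.8:8443
"""
```

Running `audit(SAMPLE_LOG.splitlines())` returns the three violating lines with their labels; a data diode would make the inbound case physically impossible, so only the two egress labels remain relevant there.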

Comment Nuclear desalinization after disasters (Score 4, Interesting) 203

My father pointed out to me that the nuclear carriers can be a great help after humanitarian disasters as they can desalinate large quantities of water. I found an article about the Carl Vinson that says that it can desalinate 400,000 gallons of water a day. We stationed it off the coast of Haiti after the earthquakes there.

http://content.time.com/time/s...

Comment Re:Shocking... (Score 1) 104

I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibility in this respect. The value of their service diminishes greatly if it is not secure. They simply can't be seen as ineffective in this matter.

I am especially impressed that they obviously had an effective plan together to quickly update client applications in the event that something like this happened. They pushed out updates for iOS and Android very quickly. They even updated Penultimate, which was only recently integrated into Evernote. It seems like they had their act together as far as that was concerned.

They obviously need to stay on top of this game. I'd like to see two-factor authentication and better note encryption options. I have my concerns about using Evernote, but I am still a pretty heavy user with over 6000 notes. So far, the benefits outweigh the risks. From what I have learned about this incident so far, I don't think that my appraisal of the cost and benefit will tip the other way. I hope that it stays that way because we don't learn anything new about this incident that seems careless or irresponsible, and because they continue to develop the product and improve the security.

The Courts

RIAA Threatens Harvard Law Prof With Sanctions 333

NewYorkCountryLawyer writes "Unhappy with Harvard Law Professor Charles Nesson's motion to compel the deposition of the RIAA's head 'Enforcer', Matthew J. Oppenheim, in SONY BMG Music v. Tenenbaum, the RIAA threatened the good professor with sanctions (PDF) if he declined to withdraw his motion. Then the next day they filed papers opposing the motion, and indeed asked the Court to award monetary sanctions under Rule 37 of the Federal Rules of Civil Procedure."

Comment Re:Problems for Namesys? (Score 1) 459

I don't understand. If the guy who runs the company goes away, usually it's a fairly easy process (albeit long-winded and boring) to get a new general manager, CEO or whatever. Namesys isn't a public company, so they could name their Thanksgiving turkey the CEO.

It all depends on how the company is set up. For example, it could be an S Corp with Reiser as the only shareholder. In that case, he is the company. There is no "they" to do anything. He may be the only one who can write checks, file taxes, etc. As for the Thanksgiving turkey, I hope that you don't think that it is that easy to run even a small company.

Theoretically, the employees could form another company and carry on that way. Obviously not everyone has the aptitude and intestinal fortitude to pull that sort of thing off.

Is Hans really that important to ReiserFS? Isn't this the whole beauty of GPL code, that there are thousands of people out there who can pick his work up without even involving him, Namesys etc., and continue the 'legacy'?

I think that this is part of the fallacy of open source. In theory you are right, but something along these lines takes a highly qualified programmer focused on the task a long time to write and test. During that time the programmer needs food, shelter, clothing, utilities, insurance, transportation, computer equipment, etc. Start to work out the logistics for yourself. I'd love to work on it, but I can't figure out a way to pay all of my bills while I am doing it. I imagine that I am not alone. I don't have enough spare time to work on it. I imagine that it would take quite a bit of time and effort to even get up to speed. When you start looking at the details, you are really lucky if your theoretical thousands don't in fact turn out to be one or two.

I think that when you look at any open source project, you will find that there are maybe a small handful of people that are able to devote the time and effort to keep it going. Sometimes they get grants or sponsorships, and sometimes they just don't mind being flat broke all the time. There certainly aren't thousands making really meaningful contributions. There is a small handful without whom the whole thing falls apart.

User Journal

Journal Journal: Submit to /. 2

The button used to send posts to /. is titled "Submit". I find this to be an uncomfortable assertion of dominance by this website.

User Journal

Journal Journal: BJH is married to Tubgirl

BJH, while not admitting it, is clearly romantically involved with Tubgirl. The nature of this relationship is not at all clear to me yet, but I will meditate upon the issue for a time to get to the bottom of it.

User Journal

Journal Journal: Pennsylvania law requiring ISPs to block websites 3

There is currently a law in Pennsylvania which requires ISPs to block child pornography sites that are on or which can be accessed through the ISP's network. An ISP that receives a notice from the PA Attorney General and which does not block access to that IP or to that domain is subject to a $5,000 fine and/or a misdemeanor conviction for a first offense. Subsequent offenses can rise to the level of a felony.

User Journal

Journal Journal: Information on the Second Amendment

Regarding the recent discussion on /. about gun rights, there was an excellent website on the Second Amendment which contained all the significant cases as well as an exhaustive list of law review articles on the Second Amendment, both from pro and con gun rights perspectives. This is a matter of great personal interest to me, and I wanted to make the resource available to other /. readers.
