I figured that I would chime in here, since I've worked on these types of systems, and in this type of environment for nearly 30 years.

It is common to see these types of alerts for all kinds of HMI software, PLC's, and DCS's. They all have security vulnerabilities discovered, just like any software-based systems do. In the electric utility environment in the US, these systems fall under NERC CIP regulations. There will be someone at the utility tasked with keeping track of these alerts and making sure that systems are patched. For really old systems, they will be planning upgrades.

These Industrial Controls Systems (ICS) will be firewalled from the business networks, which will again be firewalled from the Internet. It is common to have a data historian pushing data out of the secured ICS network onto a system on the business networks. This allows managers, engineers, and anyone else who needs the data for analysis and reporting to do so without having to be inside the plant. These days it is common to have a mechanical engineer working on something from across the country through these historian systems.

The firewalled connection pushing the data out of the network may just be a connection between two servers over a particular TCP port that must be initiated from inside the ICS network as an example of the simplest, and probably the most common example. It is more common these days for the data to be pushed to a DMZ server, which then passes it to the business system, making it even more secure. It is also common to use a data diode, where there is only a fiber optic transmitter on the inside and a receiver on the outside, so you can't even physically pass a signal into the ICS network.

I'm not an expert in these particular Schneider systems, but the alert seems to be for HMI software used in the control room to operate the equipment. These systems would be on the firewalled ICS network and not exposed to the business network, so it is unlikely that someone would be able to access them from the company's business network, much less the Internet.

Security of these ICS networks is taken pretty seriously, and the visibility and attention to security have increased greatly in the last ten years. It certainly isn't as far along as it could be, but the ominous picture of cooling towers, which most people equate to nuclear plants, although they are common in large coal units as well, makes this look much worse than it probably is. I can assure you that there are none of these Schneider systems connected to the Internet controlling a nuclear reactor anywhere.

I'm not trying to paint a rosy picture here, merely suggesting that in all probability there will be some engineers patching some firewalled HMI systems in the coming weeks, while they continue to beef up the security at their plants, and not a nuclear meltdown as some script kiddie exploits this hole in a nuclear control system sitting on the Internet with this hole in it.

Indeed it was. I'll correct the correction. Thanks for the catch.

My father pointed out to me that the nuclear carriers can be a great help after humanitarian disasters as they can desalinate large quantities of water. I found an article about the Carl Vincent that says that it can desalinate 400,000 gallons of water a day. We stationed it off the coast of Haiti after the earthquakes there.

http://content.time.com/time/s...

Wow, imagine a Beowolf Cluster of these!

I have to agree. You can't build a system that isn't ever going to be hacked. You can build a system using the best available practices that is very difficult to hack and put the most effective system possible in place to detect hacking attempts as early as possible. To a large extent, it seems that they did a respectable job in both respects. I'm sure that they can make improvements and will learn lessons from this. They are a well capitalized company and it is absolutely vital that they maintain credibility in this respect. The value of their service diminishes greatly if it is not secure. They simply can't be seen as ineffective in this matter.

I am especially impressed that they obviously had an effective plan together to quickly update client applications in the event that something like this happened. They pushed out updates for IOS and Android very quickly. They even updated Penultimate which was only recently integrated into Evernote. It seems like they had their act together as far as that was concerned.

They obviously need to stay on top of this game. I'd like to see two factor authentication and better not encryption options. I have my concerns about using Evernote, but I am still a pretty heavy user with over 6000 notes. So far, the benefits outweigh the risks. From what I have learned about this incident so far, I don't think that my appraisal of the cost and benefit will tip the other way. I hope that it stays that way because we don't learn anything new about this incident that seems careless or irresponsible, and because they continue to develop the product and improve the security.

How things change in just over 15 years.

1992:

Buy Doom after getting to try 1/3 of the game first.

* Be able to play it via dialup modem or LAN for as long as you have the working equipment.
* Be able to sell the game after you're done with it and have that second user have the game be just as usable to them.
* Enjoy playing thousands of user-created maps and mods -- anything from a monster health editor to a porn graphic replacement mod.

2008:

Buy game X.

* Require internet permission to install it. Hopefully you haven't committed the mortal sin of installing it more than three times.
* Require internet permission every time you wish to run the game.
* Require CD checking despite the above.
* Unable to sell the game to people who want something more than a coaster.
* Multiplayer server for Game X goes down after year because Game X 2009 edition is now out. People who still want to play the original Game X via LAN/hosted internet games are SOL and anyone hacking together hosting capabilities likely receives notice from lawyers.
* Have some type of over-zealous security check built into the game mess with your computer, internet connection, or both.
* Deal with an over-moderated/sterile mod community.

The second thread you link almost reads like a Monty Python skit.

"You won't let me *not* play for free?! Well, in that case I'll cancel my *second* and *third* accounts dedicated to not playing! See how you like me not playing for free now! And my first account? Well, it'll not only 'not play' all that often, but pay to do so! In your face, CCP!"

I've had to pull a few strings to grab a hold of the expansion's source code. Luckily the download should be a small one.

GenerateExpansion()
    for (i = 1..200)
        GenerateSolarSystem()
    end for
end GenerateExpansion()

GenerateSolarSystem()
      GeneratePlanets(random(1..20))
      GenerateBases(random(1..3))
      GenerateAsteroidFields(random(1..5))
      GenerateSecurityLevel(random(0.0..1.0))
      Connect(this, universe)
end GenerateSolarSystem()

I kid, I kid...

>Of course McCain had a choice. One he was urged repeatedly by the media to take just after selection, many citing the previous example of George McGovern and Eagleton. Instead he stuck by here even through criticism from his own party, never mind the media.

I was talking about supporting the daughter after it became a big story, not the VP pick (which I think you are talking about). Both McCain and Palin had to stand by the daughter.

>You are not serious, right?

I really am. I barely knew anything about the election, except for the race between Obama and Clinton, but the stories about Palin were just too much to ignore. And no, they weren't positive stories. It just seemed to me to be, as other commentators had named it, a "hail mary" choice.

>You don't think tens of millions in contributons the days after the announcement, and as great a viewership of the Republican convention speeches as Obama got to be an amazing achievement?

I'm actually more impressed by the $10 million raised by Obama after Palin's first speech. She only raised $1 million after the speech.