
Rise of "forever day" bugs in ICS threatens critical infrastructure - iProject
http://arstechnica.com/business/news/2012/04/rise-of-ics-forever-day-vulnerabiliities-threaten-critical-infrastructure.ars
======
kylemaxwell
At first I thought "what does Android 4.0 have to do with critical
infrastructure?"

Maybe I've been reading HN too much.

~~~
wmf
I've never heard that acronym either; I thought it was called SCADA.

~~~
raffi
The unwashed masses say SCADA. Those in the know say Industrial Control
Systems. At least that's what I'm told. I'm kind of the unwashed type myself.

~~~
elithrar
> The unwashed masses say SCADA. Those in the know say Industrial Control
> Systems. At least that's what I'm told. I'm kind of the unwashed type
> myself.

The terms are often interchanged, even if they shouldn't be. "SCADA"
(Supervisory Control And Data Acquisition) is your secondary control and
historian/logging system, and will often be in control of sending data across
comms links and monitoring events. An ICS (Industrial Control System) is your
front-line system in charge of controlling your valves, motors and equipment
directly.

The roles have become more blurred together, especially as we move towards
more general-purpose equipment and IP-based networks.

------
Retric
As long as these things don't have a wide adoption or a public facing IP
address I don't see the problem. I mean plenty of company's have an windows NT
box inside their network running some internal service that nobody want's to
pay to upgrade.

At some point it's ok to say if a bank robber is inside the vault with a crow
bar, then yea they have access to everyones safety deposit boxes. But, let's
just try and keep them out of that room.

~~~
sakai
The problem with that analogy (and ICS in general) is that indeed the bank
robber is outside the bank with a crow bar most of the time (harmless enough),
but the safety deposit boxes are poking through the back wall into the alley.

The archaic, closed nature of these systems (and their small user bases and
tremendously long refresh cycles) is precisely the source of their
vulnerabilities, not a fount of "security through obscurity."

------
aidenn0
This doesn't seem to surprising to me. A lot of these systems had ad-hoc build
systems such that probably nobody can build from source-code (and that's for
the shops that were actually using some form of source-control).

------
codereview
This is just one more reason why it's important not to skimp on developer
testing, including unit testing (of course they need to include these
scenarios in their test cases). Learn how to prevent these cases at
<http://j.mp/IdJI0j>

------
dedward
ok.. so we havethe facts. now who bearsresponsibility for damages? the company
using these flawed systems instead of upgrading or pressuring their
vendors..... ? at the scale of critical infrastru ture thatcomes down to
contractual terms. if the vilns and recommendations have been disclosed, and
thatswhat the contract required...... notsellers fwult in my book. fixes arent
free, and these decisions will bebased on either a risk analasys, or blind
ignorance, depending on who is involved. if products really. are eol and eos,
per contract, then fair enough... your license to use them probqblyexpires
anyway.

still, hardto paintthis in a good light..... smells bad.

------
nodata
ICS == "industrial control systems"

