Is obsolete the new secure?
I recently read an article in Defense Systems Magazine that toyed with the idea of using what most would consider obsolete technology as a “security” measure. In this case they were specifically talking about the use of 8-inch (yes, you read that right) floppy disks that hold about 1 to 1.2 megabytes of data.
They make a convincing case for it as well. How many hackers can write a malicious program à la Stuxnet that fits in such a limited amount of storage, let alone have the equipment to write it to a disk?
In this same vein, there are advocates of using old “retired” operating systems as a means of security. Really think about this point: how many hackers are going to develop and use exploits for Windows NT 4.0 or Windows 95? What about long-unsupported Solaris OSes? The cost-to-benefit ratio or, in business terms, return on investment (ROI) is almost nil, since there are so few viable target systems.
Now, looking at things from a realistic perspective, companies by and large are not going to rely on aging and unsupported technologies for normal day-to-day business. Given that reality, they continually update to the latest and greatest version of whatever platform they are using.
Yet hiding in a dark corner somewhere, they might just have an old machine running some specialized system that they “forgot” about or are simply “afraid” to touch. This is often true of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. These are the systems that run everything from the robot that built your car, to the computer that controls a Computer Numerical Control (CNC) machine that makes parts, to the units that control the water and electrical systems for your utility companies. Companies really tend to hate updating these systems, regardless of how old they are, not only because of the cost involved but because the systems tend to control critical pieces of the company’s process or infrastructure.
There are really several big drawbacks to using obsolescence as a means of security. The first is that if there is a known vulnerability, there is no way to actually fix it. It is out there and can be exploited at any time. The second is the attrition of technical experts with skills in that outdated software. Right now, you can find plenty of IT folks with current skill-sets on Windows XP if you’re still using it after the XPocalypse a few months ago. Going a few more years back in time, try finding someone still in the industry with a current working knowledge of Windows NT 3.51, which was released nearly 20 years ago and stopped being supported more than a decade ago. The final issue is one of physical products: the hardware these obsolete systems run on. Finding compatible hardware for these old programs becomes harder and more expensive as time goes on. This also includes the physical media for repair and reinstallation if required. How well is that 8-inch floppy going to hold up over time?
While obsolescence might very well work as a method to secure systems, in the long run the deck is stacked against it as a viable long-term solution to an ever-persistent problem.