Firewall Wizards mailing list archives

Re: SCADA


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 16 Apr 2009 12:04:26 -0400 (EDT)

On Thu, 16 Apr 2009, Brian Loe wrote:

> On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul () compuwar net> wrote:
>
> > 1.  I'm not sure "no more" fits in the definition- for instance a system
> > that's designed to send company email can also send personal email- how
> > does that make the system less reliable?


> It probably - or probably should - violates the company's appropriate
> use policy. It may also induce a non-business reply, or forwards,
> which may introduce spam and viruses.

That doesn't necessarily affect its reliability, and I don't know that 
many places which don't allow some level of personal email these days.

> That's not exactly true. A system that does exactly what it
> is supposed to - no more, no less - is achievable. It's not

I'm not sure it's achievable.  General purpose systems are too flexible to
be completely locked down.  I can use my "Shift" key to play the Monty
Python theme, certainly not a design goal...

> You don't put general purpose systems on a SCADA network. They don't
> do email - nor do they have an email client installed. They are there
> to do one thing, run the SCADA application. Everything else has been
> removed or disabled.

Windows systems are general-purpose, PCs are general-purpose computing 
systems.  One of my customer's labs has lots of SCADA systems, most of 
them are Windows and some of them have email clients on them- because 
often the data has to come off the instrument and be used somewhere, 
another customer has process management systems that are Windows-based, 
and there's more on there than just the process programs for the 
production lines (though not much more- they're not a research environment 
like the first one- but the vendors don't always remove everything.)

Not every SCADA device is PLC-based, more's the pity.  Some folks have 
environments where the SCADA devices need to be able to talk to the 
business network to dump raw data into business-side systems that analyze 
and report on the data- and sometimes those folks don't look at security 
when they do their architecture because (a) the connection was a 
per-project thing that never got architected, (b) the only place with 
space was the regular network, or (c) nothing's ever happened.

I know someone who shut down a large hub for a major shipping vendor with 
NMAP a few years ago- because it was all inter-connected.  You're thinking 
best practice, and well there's a huge wall between current and best 
practice.

> One could argue that you don't put general purpose systems on the
> corporate network either. You put accounting systems in the accounting
> department and HR systems in the HR department.

Show me a computer that is only physically capable of running an 
accounting application.  Pretty-much every computer these days is a 
general-purpose computer running a general purpose OS.  Heck, the banks 
*require* Active-X enabled Web browsers for doing check deposits these 
days- accounting isn't what it used to be.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
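The practical disagreement in this message is whether "no more, no less" can be enforced on control-network hosts that are really general-purpose PCs, and Paul's examples (email clients on lab SCADA boxes, vendors leaving extras behind, an ad hoc link to the business network) are all things a baseline audit would surface. The script below is an added example, not code from either poster or from the list: it parses a constructed CSV inventory export, diffs each host against a per-role allowlist of software, listening ports and attached networks, and flags dual-homed hosts. The role names, baselines, host names and inventory format are all assumptions made for the illustration.

```python
import csv
import io
from dataclasses import dataclass

# Per-role baseline of what a control-network host is allowed to have.
# Constructed example values, not from the thread or any vendor: anything
# a host carries beyond its baseline is the "more" in "no more, no less".
ROLE_BASELINE = {
    "hmi": {
        "software": {"scada-hmi-runtime", "opc-ua-server"},
        "ports": {4840},
        "networks": {"control"},
    },
    "historian": {
        "software": {"historian-service", "sql-server"},
        "ports": {1433, 4840},
        # The historian is the sanctioned path for raw data to leave the
        # control network, so it may sit on the DMZ as well.
        "networks": {"control", "dmz"},
    },
}

# Network pairs that must never share a host: a box attached to both is the
# "all inter-connected" situation the message describes.
FORBIDDEN_NETWORK_PAIRS = [("control", "business")]


@dataclass(frozen=True)
class Host:
    name: str
    role: str
    software: frozenset
    ports: frozenset
    networks: frozenset


def parse_inventory(text):
    """Parse a CSV inventory export into Host records.

    Assumed (constructed) format: name,role,software,ports,networks with '|'
    separating multiple items inside a cell; empty cells are allowed.
    """
    hosts = []
    for row in csv.DictReader(io.StringIO(text)):
        hosts.append(Host(
            name=row["name"].strip(),
            role=row["role"].strip(),
            software=frozenset(s.strip() for s in row["software"].split("|") if s.strip()),
            ports=frozenset(int(p) for p in row["ports"].split("|") if p.strip()),
            networks=frozenset(n.strip() for n in row["networks"].split("|") if n.strip()),
        ))
    return hosts


def audit_host(host):
    """Return findings for one host: everything it has beyond its role baseline."""
    baseline = ROLE_BASELINE.get(host.role)
    if baseline is None:
        # A role nobody wrote a baseline for is itself a finding: there is
        # nothing to say what "no more" means for it.
        return [f"unknown role {host.role!r}; no baseline to compare against"]
    findings = []
    for item in sorted(host.software - baseline["software"]):
        findings.append(f"software outside baseline: {item}")
    for port in sorted(host.ports - baseline["ports"]):
        findings.append(f"listening port outside baseline: {port}")
    for net in sorted(host.networks - baseline["networks"]):
        findings.append(f"attached to network outside baseline: {net}")
    for a, b in FORBIDDEN_NETWORK_PAIRS:
        if a in host.networks and b in host.networks:
            findings.append(f"dual-homed between {a} and {b}")
    return findings


def audit(text):
    """Audit every host in an inventory export; returns {host name: [findings]}."""
    return {h.name: audit_host(h) for h in parse_inventory(text)}


# Constructed sample inventory: one clean HMI, one HMI with a mail client, RDP
# and a second interface on the business network, a clean historian, and a
# lab PC whose role has no baseline at all.
SAMPLE_INVENTORY = """\
name,role,software,ports,networks
hmi-01,hmi,scada-hmi-runtime|opc-ua-server,4840,control
hmi-02,hmi,scada-hmi-runtime|opc-ua-server|outlook,4840|3389,control|business
hist-01,historian,historian-service|sql-server,1433|4840,control|dmz
lab-pc-7,workstation,office-suite,,business
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

The point of keeping the baseline per role rather than per host is that it makes vendor leftovers and per-project network links visible as drift from a stated design, which is exactly what Paul says never happened in the environments he describes; feeding it a real inventory export would mean replacing the constructed CSV format with whatever the asset-management tool actually produces.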

