Firewall Wizards mailing list archives

Re: SCADA


From: Brian Loe <knobdy () gmail com>
Date: Sat, 18 Apr 2009 09:14:06 -0500

On Fri, Apr 17, 2009 at 5:37 PM, Chris Blask <chris () blask org> wrote:
> This is even more the reason that I will argue energetically for a Pragmatist's solution rather than a Purist's - I
> believe we can on average protect and save more lives by advancing the state of security on many SCADA networks than
> we can by perfecting security on a few.


Spoken like a true bean counter! :)


> I thought you had a SCADA network connected (albeit through a DMZ) to your corporate network, which I assume is
> connected to the Internet?  Best laid plans and all that - I assume you are aware of some of the really neat testing
> that has broken through some really well designed SCADA standoffs?  Even in the solution you describe, there is no
> guarantee that something really fascinating can't happen to prove Robert Burns correct (again -
> http://en.wikipedia.org/wiki/To_a_Mouse).


As I said later, I can't prevent all risks. While I might not install
a workstation on the SCADA network with a removable drive and with all
of the USB interfaces disabled, I can't provide a defense for an
operator violating my security policy, risking his job, and physically
installing a floppy drive he brought from home. I would, however, know
that there is some kind of problem because my monitoring system would
tell me so.


>> my current SCADA
>> network is required to feed a data logger. The implementation of that
>> logger, and the business' ability to pull data out of that logger, do
>> not lessen the SCADA network's security anymore than it absolutely has
>> to.

> "anymore than it absolutely has to."
>
> Sorry, you aren't a purist anymore. ;~)

I don't think that makes me less of a purist. That logger doesn't talk
to people and people aren't able to talk to it. The systems it talks
to are not allowed to carry on long conversations or use foreign
languages.

If Marcus is still a purist, I can be too. I doubt he spends his time
traveling around and cutting peoples' network connections with his
favorite pair of wire cutters!

There are folks in my company that WANT remote access to the process
network from their homes. I've proposed installing cameras, on the
admin network, in the control rooms and pointing them at the
controller's screens. :)
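The data-logger boundary described in this message (the logger does not talk to people, the SCADA side feeds it, and the feed may use neither "long conversations" nor "foreign languages") can be written down as a default-deny policy and checked against observed flows. The script below is an added illustration, not code from the thread or from any product the posters run; the host names, the single permitted protocol/port, the session limit and the sample flows are all constructed assumptions. Every flow that fails the policy is exactly the kind of event the poster's monitoring system would be expected to report.

```python
"""Added example: a default-deny model of a SCADA -> data-logger feed.

Three rules are implied by the message this follows:
  1. only the SCADA master may open a connection to the logger (one direction);
  2. only one protocol/port is permitted ("no foreign languages");
  3. sessions are short ("no long conversations").
Host names, the permitted protocol and the session limit are assumptions.
"""
from dataclasses import dataclass

SCADA_HOST = "scada-master"       # assumed name of the SCADA-side sender
LOGGER_HOST = "data-logger"       # assumed name of the logger/historian
ALLOWED_PROTO = ("tcp", 502)      # assumed: a single push protocol on one port
MAX_SESSION_SECONDS = 60          # assumed upper bound for one feed session


@dataclass(frozen=True)
class Flow:
    """One observed connection, as a firewall or flow collector would see it."""
    src: str       # host that initiated the connection
    dst: str       # host that accepted it
    proto: str     # transport protocol
    dport: int     # destination port
    seconds: int   # session duration


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Apply the three rules in order; return (allowed, reason)."""
    # Rule 1a: the logger never initiates toward the SCADA side.
    if flow.src == LOGGER_HOST and flow.dst == SCADA_HOST:
        return False, "logger may not initiate toward SCADA"
    # Rule 1b: nothing but the SCADA master may feed the logger.
    if not (flow.src == SCADA_HOST and flow.dst == LOGGER_HOST):
        return False, "only the SCADA master talks to the logger"
    # Rule 2: exactly one protocol/port is spoken across the boundary.
    if (flow.proto, flow.dport) != ALLOWED_PROTO:
        return False, f"foreign language {flow.proto}/{flow.dport}"
    # Rule 3: feed sessions are short.
    if flow.seconds > MAX_SESSION_SECONDS:
        return False, f"conversation too long ({flow.seconds}s)"
    return True, "permitted feed"


def audit(flows):
    """Evaluate every flow; returns a list of (flow, allowed, reason)."""
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample flows: one legitimate feed and four policy violations.
SAMPLE_FLOWS = [
    Flow("scada-master", "data-logger", "tcp", 502, 5),      # the intended feed
    Flow("data-logger", "scada-master", "tcp", 502, 5),      # wrong direction
    Flow("scada-master", "data-logger", "tcp", 22, 5),       # wrong protocol
    Flow("scada-master", "data-logger", "tcp", 502, 3600),   # too long
    Flow("eng-laptop", "data-logger", "tcp", 502, 5),        # unexpected peer
]


def denied(flows=SAMPLE_FLOWS):
    """Return (src, dst, reason) for every flow the policy rejects."""
    return [(f.src, f.dst, reason) for f, ok, reason in audit(flows) if not ok]


if __name__ == "__main__":
    for f, ok, reason in audit(SAMPLE_FLOWS):
        verdict = "ALLOW" if ok else "ALERT"
        print(f"{verdict:5} {f.src} -> {f.dst} {f.proto}/{f.dport} {f.seconds}s: {reason}")
```

The ordering of the checks matters: direction is tested before protocol so that a reversed connection on the "right" port is still reported as a direction violation, which is the more useful thing for an operator to see.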
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

