Firewall Wizards mailing list archives
Re: SCADA
From: Brian Loe <knobdy () gmail com>
Date: Sat, 18 Apr 2009 09:14:06 -0500
On Fri, Apr 17, 2009 at 5:37 PM, Chris Blask <chris () blask org> wrote:
> This is even more the reason that I will argue energetically for a Pragmatist's solution rather than a Purist's - I believe we can on average protect and save more lives by advancing the state of security on many SCADA networks than we can by perfecting security on a few.
Spoken like a true bean counter! :)
> I thought you had a SCADA network connected (albeit through a DMZ) to your corporate network, which I assume is connected to the Internet? Best laid plans and all that - I assume you are aware of some of the really neat testing that has broken through some really well designed SCADA standoffs? Even in the solution you describe, there is no guarantee that something really fascinating can't happen to prove Robert Burns correct (again - http://en.wikipedia.org/wiki/To_a_Mouse).
As I said later, I can't prevent all risks. While I might not install a workstation on the SCADA network with a removable drive and with all of the USB interfaces disabled, I can't provide a defense for an operator violating my security policy, risking his job, and physically installing a floppy drive he brought from home. I would, however, know that there is some kind of problem because my monitoring system would tell me so.
> > my current SCADA network is required to feed a data logger. The implementation of that logger, and the business' ability to pull data out of that logger, do not lessen the SCADA network's security anymore than it absolutely has to.
>
> "anymore than it absolutely has to." Sorry, you aren't a purist anymore. ;~)
I don't think that makes me less of a purist. That logger doesn't talk to people and people aren't able to talk to it. The systems it talks to are not allowed to carry on long conversations or use foreign languages. If Marcus is still a purist, I can be too. I doubt he spends his time traveling around and cutting people's network connections with his favorite pair of wire cutters!

There are folks in my company that WANT remote access to the process network from their homes. I've proposed installing cameras, on the admin network, in the control rooms and pointing them at the controller's screens. :)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards