Firewall Wizards mailing list archives

Re: SCADA


From: jseymour () linxnet com (Jim Seymour)
Date: Tue, 14 Apr 2009 15:05:07 -0400 (EDT)


"Bertolett, Richard" <Richard.Bertolett () ci austin tx us> wrote:

[snip]

> Security, particularly cyber-security, is best implemented in layers.

I think of it more as "defense in depth."

> So yes, you do need an anti-virus system, and yes, you do need to apply
> MS security patches,
[snip]

Eh.  My personal experience, over the years, is that AV software is
relatively worthless as a preventive tool.  As for MS' security
patches: If you have the machines in question isolated from hostile
networks, most of them aren't strictly necessary, IMO.  Not that these
are a bad thing, mind you.  In any event: I suspect there's been a
misunderstanding...

> ... it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.

I think there may've been some confusion induced by the way Mr. Loe
phrased things.  (Correct me if I'm wrong, Brian.)  I *believe* their
SCADA network is firewalled from the business network; the business
network is firewalled from the Internet; and there are some *few*
connections, of very specific types, allowed between specific machines
on the SCADA network and specific machines on the business network.

I *believe* what some people want is to allow the machines on the SCADA
network access to the 'net, and to allow incoming (allegedly secure)
connections from the 'net into the SCADA network.

Hmph.

I don't believe convenience should *ever* trump security.  I believe
that when convenience is allowed to trump security, you get what we
have today: Wide-spread compromising of networks.

[remainder snipped]

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.