Firewall Wizards mailing list archives

Re: SCADA


From: Brian Loe <knobdy () gmail com>
Date: Tue, 14 Apr 2009 17:01:24 -0500

On Tue, Apr 14, 2009 at 2:05 PM, Jim Seymour <jseymour () linxnet com> wrote:
and "Bertolett, Richard" <Richard.Bertolett () ci austin tx us> wrote:

<will reply to both inline>

> Eh.  My personal experience, over the years, is that AV software is
> relatively worthless as a preventive tool.  As for MS' security
> patches: If you have the machines in question isolated from hostile
> networks, most of them aren't strictly necessary, IMO.  Not that these
> are a bad thing, mind you.  In any event: I suspect there's been a
> misunderstanding...


To some degree there may have been a misunderstanding. I consider MS
updates to SCADA side machines utterly worthless. For one, they're
likely to break whatever crap control software is installed on those
machines (because they're running on Windows 95 or NT 4). Second,
they're not talking to anything that could get them in trouble.

> ... it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.

I think that if my SCADA machine is talking to another machine that is
talking to the Internet, my SCADA machine is talking too much. I'd
prefer a manual update process IF I were concerned about updates -
which, as I've said, I'm not.



> I think there may've been some confusion induced by the way Mr. Loe
> phrased things.  (Correct me if I'm wrong, Brian.)  I *believe* their
> SCADA network is firewalled from the business network; the business
> network is firewalled from the Internet; and there are some *few*
> connections, of very specific types, allowed between specific machines
> on the SCADA network and specific machines on the business network.


More or less:
<SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <corp.net> --
<FIREWALL> -- <INTERNET>

The "datalogger" is the database system for those SCADA machines to
push their data for reporting. Access to that datalogger is restricted
to specific ports from both the SCADA and corp networks. Only certain
machines on certain ports have that access.

> I *believe* what some people want is to allow the machines on the SCADA
> network access to the 'net, and to allow incoming (allegedly secure)
> connections from the 'net into the SCADA network.

I have gotten that request on several occasions. I don't usually say
"No." I usually say, "do you have the money in your budget to properly
implement your request in a properly secured manner?" It means and
accomplishes the same thing.


> I don't believe convenience should *ever* trump security.  I believe
> that when convenience is allowed to trump security, you get what we
> have today: Wide-spread compromising of networks.

Not just "networks". INFRASTRUCTURE! Power grids! Fuel production!

Both at the power plant I worked at and my current job there were
"homeland security" issues involved. The idea of our SCADA network
getting a virus was disturbing to say the least. Imagine 50 Windows 95
boxes all infected with a virus that wants to do nothing more than
flood your SCADA network with its own traffic looking for another
victim. Doesn't even have to be a targeted attack against a power
plant - it just doesn't allow the controller to know what the plant is
doing until it's too late! BOOM. Why risk your job, let alone your
life, for the convenience of some data massager?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
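The segmentation sketched in the message above (SCADA, datalogger, corp.net, Internet, with allow-listed flows between them) can be audited mechanically: model each permitted connection initiation as a directed edge and ask which zones a compromised host could pivot into hop by hop. The following is an added example written for this archive page, not code from the list or from any of the posters; the zone names follow the message, while every port number and the "proposed change" rules are constructed placeholders. It shows why the baseline design holds (nothing initiates inbound from the Internet, the datalogger initiates nothing) and why the request "some people want" would give an Internet-side host a path into the SCADA zone and on into the datalogger.

```python
"""Zone-level reachability audit for a segmented SCADA network.

Added illustration for the Firewall Wizards thread; not code from the thread.
Each Rule is a permitted connection *initiation* (replies are implied by a
stateful firewall), and reachable_from() asks: starting from a compromised
host in one zone, which other zones could be reached by pivoting through
permitted flows?  Every reached zone is treated as fully compromised, so
its own outbound rules become available as well (worst case).

All port numbers and the PROPOSED_CHANGE rules are constructed placeholders.
"""
from __future__ import annotations

from collections import deque
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str        # zone allowed to initiate
    dst: str        # zone being connected to
    dst_port: int   # destination port (constructed values below)
    comment: str = ""


# Baseline as described in the message: SCADA pushes into the datalogger,
# corp reporting hosts pull from it, corp reaches the Internet, and nothing
# initiates inbound from the Internet.  Ports are constructed examples.
BASELINE: tuple[Rule, ...] = (
    Rule("SCADA", "datalogger", 5432, "historian writes (constructed port)"),
    Rule("corp.net", "datalogger", 5432, "reporting reads (constructed port)"),
    Rule("corp.net", "INTERNET", 443, "web and patch traffic"),
)

# The variant "some people want": SCADA hosts out to the net, plus
# 'allegedly secure' inbound connections from the net into SCADA.
PROPOSED_CHANGE: tuple[Rule, ...] = BASELINE + (
    Rule("SCADA", "INTERNET", 443, "vendor telemetry / signature updates"),
    Rule("INTERNET", "SCADA", 22, "remote vendor support"),
)


def pivot_paths(zone: str, rules: Iterable[Rule]) -> dict[str, tuple[str, ...]]:
    """Map each zone reachable from `zone` to the zone-by-zone path used.

    Breadth-first search over permitted initiations; `zone` itself is
    excluded from the result.
    """
    edges: dict[str, set[str]] = {}
    for r in rules:
        edges.setdefault(r.src, set()).add(r.dst)
    paths: dict[str, tuple[str, ...]] = {zone: (zone,)}
    queue = deque([zone])
    while queue:
        cur = queue.popleft()
        for nxt in sorted(edges.get(cur, ())):
            if nxt not in paths:
                paths[nxt] = paths[cur] + (nxt,)
                queue.append(nxt)
    del paths[zone]
    return paths


def reachable_from(zone: str, rules: Iterable[Rule]) -> set[str]:
    """Zones a host in `zone` could connect into, directly or by pivoting."""
    return set(pivot_paths(zone, rules))


def violations(rules: Iterable[Rule], protected: str = "SCADA",
               hostile: str = "INTERNET") -> list[str]:
    """Policy check in the spirit of the message: the protected zone must not
    be reachable from the hostile zone, and must not reach it either ("if my
    SCADA machine is talking to another machine that is talking to the
    Internet, my SCADA machine is talking too much")."""
    rules = tuple(rules)
    problems: list[str] = []
    inbound = pivot_paths(hostile, rules)
    if protected in inbound:
        problems.append(f"{hostile} can pivot into {protected} via "
                        + " -> ".join(inbound[protected]))
    outbound = pivot_paths(protected, rules)
    if hostile in outbound:
        problems.append(f"{protected} can reach {hostile} via "
                        + " -> ".join(outbound[hostile]))
    return problems


if __name__ == "__main__":
    for name, ruleset in (("baseline", BASELINE), ("proposed", PROPOSED_CHANGE)):
        print(f"[{name}] reachable from INTERNET:",
              sorted(reachable_from("INTERNET", ruleset)))
        for p in violations(ruleset) or ["no violations"]:
            print(f"[{name}] {p}")
```

Running it prints no violations for the baseline and two for the proposed change, with the pivot path INTERNET -> SCADA -> datalogger spelled out. The model deliberately treats zones, not hosts, and ignores protocol details: it answers only the coarse question of whether any permitted chain of initiations links the hostile and protected zones, which is the question the thread is arguing about.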