Firewall Wizards mailing list archives
Re: SCADA
From: Brian Loe <knobdy () gmail com>
Date: Tue, 14 Apr 2009 17:01:24 -0500
On Tue, Apr 14, 2009 at 2:05 PM, Jim Seymour <jseymour () linxnet com> wrote: and "Bertolett, Richard" <Richard.Bertolett () ci austin tx us> wrote: <will reply to both inline>
> Eh. My personal experience, over the years, is that AV software is relatively worthless as a preventive tool. As for MS' security patches: If you have the machines in question isolated from hostile networks, most of them aren't strictly necessary, IMO. Not that these are a bad thing, mind you. In any event: I suspect there's been a misunderstanding...
To some degree there may have been a misunderstanding. I consider MS updates to SCADA side machines utterly worthless. For one, they're likely to break whatever crap control software is installed on those machines (because they're running on Windows 95 or NT 4). Second, they're not talking to anything that could get them in trouble.
> ... it is much more secure to retrieve patches and virus sigs from an internal server, say little of the internet connection bandwidth usage.
I think that if my SCADA machine is talking to another machine that is talking to the Internet, my SCADA machine is talking too much. I'd prefer a manual update process IF I were concerned about updates - which, as I've said, I'm not.
> I think there may've been some confusion induced by the way Mr. Loe phrased things. (Correct me if I'm wrong, Brian.) I *believe* their SCADA network is firewalled from the business network; the business network is firewalled from the Internet; and there are some *few* connections, of very specific types, allowed between specific machines on the SCADA network and specific machines on the business network.
More or less: <SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <corp.net> -- <FIREWALL> -- <INTERNET> The "datalogger" is the database system for those SCADA machines to push their data for reporting. Access to that datalogger is restricted to specific ports from both the SCADA and corp networks. Only certain machines on certain ports have that access.
> I *believe* what some people want is to allow the machines on the SCADA network access to the 'net, and to allow incoming (allegedly secure) connections from the 'net into the SCADA network.
I have gotten that request on several occasions. I don't usually say "No." I usually say, "do you have the money in your budget to properly implement your request in a properly secured manner?" It means and accomplishes the same thing.
> I don't believe convenience should *ever* trump security. I believe that when convenience is allowed to trump security, you get what we have today: Wide-spread compromising of networks.
Not just "networks". INFRASTRUCTURE! Power grids! Fuel production! Both at the power plant I worked at and my current job there were "homeland security" issues involved. The idea of our SCADA network getting a virus was disturbing to say the least. Imagine 50 Windows 95 boxes all infected with a virus that wants to do nothing more than flood your SCADA network with its own traffic looking for another victim. Doesn't even have to be a targeted attack against a power plant - it just doesn't allow the controller to know what the plant is doing until it's too late! BOOM. Why risk your job, let alone your life, for the convenience of some data massager?
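Editor's worked example (added here; not code from anyone in this thread): a small Python model of the segmented topology Brian sketches, <SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <corp.net>, where the datalogger is the only thing either side may reach and only listed host/port pairs pass. It evaluates flows against a default-deny allow-list, emits the equivalent nftables forward ruleset, and flags a source whose denied flows fan out to many destinations, which is the "50 infected boxes looking for another victim" pattern from the last paragraph. All addresses, ports and the sample flows are constructed; the post names none of them.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone addressing: the post names the zones, not their subnets.
ZONES = {
    "scada": ip_network("10.10.0.0/24"),
    "datalogger": ip_network("10.20.0.0/24"),
    "corp": ip_network("10.30.0.0/16"),
}

# Allow-list of (src host, dst host, proto, dport). Constructed values: the post
# says "certain machines on certain ports", not which ones. 1433 stands in for
# the datalogger's database listener.
ALLOW = {
    ("10.10.0.5", "10.20.0.10", "tcp", 1433),
    ("10.10.0.6", "10.20.0.10", "tcp", 1433),
    ("10.30.1.20", "10.20.0.10", "tcp", 1433),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the three zones is 'internet'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def permitted(src: str, dst: str, proto: str, dport: int) -> bool:
    """Default deny. A flow passes only if it is explicitly listed AND it
    terminates on the datalogger from the SCADA or corp side, so a typo in the
    allow-list can never open SCADA <-> corp or SCADA <-> internet paths."""
    if (src, dst, proto, dport) not in ALLOW:
        return False
    return zone_of(dst) == "datalogger" and zone_of(src) in ("scada", "corp")


def to_nftables() -> str:
    """Render the allow-list as an nftables forward chain with policy drop."""
    lines = [
        "table inet scada_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, dport in sorted(ALLOW):
        lines.append(
            f"    ip saddr {src} ip daddr {dst} {proto} dport {dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


def noisy_sources(flows, min_targets: int = 3) -> dict:
    """Sources whose *denied* flows reach at least min_targets distinct
    destinations. One stray connection is an operator mistake; a fan-out to
    many neighbours is what a self-propagating worm on the SCADA segment
    looks like. Intra-segment traffic never crosses the firewall, so these
    flows would come from a span port or flow export on the SCADA switch."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if not permitted(src, dst, proto, dport):
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}


# Constructed sample flows: three legitimate datalogger pushes, one stray
# outbound attempt, and one SCADA host sweeping its neighbours on tcp/445.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.10", "tcp", 1433),
    ("10.10.0.6", "10.20.0.10", "tcp", 1433),
    ("10.30.1.20", "10.20.0.10", "tcp", 1433),
    ("10.10.0.5", "198.51.100.7", "tcp", 80),
] + [("10.10.0.9", f"10.10.0.{n}", "tcp", 445) for n in range(20, 26)]


if __name__ == "__main__":
    print(to_nftables())
    print("fan-out sources:", noisy_sources(SAMPLE_FLOWS))
```

The point of checking the zone inside permitted() rather than trusting the allow-list alone is the one Brian makes about budget: every exception someone asks for has to be a datalogger-bound, named-host, named-port rule, and the policy-drop default means a forgotten rule fails closed rather than open.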