Firewall Wizards mailing list archives
Re: SCADA
From: Chris Myers <clmmacunix () charter net>
Date: Thu, 16 Apr 2009 17:43:13 -0500
Has nobody read "Web Security Sourcebook"? Sorry for the plug, Marcus. It is timeless in the fact that the Browser is no more secure today. All I have to say is JAVASCRIPT. I deal with more email dung vulnerabilities today than ever, so NO to the personal email, so go somewhere else to do your personal recipe swapping.

Leave SCADA where it is secure from the window of the Internet and its storefront shoppers. Notice I did not say secure from all eyes. You have to realize the inside threat, but it is more manageable without getting lost in a sea of faceless threats, which is my consternation over the patch updates issue, because although it breaks stuff, there is always the wily newbie trembling to see if the vulnerability exists on the network. Here with no internet you can catch him much quicker, but it still does not keep you from the risk/cost of downtime.
Chris Myers
clmmacunix () charter net

On Apr 16, 2009, at 11:04 AM, Paul D. Robertson wrote:
> On Thu, 16 Apr 2009, Brian Loe wrote:
>
>> On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul () compuwar net> wrote:
>>
>>> 1. I'm not sure "no more" fits in the definition- for instance a system that's designed to send company email can also send personal email- how does that make the system less reliable?
>>
>> It probably - or probably should - violates the company's appropriate use policy. It may also induce a non-business reply, or forwards, which may introduce spam and viruses.
>
> That doesn't necessarily affect its reliability, and I don't know that many places which don't allow some level of personal email these days.
>
>> That's not exactly true. A system that does exactly what it is supposed to - no more, no less - is achievable. It's not
>
> I'm not sure it's achievable. General purpose systems are too flexible to be completely locked down. I can use my "Shift" key to play the Monty Python theme, certainly not a design goal...
>
>> You don't put general purpose systems on a SCADA network. They don't do email - nor do they have an email client installed. They are there to do one thing, run the SCADA application. Everything else has been removed or disabled.
>
> Windows systems are general-purpose, PCs are general-purpose computing systems. One of my customer's labs has lots of SCADA systems, most of them are Windows and some of them have email clients on them- because often the data has to come off the instrument and be used somewhere, another customer has process management systems that are Windows-based, and there's more on there than just the process programs for the production lines (though not much more- they're not a research environment like the first one- but the vendors don't always remove everything.) Not every SCADA device is PLC-based, more's the pity.
>
> Some folks have environments where the SCADA devices need to be able to talk to the business network to dump raw data into business-side systems that analyze and report on the data- and sometimes those folks don't look at security when they do their architecture because (a) the connection was a per-project thing that never got architected, (b) the only place with space was the regular network, or (c) nothing's ever happened.
>
> I know someone who shut down a large hub for a major shipping vendor with NMAP a few years ago- because it was all inter-connected. You're thinking best practice, and well there's a huge wall between current and best practice.
>
>> One could argue that you don't put general purpose systems on the corporate network either. You put accounting systems in the accounting department and HR systems in the HR department.
>
> Show me a computer that is only physically capable of running an accounting application. Pretty-much every computer these days is a general-purpose computer running a general purpose OS. Heck, the banks *require* Active-X enabled Web browsers for doing check deposits these days- accounting isn't what it used to be.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal opinions
> paul () compuwar net       which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards