Firewall Wizards mailing list archives

Re: SCADA

From: Chris Myers <clmmacunix () charter net>
Date: Thu, 16 Apr 2009 17:43:13 -0500

Has no body read "Web Security Soucebook"? Sorry for the plug Marcus.

It is timeless in the fact that the Browser is no more secure today.All I have to say is JAVASCRIPT. Ideal with more email dung vulnerabilities today than ever, so NO tothe personal email, so go somewhere

else to do your personal recipe swapping.

Leave SCADA where it is secure from the window of theInternet and its storefront shoppers. Notice Idid not say secure from all eyes. You have to realize the insidethreat, but it is more manageable withoutgetting lost in a sea of faceless threats, which is my consternationover the patch updates issue, because althoughit breaks stuff, there is always the wily newbie trembling to see ifthe vulnerability exists on the network. Herewith no internet you can catch him much quicker, but it still does notkeep from the risk/cost of downtime.



Chris Myers
clmmacunix () charter net


On Apr 16, 2009, at 11:04 AM, Paul D. Robertson wrote:

On Thu, 16 Apr 2009, Brian Loe wrote:

On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul () compuwar net> wrote:
1. I'm not sure "no more" fits in the definition- for instance asystemthat's designed to send company email can also send personalemail- how
does that make the system less reliable?
It propably - or probably should - violates the company's appropriate
use policy. It may also induce a non-business reply, or forwards,
which may introduce spam and viruses.


That doesn't necessarily affect its reliability, and I don't know that
many places which don't allow some level of personal email these days.

That's not exactly true. A system that does exactly what it
is supposed to - no more, no less - is achievable. It's not
I'm not sure it's achievable. General purpose systems are tooflexible tobe completely locked down. I can use my "Shift" key to play theMonty
Python theme, certainly not a design goal...


You don't put general purpose systems on a SCADA network. They don't
do email - nor do they have an email client installed. The are there
to do one thing, run the SCADA application. Everything else has been
removed or disabled.


Windows systems are general-purpose, PCs are general-purpose computing
systems.  One of my customer's labs has lots of SCADA systems, most of
them are Windows and some of them have email clients on them- because
often the data has to come off the instrument and be used somewhere,

another customer has process management systems that are Windows-based,

and there's more on there than just the process programs for the

production lines (though not much more- they're not a researchenvironment

like the first one- but the vendors don't always remove everything.)

Not every SCADA device is PLC-based, more's the pity.  Some folks have
environments where the SCADA devices need to be able to talk to the

business network to dump raw data into business-side systems thatanalyzeand report on the data- and sometimes those folks don't look atsecurity

when they do their architecture because (a) the connection was a
per-project thing that never got architected, (b) the only place with
space was the regular network, or (c) nothing's ever happened.

I know someone who shut down a large hub for a major shipping vendorwithNMAP a few years ago- because it was all inter-connected. You'rethinking

best practice, and well there's a huge wall between current and best
practice.

One could argue that you don't put general purpose systems on the
corporate network either. You put accounting systems in theaccounting
department and HR systems in the HR department.


Show me a computer that is only physically capable of running an
accounting applicaion.  Pretty-much every computer these days is a

general-purpose computer running a general purpose OS. Heck, thebanks

*require* Active-X enabled Web browsers for doing check deposits these
days- accounting isn't what it used to be.

Paul
-----------------------------------------------------------------------------

Paul D. Robertson "My statements in this message are personalopinions

paul () compuwar net       which may have no basis whatsoever in fact."
          Moderator: Firewall-Wizards mailing list
          Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: SCADA, (continued)
- Re: SCADA Bill McGee (bam) (Apr 15)
  - Re: SCADA Brian Loe (Apr 15)
    - Re: SCADA Marcus J. Ranum (Apr 15)
    - Re: SCADA Brian Loe (Apr 16)
  - Re: SCADA Marcus J. Ranum (Apr 15)
    - Re: SCADA Paul D. Robertson (Apr 15)
    - Re: SCADA Marcus J. Ranum (Apr 15)
    - Re: SCADA Paul D. Robertson (Apr 15)
    - Re: SCADA Brian Loe (Apr 16)
    - Re: SCADA Paul D. Robertson (Apr 16)
    - Re: SCADA Chris Myers (Apr 16)
    - Re: SCADA Brian Loe (Apr 16)
    - Re: SCADA Marcus J. Ranum (Apr 16)
    - Re: SCADA Chris Blask (Apr 16)
    - Re: SCADA Brian Loe (Apr 16)
    - Re: SCADA Marcus J. Ranum (Apr 16)
  - Re: SCADA R. DuFresne (Apr 23)
- Re: SCADA Chris Blask (Apr 17)
  - Re: SCADA Brian Loe (Apr 18)
    - Re: SCADA Chris Blask (Apr 18)