Firewall Wizards mailing list archives
Re: SCADA
From: Brian Loe <knobdy () gmail com>
Date: Thu, 16 Apr 2009 13:37:35 -0500
On Thu, Apr 16, 2009 at 11:04 AM, Paul D. Robertson <paul () compuwar net> wrote:
>> It probably - or probably should - violates the company's appropriate use policy. It may also induce a non-business reply, or forwards, which may introduce spam and viruses.
> That doesn't necessarily affect its reliability, and I don't know that many places which don't allow some level of personal email these days.
It's not whether or not they allow it as much as they don't disallow it - BEYOND a policy. Perhaps yet another downside of all the fervor for government mandates is that what we wound up with were a bunch of policy requirements that required...policies! Exception forms. Etc. Big deal! There's no security there and we wind up with pencil pushing security admins who have never considered, let alone argued, such theories as we are right now. Instead they're former auditors that the CIO fell in love with.
>> You don't put general purpose systems on a SCADA network. They don't do email - nor do they have an email client installed. They are there to do one thing, run the SCADA application. Everything else has been removed or disabled.
> Windows systems are general-purpose, PCs are general-purpose computing systems.
I believe we're talking past each other. Yes, Windows is a general purpose operating system. Most PCs are general purpose machines. However, your implementation of that OS on that hardware is not generally FOR general purpose use. If, when you implement it, you set the scope of its operation and mandate that this set scope does not change without going through a full change management process, you will not have general purpose systems on your SCADA network.
> One of my customer's labs has lots of SCADA systems, most of them are Windows and some of them have email clients on them- because often the data has to come off the instrument and be used somewhere, another customer has process management systems that are Windows-based, and there's more on there than just the process programs for the production lines (though not much more- they're not a research environment like the first one- but the vendors don't always remove everything.)
I have yet to see a system type that a business guy didn't want a report from. How you provide those reports depends on what you are after, I guess. In my case, where I am now, things could blow up and KILL people if the SCADA network gets a virus (unlikely, but PLAUSIBLE). At the last place a county would lose its power and at certain times of the year a lot more would - or something could blow up and KILL people. :) The business guy's need to get a report does not override the requirement that the SCADA network does not get connected to the corporate network, and therefore the Internet. While I am a purist (it's almost official now) my current SCADA network is required to feed a data logger. The implementation of that logger, and the business' ability to pull data out of that logger, do not lessen the SCADA network's security any more than it absolutely has to. And NO ONE has remote access.
>> One could argue that you don't put general purpose systems on the corporate network either. You put accounting systems in the accounting department and HR systems in the HR department.
> Show me a computer that is only physically capable of running an accounting application. Pretty-much every computer these days is a general-purpose computer running a general purpose OS. Heck, the banks *require* Active-X enabled Web browsers for doing check deposits these days- accounting isn't what it used to be.
Again, it's the scope of the implementation and your ability to maintain and control it. What it starts out as (general purpose) does not dictate what it winds up!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards