Firewall Wizards mailing list archives

Re: SCADA


From: Brian Loe <knobdy () gmail com>
Date: Thu, 16 Apr 2009 13:37:35 -0500

On Thu, Apr 16, 2009 at 11:04 AM, Paul D. Robertson <paul () compuwar net> wrote:

It probably - or probably should - violates the company's appropriate
use policy. It may also induce a non-business reply, or forwards,
which may introduce spam and viruses.

That doesn't necessarily affect its reliability, and I don't know that
many places which don't allow some level of personal email these days.

It's not whether or not they allow it as much as they don't disallow
it - BEYOND a policy.

Perhaps yet another downside of all the fervor for government mandates
is that what we wound up with were a bunch of policy requirements that
required...policies! Exception forms. Etc. Big deal! There's no
security there and we wind up with pencil pushing security admins who
have never considered, let alone argued, such theories as we are right
now. Instead they're former auditors that the CIO fell in love with.


You don't put general purpose systems on a SCADA network. They don't
do email - nor do they have an email client installed. They are there
to do one thing, run the SCADA application. Everything else has been
removed or disabled.

Windows systems are general-purpose, PCs are general-purpose computing
systems.

I believe we're talking past each other. Yes, Windows is a general
purpose operating system. Most PCs are general purpose machines.
However, your implementation of that OS on that hardware is not
generally FOR general purpose use. If, when you implement it, you set
the scope of its operation and mandate that this set scope does not
change without going through a full change management process, you
will not have general purpose systems on your SCADA network.

 One of my customer's labs has lots of SCADA systems, most of
them are Windows and some of them have email clients on them- because
often the data has to come off the instrument and be used somewhere,
another customer has process management systems that are Windows-based,
and there's more on there than just the process programs for the
production lines (though not much more- they're not a research environment
like the first one- but the vendors don't always remove everything.)

I have yet to see a system type that a business guy didn't want a
report from. How you provide those reports depends on what you are
after, I guess. In my case, where I am now, things could blow up and
KILL people if the SCADA network gets a virus (unlikely, but
PLAUSIBLE). At the last place a county would lose its power and at
certain times of the year a lot more would - or something could blow
up and KILL people. :) The business guy's need to get a report does
not override the requirement that the SCADA network does not get
connected to the corporate network, and therefore the Internet.

While I am a purist (it's almost official now) my current SCADA
network is required to feed a data logger. The implementation of that
logger, and the business' ability to pull data out of that logger, do
not lessen the SCADA network's security any more than it absolutely has
to. And NO ONE has remote access.


One could argue that you don't put general purpose systems on the
corporate network either. You put accounting systems in the accounting
department and HR systems in the HR department.

Show me a computer that is only physically capable of running an
accounting application. Pretty-much every computer these days is a
general-purpose computer running a general purpose OS. Heck, the banks
*require* Active-X enabled Web browsers for doing check deposits these
days- accounting isn't what it used to be.

Again, it's the scope of the implementation and your ability to
maintain and control it. What it starts out as (general purpose) does
not dictate what it winds up as!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
