Firewall Wizards mailing list archives
Re: SCADA (or: How I learned to love receiving FWW in digest form)
From: Dotzero <dotzero () gmail com>
Date: Fri, 17 Apr 2009 13:03:44 -0400
On Fri, Apr 17, 2009 at 11:23 AM, Mike Barkett <mbarkett () us checkpoint com> wrote:
> Yeah, I know the subject line makes me sound like a fuddy-duddy. Anyway, because this is apparently a last-one-to-post-wins thread, I figured I'd chime in. It seems that all of us subscribe to differing degrees of the same possibly incorrect notion... that all systems must be connected to something. If a system risks failure due to being connected to an infrastructure that will also fail along with it, then maybe the net value of such connectivity is greatly diminished. I believe Marcus' artist friend rather elegantly made a similar point.
Systems do not have to be connected to anything..... as long as one accepts the tradeoffs involved (just as there are tradeoffs to deciding something should be connected). All things being equal and there not being an incident in the news, would Marcus' artist friend agree to a 10% or 20% increase in his utility bills to have "proper security" (however one defines this)? I seriously doubt the average person is willing to pay for that extra security until after an incident (well, if I had known THAT was going to happen.....). Remember the days when customer support was unlimited and free when you bought software? And then it became free for 90 days.... and then it became free if you were willing to post to a forum......
> We've already talked about solving the logging problem with physical air gaps and a connectionless logger. Save for physical access and possibly a dedicated leased line to an isolated emergency outpost (for example, to try to remediate things if physical access is too dangerous for humans, or to manually apply patches IF applicable), why introduce any additional risk?
One argument for the introduction of additional risk is that there is added value to interconnected systems. Look at electric production and distribution. In the good old days one company produced and distributed across a given area. Now it is a lot more complex. There might be any number of producers transiting a distribution grid and there might even be a choice of paths as to how those electrons get from point A to point B. You have interties across networks, etc. This means more people need access and/or provide more input. I'm not saying this is right or wrong, simply that it is. Some of the tradeoffs are made intentionally. Some are made without the decision makers thinking about it. I like this hypothetical world that some are describing where security is easy and all the tradeoffs work easily. Where exactly is this place?