Firewall Wizards mailing list archives

Re: SCADA


From: Chris Blask <chris () blask org>
Date: Sat, 18 Apr 2009 07:43:18 -0700 (PDT)


Brian Loe <knobdy () gmail com> wrote:

Spoken like a true bean counter! :)

It ain't sexy and it doesn't get you a lot of kudos but it's the most reliable approach.  There's always my favorite ditty from a one-man play about WWI Ace Billy Bishop that speaks to it:

"When you fight, stay as calm as the ocean
And watch what's going on behind your shoulder.
Remember war's not the place for deep emotion,
And you might get to be a little older."

As I said later, I can't prevent all risks. While I might not install
a workstation on the SCADA network with a removable drive and with all
of the USB interfaces disabled, I can't provide a defense for an
operator violating my security policy, risking his job, and physically
installing a floppy drive he brought from home. I would, however, know
that there is some kind of problem because my monitoring system would
tell me so.

I don't think that makes me less of a purist. That logger doesn't talk
to people and people aren't able to talk to it. The systems it talks
to are not allowed to carry on long conversations or use foreign
languages.


It depends on definitions, but by a *pure* definition you have already crossed the line from purely separated networks 
to a thoughtful balance of risk mitigation and functionality.  Marcus' friend would not be convinced.

There are folks in my company that WANT remote access to the process
network from their homes. I've proposed installing cameras, on the
admin network, in the control rooms and pointing them at the
controller's screens. :)


That isn't as silly as it sounds, if for no other reason than being obscure.  Of course, someone could crack the video 
traffic, glean info and become interested in your site where they otherwise weren't, or leverage the information they 
learn from your screens to cause mischief elsewhere... ;~)

-chris


      