Firewall Wizards mailing list archives
Re: [Fwd: Question]
From: Brian Loe <knobdy () gmail com>
Date: Wed, 8 Apr 2009 16:48:23 -0500
On Wed, Apr 8, 2009 at 3:16 PM, Chris Blask <chris () blask org> wrote:
> A lot of it doesn't require us to actually show up and write a thesis to fix, that's for sure. But the real answer for Olaf is twofold, sure, part one is a knee-slapper but part two is a chin-scratcher:
>
> 1/ They shouldn't be but someone screwed up.
>
> and/or
>
> 2/ If it's not a screwup (HMI with a live modem, etc...) then it may be that the control system network is connected to the corporate network, and that one is connected to the Internet. Even where this is absolutely necessary for business purposes, and has been implemented at least reasonably well, it is at best a struggle between those who want to protect and those who want to disrupt. Frankly, many of these sites have not put enough effort into security to compensate for their business needs for external connectivity.
>
> It's not as simple as saying "they shouldn't be connected to anything". Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable. The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>
> -chris
I don't know how many of you have worked with process and control networks, let alone SCADA networks at a power producer. I do know that I have. In both cases there is generally only ONE need for the two networks to ever touch physically or logically - data logging reports. This should always be done with the data logger placed into a DMZ. The DMZ should not allow anything from the A network into the B network or vice versa. No connections should originate from the DMZ. This has been done and works well. Often you don't even run anti-virus on the process control or SCADA networks as there's VIRTUALLY no way for them to get a virus.

Frankly, if you're told there's a business "need" for access to the process network, call BS on whoever is saying it. I've done that in my current position three times. The plant managers just can't understand how it can be so expensive for them to watch operations from their homes because, "the last place I worked they just used that program called PCAnywhere...."!!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
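The two-sided DMZ Brian describes (data logger in the DMZ, control pushes to it, corporate pulls reports from it, nothing else crosses and nothing originates from the DMZ) is easy to state and easy to get wrong in a rule base. The following is an added example, not code from the thread or from any poster: a small policy model that encodes exactly those three rules and renders them as an iptables FORWARD chain. The address ranges, the logger address 192.168.100.10, and the ports (5432 for the data push, 443 for report viewing) are assumptions for illustration; the PCAnywhere port 5631 is the product's real TCP port and is used only to show the "watch it from home" request being refused.

```python
"""Zone policy model for a control/DMZ/corporate split with a data logger in the DMZ.

Added example; address ranges, logger address and ports are assumptions, not
values from the original post.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Assumed addressing for the three networks.
ZONES = {
    "control":   ipaddress.ip_network("10.10.0.0/16"),      # process control / SCADA
    "dmz":       ipaddress.ip_network("192.168.100.0/24"),  # data logger only
    "corporate": ipaddress.ip_network("10.20.0.0/16"),      # business network
}
LOGGER = ipaddress.ip_address("192.168.100.10")           # assumed data logger address


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: ipaddress.IPv4Address
    proto: str
    dst_port: int
    comment: str


# The complete allow list. Both flows are initiated from outside the DMZ toward
# the logger; there is deliberately no rule with "dmz" as the source and no rule
# between "control" and "corporate" in either direction.
RULES = [
    Rule("control",   "dmz", LOGGER, "tcp", 5432, "data push from control (assumed port)"),
    Rule("corporate", "dmz", LOGGER, "tcp", 443,  "report viewing from corporate (assumed port)"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone; anything outside the three ranges is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> bool:
    """Decide whether a NEW connection may be initiated, default deny.

    Return traffic of an accepted connection is handled by connection tracking,
    not by a reverse rule, which is what lets the DMZ have no outbound rules.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False            # Internet or unknown address: never matches
    if src == "dmz":
        return False            # nothing originates from the DMZ, full stop
    for r in RULES:
        if (src, dst, proto, dst_port) == (r.src_zone, r.dst_zone, r.proto, r.dst_port) \
                and ipaddress.ip_address(dst_ip) == r.dst_host:
            return True
    return False


def to_iptables() -> str:
    """Render the same policy as a FORWARD chain for a three-legged Linux firewall."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in RULES:
        lines.append(
            f"iptables -A FORWARD -s {ZONES[r.src_zone]} -d {r.dst_host} "
            f"-p {r.proto} --dport {r.dst_port} -m conntrack --ctstate NEW "
            f'-m comment --comment "{r.comment}" -j ACCEPT'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # A control host feeding the logger, and the plant manager's "PCAnywhere from home" idea.
    print(allowed("10.10.1.5", "192.168.100.10", "tcp", 5432))   # True
    print(allowed("10.20.3.4", "10.10.1.5", "tcp", 5631))        # False
    print(to_iptables())
```

The point of keeping the allow list this short is that every other request, including the logger itself reaching back into either network, falls through to the DROP policy without anyone having to write a rule for it.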
Current thread:
- [Fwd: Question] Marcus J. Ranum (Apr 08)
- Re: [Fwd: Question] AMuse (Apr 08)
- Re: [Fwd: Question] Marcin Antkiewicz (Apr 08)
- Re: [Fwd: Question] Chris Blask (Apr 08)
- Re: [Fwd: Question] Brian Loe (Apr 08)
- Re: [Fwd: Question] Chris Blask (Apr 08)
- Re: [Fwd: Question] ArkanoiD (Apr 10)
- Re: [Fwd: Question] Anton Chuvakin (Apr 10)
- Re: [Fwd: Question] Chris Blask (Apr 11)
- Re: [Fwd: Question] Brian Loe (Apr 08)
- Re: [Fwd: Question] AMuse (Apr 08)
- Re: [Fwd: Question] ArkanoiD (Apr 10)
- <Possible follow-ups>
- Re: [Fwd: Question] Jean-Denis Gorin (Apr 14)
- Re: [Fwd: Question] Paul D. Robertson (Apr 14)