Firewall Wizards mailing list archives

Re: SCADA


From: "Bertolett, Richard" <Richard.Bertolett () ci austin tx us>
Date: Tue, 14 Apr 2009 12:54:06 -0500

While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's 
position either.

Security, particularly cyber-security, is best implemented in layers.  So yes, you do need an anti-virus system, and 
yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing 
things on SCADA computers that they should not be doing.  But easy should never be a driver in security decisions; it 
is much more secure to retrieve patches and virus sigs from an internal server, say little of the internet connection 
bandwidth usage.

That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas 
delivery, unfortunately, you can't just 'sneakernet' all the reporting data.  SCADA historical data in raw form is like 
drinking from a fire hose.  So you have to distill it some way, and push it into a DMZ and then out to a database 
server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into 
reports.  Why couldn't the connections allowed through the firewall be outgoing only?  Then you need to make sure the 
destination server on the business network is secure of course, but you're already doing that, yes?

There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, maybe 
not.  But that is a cost of basic security.  

Rick Bertolett
Austin Water Utility

-----Original Message-----
From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] 
On Behalf Of Brian Loe
Sent: Tuesday, April 14, 2009 11:18 AM
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas () rl gov> wrote:

We have a few SCADA and process control networks firewalled from our corporate network which is connected to the 
Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our 
corporate network. We have some owners of these networks that would like the firewalls to be more open.  Their 
initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve 
Microsoft patches and virus signatures and to do MS file sharing to our corporate network.  We currently have these 
services (patching and virus signatures) available on the corporate network but they believe it would be easier and 
simpler to retrieve them separately.

How do you answer this without just saying NO?

Thank you,

Dave

You just say no. Their MS updates aren't important. If it's truly segregated from the corporate network, their machines 
do not need antivirus. A SCADA network should not even connect to your corporate network for ANYTHING - or vice versa. 
We have a data logger system that needs to be able to talk to both networks, it's in a DMZ with TWO firewalls between 
the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that system and only on the designated ports for the 
data logging application (which isn't the same on both networks).

With the latest news of China breaching our power (SCADA) networks you would think people wouldn't be so stupid as to 
ask for this kind of access!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
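As an added illustration, not code from any of the posters, here is a small Python policy audit for the layout both Rick and Brian describe: a control network, a historian/data logger in a DMZ behind two firewalls on different ports, and outgoing-only pushes to a database server on the business network. It flags the three requests from Dave's post (manage from home, fetch patches from the Internet, MS file sharing to corporate). All addresses, ports and sample rule requests are constructed assumptions.

```python
import ipaddress
# Constructed addressing for the two-firewall DMZ design discussed in the thread; assumed values.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corp": ipaddress.ip_network("10.30.0.0/16"),
}
HISTORIAN = ipaddress.ip_address("10.20.0.5")    # data logger in the DMZ
DB_SERVER = ipaddress.ip_address("10.30.1.10")   # business database server
CONTROL_PORT = 4000   # logging port on the control-side firewall
CORP_PORT = 5432      # a different port on the corporate-side firewall

def zone_of(addr):
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def check_rule(rule):
    """Return None if the permitted connection (src -> dst on dport) fits the policy,
    else the reason.  Return traffic is stateful, so 'outgoing only' = initiating direction."""
    src, dst = ipaddress.ip_address(rule["src"]), ipaddress.ip_address(rule["dst"])
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return None  # intra-zone traffic is not this firewall's job
    if "control" in (sz, dz) and "internet" in (sz, dz):
        return "control network must never touch the Internet"
    if {sz, dz} == {"control", "corp"}:
        return "no direct control<->corporate traffic; it goes through the DMZ"
    if sz == "control":
        ok = dz == "dmz" and dst == HISTORIAN and rule["dport"] == CONTROL_PORT
        return None if ok else "control side may only reach the historian on its logging port"
    if sz == "dmz":
        ok = src == HISTORIAN and dst == DB_SERVER and rule["dport"] == CORP_PORT
        return None if ok else "only the historian may initiate from the DMZ, outbound to the DB server"
    if sz == "corp":
        return None if dz == "internet" else "corporate side may not initiate toward the DMZ"
    return "connections initiated from the Internet are not permitted"

def audit(rules):
    """Return the (rule, reason) pairs that violate the policy."""
    return [(r, check_rule(r)) for r in rules if check_rule(r)]

REQUESTED = [  # constructed rule requests, including the three asked for in the thread
    {"src": "10.10.0.7", "dst": "10.20.0.5", "dport": 4000},     # control -> historian
    {"src": "10.20.0.5", "dst": "10.30.1.10", "dport": 5432},    # historian -> DB, outbound
    {"src": "203.0.113.9", "dst": "10.10.0.7", "dport": 3389},   # manage from home
    {"src": "10.10.0.7", "dst": "198.51.100.20", "dport": 443},  # patches from the Internet
    {"src": "10.10.0.7", "dst": "10.30.2.2", "dport": 445},      # MS file sharing to corp
]
```

Running `audit(REQUESTED)` returns the last three rules with their reasons; the first two (the data-logger path) pass.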