Firewall Wizards mailing list archives
Re: SCADA
From: "Bertolett, Richard" <Richard.Bertolett () ci austin tx us>
Date: Tue, 14 Apr 2009 12:54:06 -0500
While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's position either. Security, particularly cyber-security, is best implemented in layers. So yes, you do need an anti-virus system, and yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing things on SCADA computers that they should not be doing. But easy should never be a driver in security decisions, it is much more secure to retrieve patches and virus sigs from an internal server, say little of the internet connection bandwidth usage. That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas delivery, unfortunately, you can't just 'sneakernet' all the reporting data. SCADA historical data in raw form is like drinking from a fire hose. So you have to distill it some way, and push it into a DMZ and then out to a database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into reports. Why couldn't the connections allowed thru the firewall be outgoing only? Then you need to make sure the destination server on the business network is secure of course, but you're already doing that, yes? There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, maybe not. But that is a cost of basic security. Rick Bertolett Austin Water Utility -----Original Message----- From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Brian Loe Sent: Tuesday, April 14, 2009 11:18 AM To: Firewall Wizards Security Mailing List Cc: Firewall Wizards Security Mailing List Subject: Re: [fw-wiz] SCADA On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas () rl gov> wrote:
We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Or policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open. Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network. We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately. How do you answer this without just saying NO? Thank you, Dave
You just say no. Their MS updates aren't important. If its truly segregated from the corporate network, their machines do not need antivirus. A SCADA network should not even connect to your corporate network for ANYTHING - or vice versa. We have a data logger system that needs to be able to talk to both networks, it's in a DMZ with TWO firewalls between the corporate network and the control network. Traffic is not allowed to pass between networks, ONLY to and from that system and only on the designated ports for the data logging application (which isn't the same on both networks). With the latest news of China breaching our power (SCADA) networks you would think people wouldn't be so stupid as to ask for this kind of access! _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: [Fwd: Question], (continued)
- Re: [Fwd: Question] Chris Blask (Apr 11)
- Re: [Fwd: Question] ArkanoiD (Apr 10)
- Re: [Fwd: Question] Jean-Denis Gorin (Apr 14)
- Re: SCADA Bertolett, Richard (Apr 14)
- Re: SCADA Sam Golden (Apr 14)
- Re: SCADA Chris Blask (Apr 14)
- Re: SCADA Marcus J. Ranum (Apr 15)
- Re: SCADA Jim Seymour (Apr 14)
- Re: SCADA Brian Loe (Apr 14)
- Re: SCADA ArkanoiD (Apr 15)
- Re: SCADA Brian Loe (Apr 15)
- Re: SCADA ArkanoiD (Apr 15)
- Re: SCADA Brian Loe (Apr 15)
- Re: SCADA Paul D. Robertson (Apr 14)