Firewall Wizards mailing list archives

Re: SCADA

From: Chris Blask <chris () blask org>
Date: Tue, 14 Apr 2009 14:30:27 -0700 (PDT)


"Bertolett, Richard" <Richard.Bertolett () ci austin tx us> wrote:

While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's 
position either.

Security, particularly cyber-security, is best implemented in layers.  So yes, you do need an anti-virus system, and 
yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from 
doing things on SCADA computers that they should not be doing.  But easy should never be a driver in security 
decisions, it is much more secure to retrieve patches and virus sigs from an internal server, say little of the 
internet connection bandwidth usage.

That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas 
delivery, unfortunately, you can't just 'sneakernet' all the reporting data.  SCADA historical data in raw form is 
like drinking from a fire hose.  So you have to distill it some way, and push it into a DMZ and then out to a 
database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed 
into reports.  Why couldn't the connections allowed thru the firewall be outgoing only?  Then you need to make sure 
the destination server on the business network is secure of course, but you're already doing that, yes?

There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, 
maybe not.  But that is a cost of basic security.



Now that right there is a good answer.

There is no simple one-liner answer, it depends what you are protecting and what you are risking.  You aren't 
eliminating risk in any case, the question is really "how much effort are you willing to expend to lower your risk?"  
As security folks we need to accept (no matter how reluctantly) the possibility that on occasion the folks asking to 
make things easier could be right.  What we should be doing is putting up an appropriate amount of back-pressure on the 
"just open it up" requests to result in a solution that balances the need for access with the management of risk.  That 
may in fact be sneaker-net or it may be a well-thought-out connected solution as has been described: whatever solution 
you put in place can be compromised by someone willing to expend enough resources on it.

-chris


      
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: [Fwd: Question], (continued)
- Re: [Fwd: Question] Jean-Denis Gorin (Apr 14)
  - Re: [Fwd: Question] Paul D. Robertson (Apr 14)
    - SCADA Kaas, David D (Apr 14)
    - Re: SCADA Anton Chuvakin (Apr 14)
    - Re: SCADA Steven M. Bellovin (Apr 14)
    - Re: SCADA Brian Loe (Apr 14)
    - Re: SCADA Marcus J. Ranum (Apr 14)
    - Re: SCADA david (Apr 20)
    - Re: SCADA Bertolett, Richard (Apr 14)
    - Re: SCADA Sam Golden (Apr 14)
    - Re: SCADA Chris Blask (Apr 14)
    - Re: SCADA Marcus J. Ranum (Apr 15)
    - Re: SCADA Jim Seymour (Apr 14)
    - Re: SCADA Brian Loe (Apr 14)
    - Re: SCADA ArkanoiD (Apr 15)
    - Re: SCADA Brian Loe (Apr 15)
    - Re: SCADA ArkanoiD (Apr 15)
    - Re: SCADA Brian Loe (Apr 15)
    - Re: SCADA Paul D. Robertson (Apr 14)
    - Re: SCADA Marcus J. Ranum (Apr 15)
    - Re: SCADA Dotzero (Apr 15)

(Thread continues...)