Firewall Wizards mailing list archives
Re: SCADA
From: Chris Blask <chris () blask org>
Date: Tue, 14 Apr 2009 14:30:27 -0700 (PDT)
"Bertolett, Richard" <Richard.Bertolett () ci austin tx us> wrote:
While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's position either.
Security, particularly cyber-security, is best implemented in layers. So yes, you do need an anti-virus system, and yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing things on SCADA computers that they should not be doing. But easy should never be a driver in security decisions; it is much more secure to retrieve patches and virus sigs from an internal server, to say nothing of the internet connection bandwidth usage.
That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas delivery, unfortunately, you can't just 'sneakernet' all the reporting data. SCADA historical data in raw form is like drinking from a fire hose. So you have to distill it some way, and push it into a DMZ and then out to a database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into reports. Why couldn't the connections allowed through the firewall be outgoing only? Then you need to make sure the destination server on the business network is secure of course, but you're already doing that, yes?
There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, maybe not. But that is a cost of basic security.
Now that right there is a good answer. There is no simple one-liner answer; it depends on what you are protecting and what you are risking. You aren't eliminating risk in any case, the question is really "how much effort are you willing to expend to lower your risk?" As security folks we need to accept (no matter how reluctantly) the possibility that on occasion the folks asking to make things easier could be right. What we should be doing is putting up an appropriate amount of back-pressure on the "just open it up" requests to result in a solution that balances the need for access with the management of risk. That may in fact be sneaker-net or it may be a well-thought-out connected solution as has been described: whatever solution you put in place can be compromised by someone willing to expend enough resources on it.

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards