Re: SCADA

["Paul D. Robertson" <paul () compuwar net>]

On Tue, 14 Apr 2009, Bertolett, Richard wrote:

> Security, particularly cyber-security, is best implemented in layers.  
> So yes, you do need an anti-virus system, and yes, you do need to apply
> MS security patches, and you do need firewalls, a DMZ, and ways to keep
> the users from doing things on SCADA computers that they should not be
> doing.  But easy should never be a driver in security decisions, it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.

The other side of the coin is that adding layers adds complexity and code- 
and adding code adds bugs- so you don't *always* get a net security gain 
by adding "protecion."  That's not even factoring in having to update the 
update infrastructure, configuration complexity, or a bunch of other 
things.

Adding layers should be done on a risk-based basis, with the probability 
of failure of a particular control or the elevation of a particular attack 
vector taken into account.

Also, the "obvious" choices aren't always the best ones.  I can stop more 
Windows malware with permissions and group policies than I can with 
anti-virus software for instance.

 
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards