Firewall Wizards mailing list archives
Re: SCADA
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 14 Apr 2009 17:45:06 -0500
Chris Blask wrote:
> As security folks we need to accept (no matter how reluctantly)
> the possibility that on occasion the folks asking to make things easier
> could be right. What we should be doing is putting up an appropriate
> amount of back-pressure on the "just open it up" requests to result
> in a solution that balances the need for access with the management of risk.
Here's the problem: that's good in theory, but in practice, it fails. The reason is, simply enough, that you're trying to judge an "appropriate" amount of back-pressure given an unknown and unknowable risk. All that results in is a game of "duelling wild-ass guesses" based on our _current_ understanding of the risks. Management is incapable of accurately predicting the risks (and isn't interested in doing so, anyway) and security is not, either. Game theory says that under those circumstances you always get the most optimistic prediction.

What's scary is that those optimistic predictions don't get updated! That's how you get things like the several companies I know which implemented websites in PHP (because their web guys said it was OK) and have now gone deeply down that path only to discover that they made a bad decision and now they either need to throw good work after bad, or attempt to back up and unwind a mistake. We've all seen this over and over again - once the mistake is made, it's easier to hunker down and keep applying new duct tape to it, eternally. That's why the current internet security environment resembles nothing more than a mountain of duct tape, bandages, tire-patches, spit, and baling wire, wrapped around a core of pure solid crap.

But, because they remember that they were told "it's OK" and they exercised a basic attempt at diligence, management is going to remember that security signed off on it. In other words, the back pressure is good, in principle, but doesn't actually help.

The current situation with the SCADA stuff is another case in point. No doubt the managers who green-lit those interconnections did it with reasonable expectation of success and cost savings. But, obviously, they did not have an adequately nuanced view of the risks. Now they are perceiving security as having either failed, lied to them, being an unexpected additional burdensome headache, or - more likely - all of the above.

So, generally, "no" _is_ the right answer.

I've outlined the whole dynamic in a paper I wrote one <strike>day</strike> year when I was <strike>in a bad mood</strike> having a moment of clarity. If any of you are interested, it's here:
http://www.ranum.com/security/computer_security/editorials/disasters/index.html

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards