Firewall Wizards mailing list archives

Re: SCADA


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 14 Apr 2009 17:45:06 -0500

Chris Blask wrote:
>As security folks we need to accept (no matter how reluctantly)
>the possibility that on occasion the folks asking to make things easier
>could be right.  What we should be doing is putting up an appropriate
>amount of back-pressure on the "just open it up" requests to result
>in a solution that balances the need for access with the management of risk.


Here's the problem: that's good in theory, but in practice, it
fails. The reason is, simply enough, that you're trying to
judge an "appropriate" amount of back-pressure given an
unknown and unknowable risk. All that results in is a game of
"duelling wild-ass guesses" based on our _current_ understanding
of the risks. Management is incapable of accurately predicting
the risks (and isn't interested in doing so, anyway) and security
is not, either. Game theory says that under those circumstances
you always get the most optimistic prediction.

What's scary is that those optimistic predictions don't get
updated! That's how you get things like the several companies
I know which implemented websites in PHP (because their web guys
said it was OK) and have now gone deeply down that path only
to discover that they made a bad decision and now they either
need to throw good work after bad, or attempt to back up and
unwind a mistake. We've all seen this over and over again - once
the mistake is made, it's easier to hunker down and keep applying
new duct tape to it, eternally. That's why the current internet
security environment resembles nothing more than a mountain of
duct tape, bandages, tire-patches, spit, and baling wire, wrapped
around a core of pure solid crap.

But, because they remember that they were told "it's OK" and
they exercised a basic attempt at diligence, management is
going to remember that security signed off on it.

In other words, the back pressure is good, in principle, but
doesn't actually help. The current situation with the SCADA
stuff is another case in point. No doubt the managers who
green-lit those interconnections did it with reasonable
expectation of success and cost savings. But, obviously,
they did not have an adequately nuanced view of the risks.
Now they are perceiving security as having either failed,
lied to them, being an unexpected additional burdensome
headache, or - more likely - all of the above.

So, generally, "no" _is_ the right answer.


I've outlined the whole dynamic in a paper I wrote one
<strike>day</strike> year when I was <strike>in a bad mood</strike>
having a moment of clarity. If any of you are interested, it's
here:
http://www.ranum.com/security/computer_security/editorials/disasters/index.html

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

