Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@xxxxxx> wrote:

We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Or policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open.  Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network.  We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.

How do you answer this without just saying NO?

Thank you,


You just say no. Their MS updates aren't important. If its truly
segregated from the corporate network, their machines do not need
antivirus. A SCADA network should not even connect to your corporate
network for ANYTHING - or vice versa. We have a data logger system
that needs to be able to talk to both networks, it's in a DMZ with TWO
firewalls between the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that
system and only on the designated ports for the data logging
application (which isn't the same on both networks).

With the latest news of China breaching our power (SCADA) networks you
would think people wouldn't be so stupid as to ask for this kind of
firewall-wizards mailing list