Re: [fw-wiz] SCADA
- From: Brian Loe <knobdy@xxxxxxxxx>
- Date: Tue, 14 Apr 2009 17:01:24 -0500
On Tue, Apr 14, 2009 at 2:05 PM, Jim Seymour <jseymour@xxxxxxxxxxx> wrote:
and "Bertolett, Richard" <Richard.Bertolett@xxxxxxxxxxxxxxx> wrote:
<will reply to both inline>
Eh. My personal experience, over the years, is that AV software is
relatively worthless as a preventive tool. As for MS' security
patches: If you have the machines in question isolated from hostile
networks, most of them aren't strictly necessary, IMO. Not that these
are a bad thing, mind you. In any event: I suspect there's been a
To some degree there may have been a misunderstanding. I consider MS
updates to SCADA side machines utterly worthless. For one, they're
likely to break whatever crap control software is installed on those
machines (because they're running on Windows 95 or NT 4). Second,
they're not talking to anything that could get them in trouble.
... it is
much more secure to retrieve patches and virus sigs from an internal
server, say little of the internet connection bandwidth usage.
I think that if my SCADA machine is talking to another machine that is
talking to the Internet, my SCADA machine is talking too much. I'd
prefer a manual update process IF I were concerned about updates -
which, as I've said, I'm not.
I think there may've been some confusion induced by the way Mr. Loe
phrased things. (Correct me if I'm wrong, Brian.) I *believe* their
SCADA network is firewalled from the business network; the business
network is firewalled from the Internet; and there are some *few*
connections, of very specific types, allowed between specific machines
on the SCADA network and specific machines on the business network.
More or less:
<SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <corp.net> --
<FIREWALL> -- <INTERNET>
The "datalogger" is the database system for those SCADA machines to
push their data for reporting. Access to that datalogger is restricted
to specific ports from both the SCADA and corp networks. Only certain
machines on certain ports have that access.
I *believe* what some people want is to allow the machines on the SCADA
network access to the 'net, and to allow incoming (allegedly secure)
connections from the 'net into the SCADA network.
I have gotten that request on several occassions. I don't usually say
"No." I usually say, "do you have the money in your budget to properly
implement your request in a properly secured manner?" It means and
accomplishes the same thing.
I don't believe convenience should *ever* trump security. I believe
that when convenience is allowed to trump security, you get what we
have today: Wide-spread compromising of networks.
Not just "networks". INFRASTRUCTURE! Power grids! Fuel production!
Both at the power plant I worked at and my current job there were
"homeland security" issues involved. The idea of our SCADA network
getting a virus was disturbing to say the least. Imagine 50 windows 95
boxes all infected with a virus that wants to do nothing more than
flood your SCADA network with its own traffic looking for another
victim. Doesn't even have to be a targeted attack against a power
plant - it just doesn't allow the controller to know what the plant is
doing until its too late! BOOM. Why risk your job, let alone your
life, for the convenience of some data massager?
firewall-wizards mailing list
- Re: [fw-wiz] SCADA
- From: ArkanoiD
- Re: [fw-wiz] SCADA
- Prev by Date: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
- Next by Date: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
- Previous by thread: Re: [fw-wiz] SCADA
- Next by thread: Re: [fw-wiz] SCADA