Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 2:05 PM, Jim Seymour <jseymour@xxxxxxxxxxx> wrote:
and "Bertolett, Richard" <Richard.Bertolett@xxxxxxxxxxxxxxx> wrote:

<will reply to both inline>

> Eh.  My personal experience, over the years, is that AV software is
> relatively worthless as a preventive tool.  As for MS' security
> patches: If you have the machines in question isolated from hostile
> networks, most of them aren't strictly necessary, IMO.  Not that these
> are a bad thing, mind you.  In any event: I suspect there's been a

To some degree there may have been a misunderstanding. I consider MS
updates to SCADA side machines utterly worthless. For one, they're
likely to break whatever crap control software is installed on those
machines (because they're running on Windows 95 or NT 4). Second,
they're not talking to anything that could get them in trouble.

> ... it is
> much more secure to retrieve patches and virus sigs from an internal
> server, say little of the internet connection bandwidth usage.

I think that if my SCADA machine is talking to another machine that is
talking to the Internet, my SCADA machine is talking too much. I'd
prefer a manual update process IF I were concerned about updates -
which, as I've said, I'm not.

> I think there may've been some confusion induced by the way Mr. Loe
> phrased things.  (Correct me if I'm wrong, Brian.)  I *believe* their
> SCADA network is firewalled from the business network; the business
> network is firewalled from the Internet; and there are some *few*
> connections, of very specific types, allowed between specific machines
> on the SCADA network and specific machines on the business network.

More or less:
<SCADA> -- <FIREWALL> -- <datalogger> -- <FIREWALL> -- <> --

The "datalogger" is the database system for those SCADA machines to
push their data for reporting. Access to that datalogger is restricted
to specific ports from both the SCADA and corp networks. Only certain
machines on certain ports have that access.

> I *believe* what some people want is to allow the machines on the SCADA
> network access to the 'net, and to allow incoming (allegedly secure)
> connections from the 'net into the SCADA network.

I have gotten that request on several occasions. I don't usually say
"No." I usually say, "do you have the money in your budget to properly
implement your request in a properly secured manner?" It means and
accomplishes the same thing.

> I don't believe convenience should *ever* trump security.  I believe
> that when convenience is allowed to trump security, you get what we
> have today: Widespread compromising of networks.

Not just "networks". INFRASTRUCTURE! Power grids! Fuel production!

Both at the power plant I worked at and my current job there were
"homeland security" issues involved. The idea of our SCADA network
getting a virus was disturbing to say the least. Imagine 50 Windows 95
boxes all infected with a virus that wants to do nothing more than
flood your SCADA network with its own traffic looking for another
victim. Doesn't even have to be a targeted attack against a power
plant - it just doesn't allow the controller to know what the plant is
doing until it's too late! BOOM. Why risk your job, let alone your
life, for the convenience of some data massager?

firewall-wizards mailing list
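The two-firewall layout Brian describes (SCADA on one side, corp on the other, and only specific machines on specific ports allowed to reach the datalogger in between) is easy to state but easy to get subtly wrong in a real rule base. The following is an added example, not code from the original post or from any of the posters: a small Python model of that policy that evaluates individual flows against a default-deny allow-list. All zone ranges, host addresses and the database port are constructed placeholders chosen for illustration; nothing here reflects the actual network discussed on the list.

```python
"""Toy model of the SCADA -- firewall -- datalogger -- firewall -- corp layout.

Added example, not from the original post.  Every address, zone range and
port number below is a constructed placeholder (RFC 1918 / TEST-NET ranges).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone definitions.  Anything outside these ranges is treated as
# "internet", i.e. hostile, because neither side is supposed to talk to it.
ZONES = {
    "scada": ip_network("10.10.0.0/24"),
    "datalogger": ip_network("10.20.0.0/28"),
    "corp": ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    """One allow-list entry: specific source hosts in a zone may reach one
    datalogger host on one protocol/port.  There is no 'any' source."""
    src_zone: str
    src_hosts: frozenset
    dst_host: str
    proto: str
    port: int


# Constructed allow-list mirroring the post: only certain machines on certain
# ports reach the datalogger, from either side.  Port 1433 is an assumption
# standing in for "whatever the database listens on".
RULES = (
    # SCADA side pushes data into the database
    Rule("scada", frozenset({"10.10.0.5", "10.10.0.6"}), "10.20.0.2", "tcp", 1433),
    # Corp side: a single reporting server reads from the same database
    Rule("corp", frozenset({"10.30.4.10"}), "10.20.0.2", "tcp", 1433),
)


def zone_of(addr):
    """Map an address to its zone name, or 'internet' if it is in no zone."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


def evaluate(src, dst, proto, port):
    """Return (decision, reason) for one flow under the two-firewall policy.

    Order matters: Internet is refused outright, then any destination that is
    not the datalogger is refused (SCADA and corp never talk directly, and the
    datalogger never initiates), and only then is the allow-list consulted.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "internet" in (src_zone, dst_zone):
        return "deny", "no zone may talk to the Internet"
    if dst_zone != "datalogger":
        return "deny", f"{src_zone} may not reach {dst_zone}; only the datalogger is a permitted destination"
    for r in RULES:
        if (r.src_zone == src_zone and r.dst_host == dst
                and r.proto == proto and r.port == port
                and src in r.src_hosts):
            return "allow", f"matches rule {src_zone} -> {dst}:{proto}/{port}"
    return "deny", "default deny"


def summarize(flows):
    """Count decisions over a list of (src, dst, proto, port) tuples.  Useful
    for replaying a captured flow log against the intended policy to see how
    much of it the two firewalls should have stopped."""
    counts = {"allow": 0, "deny": 0}
    for flow in flows:
        counts[evaluate(*flow)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample flows: legitimate pushes plus the kind of lateral
    # scanning a worm on one SCADA box would generate toward its neighbours,
    # the corp side and the Internet.
    sample = [
        ("10.10.0.5", "10.20.0.2", "tcp", 1433),
        ("10.30.4.10", "10.20.0.2", "tcp", 1433),
        ("10.10.0.7", "10.20.0.2", "tcp", 1433),   # SCADA host not on the list
        ("10.10.0.5", "10.30.4.10", "tcp", 445),   # SCADA -> corp directly
        ("10.10.0.5", "203.0.113.7", "tcp", 443),  # SCADA -> Internet
    ]
    for f in sample:
        print(f, "=>", evaluate(*f))
    print(summarize(sample))
```

The point the model makes concrete is that the datalogger is the only destination either side is ever allowed to initiate to, and that the allow-list names hosts, never whole zones; a rule that said "SCADA network to datalogger on 1433" would let a single compromised box on that segment reach the database just as freely as the legitimate historians do.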