Re: [fw-wiz] SCADA

Has no body read "Web Security Soucebook"? Sorry for the plug Marcus.

It is timeless in the fact that the Browser is no more secure today. All I have to say is JAVASCRIPT. I
deal with more email dung vulnerabilities today than ever, so NO to the personal email, so go somewhere
else to do your personal recipe swapping.

Leave SCADA where it is secure from the window of the Internet and its storefront shoppers. Notice I
did not say secure from all eyes. You have to realize the inside threat, but it is more manageable without
getting lost in a sea of faceless threats, which is my consternation over the patch updates issue, because although
it breaks stuff, there is always the wily newbie trembling to see if the vulnerability exists on the network. Here
with no internet you can catch him much quicker, but it still does not keep from the risk/cost of downtime.

Chris Myers

On Apr 16, 2009, at 11:04 AM, Paul D. Robertson wrote:

On Thu, 16 Apr 2009, Brian Loe wrote:

On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul@xxxxxxxxxxxx > wrote:

1. I'm not sure "no more" fits in the definition- for instance a system
that's designed to send company email can also send personal email- how
does that make the system less reliable?

It propably - or probably should - violates the company's appropriate
use policy. It may also induce a non-business reply, or forwards,
which may introduce spam and viruses.

That doesn't necessarily affect its reliability, and I don't know that
many places which don't allow some level of personal email these days.

That's not exactly true. A system that does exactly what it
is supposed to - no more, no less - is achievable. It's not

I'm not sure it's achievable. General purpose systems are too flexible to
be completely locked down. I can use my "Shift" key to play the Monty
Python theme, certainly not a design goal...

You don't put general purpose systems on a SCADA network. They don't
do email - nor do they have an email client installed. The are there
to do one thing, run the SCADA application. Everything else has been
removed or disabled.

Windows systems are general-purpose, PCs are general-purpose computing
systems. One of my customer's labs has lots of SCADA systems, most of
them are Windows and some of them have email clients on them- because
often the data has to come off the instrument and be used somewhere,
another customer has process management systems that are Windows- based,
and there's more on there than just the process programs for the
production lines (though not much more- they're not a research environment
like the first one- but the vendors don't always remove everything.)

Not every SCADA device is PLC-based, more's the pity. Some folks have
environments where the SCADA devices need to be able to talk to the
business network to dump raw data into business-side systems that analyze
and report on the data- and sometimes those folks don't look at security
when they do their architecture because (a) the connection was a
per-project thing that never got architected, (b) the only place with
space was the regular network, or (c) nothing's ever happened.

I know someone who shut down a large hub for a major shipping vendor with
NMAP a few years ago- because it was all inter-connected. You're thinking
best practice, and well there's a huge wall between current and best

One could argue that you don't put general purpose systems on the
corporate network either. You put accounting systems in the accounting
department and HR systems in the HR department.

Show me a computer that is only physically capable of running an
accounting applicaion. Pretty-much every computer these days is a
general-purpose computer running a general purpose OS. Heck, the banks
*require* Active-X enabled Web browsers for doing check deposits these
days- accounting isn't what it used to be.

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list

firewall-wizards mailing list

firewall-wizards mailing list

Relevant Pages

  • RE: SCADA Auditing Tools
    ... There is also very little support from the vendor, to say that "Hi, we know ... > write some tools based around the control network protocols, ... > SCADA system or the deal is off. ... > - the vendor shall supply patches to the client in regards to security ...
  • Re: Pakistan to ban encryption software
    ... network you have access to (and of course, ... capture, which is illegal without said permission). ... But the point remains that general email is at least as secure as a letter, and that greater security than that is not generally warranted. ... card details are sold in batches as quickly as possible. ...
  • Re: What security package for SBS?
    ... I have a secure Windows network. ... I also have a secure MacMini and on occasion a secure Ubuntu. ... With a business class firewall stripping crap off all incoming traffic and properly implemented security policies in addition to giving your users absolutely no admin rights, there is no reason to believe you can't create a secure Microsoft Network. ...
  • Re: Wifi Security
    ... Then add in good practices and secure those endpoints! ... I have changed the security to WPA2 with a 128bit ... and attempt to break into her wireless internet connection. ... part of her network cannot do WPA2 but you actually want her network to ...
  • RE: One computer two different networks
    ... Internet connection and one an internal secure connection tempts one ... You have a private network with no Internet for the reason that you ... in Information Security. ...