Re: [fw-wiz] SCADA




Brian Loe <knobdy@xxxxxxxxx> wrote:

> I have yet to see a system type that a business guy didn't want a
> report from. How you provide those reports depends on what you are
> after, I guess. In my case, where I am now, things could blow up and
> KILL people if the SCADA network gets a virus (unlikely, but
> PLAUSIBLE). At the last place a county would lose its power and at
> certain times of the year a lot more would - or something could blow
> up and KILL people. :)

As bizarre as the concept is, human life has a measurable monetary value. Insurance companies have been doing this forever, ask one about actuarial tables (http://www.ssa.gov/OACT/STATS/table4c6.html). Mitigating risk to human life is something we each do every day, how we operate vehicles and raise kids is all about mitigating and accepting the risk of potential death to ourselves and others.

All that realism being said, I am right there with you as far as getting very personal about mitigating the risk to SCADA systems. We are less likely to see the direct personal harm done by hacked IT systems (though we can imagine the 85-year-old lady's heart attack when her identity is stolen or her retirement fund disappears) but with SCADA it gets physical real quick. This is even more the reason that I will argue energetically for a Pragmatist's solution rather than a Purist's - I believe we can on average protect and save more lives by advancing the state of security on many SCADA networks than we can by perfecting security on a few.


> The business guy's need to get a report does
> not override the requirement that the SCADA network does not get
> connected to the corporate network, and therefore the Internet.


I thought you had a SCADA network connected (albeit through a DMZ) to your corporate network, which I assume is connected to the Internet? Best laid plans and all that - I assume you are aware of some of the really neat testing that has broken through some really well designed SCADA standoffs? Even in the solution you describe, there is no guarantee that something really fascinating can't happen to prove Robert Burns correct (again - http://en.wikipedia.org/wiki/To_a_Mouse).

> While I am a purist (it's almost official now)

It's official - you are a purist.

> my current SCADA
> network is required to feed a data logger. The implementation of that
> logger, and the business' ability to pull data out of that logger, do
> not lessen the SCADA network's security anymore than it absolutely has
> to.

"anymore than it absolutely has to."

Sorry, you aren't a purist anymore. ;~)

-chris
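The logger-in-a-DMZ layout the two posters are arguing about, as an added example that is not part of the original thread and not either poster's own configuration: an nftables ruleset that lets the SCADA zone push to a data logger in the DMZ, lets the corporate zone read reports from that logger, and forwards nothing between SCADA and corporate in either direction, plus a small audit function that fails if any accept rule crosses one of the forbidden boundaries. The interface names (scada, dmz, corp), the logger address and the two port numbers are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Three-zone nftables policy
# for a SCADA network that feeds a data logger in a DMZ, where the business
# pulls its reports from the logger rather than from the SCADA network.
# All names, addresses and ports below are assumptions for illustration.

SCADA_IF=scada          # assumed interface facing the control network
DMZ_IF=dmz              # assumed interface facing the data logger
CORP_IF=corp            # assumed interface facing the corporate LAN
LOGGER=10.10.20.10      # assumed address of the data logger
PUSH_PORT=5020          # assumed port the logger listens on for SCADA pushes
REPORT_PORT=443         # assumed HTTPS port the business reads reports from

# gen_ruleset: print the nftables ruleset (apply with: gen_ruleset | nft -f -)
gen_ruleset() {
cat <<EOF
flush ruleset
table inet scada_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return packets for flows permitted below. This is the one path by
        # which bytes re-enter SCADA; a hardware data diode is what removes it.
        ct state established,related accept
        ct state invalid drop

        # SCADA -> logger: only the push port, only when SCADA initiates.
        iifname "$SCADA_IF" oifname "$DMZ_IF" ip daddr $LOGGER tcp dport $PUSH_PORT ct state new accept

        # Corporate -> logger: read the reports, nothing else.
        iifname "$CORP_IF" oifname "$DMZ_IF" ip daddr $LOGGER tcp dport $REPORT_PORT ct state new accept

        # Nothing initiates into SCADA, and SCADA never reaches corporate.
        # The drop policy already covers both; these rules exist to log it.
        iifname { "$DMZ_IF", "$CORP_IF" } oifname "$SCADA_IF" log prefix "scada-ingress-blocked: " drop
        iifname "$SCADA_IF" oifname "$CORP_IF" log prefix "scada-to-corp-blocked: " drop
    }
}
EOF
}

# audit_ruleset RULESET: return 1 if any accept rule pairs SCADA with
# corporate in either direction, or names SCADA as an output interface
# (i.e. lets some zone initiate into the control network).
audit_ruleset() {
    if printf '%s\n' "$1" | grep 'accept' | grep -qE \
        "iifname \"$SCADA_IF\".*oifname \"$CORP_IF\"|iifname \"$CORP_IF\".*oifname \"$SCADA_IF\"|oifname \"$SCADA_IF\""
    then
        echo "audit: an accept rule crosses a forbidden zone boundary" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: audit the generated ruleset, then print it.
generated=$(gen_ruleset)
audit_ruleset "$generated" && printf '%s\n' "$generated"
```

The audit is a deliberately simple invariant check over the rule text, run before the ruleset is loaded; it catches the "just one quick exception for the business report" rule that turns a DMZ standoff into a bridge. What it cannot catch is the stateful return path noted in the comments: conntrack will pass reply packets back into SCADA for flows SCADA itself opened, which is exactly the channel the Purist's data diode closes and the Pragmatist's firewall accepts.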



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards