Saturday, April 18, 2009

firewall-wizards Digest, Vol 36, Issue 28

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Marcus J. Ranum)
2. Re: SCADA (Chris Blask)
3. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Brian Loe)
4. Re: Is a full collapse possible? (Brian Loe)
5. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Bret Watson)
6. Re: SCADA (Brian Loe)


----------------------------------------------------------------------

Message: 1
Date: Fri, 17 Apr 2009 18:24:52 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "firewall-wizards@listserv.cybertrust.com"
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <49E901B4.7010200@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Dotzero wrote:
> would Marcus' artist friend agree to a 10% or 20% increase in his
> utility bills to have "proper security" (however one defines this)?

Wait a minute!! It was properly secure BEFORE.
In fact, they had to have SPENT MONEY to make it worse.

Someone, someplace, put it into a less secure state
"to save money" or "for business reasons." What we're
seeing is that their cost/benefit analysis was wrong;
it didn't save as much as they thought (because they
did it wrong!) or, if it recouped enough on the
investment, then any additional security expense
comes out of that profit/benefit's margin.

Let me belabor that point a bit: security is often
seen as a bill that gets presented; a cost of doing
business. What they don't understand is that the
bill is just interest coming due for when they cut
some corners years ago. A break-in or disaster is
that interest, compounded.

This is one reason I am (obviously) highly skeptical
of many business justifications. They omit to take
hidden costs into account and then try to shift/blame
someone else for them later. It's very easy to see
something as a profitable and desirable activity as
long as you only look at the upside.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com


------------------------------

Message: 2
Date: Fri, 17 Apr 2009 15:37:51 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <436889.46998.qm@web33807.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


Brian Loe <knobdy@gmail.com> wrote:

> I have yet to see a system type that a business guy didn't want a
> report from. How you provide those reports depends on what you are
> after, I guess. In my case, where I am now, things could blow up and
> KILL people if the SCADA network gets a virus (unlikely, but
> PLAUSIBLE). At the last place a county would lose its power and at
> certain times of the year a lot more would - or something could blow
> up and KILL people. :)

As bizarre as the concept is, human life has a measurable monetary value. Insurance companies have been doing this forever, ask one about actuarial tables (http://www.ssa.gov/OACT/STATS/table4c6.html). Mitigating risk to human life is something we each do every day, how we operate vehicles and raise kids is all about mitigating and accepting the risk of potential death to ourselves and others.

All that realism being said, I am right there with you as far as getting very personal about mitigating the risk to SCADA systems. We are less likely to see the direct personal harm done by hacked IT systems (though we can imagine the 85-year-old lady's heart attack when her identity is stolen or her retirement fund disappears) but with SCADA it gets physical real quick. This is even more the reason that I will argue energetically for a Pragmatist's solution rather than a Purist's - I believe we can on average protect and save more lives by advancing the state of security on many SCADA networks than we can by perfecting security on a few.


> The business guy's need to get a report does
> not override the requirement that the SCADA network does not get
> connected to the corporate network, and therefore the Internet.


I thought you had a SCADA network connected (albeit through a DMZ) to your corporate network, which I assume is connected to the Internet? Best laid plans and all that - I assume you are aware of some of the really neat testing that has broken through some really well designed SCADA standoffs? Even in the solution you describe, there is no guarantee that something really fascinating can't happen to prove Robert Burns correct (again - http://en.wikipedia.org/wiki/To_a_Mouse).

> While I am a purist (it's almost official now)

It's official - you are a purist.

> my current SCADA
> network is required to feed a data logger. The implementation of that
> logger, and the business' ability to pull data out of that logger, do
> not lessen the SCADA network's security anymore than it absolutely has
> to.

"anymore than it absolutely has to."

Sorry, you aren't a purist anymore. ;~)

-chris



------------------------------

Message: 3
Date: Sat, 18 Apr 2009 08:42:23 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: "firewall-wizards@listserv.cybertrust.com"
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<3c4611bc0904180642t5cf524c8hb1170fa1944a95a6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 17, 2009 at 12:03 PM, Dotzero <dotzero@gmail.com> wrote:

>
> One argument for the introduction of additional risk is that there is
> added value to interconnected systems. Look at Electric production and
> distribution. In the good old days one company produced and
> distributed across a given area. Now it is a lot more complex. There
> might be any number of producers transiting a distribution grid and
> there might even be a choice of paths as to how those electrons get
> from point A to point B. You have interties across networks, etc. This
> means more people need access and/or provide more input.

That interconnectedness on the SCADA network (which should NOT be
transiting the Internet - only the power grid itself) is exactly how
AND why you don't connect the SCADA network to a non-SCADA network.


------------------------------

Message: 4
Date: Sat, 18 Apr 2009 09:03:14 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] Is a full collapse possible?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904180703j11e06f7egda2d76cdcd920c18@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 17, 2009 at 4:46 PM, Marcus J. Ranum <mjr@ranum.com> wrote:
> Behm, Jeff wrote:
>>
>> Agreed. If they are smart they wouldn't do that
>
> Robots aren't smart.
>
> We can worry about the motives of human agents, but
> doesn't it seem much more likely that some piece
> of self-replicating code will get into one of these
> SCADA systems and crash it all to hell? The end
> result is the same.

When I'm explaining risks for process networks to non-IT folks I don't
talk about a "someone" hacking into the network and blowing it up or
doing other malicious things. I tell them about the network I watched
go down when only two of five hundred machines got infected with a new
virus that the up-to-date AV software didn't know about. The plant
blowing up is Hollywood. The plant going down for hours or days...now
that's a loss of productivity they can feel in their pants, especially
in today's job market.


------------------------------

Message: 5
Date: Sat, 18 Apr 2009 22:19:29 +0800
From: Bret Watson <lists@ticm.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>,
Message-ID: <49e9e182.25578c0a.0cc4.ffffd595@mx.google.com>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 09:42 PM 18/04/2009, Brian Loe wrote:

>That interconnectedness on the SCADA network (which should NOT be
>transiting the Internet - only the power grid itself) is exactly how
>AND why you don't connect the SCADA network to a non-SCADA network.

Yup,

<sarcasm>but it is so convenient when the operations guy can read
emails whilst managing the system. Oh and management really likes to
get those real-time pretty graphs...</sarcasm>

It's amazing, but somehow SCADA always ends up getting connected - or
even worse - running over corporate networks... Currently working
with a critical infrastructure provider - exactly that problem, and
their corporate strategy is to integrate it all further :(

------------------------------

Message: 6
Date: Sat, 18 Apr 2009 09:14:06 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904180714v5ebe4c17jfd74f3596c73a808@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Fri, Apr 17, 2009 at 5:37 PM, Chris Blask <chris@blask.org> wrote:
>This is even more the reason that I will argue energetically for a Pragmatist's solution rather than a Purist's - I believe we can on average protect and save more lives by advancing the state of security on many SCADA networks than we can by perfecting security on a few.
>

Spoken like a true bean counter! :)


> I thought you had a SCADA network connected (albeit through a DMZ) to your corporate network, which I assume is connected to the Internet? Best laid plans and all that - I assume you are aware of some of the really neat testing that has broken through some really well designed SCADA standoffs? Even in the solution you describe, there is no guarantee that something really fascinating can't happen to prove Robert Burns correct (again - http://en.wikipedia.org/wiki/To_a_Mouse).
>

As I said later, I can't prevent all risks. While I might not install
a workstation on the SCADA network with a removable drive and with all
of the USB interfaces disabled, I can't provide a defense for an
operator violating my security policy, risking his job, and physically
installing a floppy drive he brought from home. I would, however, know
that there is some kind of problem because my monitoring system would
tell me so.


>> my current SCADA
>> network is required to feed a data logger. The implementation of that
>> logger, and the business' ability to pull data out of that logger, do
>> not lessen the SCADA network's security anymore than it absolutely has
>> to.
>
> "anymore than it absolutely has to."
>
> Sorry, you aren't a purist anymore. ;~)

I don't think that makes me less of a purist. That logger doesn't talk
to people and people aren't able to talk to it. The systems it talks
to are not allowed to carry on long conversations or use foreign
languages.

If Marcus is still a purist, I can be too. I doubt he spends his time
traveling around and cutting peoples' network connections with his
favorite pair of wire cutters!

There are folks in my company that WANT remote access to the process
network from their homes. I've proposed installing cameras, on the
admin network, in the control rooms and pointing them at the
controller's screens. :)

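The data-logger arrangement Brian describes in the message above (SCADA systems push to a logger, the business pulls reports from it, nobody talks to the logger directly, and the permitted conversations are short and use a fixed protocol) can be expressed as a small flow policy and checked against flow records. The script below is an added example written for this page; it is not code from the thread or from any list member. The subnet, host addresses, ports, the 60-second session limit and the flow records are all constructed assumptions for illustration.

```python
"""
Policy check for a one-way SCADA -> logger -> corporate-report feed.
Flow records are assumed to come from a flow exporter in the form
src,dst,proto,dst_port,duration_seconds,bytes. Everything below that
names an address, port or threshold is an assumption for the example.
"""
import ipaddress
from dataclasses import dataclass

SCADA_NET = ipaddress.ip_network("10.10.1.0/24")   # assumed process network
LOGGER = ipaddress.ip_address("10.20.0.2")          # assumed data logger in the DMZ
REPORT_HOST = ipaddress.ip_address("172.16.4.9")    # assumed corporate report server
MAX_SESSION_SECONDS = 60                            # "no long conversations" (assumed limit)

# The only "languages" each side may speak, keyed by (source zone, destination zone).
# Anything not listed here, including the reverse direction, is a violation.
ALLOWED = {
    ("scada", "logger"): {("tcp", 5020)},   # historian push into the logger (assumed port)
    ("logger", "corp"): {("tcp", 8443)},    # report export out of the logger (assumed port)
}

# Constructed sample flows: two conforming, one too long, one corporate host
# reaching into the logger, one logger reaching back into SCADA, one
# conforming, one unexpected protocol from the SCADA side.
SAMPLE_FLOWS = """\
10.10.1.5,10.20.0.2,tcp,5020,3,1200
10.20.0.2,172.16.4.9,tcp,8443,2,40960
10.10.1.5,10.20.0.2,tcp,5020,3600,88000000
172.16.4.9,10.20.0.2,tcp,22,40,900
10.20.0.2,10.10.1.5,tcp,502,1,64
10.10.1.7,10.20.0.2,tcp,5020,4,1000
10.10.1.5,10.20.0.2,udp,161,1,200
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    duration: int
    nbytes: int


def parse_flows(text):
    """Parse CSV flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, duration, nbytes = line.split(",")
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport), int(duration), int(nbytes)))
    return flows


def zone(addr):
    """Map an address to the zone it belongs to; unknown hosts are 'other'."""
    if addr == LOGGER:
        return "logger"
    if addr in SCADA_NET:
        return "scada"
    if addr == REPORT_HOST:
        return "corp"
    return "other"


def check_flow(flow):
    """Return None if the flow conforms to the logger policy, else the reason."""
    pair = (zone(flow.src), zone(flow.dst))
    if pair not in ALLOWED:
        return f"direction not permitted: {pair[0]} -> {pair[1]}"
    if (flow.proto, flow.dport) not in ALLOWED[pair]:
        return f"protocol not permitted: {flow.proto}/{flow.dport}"
    if flow.duration > MAX_SESSION_SECONDS:
        return f"session too long: {flow.duration}s"
    return None


def check_flows(text):
    """Return a list of (flow, reason) for every record that violates policy."""
    violations = []
    for flow in parse_flows(text):
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in check_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against a real exporter's output, the same check turns "my monitoring system would tell me so" into a concrete alert: the corporate host opening a session into the logger, the logger initiating anything back toward the process network, and a push that stays open for an hour all surface as distinct reasons rather than as one undifferentiated "unexpected traffic" line.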

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 28
************************************************
