Search This Blog

Sunday, April 26, 2009

firewall-wizards Digest, Vol 36, Issue 36

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Paul Ferguson)


----------------------------------------------------------------------

Message: 1
Date: Fri, 24 Apr 2009 18:49:10 -0700
From: Paul Ferguson <fergdawgster@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: mjr@ranum.com, "R. DuFresne" <dufresne@sysinfo.com>, Firewall
Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID:
<6cd462c00904241849w372f4a5fua7bcb74a22a436bf@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Apr 24, 2009 at 6:10 PM, Daniel E. Hassler <hassler@speakeasy.net>
wrote:

> OK - I may have misrepresented what I'm doing. I am not doing true SCADA.
> I have a system which is required to report electric meter readings
> securely over the internet from remote sites. Traffic is allowed to pass
> (only
> encrypted) from the Modbus network (which has no control devices) to the
> public internet. The gateway is sufficiently secure given the value of
> the data. It's low value residential/small business stuff but it is not
> supposed to be visible to outside parties so it must travel encrypted.
> Authentication is also important as we need to know the data is from the
> meter is says it's from. If you've ever purchased anything over the
> internet you obviously felt the level of protection offered was
> sufficient. I would say these systems are as secure as OpenBSD which is
> actually not good enough to allow true SCADA access to the internet. No
> remote holes - ever or keep it away from the internet is a good mantra.
> Since I don't believe anyone has sufficiently proved they have a system
> with zero remote holes ever possible other than a system with zero remote
> connections I too would recommend strongly the
> latter for true SCADA where perhaps a power grid or nuclear plant are
> involved. Common sense.
>

Famous last words: "Sufficiently secure."

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFJ8mwDq1pz9mNUZTMRAsLCAJwLZjWzkqm9rMPQMO5hBS4XlOnGOACghLDf
E9m+lEkfjNEAsZ5ShIZaGko=
=3Eso
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 36
************************************************

No comments: