Thursday, April 16, 2009

firewall-wizards Digest, Vol 36, Issue 25

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Paul D. Robertson)
2. Re: Who stay focused? (was: [Fwd: Question]) (ArkanoiD)
3. Re: SCADA (Chris Blask)
4. Re: SCADA (Chris Myers)
5. Re: SCADA (Brian Loe)
6. Re: SCADA (Brian Loe)


----------------------------------------------------------------------

Message: 1
Date: Thu, 16 Apr 2009 12:04:26 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904161137110.15242-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=ISO-8859-1

On Thu, 16 Apr 2009, Brian Loe wrote:

> On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul@compuwar.net> wrote:
>
> > 1. I'm not sure "no more" fits in the definition- for instance a system
> > that's designed to send company email can also send personal email- how
> > does that make the system less reliable?
> >
>
> It probably - or probably should - violates the company's appropriate
> use policy. It may also induce a non-business reply, or forwards,
> which may introduce spam and viruses.

That doesn't necessarily affect its reliability, and I don't know that
many places which don't allow some level of personal email these days.

> >> That's not exactly true. A system that does exactly what it
> >> is supposed to - no more, no less - is achievable. It's not
> >
> > I'm not sure it's achievable. General purpose systems are too flexible to
> > be completely locked down. I can use my "Shift" key to play the Monty
> > Python theme, certainly not a design goal...
>
> You don't put general purpose systems on a SCADA network. They don't
> do email - nor do they have an email client installed. They are there
> to do one thing, run the SCADA application. Everything else has been
> removed or disabled.

Windows systems are general-purpose, PCs are general-purpose computing
systems. One of my customer's labs has lots of SCADA systems, most of
them are Windows and some of them have email clients on them- because
often the data has to come off the instrument and be used somewhere,
another customer has process management systems that are Windows-based,
and there's more on there than just the process programs for the
production lines (though not much more- they're not a research environment
like the first one- but the vendors don't always remove everything.)

Not every SCADA device is PLC-based, more's the pity. Some folks have
environments where the SCADA devices need to be able to talk to the
business network to dump raw data into business-side systems that analyze
and report on the data- and sometimes those folks don't look at security
when they do their architecture because (a) the connection was a
per-project thing that never got architected, (b) the only place with
space was the regular network, or (c) nothing's ever happened.

I know someone who shut down a large hub for a major shipping vendor with
NMAP a few years ago- because it was all inter-connected. You're thinking
best practice, and well there's a huge wall between current and best
practice.

> One could argue that you don't put general purpose systems on the
> corporate network either. You put accounting systems in the accounting
> department and HR systems in the HR department.

Show me a computer that is only physically capable of running an
accounting application. Pretty-much every computer these days is a
general-purpose computer running a general purpose OS. Heck, the banks
*require* Active-X enabled Web browsers for doing check deposits these
days- accounting isn't what it used to be.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 2
Date: Thu, 16 Apr 2009 20:09:05 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090416160905.GA24045@eltex.net>
Content-Type: text/plain; charset=koi8-r

Well, i am one of the old-timers (yes, if you started as a security professional
in the mid-90s this counts as old-timer now) and i am still here.

I was too young and too idealistic those days and lost all opportunities to
get rich (there were plenty of those), so now i am still forced to work for a living,
not for fun. And even that is not so easy, as there is quite a strange new breed
who do that really better.

Have you noticed those? Those guys who started in the early 2000s and who are
*experienced professionals* now? They are not visionaries, nor scientists (nor am
i, though), they are not bright minds either. You do not see them at any
security conferences (well, actually there *are* conferences they attend, they are
just different ones we consider boring), they do not show up in any workgroups or
technical committees, they do not invent any more, they do not really have a clue
how to stay on the leading edge (how ridiculous it sounds when applied to our
pretty conservative field, but there *is* something like that). They just do their
*career*. And they do it quite well, even more: they do not give a shit about who
you are and what you can do - there are other things that count, like "did you have
a senior management job at a company we do respect" (no one even cares if you performed
there well enough, the single fact that you were there is what counts)
and they are always welcome in the corporate world.

So i am just a loser who did not get into that pack in time and now it is too late.
I did not care about money much and i did not care about the career much, i just
tried to do something to make this crazy world a little bit sane. And i failed
epically. There are some positive changes like all that DLP stuff is something
we talked about for 20 years before and i guess it is something that people with clue
were talking about several other decades before. But there is nothing in those positive
changes i can count as a personal achievement - that's not because the world finally
learned to listen, that's just because everything else fails too obviously
even for this insane world.

On Tue, Apr 14, 2009 at 08:22:25PM +0200, Jean-Denis Gorin wrote:
> Hi Paul
>
> > From: Paul D. Robertson
> > Sent: Tuesday, April 14, 2009 5:34 PM
> >
> [...]
> > Once again, I'd like to publicly state that if you want to see
> > interesting threads on the list, you have to de-lurk and
> > start some. If nothing else, it'd change the Pix/Interesting
> > ratio...
>
> So, I'll start a new one ;)
>
> Why am I now a long time lurker? Mainly because I have quit the infosec field!
>
> After 10 years in the infosec field, 5 years ago I decided to quit infosec and
> came back to infosys architecture, my original field.
> From the early 90's to the beginning of the 00's [0], I lived the rise of firewalls and DMZs...
> and their doom: the eBusiness application model where Internet applications were
> only a front-end to internal infosys!
>
> In those years, I concluded that there was no way to achieve a good security
> awareness because people (IT people or users [1]) didn't (or didn't want to)
> have a global view of IT or infosys.
> And the marketing buzz words of that time were enough to convince people to
> stay singleminded (and buy a 'lucky stone' firewall to protect themselves).
>
> So, my question is: among all of you, old timer firewall wizards, how many stay
> focused to infosec (and had kept a global view [2] of infosys) ?
>
>
> For those willing to know why I'm still lurking FW-wiz as I have quit the field,
> I'm just trying to assess how fast the IT world will collapse in case of a major
> security threat... (I already know who will survive this, and how ;) ).
>
>
> JDG
>
> [0] Not Y2K compliant, so what?!?
> [1] Or 'lusers' for the BOFH fans ;)
> [2] Global, but not unfocused!
> --
> Reality is that which, when you stop believing in it, doesn't go away.
> Philipp K. Dick
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 3
Date: Thu, 16 Apr 2009 10:49:16 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <150578.46614.qm@web33808.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


Brian Loe <knobdy@gmail.com> wrote:


> You don't put general purpose systems on a SCADA network. They don't
do email - nor do they have an email client installed. They are there
to do one thing, run the SCADA application. Everything else has been
removed or disabled.


Not sure I follow you, here, since I think you know differently. There is Windows embedded directly into many SCADA devices, and there is nothing removed from it at all over a standard Windows install. Metasploit works wonderfully against them.

This quote just sums up the whole problem with the segment:

--------------------
http://www.engineeringtalk.com/news/roc/roc254.html

"Manufacturers in increasingly regulated industries such as pharmaceuticals, personal care, food and beverages will appreciate the improved security features available when running RSView SE 3.0 under Windows 2000."
"Windows 2000 Authentication is a system-wide user group list, and users set up on this list can be added to RSView SE.
"This takes advantage of the high level of security provided by Windows 2000 and avoids the need to duplicate user accounts.
"For some critical operations, such as changing set points or downloading recipes, RSView SE requires operators to re-enter their user name and password, and can also require a second authorising "signature" before the changes take effect."
--------------------


------------------------------

Message: 4
Date: Thu, 16 Apr 2009 17:43:13 -0500
From: Chris Myers <clmmacunix@charter.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <96595AE8-28B2-43AB-8363-5FF5E4D9D009@charter.net>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Has nobody read "Web Security Sourcebook"? Sorry for the plug Marcus.

It is timeless in the fact that the Browser is no more secure today.
All I have to say is JAVASCRIPT. I deal with more email dung
vulnerabilities today than ever, so NO to the personal email, so go
somewhere else to do your personal recipe swapping.

Leave SCADA where it is secure from the window of the Internet and its
storefront shoppers. Notice I did not say secure from all eyes. You have
to realize the inside threat, but it is more manageable without getting
lost in a sea of faceless threats, which is my consternation over the
patch updates issue, because although it breaks stuff, there is always
the wily newbie trembling to see if the vulnerability exists on the
network. Here with no internet you can catch him much quicker, but it
still does not keep from the risk/cost of downtime.


Chris Myers
clmmacunix@charter.net


On Apr 16, 2009, at 11:04 AM, Paul D. Robertson wrote:

> On Thu, 16 Apr 2009, Brian Loe wrote:
>
>> On Wed, Apr 15, 2009 at 11:00 PM, Paul D. Robertson <paul@compuwar.net> wrote:
>>
>>> 1. I'm not sure "no more" fits in the definition- for instance a system
>>> that's designed to send company email can also send personal email- how
>>> does that make the system less reliable?
>>>
>>
>> It probably - or probably should - violates the company's appropriate
>> use policy. It may also induce a non-business reply, or forwards,
>> which may introduce spam and viruses.
>
> That doesn't necessarily affect its reliability, and I don't know that
> many places which don't allow some level of personal email these days.
>
>>>> That's not exactly true. A system that does exactly what it
>>>> is supposed to - no more, no less - is achievable. It's not
>>>
>>> I'm not sure it's achievable. General purpose systems are too flexible to
>>> be completely locked down. I can use my "Shift" key to play the Monty
>>> Python theme, certainly not a design goal...
>>
>> You don't put general purpose systems on a SCADA network. They don't
>> do email - nor do they have an email client installed. They are there
>> to do one thing, run the SCADA application. Everything else has been
>> removed or disabled.
>
> Windows systems are general-purpose, PCs are general-purpose computing
> systems. One of my customer's labs has lots of SCADA systems, most of
> them are Windows and some of them have email clients on them- because
> often the data has to come off the instrument and be used somewhere,
> another customer has process management systems that are Windows-based,
> and there's more on there than just the process programs for the
> production lines (though not much more- they're not a research environment
> like the first one- but the vendors don't always remove everything.)
>
> Not every SCADA device is PLC-based, more's the pity. Some folks have
> environments where the SCADA devices need to be able to talk to the
> business network to dump raw data into business-side systems that analyze
> and report on the data- and sometimes those folks don't look at security
> when they do their architecture because (a) the connection was a
> per-project thing that never got architected, (b) the only place with
> space was the regular network, or (c) nothing's ever happened.
>
> I know someone who shut down a large hub for a major shipping vendor with
> NMAP a few years ago- because it was all inter-connected. You're thinking
> best practice, and well there's a huge wall between current and best
> practice.
>
>> One could argue that you don't put general purpose systems on the
>> corporate network either. You put accounting systems in the accounting
>> department and HR systems in the HR department.
>
> Show me a computer that is only physically capable of running an
> accounting application. Pretty-much every computer these days is a
> general-purpose computer running a general purpose OS. Heck, the banks
> *require* Active-X enabled Web browsers for doing check deposits these
> days- accounting isn't what it used to be.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@compuwar.net which may have no basis whatsoever in fact."
> Moderator: Firewall-Wizards mailing list
> Art: http://PaulDRobertson.imagekind.com/
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 5
Date: Thu, 16 Apr 2009 13:37:35 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904161137r1798555el620bcb1ff9bdbbab@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Apr 16, 2009 at 11:04 AM, Paul D. Robertson <paul@compuwar.net> wrote:

>> It probably - or probably should - violates the company's appropriate
>> use policy. It may also induce a non-business reply, or forwards,
>> which may introduce spam and viruses.
>
> That doesn't necessarily affect its reliability, and I don't know that
> many places which don't allow some level of personal email these days.

It's not whether or not they allow it as much as they don't disallow
it - BEYOND a policy.

Perhaps yet another downside of all the fervor for government mandates
is that what we wound up with were a bunch of policy requirements that
required...policies! Exception forms. Etc.. Big deal! There's no
security there and we wind up with pencil pushing security admins who
have never considered, let alone argued, such theories as we are right
now. Instead they're former auditors that the CIO fell in love with.


>> You don't put general purpose systems on a SCADA network. They don't
>> do email - nor do they have an email client installed. They are there
>> to do one thing, run the SCADA application. Everything else has been
>> removed or disabled.
>
> Windows systems are general-purpose, PCs are general-purpose computing
> systems.

I believe we're talking past each other. Yes, Windows is a general
purpose operating system. Most PCs are general purpose machines.
However, your implementation of that OS on that hardware is not
generally FOR general purpose use. If, when you implement it, you set
the scope of its operation and mandate that this set scope does not
change without going through a full change management process, you
will not have general purpose systems on your SCADA network.

> One of my customer's labs has lots of SCADA systems, most of
> them are Windows and some of them have email clients on them- because
> often the data has to come off the instrument and be used somewhere,
> another customer has process management systems that are Windows-based,
> and there's more on there than just the process programs for the
> production lines (though not much more- they're not a research environment
> like the first one- but the vendors don't always remove everything.)

I have yet to see a system type that a business guy didn't want a
report from. How you provide those reports depends on what you are
after, I guess. In my case, where I am now, things could blow up and
KILL people if the SCADA network gets a virus (unlikely, but
PLAUSIBLE). At the last place a county would lose its power and at
certain times of the year a lot more would - or something could blow
up and KILL people. :) The business guy's need to get a report does
not override the requirement that the SCADA network does not get
connected to the corporate network, and therefore the Internet.

While I am a purist (it's almost official now) my current SCADA
network is required to feed a data logger. The implementation of that
logger, and the business' ability to pull data out of that logger, do
not lessen the SCADA network's security anymore than it absolutely has
to. And NO ONE has remote access.

>
>> One could argue that you don't put general purpose systems on the
>> corporate network either. You put accounting systems in the accounting
>> department and HR systems in the HR department.
>
> Show me a computer that is only physically capable of running an
> accounting application. Pretty-much every computer these days is a
> general-purpose computer running a general purpose OS. Heck, the banks
> *require* Active-X enabled Web browsers for doing check deposits these
> days- accounting isn't what it used to be.

Again, it's the scope of the implementation and your ability to
maintain and control it. What it starts out as (general purpose) does
not dictate what it winds up!


------------------------------

Message: 6
Date: Thu, 16 Apr 2009 13:42:00 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904161142m4e434d7cjaf69431646a94c98@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Apr 16, 2009 at 12:49 PM, Chris Blask <chris@blask.org> wrote:

> Not sure I follow you, here, since I think you know differently. There is Windows embedded directly into many SCADA devices, and there is nothing removed from it at all over a standard Windows install. Metasploit works wonderfully against them.

Actually we only have one embedded Windows device here and it shares
one basic characteristic with all of those at the power plant - they
weren't networked. I can't tell you what's running on them besides the
app because that's all you see and I have no ability to scan them.

As for the rest of the SCADA systems here, we will change their
configuration once we get them back from the OEM.

If the need arises, we're likely to provide the SCADA network with its
own AD environment.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 25
************************************************