Sunday, April 19, 2009

firewall-wizards Digest, Vol 36, Issue 29

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Chris Blask)
2. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Brian Loe)
3. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (ArkanoiD)
4. Re: SCADA (or: How I learned to love receiving FWW in digest
form) (Brian Loe)


----------------------------------------------------------------------

Message: 1
Date: Sat, 18 Apr 2009 07:43:18 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <181326.16538.qm@web33802.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


Brian Loe <knobdy@gmail.com> wrote:

> Spoken like a true bean counter! :)

It ain't sexy and it doesn't get you a lot of kudos but it's the most reliable approach. There's always my favorite ditty from a one-man play about WWI ace Billy Bishop that speaks to it:

"When you fight, stay as calm as the ocean
And watch what's going on behind your shoulder.
Remember war's not the place for deep emotion,
And you might get to be a little older."

> As I said later, I can't prevent all risks. While I might not install
> a workstation on the SCADA network with a removable drive and with all
> of the USB interfaces disabled, I can't provide a defense for an
> operator violating my security policy, risking his job, and physically
> installing a floppy drive he brought from home. I would, however, know
> that there is some kind of problem because my monitoring system would
> tell me so.

> I don't think that makes me less of a purist. That logger doesn't talk
> to people and people aren't able to talk to it. The systems it talks
> to are not allowed to carry on long conversations or use foreign
> languages.


It depends on definitions, but by a *pure* definition you have already crossed the line from purely separated networks to a thoughtful balance of risk mitigation and functionality. Marcus' friend would not be convinced.

> There are folks in my company that WANT remote access to the process
> network from their homes. I've proposed installing cameras, on the
> admin network, in the control rooms and pointing them at the
> controller's screens. :)


That isn't as silly as it sounds, if for no other reason than being obscure. Of course, someone could crack the video traffic, glean info and become interested in your site where they otherwise weren't, or leverage the information they learn from your screens to cause mischief elsewhere... ;~)

-chris
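
The detection point made above, that a monitoring system should notice when removable media turns up on a process-network host even though policy forbids it, as an added example that is not part of the original thread. It assumes the process-network hosts forward Linux kernel messages to a central syslog; the host names, the policy set PROCESS_NET_HOSTS and the log lines are constructed for illustration, and the message patterns are simplified from the real usb-storage, sd and floppy driver output.

```python
"""Flag removable-media attachments on process-network hosts from syslog lines.

Added example, not code from the firewall-wizards thread. Host names, the
policy set and the sample log lines below are constructed.
"""
import re
from dataclasses import dataclass

# Hosts on the process network where removable media is forbidden by policy
# (constructed names). Hosts not listed here are assumed to be on the admin
# network and are out of scope for this check.
PROCESS_NET_HOSTS = frozenset({"hmi-01", "hmi-02", "hist-01"})

# A forwarded syslog line: "<timestamp> <host> kernel: [<uptime>] <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[[ \d.]+\] )?(?P<msg>.*)$"
)

# Kernel messages that mean removable storage just appeared, tried in order.
# Formats are simplified from the Linux usb-storage, sd and floppy drivers.
SIGNATURES = (
    ("usb-storage", re.compile(r"usb-storage [\d.:-]+: USB Mass Storage device detected")),
    ("scsi-removable", re.compile(r"sd [\d:]+: \[sd[a-z]+\] Attached SCSI removable disk")),
    ("floppy", re.compile(r"Floppy drive\(s\): fd\d\S*")),
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    kind: str
    msg: str


def parse_line(line):
    """Split a syslog line into (timestamp, host, kernel message), or None."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    return m.group("ts"), m.group("host"), m.group("msg")


def classify(msg):
    """Return the name of the first removable-media signature that matches, or None.

    A plain 'New USB device found' line (keyboard, mouse) deliberately does not
    match: only storage attachments are policy violations here.
    """
    for kind, pattern in SIGNATURES:
        if pattern.search(msg):
            return kind
    return None


def scan(lines, hosts=PROCESS_NET_HOSTS):
    """Return an Alert for every removable-media event on an in-scope host."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a kernel message we understand
        ts, host, msg = parsed
        if host not in hosts:
            continue  # admin-network host: removable media is allowed there
        kind = classify(msg)
        if kind is not None:
            alerts.append(Alert(ts, host, kind, msg))
    return alerts


def hosts_with_removable_media(alerts):
    """Distinct in-scope hosts that had removable media attached, sorted."""
    return sorted({a.host for a in alerts})


# Constructed sample: one USB stick on hmi-01, a stick on an admin workstation
# (out of scope), a floppy controller appearing on hist-01, and a keyboard on
# hmi-02 that must not fire.
SAMPLE_LOG = [
    "Apr 18 07:41:02 hmi-01 kernel: [12345.678901] usb 1-1.3: New USB device found, idVendor=0781, idProduct=5567",
    "Apr 18 07:41:02 hmi-01 kernel: [12345.680000] usb-storage 1-1.3:1.0: USB Mass Storage device detected",
    "Apr 18 07:41:04 hmi-01 kernel: [12347.100000] sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Apr 18 08:02:11 eng-ws-04 kernel: [  999.000000] usb-storage 2-1:1.0: USB Mass Storage device detected",
    "Apr 18 09:15:30 hist-01 kernel: [    0.500000] Floppy drive(s): fd0 is 1.44M",
    "Apr 18 09:20:00 hmi-02 kernel: [    5.000000] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host}: {a.kind}: {a.msg}")
    print("hosts in violation:", hosts_with_removable_media(found))
```

The check is deliberately narrow: it keys on the driver messages that only appear when storage is attached, so ordinary USB input devices do not page anyone, and it scopes by host so the same rule can run over a combined syslog feed from both networks. A real deployment would also alert on a process-network host that stops forwarding kernel messages at all, since silence is the easiest way to defeat this kind of monitor.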



------------------------------

Message: 2
Date: Sat, 18 Apr 2009 09:31:34 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904180731g1728b7cmefa626f48d6996f5@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Sat, Apr 18, 2009 at 9:19 AM, Bret Watson <lists@ticm.com> wrote:

> <sarcasm>but it is so convenient when the operations guy can read emails
> whilst managing the system . Oh and management really likes to get those
> real-time pretty graphs...</sarcasm>
>
> Its amazing, but somehow SCADA always ends up getting connected - or even
> worse - running over corporate networks... Currently working with a critical
> infrastructure provider - exactly that problem, and their corporate strategy
> is to integrate it all further :(
>

My operators are able to do all of that while watching the plant.
There are two switches in every network box in the plant - one is a
Cisco switch on the "admin" network and the other is something else on
the process network. Each switch has its own fiber run back to the
data center.


------------------------------

Message: 3
Date: Sat, 18 Apr 2009 23:44:03 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090418194403.GA15479@eltex.net>
Content-Type: text/plain; charset=koi8-r

Well, and if your SCADA network runs across thousands of sites, how secure will it
be if the systems themselves are vulnerable? ;-) Even if there is no *known* internet
or modem link.. And you do not really know if some remote location uses some provider's
MPLS without applying its own tunneling and if that MPLS gets compromised because some
youngsters hacked the provider network. Or if someone decides to use a wifi
link because it takes some time to make a cable link across two buildings and he'd like
to get the thing working now.. etc etc..


------------------------------

Message: 4
Date: Sat, 18 Apr 2009 20:20:02 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW
in digest form)
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904181820l71181f82g20e725424cb262a0@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Sat, Apr 18, 2009 at 2:44 PM, ArkanoiD <ark@eltex.net> wrote:
> Well, and if your SCADA network runs across thousands of sites, how secure will it
> be if the systems themselves are vulnerable? ;-) Even if there is no *known* internet
> or modem link.. And you do not really know if some remote location uses some provider's
> MPLS without applying its own tunneling and if that MPLS gets compromised because some
> youngsters hacked the provider network. Or if someone decides to use a wifi
> link because it takes some time to make a cable link across two buildings and he'd like
> to get the thing working now.. etc etc..

That's where the "homeland security" group of morons should be
applying their energies - creating regulations for how and what can be
connected to the country's power grid that we are ALL dependent on.


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 29
************************************************
