Friday, April 24, 2009

firewall-wizards Digest, Vol 36, Issue 34

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Chris Blask)
2. Re: SCADA (R. DuFresne)
3. Re: Who stay focused? (was: [Fwd: Question]) (R. DuFresne)
4. Re: SCADA (R. DuFresne)
5. Re: SCADA (R. DuFresne)
6. Re: SCADA (R. DuFresne)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Apr 2009 15:18:50 -0700 (PDT)
From: Chris Blask <wobblingmoon@yahoo.com>
Subject: Re: [fw-wiz] SCADA
To: "R. DuFresne" <dufresne@sysinfo.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <166573.45769.qm@web33805.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii


From: R. DuFresne <dufresne@sysinfo.com> wrote:

> Which again begs the question; why windows systems?

Because the vendors the facility owners have trusted for years have built it into their devices.

You get into these circular discussions with many folks involved in Control Systems/SCADA:

"It's not a computer, it's an HMI."
"Um, it has Windows on it. It has Solitaire installed. It has Notepad. I could run video games on it. It's a computer".
"No it isn't, it's an HMI. Besides, it works so don't flippin' touch it or I'll escort you off the property."

The folks who own IT networks have nothing on the average set of folks running SCADA networks. If you think you've been frustrated trying to secure an IT network you ain't seen nothing, yet.

-chris



------------------------------

Message: 2
Date: Thu, 23 Apr 2009 16:48:00 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] SCADA
To: Chris Blask <chris@blask.org>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904231647010.30560@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Apr 2009, Chris Blask wrote:

>
> Daniel E. Hassler <hassler@speakeasy.net> wrote:
>
>> Forgive my ignorance but why is SCADA even allowed to run on a Windows host? IMHO - when industry insists (i.e. $$$ on the table) on secure alternatives can and will become available.
>
>
> Many manufacturers have used Windows as an embedded component of SCADA devices such as Human Machine Interfaces (HMIs - the gadgets that produce the touchscreen management interface for operators). Moreover, industry has not insisted on secure alternatives in control systems, period. In fact, industry continues to be overwhelmingly resistant to any changes to their existing systems - reliability is many times more important to them as a group than security.


Which again begs the question; why windows systems?


Thanks,


Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ8NQDst+vzJSwZikRAjRKAJ9DPs1OpgPDsu+y26C5HXmXk+NfYgCfV1Fq
tlEVRKNE3o6qU+WZ9WsS+Qs=
=ri61
-----END PGP SIGNATURE-----


------------------------------

Message: 3
Date: Thu, 23 Apr 2009 16:52:04 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] Who stay focused? (was: [Fwd: Question])
To: Brian Loe <knobdy@gmail.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904231649330.30560@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Apr 2009, Brian Loe wrote:

>
> Instead use your change management policy to request the changes you
> want to make or the access a user wants. Then if bad decisions are
> made by other people they are documented as to who is responsible for
> the resulting evil!
>
> I could care less what my employer wants to do, so long as I have
> informed them of my opinion and accountability for their stupidity has
> been assigned to someone else.


This assumes two poiots though, that the BIG guys up there have integrity
and have taken responsiblity for their decisions. I seldom find either f
those to be the case and have seen cases whence the "stupidity" still
rests on the techies shoulders as "they failed to properly inform me of
the error of my ways".

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ8NT2st+vzJSwZikRAoykAKDWimA7PIbs24RiAmzsF02XvxXrfQCgnrPh
idbeb9eDqgQz5WYiKjqhwDY=
=ORUK
-----END PGP SIGNATURE-----


------------------------------

Message: 4
Date: Thu, 23 Apr 2009 16:56:49 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] SCADA
To: "Daniel E. Hassler" <hassler@speakeasy.net>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904231655370.30560@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Apr 2009, Daniel E. Hassler wrote:

> I agree with your observations but how can an insecure system be considered
> reliable?


The same way a windows OS can be considered "reliable"?


Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ8NYUst+vzJSwZikRArZOAJ4/Vhv1JL8l1eb8ztpMbKcayE7M2gCdGF8+
uiy3lnkD/fCeAedMVvV2/es=
=U+5s
-----END PGP SIGNATURE-----


------------------------------

Message: 5
Date: Thu, 23 Apr 2009 17:03:56 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] SCADA
To: "Bill McGee (bam)" <bam@cisco.com>
Cc: Chris Blask <chris@blask.org>, Firewall Wizards Security Mailing
List <firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904231659500.30560@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Apr 2009, Bill McGee (bam) wrote:

> And what, exactly, is 'reliable'? The only reasonable definition I can think of is one that hasn't been broken into 'YET'. Like has been said before, unless you disassemble your machine, embed it into a cement and glass matrix, and dump it in the ocean, there is no such thing as 'secure' - and even then... Everything else involves degrees of risk balanced with the need to actually conduct business.
>
> In spite of what some of the purists on this list might imply, security is a trade-off, and every naive administrator believes his/her network to be 'secure' until it isn't. The rest of us manage risk and try our best to reduce the cost of risk to a level below the value of the business being conducted. Our job as security professionals is to help organizations reduce that risk as much as possible. Anyone selling anything else is hawking snake oil.
>


I'm not sure that with many outside security that reliable equates with
security in mind. More often it equates with uptime, or time between
reboots due to system hangs. Point being, one can not simply ask how
reliable is it, without adding more to the context of the questing
evaluation. "One man's garbage being another's treasure"...

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ8Ne/st+vzJSwZikRAhVPAJ0UBuLl+cB6y/y8fMh7ycMA1E8IFQCgsi9T
dd+Ky2EvbzvD1MtFQn3M410=
=RpJV
-----END PGP SIGNATURE-----


------------------------------

Message: 6
Date: Thu, 23 Apr 2009 17:18:45 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] SCADA
To: "Daniel E. Hassler" <hassler@speakeasy.net>
Cc: mjr@ranum.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904231712070.30560@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Apr 2009, Daniel E. Hassler wrote:

> OK - I expected this. As I stated I was/am not trolling. Heck - check the
> email headers - This noise is coming from Thunderbird on a WinXP Pro system.
> I don't expect this system is secure even with two different firewalls and an
> AV software product installed. Marcus - I've really enjoy your
> works/writings/postings and sincerely did not mean any offense. I've read
> over and over about SCADA security issues but find practically nothing on the
> market to effectively address them. We can write a lot on the Firewall
> Wizards list about the woes of mixing today's connected business needs with
> yesterdays isolation is a form of security. My basic question is why aren't
> those who have a clue creating solutions to meet the business needs? This is
> where I think our time is better spent (and the.the $$$ are). If I can
> rephrase my original question it would be more like: "I think we can do
> better, If we build it will they come?"
>


As I have read this thread, and a variety of otherrs over the years, I
keep coming to the conclusion that many seem to miss the point that "those
who have a clue" are ignored, or their chants/rants about how to secure
systems like SCADA are missed or ignored. the point being made early on
and at various times in this version of the thread, leave then off the
corporate network and far far away from any internet capable connection.
Or have I misinterpreted the advice given over the years on this topic
specifically?

Similair point to broader corporate network security, do not let insecure
protocols pass the perimiter. Seems to me that these threads keep popping
up from time to time because folks just do not like the answers they are
getting from the clued. Or, am I again misreading and interpreting?


Thanks,


Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFJ8Ns4st+vzJSwZikRAjUDAJ4+Ba8Idt7d3AwT7N1NSRXsI81BKwCdE2YB
gmlB6WGPQ8c022hR5tji+/s=
=SXn2
-----END PGP SIGNATURE-----


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 34
************************************************

No comments:

Post a Comment