Firewall Wizards mailing list archives
Re: SCADA
From: Chris Blask <chris () blask org>
Date: Sat, 18 Apr 2009 07:43:18 -0700 (PDT)
Brian Loe <knobdy () gmail com> wrote:
Spoken like a true bean counter! :)
It ain't sexy and it doesn't get you a lot of kudos but it's the most reliable approach. There's always my favorite ditty from a one-man play about WWI Ace Billy Bishop that speaks to it:

"When you fight, stay as calm as the ocean
And watch what's going on behind your shoulder.
Remember war's not the place for deep emotion,
And you might get to be a little older."

As I said later, I can't prevent all risks. While I might not install a workstation on the SCADA network with a removable drive and with all of the USB interfaces disabled, I can't provide a defense for an operator violating my security policy, risking his job, and physically installing a floppy drive he brought from home. I would, however, know that there is some kind of problem because my monitoring system would tell me so.
I don't think that makes me less of a purist. That logger doesn't talk to people and people aren't able to talk to it. The systems it talks to are not allowed to carry on long conversations or use foreign languages.
It depends on definitions, but by a *pure* definition you have already crossed the line from purely separated networks to a thoughtful balance of risk mitigation and functionality. Marcus' friend would not be convinced.
There are folks in my company that WANT remote access to the process network from their homes. I've proposed installing cameras, on the admin network, in the control rooms and pointing them at the controller's screens. :)
That isn't as silly as it sounds, if for no other reason than being obscure. Of course, someone could crack the video traffic, glean info and become interested in your site where they otherwise weren't, or leverage the information they learn from your screens to cause mischief elsewhere... ;~)

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards