Re: SCADA

["Daniel E. Hassler" <hassler () speakeasy net>]

OK - I may have misrepresented what I'm doing. I am not doing true 
SCADA. I have a system which is required to report electric meter 
readings securely over the internet from remote sites. Traffic is 
allowed to pass (only encrypted) from the Modbus network (which has no 
control devices) to the public internet. The gateway is sufficiently 
secure given the value of the data. It's low value residential/small 
business stuff but it is not supposed to be visible to outside parties 
so it must travel encrypted. Authentication is also important as we need 
to know the data is from the meter is says it's from. If you've ever 
purchased anything over the internet you obviously felt the level of 
protection offered was sufficient. I would say these systems are as 
secure as OpenBSD which is actually not good enough to allow true SCADA 
access to the internet. No remote holes - ever or keep it away from the 
internet is a good mantra. Since I don't believe anyone has sufficiently 
proved they have a system with zero remote holes ever possible other 
than a system with zero remote connections I too would recommend 
strongly the latter for true SCADA where perhaps a power grid or nuclear 
plant are involved. Common sense.

Dan Hassler

R. DuFresne wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wed, 15 Apr 2009, Daniel E. Hassler wrote:
>
> > OK - I expected this. As I stated I was/am not trolling. Heck - check 
> > the email headers - This noise is coming from Thunderbird on a WinXP 
> > Pro system. I don't expect this system is secure even with two 
> > different firewalls and an AV software product installed. Marcus - 
> > I've really enjoy your works/writings/postings and sincerely did not 
> > mean any offense.  I've read over and over about SCADA security 
> > issues but find practically nothing on the market to effectively 
> > address them. We can write a lot on the Firewall Wizards list about 
> > the woes of mixing today's connected business needs with yesterdays 
> > isolation is a form of security. My basic question is why aren't 
> > those who have a clue creating solutions to meet the business needs?  
> > This is where I think our time is better spent (and the.the $$$ are). 
> > If I can rephrase my original question it would be more like: "I 
> > think we can do better, If we build it will they come?"
>
>
> As I have read this thread, and a variety of otherrs over the years, I 
> keep coming to the conclusion that many seem to miss the point that 
> "those who have a clue" are ignored, or their chants/rants about how 
> to secure systems like SCADA are missed or ignored.  the point being 
> made early on and at various times in this version of the thread, 
> leave then off the corporate network and far far away from any 
> internet capable connection. Or have I misinterpreted the advice given 
> over the years on this topic specifically?
>
> Similair point to broader corporate network security, do not let 
> insecure protocols pass the perimiter.  Seems to me that these threads 
> keep popping up from time to time because folks just do not like the 
> answers they are getting from the clued.  Or, am I again misreading 
> and interpreting?
>
>
> Thanks,
>
>
> Ron DuFresne
> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629
>
> These things happened. They were glorious and they changed the world...,
> and then we fucked up the endgame.    --Charlie Wilson
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
>
> iD8DBQFJ8Ns4st+vzJSwZikRAjUDAJ4+Ba8Idt7d3AwT7N1NSRXsI81BKwCdE2YB
> gmlB6WGPQ8c022hR5tji+/s=
> =SXn2
> -----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards