funsec mailing list archives

Re: Bad (Insecure) Business Decisions [Was: Re: IPv6, C&C (not bot nets, coffee and cats)]


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 30 Jun 2007 05:14:51 -0400

On 6/30/07, Brian Loe <knobdy () gmail com> wrote:
> On 6/29/07, Paul Ferguson <fergdawg () netzero net> wrote:
>
> > True enough.
> >
> > I've a number of conversations with several people on this issue
> > in the past few months that go something along the lines of:
> >
> > Me: "You'd be shocked if you knew the extent of the problem."
> > Them: "Huh? Aren't critical systems like electrical power, etc.
> > not connected to the Internet?"
> > Me: "You'd think they wouldn't be, but you'd be wrong."
> >
> > Some astoundingly stupid business decisions may put critical
> > infrastructure at risk?
>
> Absolutely - and decisions often made by management and not the
> engineers. Some of it is for ease of use, so an electrical engineer
> can monitor a pump station or a power substation from his desk, "We'll
> just put sensors on this network - and it will have its own VLAN,
> that's safe." <skip a year> "We need to be able to control that pump
> ASAP - do what you have to do."


Agreed, it's not just ease of use, but cost of development. JCI or
Johnson Controls used to have a proprietary OS that used BACNET for
communication. Sometime around 2004 they decided that EmbeddedXP with
IIS' www and smtp services would be much less costly to use. They
didn't however think about how they would patch these systems.

Of course any sane person would have a private network for their
building controls, but still that only makes you as secure as your
control of physical access to all of your ethernet cables.

-JP<who started bitchin about this when some place swapped out the
Fume Hood controls with EmbeddedXP systems>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.