funsec mailing list archives
Re: Bad (Insecure) Business Decisions [Was: Re: IPv6, C&C (not bot nets, coffee and cats)]
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 30 Jun 2007 05:14:51 -0400
On 6/30/07, Brian Loe <knobdy () gmail com> wrote:
> On 6/29/07, Paul Ferguson <fergdawg () netzero net> wrote:
> > True enough.
> >
> > I've a number of conversations with several people on this issue
> > in the past few months that go something along the lines of:
> >
> > Me: "You'd be shocked if you knew the extent of the problem."
> > Them: "Huh? Aren't critical systems like electrical power, etc.
> > not connected to the Internet?"
> > Me: "You'd think they wouldn't be, but you'd be wrong."
> >
> > Some astoundingly stupid business decisions may put critical
> > infrastructure at risk?
>
> Absolutely - and decisions often made by management and not the
> engineers. Some of it is for ease of use, so an electrical engineer
> can monitor a pump station or a power substation from his desk,
> "We'll just put sensors on this network - and it will have its own
> VLAN, that's safe." <skip a year> "We need to be able to control
> that pump ASAP - do what you have to do."
Agreed, it's not just ease of use, but cost of development. JCI or Johnson Controls used to have a proprietary OS that used BACNET for communication. Sometime around 2004 they decided that EmbeddedXP with IIS' www and smtp services would be much less costly to use. They didn't however think about how they would patch these systems.

Of course any sane person would have a private network for their building controls, but still that only makes you as secure if you control physical access to all of your ethernet cables.

-JP<who started bitchin about this when some place swapped out the Fume Hood controls with EmbeddedXP systems>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.