[Fwd: Question]


[Fwd: Question]

by Marcus J. Ranum

I just thought I'd send this along to the list, because it had
me laughing into my coffee. My friend Olaf is not a security
practitioner. He's not even an IT guy. He's an artist and a
professional photographer.

I just love the way that any person with a brain who
encounters this internet security stuff can immediately
cut to the core of the problem as Olaf does below:

-------- Original Message --------
Subject: Question
Date: Wed, 8 Apr 2009 08:41:39 -0400
From: Olaf S <lightdesigner@---->
Reply-To: lightdesigner@----
To: Ranum Marcus <mjr@...>




So, I'm watching a piece on the news this morning that "hackers" from
China, Russia, Korea and maybe others have got into the computers that
control the electrical grid.  My question is why the fuck are these
computers connected to the internet?

Olaf S



--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: [Fwd: Question]

by AMuse

Marcus: Sadly he's exactly right in asking that!  Of course the answer
is simple.. broadband over powerline.  The hidden downside is the
electrical grid IS the internet!  ;)

Marcus J. Ranum wrote:

> I just thought I'd send this along to the list, because it had
> me laughing into my coffee. My friend Olaf is not a security
> practitioner. He's not even an IT guy. He's an artist and a
> professional photographer.
>
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:
>
> -------- Original Message --------
> Subject:     Question
> Date:     Wed, 8 Apr 2009 08:41:39 -0400
> From:     Olaf S <lightdesigner@---->
> Reply-To:     lightdesigner@----
> To:     Ranum Marcus <mjr@...>
>
>
>
>
> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid.  My question is why the fuck are these
> computers connected to the internet?
>
> Olaf S
>
>
>

Re: [Fwd: Question]

by Chris Blask


Marcus J. Ranum <mjr@...> wrote:


.d.
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:


A lot of it doesn't require us to actually show up and write a thesis to fix, that's for sure.  But the real answer for Olaf is twofold, sure, part one is a knee-slapper but part two is a chin-scratcher:

1/  They shouldn't be but someone screwed up.

and/or

2/  If it's not a screwup (HMI with a live modem, etc...) then it may be that the control system network is connected to the corporate network, and that one is connected to the Internet.  Even where this is absolutely necessary for business purposes, and has been implemented at least reasonably well, it is at best a struggle between those who want to protect and those who want to disrupt.  Frankly, many of these sites have not put enough effort into security to compensate for their business needs for external connectivity.

It's not as simple as saying "they shouldn't be connected to anything".  Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable.   The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.

-chris

>> From:     Olaf S <lightdesigner@---->


> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid.  My question is why the fuck are these
> computers connected to the internet?


     

Re: [Fwd: Question]

by Marcin Antkiewicz

> Marcus: Sadly he's exactly right in asking that!  Of course the answer is
> simple.. broadband over powerline.  The hidden downside is the electrical
> grid IS the internet!  ;)

With the advancement of automated metering, it will be wireless too!
Tesla rejoices.

Re: [Fwd: Question]

by Brian Loe-2

On Wed, Apr 8, 2009 at 3:16 PM, Chris Blask <chris@...> wrote:

>
> A lot of it doesn't require us to actually show up and write a thesis to fix, that's for sure.  But the real answer for Olaf is twofold, sure, part one is a knee-slapper but part two is a chin-scratcher:
>
> 1/  They shouldn't be but someone screwed up.
>
> and/or
>
> 2/  If it's not a screwup (HMI with a live modem, etc...) then it may be that the control system network is connected to the corporate network, and that one is connected to the Internet.  Even where this is absolutely necessary for business purposes, and has been implemented at least reasonably well, it is at best a struggle between those who want to protect and those who want to disrupt.  Frankly, many of these sites have not put enough effort into security to compensate for their business needs for external connectivity.
>
> It's not as simple as saying "they shouldn't be connected to anything".  Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable.   The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>
> -chris

I don't know how many of you have worked with process and control
networks, let alone SCADA networks at a power producer. I do know that
I have. In both cases there is generally only ONE need for the two
networks to ever touch physically or logically - data logging reports.
This should always be done with the data logger placed into a DMZ. The
DMZ should not allow anything from the A network into the B network or
vice versa. No connections should originate from the DMZ. This has
been done and works well. Often you don't even run anti-virus on the
process control or SCADA networks as there's VIRTUALLY no way for them
to get a virus.

Frankly, if you're told there's a business "need" for access to the
process network call BS on whoever is saying it. I've done that in my
current position three times. The plant managers just can't understand
how it can be so expensive for them to watch operations from their
homes because, "the last place I worked they just used that program
called PCAnywhere...."!!

Re: [Fwd: Question]

by Chris Blask


Brian Loe <knobdy@...> wrote:

> I don't know how many of you have worked with process and control
> networks, let alone SCADA networks at a power producer. I do know that
> I have. In both cases there is generally only ONE need for the two
> networks to ever touch physically or logically - data logging reports.
> This should always be done with the data logger placed into a DMZ. The
> DMZ should not allow anything from the A network into the B network or
> vice versa. No connections should originate from the DMZ. This has
> been done and works well. Often you don't even run anti-virus on the
> process control or SCADA networks as there's VIRTUALLY no way for them
> to get a virus.


What you are saying is that these networks *do* in fact connect to the Internet by way of the business networks...

...but that you did it intelligently.

That there's my point.

The definition of "not connected to the outside world" is either black (not/air gap/can't-get-there-from-here) or important shades of gray (like you said/PCAnywhere/HMIs with modems/...).  

I had a very interesting knock-down-drag-out whiteboard argument with a control system VAR over whether the network they had installed in a sensitive context was connected to the outside world or not.  His opinion - "it absolutely is not" - was eventually clarified to "ok, it certainly is, but it's not a problem because we have a PIX 515 between them".  Not "A PIX configured with a DMZ to only allow the necessary and logical traffic...", just "a PIX installed".

None of this will make Olaf completely happy...

-chris


     

Re: [Fwd: Question]

by ArkanoiD

Finally something on the list not related to "how do i configure my PIX" ;-)
I wonder what happened? We used to have interesting discussions here
years ago, and now everything is reduced to PIX setup?

P.S. I hate PIX. (and ASA too). Cannot imagine a single case for it to
be optimal solution. But even that is not what i'd like to discuss ;-)

On Wed, Apr 08, 2009 at 04:14:44PM -0400, Marcus J. Ranum wrote:

> I just thought I'd send this along to the list, because it had
> me laughing into my coffee. My friend Olaf is not a security
> practitioner. He's not even an IT guy. He's an artist and a
> professional photographer.
>
> I just love the way that any person with a brain who
> encounters this internet security stuff can immediately
> cut to the core of the problem as Olaf does below:
>
> -------- Original Message --------
> Subject: Question
> Date: Wed, 8 Apr 2009 08:41:39 -0400
> From: Olaf S <lightdesigner@---->
> Reply-To: lightdesigner@----
> To: Ranum Marcus <mjr@...>
>
>
>
>
> So, I'm watching a piece on the news this morning that "hackers" from
> China, Russia, Korea and maybe others have got into the computers that
> control the electrical grid.  My question is why the fuck are these
> computers connected to the internet?
>
> Olaf S
>
>
>
> --
> Marcus J. Ranum CSO, Tenable Network Security, Inc.
> http://www.tenablesecurity.com


Re: [Fwd: Question]

by ArkanoiD

A friend of mine is head admin at Russian power grid (FSK, "Federal Grid Company"). He assures me the SCADA
really *is* not connected to anything ;-)

On Wed, Apr 08, 2009 at 01:16:21PM -0700, Chris Blask wrote:
>
> It's not as simple as saying "they shouldn't be connected to anything".  Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable.   The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>


Re: [Fwd: Question]

by Anton Chuvakin

> A friend of mine is head admin at Russian power grid (FSK, "Federal Grid Company"). He assures me the SCADA
> really *is* not connected to anything ;-)

Surely, you mean:

... *THEIR* SCADA is not connected *YET*.


>
> On Wed, Apr 08, 2009 at 01:16:21PM -0700, Chris Blask wrote:
>>
>> It's not as simple as saying "they shouldn't be connected to anything".  Beyond nuke generation (which is very much not connected to anything) you have hundreds of thousands of control system networks in the country and running each of these in air-gap isolation is not something that has been economically viable.   The number of sites that can be completely isolated will always be a minority, the rest we will need to do better with.
>>
>



--
    Anton Chuvakin, Ph.D
   http://www.chuvakin.org
http://chuvakin.blogspot.com
  http://www.info-secure.org

Re: [Fwd: Question]

by Chris Blask-2


Anton Chuvakin <anton@...> wrote:


> Surely, you mean:

> ... *THEIR* SCADA is not connected *YET*.

"...as far as they know..."


     

Re: [Fwd: Question]

by Jean-Denis Gorin


I also remember [1] the split of the original Firewalls list to Firewalls and
FW-Wizards because there were too many messages about firewall solutions
configurations...

BTW, does the original Firewalls list still exist?

[1] Yes, I'm a very long time lurker!

> -----Original Message-----
> From: firewall-wizards-bounces@...
> [mailto:firewall-wizards-bounces@...] On
> Behalf Of ArkanoiD
> Sent: Friday, April 10, 2009 3:10 PM
> To: mjr@...; Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] [Fwd: Question]
>
> Finally something on the list not related to "how do i
> configure my PIX" ;-)
> I wonder what happened? We used to have interesting discussions here
> years ago, and now everything is reduced to PIX setup?
>
> P.S. I hate PIX. (and ASA too). Cannot imagine a single case for it to
> be optimal solution. But even that is not what i'd like to discuss ;-)
>
> On Wed, Apr 08, 2009 at 04:14:44PM -0400, Marcus J. Ranum wrote:
> > I just thought I'd send this along to the list, because it had
> > me laughing into my coffee. My friend Olaf is not a security
> > practitioner. He's not even an IT guy. He's an artist and a
> > professional photographer.
> >
> > I just love the way that any person with a brain who
> > encounters this internet security stuff can immediately
> > cut to the core of the problem as Olaf does below:
> >
> > -------- Original Message --------
> > Subject: Question
> > Date: Wed, 8 Apr 2009 08:41:39 -0400
> > From: Olaf S <lightdesigner@---->
> > Reply-To: lightdesigner@----
> > To: Ranum Marcus <mjr@...>
> >
> >
> >
> >
> > So, I'm watching a piece on the news this morning that
> > "hackers" from China, Russia, Korea and maybe others have
> > got into the computers that control the electrical grid.
> > My question is why the fuck are these computers connected
> > to the internet?
> >
> > Olaf S
> >
> >
> >
> > --
> > Marcus J. Ranum CSO, Tenable Network Security, Inc.
> > http://www.tenablesecurity.com

Reality is that which, when you stop believing in it, doesn't go away.
Philip K. Dick

Re: [Fwd: Question]

by Paul D. Robertson-2

Jean-Denis Gorin wrote:
> I also remember [1] the split of the original Firewalls list to Firewalls and
> FW-Wizards because there were too many messages about firewall solutions
> configurations...
>
> BTW, does the original Firewalls list still exist?

When I last looked I couldn't find it at ISC, where it'd eventually
moved to.

I've tried to balance operational questions with the few theoretical
ones there are and the occasional rant thread.

> [1] Yes, I'm a very long time lurker!

Once again, I'd like to publicly state that if you want to see
interesting threads on the list, you have to de-lurk and start some.  If
nothing else, it'd change the Pix/Interesting ratio...

Paul
--
President and Chairman, FluidIT Group
Moderator, Firewall-Wizards.  Editor, Network Firewall FAQ
Art:   http://PaulDRobertson.imagekind.com/

SCADA

by Kaas, David D

 
We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open.  Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network.  We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.

How do you answer this without just saying NO?

Thank you,

Dave


Re: SCADA

by Anton Chuvakin

> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet.
>...
>We have some owners of these networks that would like the firewalls to be more open.
>...
> How do you answer this without just saying NO?

I refuse to believe this is not "Ranum-bait" :-)

--
    Anton Chuvakin, Ph.D
   http://www.chuvakin.org
http://chuvakin.blogspot.com
  http://www.info-secure.org

Re: SCADA

by Marcus J. Ranum

Kaas, David D wrote:
> How do you answer this without just saying NO?


You might start by pointing them to all the articles
from last week, about the (insert favorite asiatic threat here)
who are all over the power grid's SCADA systems: "they did
what you want to do."

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

Re: SCADA

by Brian Loe-2

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@...> wrote:
>
> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open.  Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network.  We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.
>
> How do you answer this without just saying NO?
>
> Thank you,
>
> Dave

You just say no. Their MS updates aren't important. If it's truly
segregated from the corporate network, their machines do not need
antivirus. A SCADA network should not even connect to your corporate
network for ANYTHING - or vice versa. We have a data logger system
that needs to be able to talk to both networks, it's in a DMZ with TWO
firewalls between the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that
system and only on the designated ports for the data logging
application (which isn't the same on both networks).

With the latest news of China breaching our power (SCADA) networks you
would think people wouldn't be so stupid as to ask for this kind of
access!
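
The data-logger DMZ rules described in this message and in Brian Loe's earlier one (nothing passes directly between the control and corporate networks, nothing originates from the DMZ, and each side reaches only the logger on its own designated port), written as a rule audit. This is an added example, not part of the original post or any poster's configuration; the addresses, ports and rule names are constructed, and each permit is judged on its own without modelling first-match order.

```python
"""Audit firewall permits against a two-sided DMZ data-logger layout.
Added example: zones, addresses, ports and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zones (assumptions, not taken from the thread).
ZONES = {
    "control":   ip_network("10.10.0.0/24"),   # SCADA / process network
    "dmz":       ip_network("10.20.0.0/24"),
    "corporate": ip_network("10.30.0.0/24"),
}
LOGGER = ip_network("10.20.0.5/32")            # data logger host in the DMZ
# Designated logger port per side; the two sides do not share a port.
LOGGER_PORT = {"control": 5140, "corporate": 8443}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    port: object    # int, or "any"
    action: str     # "permit" or "deny"


def zones_touched(cidr):
    """Names of every zone that a (possibly broad) CIDR overlaps."""
    net = ip_network(cidr)
    return [name for name, zone in ZONES.items() if net.overlaps(zone)]


def audit(rules):
    """Return (rule name, finding) pairs for permits that break the layout."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        dst_net = ip_network(r.dst)
        for s in zones_touched(r.src):
            for d in zones_touched(r.dst):
                if s == d:
                    continue  # intra-zone traffic is out of scope here
                if s == "dmz":
                    msg = f"connection originates from DMZ toward {d}"
                elif d != "dmz":
                    msg = f"direct path {s} -> {d} bypasses the DMZ"
                elif dst_net != LOGGER:
                    msg = f"{s} -> DMZ destination is wider than the logger host"
                elif r.port != LOGGER_PORT[s]:
                    msg = f"{s} -> logger on port {r.port}, expected {LOGGER_PORT[s]}"
                else:
                    continue  # the one allowed flow for this side
                findings.append((r.name, msg))
    return findings


# Constructed rule sets: one that matches the layout, one that does not.
GOOD = [
    Rule("scada-to-logger", "10.10.0.0/24", "10.20.0.5/32", 5140, "permit"),
    Rule("corp-to-logger", "10.30.0.0/24", "10.20.0.5/32", 8443, "permit"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]
BAD = [
    # 5631 is pcAnywhere's TCP port; the rule itself is constructed.
    Rule("remote-desktop", "10.30.0.0/24", "10.10.0.0/24", 5631, "permit"),
    Rule("logger-push", "10.20.0.5/32", "10.30.0.0/24", 1433, "permit"),
    Rule("corp-to-dmz-any", "10.30.0.0/24", "10.20.0.0/24", 8443, "permit"),
    Rule("scada-wrong-port", "10.10.0.0/24", "10.20.0.5/32", 445, "permit"),
]

if __name__ == "__main__":
    for name, finding in audit(BAD):
        print(f"{name}: {finding}")
```

A single "permit any any" rule produces six findings, one per ordered pair of zones, which is the gap between "a PIX installed" and a PIX configured for this layout.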

Re: SCADA

by Steven Bellovin

On Tue, 14 Apr 2009 09:06:09 -0700
Anton Chuvakin <anton@...> wrote:

> > We have a few SCADA and process control networks firewalled from
> > our corporate network which is connected to the Internet.
> >...
> >We have some owners of these networks that would like the firewalls
> >to be more open. ...
> > How do you answer this without just saying NO?
>
> I refuse to believe this is not "Ranum-bait" :-)
>
See
http://voices.washingtonpost.com/securityfix/2009/04/report_china_russia_top_source.html?wprss=securityfix
on scanning for SCADA systems.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: SCADA

by Marcus J. Ranum

Brian Loe wrote:
> We have a data logger system
> that needs to be able to talk to both networks, it's in a DMZ with TWO
> firewalls between the corporate network and the control network.

BTW - I know your data logging application is not syslog, but - in
case the problem ever comes up for someone on this list, I've published
the source for "plog" on my website. It's in my code archives on:
http://www.ranum.com/security/computer_security/code/
"Plog is a promiscuous syslog listener. It sucks UDP syslog packets up
off a network, rips the message screaming and kicking out of the packet
body, and stuffs it into /dev/log. This program supports a bare minimum
of options. Be very careful you do not use plog to inject messages into
a syslog server that forwards the messages to a loghost over a network!
It will hurt! (the good news is you'll get lots of log messages..)"

Oddly, plog works faster than regular UDP syslog on some systems,
because the bpf implementations are sometimes faster than the UDP
stack.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

Re: SCADA

by Bertolett, Richard

While I agree that the level of access the original poster was...a bit too open, I cannot really agree with Mr. Loe's position either.

Security, particularly cyber-security, is best implemented in layers.  So yes, you do need an anti-virus system, and yes, you do need to apply MS security patches, and you do need firewalls, a DMZ, and ways to keep the users from doing things on SCADA computers that they should not be doing.  But easy should never be a driver in security decisions, it is much more secure to retrieve patches and virus sigs from an internal server, say little of the internet connection bandwidth usage.

That said, the reality is that as reporting becomes just as mission critical as electricity or water or oil or gas delivery, unfortunately, you can't just 'sneakernet' all the reporting data.  SCADA historical data in raw form is like drinking from a fire hose.  So you have to distill it some way, and push it into a DMZ and then out to a database server on the business network some way, so it can be combined with other data, sliced and diced, and mushed into reports.  Why couldn't the connections allowed thru the firewall be outgoing only?  Then you need to make sure the destination server on the business network is secure of course, but you're already doing that, yes?

There are other ways to support a SCADA network remotely other than through the internet, maybe they are as fast, maybe not.  But that is a cost of basic security.  

Rick Bertolett
Austin Water Utility

-----Original Message-----
From: firewall-wizards-bounces@... [mailto:firewall-wizards-bounces@...] On Behalf Of Brian Loe
Sent: Tuesday, April 14, 2009 11:18 AM
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@...> wrote:
>
> We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open.  Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network.  We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.
>
> How do you answer this without just saying NO?
>
> Thank you,
>
> Dave

You just say no. Their MS updates aren't important. If it's truly segregated from the corporate network, their machines do not need antivirus. A SCADA network should not even connect to your corporate network for ANYTHING - or vice versa. We have a data logger system that needs to be able to talk to both networks, it's in a DMZ with TWO firewalls between the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that system and only on the designated ports for the data logging application (which isn't the same on both networks).

With the latest news of China breaching our power (SCADA) networks you would think people wouldn't be so stupid as to ask for this kind of access!

Re: SCADA

by Sam Golden

-----Original Message-----
From: firewall-wizards-bounces@... [mailto:firewall-wizards-bounces@...] On Behalf Of Brian Loe
Sent: Tuesday, April 14, 2009 11:18 AM
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@...> wrote:

How do you answer this without just saying NO?


I have no idea of what the SCADA networks are to which you refer.

What I do know is that not all SCADA networks are critical infrastructure networks that messing-with would cause a "Great Blackout of 1965" or worse.

Some SCADA networks control one little machine which makes something.

Protecting the National Critical Infrastructure is different from protecting that one little machine. 

And so, one treats access to these two differently according to the risks and benefits of the access requested.

Regards,

Sammy
