Re: SCADA (or: How I learned to love receiving FWW in digest form)


Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Mike Barkett-2

Yeah, I know the subject line makes me sound like a fuddy-duddy.  Anyway, because this is apparently a last-one-to-post-wins thread, I figured I'd chime in.

It seems that all of us subscribe to differing degrees of the same possibly incorrect notion... that all systems must be connected to something.  If a system risks failure due to being connected to an infrastructure that will also fail along with it, then maybe the net value of such connectivity is greatly diminished.  I believe Marcus' artist friend rather elegantly made a similar point.

We've already talked about solving the logging problem with physical air gaps and a connectionless logger.  Save for physical access and possibly a dedicated leased line to an isolated emergency outpost (for example, to try to remediate things if physical access is too dangerous for humans, or to manually apply patches IF applicable), why introduce any additional risk?

-MAB
_______________________________________________
firewall-wizards mailing list
firewall-wizards@...
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Dotzero

On Fri, Apr 17, 2009 at 11:23 AM, Mike Barkett
<mbarkett@...> wrote:
> Yeah, I know the subject line makes me sound like a fuddy-duddy.  Anyway, because this is apparently a last-one-to-post-wins thread, I figured I'd chime in.
>
> It seems that all of us subscribe to differing degrees of the same possibly incorrect notion... that all systems must be connected to something.  If a system risks failure due to being connected to an infrastructure that will also fail along with it, then maybe the net value of such connectivity is greatly diminished.  I believe Marcus' artist friend rather elegantly made a similar point.
>

Systems do not have to be connected to anything..... as long as one
accepts the tradeoffs involved (just as there are tradeoffs to
deciding something should be connected).

All things being equal and there not being an incident in the news,
would Marcus' artist friend agree to a 10% or 20% increase in his
utility bills to have "proper security" (however one defines this)? I
seriously doubt the average person is willing to pay for that extra
security until after an incident (well, if I had known THAT was going
to happen.....). Remember the days when customer support was unlimited
and free when you bought software? And then it became free for 90
days.... and then it became free if you were willing to post to a
forum......

> We've already talked about solving the logging problem with physical air gaps and a connectionless logger.  Save for physical access and possibly a dedicated leased line to an isolated emergency outpost (for example, to try to remediate things if physical access is too dangerous for humans, or to manually apply patches IF applicable), why introduce any additional risk?
>

One argument for the introduction of additional risk is that there is
added value to interconnected systems. Look at Electric production and
distribution. In the good old days one company produced and
distributed across a given area. Now it is a lot more complex. There
might be any number of producers transiting a distribution grid and
there might even be a choice of paths as to how those electrons get
from point A to point B. You have interties across networks, etc. This
means more people need access and/or provide more input.

I'm not saying this is right or wrong, simply that it is. Some of the
tradeoffs are made intentionally. Some are made without the
decision-makers thinking about it.

I like this hypothetical world that some are describing where security
is easy and all the tradeoffs work easily. Where exactly is this
place?

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Marcus J. Ranum

Dotzero wrote:
> would Marcus' artist friend agree to a 10% or 20% increase in his
> utility bills to have "proper security" (however one defines this)?

Wait a minute!! It was properly secure BEFORE.
In fact, someone had to have SPENT MONEY to make it worse.

Someone, someplace, put it into a less secure state
"to save money" or "for business reasons." What we're
seeing is that their cost/benefit analysis was wrong;
it didn't save as much as they thought (because they
did it wrong!) or, if it recouped enough on the
investment, then any additional security expense
comes out of that profit/benefit's margin.

Let me belabor that point a bit: security is often
seen as a bill that gets presented; a cost of doing
business. What they don't understand is that the
bill is just interest coming due for when they cut
some corners years ago. A break-in or disaster is
that interest, compounded.

This is one reason I am (obviously) highly skeptical
of many business justifications. They omit to take
hidden costs into account and then try to shift/blame
someone else for them later. It's very easy to see
something as a profitable and desirable activity as
long as you only look at the upside.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Brian Loe-2

On Fri, Apr 17, 2009 at 12:03 PM, Dotzero <dotzero@...> wrote:

>
> One argument for the introduction of additional risk is that there is
> added value to interconnected systems. Look at Electric production and
> distribution. In the good old days one company produced and
> distributed across a given area. Now it is a lot more complex. There
> might be any number of producers transiting a distribution grid and
> there might even be a choice of paths as to how those electrons get
> from point A to point B. You have interties across networks, etc. This
> means more people need access and/or provide more input.

That interconnectedness on the SCADA network (which should NOT be
transiting the Internet - only the power grid itself) is exactly how
AND why you don't connect the SCADA network to a non-SCADA network.

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Bret Watson

At 09:42 PM 18/04/2009, Brian Loe wrote:

>That interconnectedness on the SCADA network (which should NOT be
>transiting the Internet - only the power grid itself) is exactly how
>AND why you don't connect the SCADA network to a non-SCADA network.

Yup,

<sarcasm>but it is so convenient when the operations guy can read
emails whilst managing the system. Oh, and management really likes to
get those real-time pretty graphs...</sarcasm>

It's amazing, but somehow SCADA always ends up getting connected - or
even worse - running over corporate networks... Currently working
with a critical infrastructure provider - exactly that problem, and
their corporate strategy is to integrate it all further :(

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Brian Loe-2

On Sat, Apr 18, 2009 at 9:19 AM, Bret Watson <lists@...> wrote:

> <sarcasm>but it is so convenient when the operations guy can read emails
> whilst managing the system . Oh and management really likes to get those
> real-time pretty graphs...</sarcasm>
>
> Its amazing, but somehow SCADA always ends up getting connected - or even
> worse - running over corporate networks... Currently working with a critical
> infrastructure provider - exactly that problem, and their corporate strategy
> is to integrate it all further :(
>

My operators are able to do all of that while watching the plant.
There are two switches in every network box in the plant - one is a
Cisco switch on the "admin" network and the other is something else on
the process network. Each switch has its own fiber run back to the
data center.

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by ArkanoiD

Well and if your SCADA network runs across thousands of sites, how secure will it
be if the systems themselves are vulnerable? ;-) Even if there is no *known* internet
or modem link.. And you do not really know if some remote location uses some provider's
MPLS without applying its own tunneling and if that MPLS gets compromised because some
youngsters hacked the provider network. Or if someone decides to use a wifi
link because it takes some time to make a cable link across two buildings and he'd like
to get the thing working now.. etc etc..
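Brian Loe's two-switch, two-fibre design and ArkanoiD's point about links nobody knows exist come down to the same question: is anything actually bridging the process network to something else? The following is an added example, not code from the thread or from any poster. It audits a constructed inventory of `ip -4 -o addr show` output for hosts plugged into both networks and for wireless, dial-up or tunnel interfaces on process-network hosts; the host names, subnets and interface listings are assumptions made up for the illustration.

```python
"""Audit admin/process network separation from per-host interface listings.

Added example for this thread; not code from any poster. The subnets, host
names and interface listings are constructed assumptions for illustration.
"""
import ipaddress
import re

# Assumed addressing plan (hypothetical): admin and process networks are
# distinct ranges served by physically separate switches and fibre runs.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/16")]
PROCESS_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Interface-name prefixes for links the two-fibre design does not account for:
# wireless, dial-up/modem, and tunnels (e.g. over a provider's MPLS).
UNEXPECTED_IF_PREFIXES = ("wlan", "wlp", "ppp", "tun", "tap", "gre", "wg")

# Constructed sample: one `ip -4 -o addr show` listing per host.
SAMPLE_INVENTORY = {
    "hmi-01": [  # clean: process network only
        "1: lo    inet 127.0.0.1/8 scope host lo",
        "2: eth0    inet 10.20.3.11/24 brd 10.20.3.255 scope global eth0",
    ],
    "ops-ws-07": [  # operator workstation plugged into both switches
        "2: eth0    inet 10.10.5.7/24 brd 10.10.5.255 scope global eth0",
        "3: eth1    inet 10.20.3.40/24 brd 10.20.3.255 scope global eth1",
    ],
    "rtu-site-42": [  # remote site someone "temporarily" bridged over wifi
        "2: eth0    inet 10.20.42.2/24 brd 10.20.42.255 scope global eth0",
        "3: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global wlan0",
    ],
}

ADDR_RE = re.compile(r"^\d+:\s+(?P<ifname>\S+)\s+inet\s+(?P<cidr>\S+)")


def parse_interfaces(lines):
    """Return (ifname, IPv4Interface) pairs, skipping loopback."""
    ifaces = []
    for line in lines:
        m = ADDR_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group("cidr"))
        if iface.ip.is_loopback:
            continue
        ifaces.append((m.group("ifname"), iface))
    return ifaces


def classify(iface):
    """Map an interface address to 'admin', 'process' or 'other'."""
    if any(iface.ip in net for net in ADMIN_NETS):
        return "admin"
    if any(iface.ip in net for net in PROCESS_NETS):
        return "process"
    return "other"


def audit_host(host, lines):
    """Return finding strings for one host; an empty list means separation holds."""
    findings = []
    ifaces = parse_interfaces(lines)
    zones = {classify(iface) for _, iface in ifaces}
    if {"admin", "process"} <= zones:
        findings.append(f"{host}: dual-homed across admin and process networks")
    if "process" in zones:
        # A process-network host with any other kind of link is a path out.
        for ifname, iface in ifaces:
            if ifname.startswith(UNEXPECTED_IF_PREFIXES):
                findings.append(f"{host}: unexpected link {ifname} ({iface}) on a process host")
            elif classify(iface) == "other":
                findings.append(f"{host}: address outside the plan on {ifname} ({iface})")
    return findings


def audit_inventory(inventory):
    """Return {host: findings} for every host that breaks separation."""
    report = {}
    for host, lines in inventory.items():
        findings = audit_host(host, lines)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for finding in findings:
            print(finding)
```

Run against a real plant, the listings would come from each host's `ip -4 -o addr show`, and the interesting output is whatever the two-fibre diagram did not predict: the workstation with a cable into each switch, or the remote site with a `wlan0` nobody documented.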

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Brian Loe-2

On Sat, Apr 18, 2009 at 2:44 PM, ArkanoiD <ark@...> wrote:
> Well and if your SCADA network runs across thousands of sites, how secure will it
> be if the systems themselves are vulnerable? ;-) Even if there is no *known* internet
> or modem link.. And you do not really know if some remote location uses some provider's
> MPLS without applying its own tunneling and if that MPLS gets compromised because some
> youngsters hacked the provider network. Or if someone decides to use a wifi
> link because it takes some time to make a cable link across two buildings and he'd like
> to get the thing working now.. etc etc..

That's where the "homeland security" group of morons should be
applying their energies - creating regulations for how and what can be
connected to the country's power grid that we are ALL dependent on.

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Paul D. Robertson

On Sat, 18 Apr 2009, Brian Loe wrote:

> That's where the "homeland security" group of morons should be
> applying their energies - creating regulations for how and what can be
> connected to the country's power grid that we are ALL dependent on.

Is that *REALLY* who you want drafting computer security regulations?  
"Please take off your shoes prior to booting Server 2008...."

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul@...       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/


Re: SCADA (or: How I learned to love receiving FWW in digest form)

by John-654

Paul D. Robertson wrote:
> On Sat, 18 Apr 2009, Brian Loe wrote:
>> That's where the "homeland security" group of morons should be
>> applying their energies - creating regulations for how and what can be
>> connected to the country's power grid that we are ALL dependent on.
>
> Is that *REALLY* who you want drafting computer security regulations?
> "Please take off your shoes prior to booting Server 2008...."
>
> Paul

Countrymen, what matters is the coming challenges, from afar.

No one is wrong! In the words of William Wallace, FREEDOM ....is what counts. Let us not lie in our beds and
let the 'red horseman' of the network apocalypse take control of our networks. Let's #! . >:o

Let's unite to use what we have and let those with the experience guide us. >:o

May the force be with us ... as if it isn't, our networks are in trouble. :-)

MaSk the lot the th#$

Regards

Countryman O:-)

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Brian Loe-2

On Sun, Apr 19, 2009 at 8:21 PM, Paul D. Robertson <paul@...> wrote:

> On Sat, 18 Apr 2009, Brian Loe wrote:
>
>> That's where the "homeland security" group of morons should be
>> applying their energies - creating regulations for how and what can be
>> connected to the country's power grid that we are ALL dependent on.
>
> Is that *REALLY* who you want drafting computer security regulations?
> "Please take off your shoes prior to booting Server 2008...."
>
> Paul

Of course not - but if not them, what other group of morons would you
have do it? This is one area where I think it could work, however;
after all, any group could, so long as they reach out to non-morons for
help.

I wouldn't say the same about, for instance, health care or automobile
manufacturing. :)

I believe the FBI has some talented folks and this would be a
legitimate exercise for them...right?

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Michael Balasko

Eh, they do!!??

I like the bunch of “morons” known as NIST.

http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

and this should keep you busy for a while.

http://www.oe.energy.gov/information_center/reports.htm

Cisco has a whole class dedicated to it at Networkers but this can be tortured into SCADA-specific ideas

http://www.cisco.com/en/US/docs/solutions/Verticals/EttF/EttFDIG.html

Pay Stuff-

and good book-

http://bookstore.gpo.gov/actions/GetPublication.do?stocknumber=008-022-00338-0

and den-

http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeI

Above links being present, I’d like to rename the morons to a group of seriously intelligent, committed folk who happen to get a bad name from the PR of the respective agencies they work for. :) I can assure you that there are tons of Birkenstock-wearing, long-bearded, multiple-Ph.D.-holding guys fighting the good fight who happen to work for the government.

Enjoy the reading-

Michael Balasko
CCNP, CCSP, MCSE, MCNE
Network Specialist II
City of Henderson, Nevada

-----Original Message-----
From: firewall-wizards-bounces@... [mailto:firewall-wizards-bounces@...] On Behalf Of Brian Loe
Sent: Monday, April 20, 2009 9:27 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SCADA (or: How I learned to love receiving FWW in digest form)

On Sun, Apr 19, 2009 at 8:21 PM, Paul D. Robertson <paul@...> wrote:
> On Sat, 18 Apr 2009, Brian Loe wrote:
>> That's where the "homeland security" group of morons should be
>> applying their energies - creating regulations for how and what can be
>> connected to the country's power grid that we are ALL dependent on.
> Is that *REALLY* who you want drafting computer security regulations?
> "Please take off your shoes prior to booting Server 2008...."
> Paul

Of course not - but if not them, what other group of morons would you
have do it? This is one area where I think it could work, however;
after all, any group could, so long as they reach out to non-morons for
help.

I wouldn't say the same about, for instance, health care or automobile
manufacturing. :)

I believe the FBI has some talented folks and this would be a
legitimate exercise for them...right?

The Cybersecurity Act of 2009 (was: SCADA)

by Chris Blask


Michael Balasko <Michael.Balasko@...> wrote:

> I can assure  you that there are tons of Birkenstock wearing, long bearded multiple Ph.D
> holding guys fighting the good fight who happen to work for the government.  
 
I'm willing to even trust some of them if they have short hair (but only so far...)

From the looks of things much of this argument is about to become academic.  I've just read through the Cybersecurity Act of 2009 - which is now on the table in DC - and put my initial thoughts in order (http://www.motleymoose.com/showDiary.do?diaryId=1289).  In general I'm not displeased but the devil is in the details, so I hear.  

NIST is being harnessed up (Section 6 "NIST Standards Development and Compliance"), so brace yourself, Emmy.

Also interesting are sections 7 (certification of infosec geeks, as if we weren't already certifiable), 14 (Public/Private Clearinghouse, where EFF blows a fuse) and 18 (aka "In case of emergency, break glass").

If anyone thought the SCADA debate was lively, this one is sure to be a doozy...

-chris

(PS - I imagine there is some Ancient Polish Shared Ancestor at work, Mr. Balasko).

Re: The Cybersecurity Act of 2009 (was: SCADA)

by Steven Bellovin

I wrote a long analysis of the bill in my blog; see
http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-12.html


                --Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: The Cybersecurity Act of 2009 (was: SCADA)

by Chris Blask


Steven M. Bellovin <smb@...> wrote:

> I wrote a long analysis of the bill in my blog; see
> http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-12.html


Hey Steve,

Thanks for the link.  The Moose is much more a political than a technical audience so my commentary there reflects that but - in short - I share many of your technical concerns.  There is a fair bit of technical specificity that doesn't really seem to either belong in a law or seem likely to actually work.

I suppose the best thing in my view about this bill is that it pushes the discussion sooner rather than later.  I think we may have reached a point of diminishing returns in waving our hands and drawing on whiteboards in front of politicians.  As awkward as it may be, it is possible that trying to struggle through crafting and implementing legislation could be what it takes to clarify the realm of possibilities for all parties (and, heck, we could even find that some of our assumptions were incorrect, too).

I will restrain myself by sheer force of will from debating most of the fine points (Identity!) at the moment.  More interesting for the purpose of this list atm is to see what level of general consternation and/or agreement our fellow fellows have with it.

-chris

Re: SCADA (or: How I learned to love receiving FWW in digest form)

by Brian Loe-2

On Mon, Apr 20, 2009 at 1:06 PM, Michael Balasko
<Michael.Balasko@...> wrote:

> Above links being present, I’d like to rename the morons to a group of
> seriously intelligent, committed folk who happen to get a bad name from the
> PR of the respective agencies they work for.:) I can assure you that there
> are tons of Birkenstock wearing, long bearded multiple Ph.D holding guys
> fighting the good fight who happen to work for the government.
>

There are exceptions to every rule, right?

But, government morons are the only ones able to write and pass laws -
and they direct the regulations of the various departments. Neither
party has a surplus of "electable" people with an understanding of how
things work AND without a personal interest in this or that (the
auditing industry, for instance ;) ). I could, again, be wrong. In
which case I'm glad to hear about it.