On Jul 8, 2010, at 10:13 AM, George Bonser wrote:
-----Original Message----- From: Brandon Ross Sent: Thursday, July 08, 2010 6:52 AM To: Michael Painter Cc: nanog@nanog.org Subject: Re: U.S. Plans Cyber Shield for Utilities, Companies
On Wed, 7 Jul 2010, Michael Painter wrote:
Have we all gone mad? I find it hard to understand that a nuclear power plant, air-traffic control network, or electrical grid would be 'linked' to the Internet in the interest of 'efficiency'. Air gap them all and let them apply for "Inefficiency Relief" from the $100 million relief fund.
Absolutely! For example, those thousands of flight plans filed every day by airlines across the globe, not to mention private flights, should be done manually the old fashioned way, with a paper form and stopping by your local FAA office where a human keys them into the ATC computer. Oh wait, we closed all of those offices when we moved all of those functions to the Internet. I guess we'll just have to re-open them.
I believe the point was in response to:
"control systems that were often designed without Internet connectivity or security in mind. Many of those systems-which run everything from subway systems to air-traffic control networks-have since been linked to the Internet"
If something was designed without network security "in mind" and then connected to the internet as-is, then yeah, that pretty much is not only "madness" but is just asking for trouble. So I am torn between this being another exercise in treating the symptoms while ignoring the underlying cause and at least having SOMEONE watching the front door if the owners aren't paying any attention themselves. But I would think the cost of the program could be scaled back somewhat if certain basic security practices were mandated prior to the system being installed.
I think part of the problem comes from interrelationships between the transitive property of trust (if A trusts B and B trusts C, then A trusts C whether A knows it or not) and the perceived vs. actual nature of linkage. For example, it would seem madness to put an HTTP server directly on the primary Air Traffic Scheduling System at "FAA Central" and have it collect flight plans directly from the internet. However, what happens is that FAA contracts Lockheed out to run several Automated Flight Service Stations and also contracts two other companies (GTE and CONTEL last I looked at who had the contracts) to run a service known as "Direct User Access Terminals" or DUATS. Lockheed runs their own systems and interacts with pilots by telephone and radio. Flight Plans and Pilot Reports collected by Lockheed are put into Lockheed systems which are then linked into the FAA systems. I do not know if any of those links involve internet connectivity or not. LIkely some do. The DUATS systems also link into the FAA computers for uploading flight plans and pilot reports and for getting weather and NOTAM information from the FAA. As such, at least on some level, the FAA systems are linked to systems that are linked to the internet and there definitely isn't an air-gap. I suspect it is a full enough form of proxy that only data can traverse from one to the other. I think the design of the systems is probably relatively sane on that level. However, I doubt anyone on this list really knows for sure how the systems were designed or the exact nature of their linkages and I suspect there are many many other examples of such indirect linkages that have grown organically over time as the internet has moved from scientific novelty to a place to distribute web access and now starts to become the fundamental basis for communication among humans, machines, and others throughout the world. There used to be a clear line between telecom and datacom. It used to be that the internet was clearly datacom. Today, it's almost as if telecom as a separate discipline is going away and instead voice is becoming an application on the datacom network. It used to be that datacom was many disparate specialized networks each serving a particular datacom purpose. Today, the internet has become the generic low-level building block upon which virtually every datacom application, including the new telecom (voice as an application on a data network) is being built. With these changes and their relationships to legacy systems come new security concerns. Some known, many likely not even noticed as things move forward. Owen