----- Original Message -----
From: "Brett Frankenberger" <rbf+nanog@panix.com>
What if you air-gap the SCADA network of which you are in administrative control, and then there's a failure on it, and the people responsible for troubleshooting it can't do it remotely (because of the air gap), so the trouble continues for an extra hour while they drive to the office, and that extra hour of failure causes someone to die. Should that result in a homicide charge?
I should think it would be your responsibility, as the chief engineer, to make sure *you have filled all such possible holes in your operations plan*.
What if you air-gap the SCADA network of which you are in administrative control, but, having done so, you can't afford the level of redundancy you could when it wasn't air-gapped, and a transport failure leaves you without remote control of a system at a time when it's needed to prevent a cascading failure, and that leads to someone dieing. Should that result in a homicide charge?
If it costs more to run, then it *costs more to run*.
Air-gap means you have to build your own facilities for the entire SCADA network. No MPLS-VPN service from providers. Can't even use point-to-point TDM circuits (T1, for example) from providers, since those are typically mixed in with other circuits in the carrier's DACS, so it's only logical separation. And even if you want to redefine "air-gap" to be "air-gap, or at least no co-mingling in any packet switching equipment", you've ruled out any use of commercial wireless service (i.e. cellular) for backup paths.
*I* define "air gap" as "no way to move packets from the outside world into the network. I didn't say "100% dedicated facilities", though your implication that that still leaves an attacker a way to reconfigure things such that they could get in is absolutely correct.
A good engineer weighs all the tradeoffs and makes a judgement. In some systems, there's might be a safety component of availability that justifies accepting some very small increase in the risk of outside compromise.
The line is pretty bright, I think, but you're correct in asserting that the price difference goes up as the square of the number of nines. But that's not important now; we're talking about cases that aren't even *99%*, much less 4 or 5 nines of unlikelihood that an outsider can find a way to break in.
You can argue that safety is paramount -- that the system needs to be designed to never get into an unsafe condition because of a communications failure (which, in fact is a good argument) -- that there must always be sufficient local control to keep the system in a safe state. Then you can implement the air-gap policy, knowing that while it might make remote control less reliable, there's no chance of, say, the plant blowing up because of loss of remote control. (Except, of course, that that's only true if you have complete faith in the local control system. Sometimes remote monitoring can allow a human to see and correct a developing unsafe condition that the control system was never programmed to deal with.)
Yes, but that's enablement for loss of locally staffed control, all by itself. Even power utilities have a pretty good real rate of return these days; I have no problem with them spending a little more of their revenue on safety, instead of profit. If that takes regulators pointing guns at them, I'm fine with that.
But even if the local control is completely safe in the loss-of-comm failure case, it's still not as cut and dried as it sounds. The plant might not blow up. But it might trip offline with there being no way to restart it because of a comm failure. Ok, fine, you say, it's still in a safe condition. Except, of course, that power outages, especially widespread ones, can kill people. Remote control of the power grid might not be necessarily to keep plants from blowing up, but it's certainly necessary in certain cases to keep it online. (And in this paragraph, I'm using the power grid as an example. But the point I'm making in this post is more general case.)
And I just read the Cracked piece talking about the 77 NYC blackout, which is sort of weird, actually. :-) But the general case point *I* was making was not that I expected a conviction. It was that I expected a charge, and a trial. If a bridge collapses, are we going to charge the Professional Engineer who signed off on it?
Sure, anytime there's an attack or failure on a SCADA network that wouldn't have occurred had it been air-gapped, it's easy for people to knee-jerk a "SCADA networks should be airgapped" response. But that's not really intelligent commentary unless you carefully consider what risks are associated with air-gapping the network.
Practically speaking, non-trivial SCADA networks are almost never completely air-gapped. Have you talked to people who run them?
No, and yes my knee was jerking. But based on the industry stuff I have seen from out here, security isn't anywhere in the same *county* with where it needs to be, and -- just as with RMS and the GPL -- maybe if some extremists knees jerk, the end result, while more moderate, will be more salutary. If you were that chief, and you knew the result of you screwing up might be the loss of your liberty, not just your job... you don't think you'd fight budget battles with your utility harder? (That's often the reason for such regulations: to give middle to upper management more bullets to fire at the (greedy) owners.) Thanks for doing some of my math for me, though, Brett. :-) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274