On 11/14/11 10:24 , Joe Greco wrote:
Sure, anytime there's an attack or failure on a SCADA network that wouldn't have occurred had it been air-gapped, it's easy for people to knee-jerk a "SCADA networks should be airgapped" response. But that's not really intelligent commentary unless you carefully consider what risks are associated with air-gapping the network.
Not to mention that it's not the only way for these things to get infected. Getting fixated on air-gapping is unrealistically ignoring the other threats out there.
There needs to be a whole lot more security work done on SCADA nets.
Stuxnet should provide a fairly illustrative example.
It doesn't really matter how well isolated from direct access it is if it has a soft gooey center and a willing attacker.
That's basically the case for so many things. I was reading, recently, two articles on Ars Technica ("Die, VPN" and "Live, VPN") which made it exceedingly clear that these sorts of designs are still the rule for most companies. I mean, I already knew that, but it was *depressing* to read.

We've been very successful for many years designing things as though they were going to be deployed on the public Internet, even if we do still put them behind a firewall. That's just belt-and-suspenders common sense.

We do run a VPN service, which I use heavily, but it really has little to do with granting magical access to resources - the VPN endpoint is actually outside any firewall. I've so frequently found, over the years, that some "free" Internet connection offering is crippled in some stupid manner (transparent proxying with ad injection!), that the value added is mostly just that of getting an Internet connection with no interference by third parties. The fact that third parties cannot do any meaningful snooping is nice too.

I also recall a fairly surreal discussion with a NANOG'er who was absolutely convinced that SSH key based access to other servers was more secure than password based access along with some ACL's and something like sshguard; my point was that compromise of the magic host with the magic key would tend to be worse (because you've suddenly got access to all the other servers) while having different secure passwords for each host, along with some ACL's and sshguard, allow you to retain some isolation within the network from an infected node.

It's dependent on design and forethought, of course... Basically, getting access to some point in the network shouldn't really allow you to go on a rampage through the rest of the network.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.