On 11/13/11 07:36, Jason Lewis wrote:
I don't want to start a flame war, but this article seems flawed to me. It seems an IP is an IP.
http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-u...
I think I could announce private IP space, so doesn't that make this argument invalid? I've always looked at private IP space as more of a resource and management choice and not a security feature.
Really, the article doesn't make much sense. The claim is that SCADA systems come with "public IP addresses by default" and that SCADA engineers are too ignorant of Internet security practices to know to re-configure them. First, the ignorance factor goes right back to the two axioms I mentioned in my reply to Bill. If you aren't paying attention, then you don't have security, regardless of which IP address space you use. Second, there's the point that the SCADA systems come with public IP addresses by default. So what? The article incorrectly confuses "public" IP addresses with "routable" IP addresses. As an example, when I worked in the College of Chemistry at UC Berkeley, there was a lab with NMR machines that all came with public IP addresses by default--those of the manufacturer. Of course, since the manufacturer was in Germany, and we were in the US those IP addresses weren't routable in our network. Are SCADA systems similarly configured? The article doesn't say if the manufacturers pre-configure addresses within the client's IP blocks or their own, or even 1.2.3.0/24. If the manufacturer went to the trouble of configuring the system on routable IP addresses, then the SCADA engineer can easily specify which set of addresses. If the manufacturer really does configure "public" IP addresses "by default" then it's unlikely that those "public" IP addresses are actually _routable_ on the network which is using the SCADA system. Oh, and the article treats RFC1918 and RFC4193 is equivalent, which is WRONG WRONG WRONG! michael