[SCADASEC] IBM is offering 'SCADA security best practices'...
Kevin McGrath
kmcgrath at keyspanenergy.com
Fri Feb 8 08:14:57 CST 2008
> But who among the IT security product providers are addressing (or
> claiming to address) the legacy device issue for folks like you and
> Walt to get so worked up about?
Howdy,
Well, I believe the AGA came up with a standard to address serial line
security, but it appeared to die on the vine as no vendors, to my
knowledge, got a product out in the marketplace that uses this standard:
http://www.aga.org/NR/rdonlyres/8EAD7021-61EB-4FDA-ABE5-5140B7914834/0/0603REPORT12.PDF
> If they are still using non-IP, then
> what is the problem?
I don't want to put words in your mouth but are you implying "security
by obscurity"?
My own scratched & broken record on this issue is that, if we are honest
with ourselves, we still don't have a very good handle on the risks we
are taking. As we move from serial to IP-based comms, we are most likely
increasing the risks to our systems, but by how much? Have we gone from
.5% to .7345% or from .5% to 15%??
If there are any sharp grad students out there looking for a PhD thesis
topic, then IMHO, if you can figure this one out, we can all start
calling you Dr. in a very short while. :-)
Regards,
Kevin
--
Kevin M. McGrath, CISSP, TCSP-P
Lead Analyst | US-Gas Management System (GMS)
Critical National Infrastructure (CNI) | National Grid
Office: (718)403-2910 | Cell: (917)939-8569 Nextel 172*86*2119
kmcgrath at keyspanenergy.com
Matthew Franz wrote:
>> before they are employed an active network is a must. I also want to
>> reiterate - my broken record - that electric and other industries still
>> primarily utilize serial, not IP, communications with control system
>> protocols. They must be secured in ways with which many cross-over
>> vendors may not be familiar.
>
> I'm confused by your comment about not being concerned about network
> devices, but then you go on to be worried about testing, network
> architecture, or even what these "new" technologies are.
>
> Mark's points about cut-and-paste security consulting services are
> well taken. But that is the end user's fault for employing their
> services (due to name recognition among the IT staff, price, or some
> clueless manager, or whatever). Now that I'm an end user and maintain
> infrastructure and have to deal with vendors, I feel comfortable
> saying that.
>
> But who among the IT security product providers are addressing (or
> claiming to address) the legacy device issue for folks like you and
> Walt to get so worked up about? If they are still using non-IP, then
> what is the problem?
>
> There is no technology to compete and nothing to be defensive (meaning
> feel threatened about their purported expertise) about. Does
> Tippingpoint sell an inline serial IPS? Does Checkpoint's "Industrial
> Firewall" include an RS-485 interface? Security vendors aren't
> clamoring to release products for TCP/IP, let alone what you are
> describing.
>
> But if you are looking at someone doing a web app assessment of an
> IIS-based management interface on an EMS, you want somebody that knows
> that territory. And that requires absolutely no knowledge of
> SCADA/DCS/HMI--and that is almost as true for evaluating an embedded
> device. Protocols are protocols and vulnerabilities are
> vulnerabilities whether it's Cisco or Sisco.
>
>
> Or has this changed? This isn't about technology or even best
> practices. Obviously, if there isn't a product for a given protocol,
> it's not relevant. As my 4 year old would say, "duh!" (although she
> doesn't use it correctly)
>
> This sad debate is about mind share, market share, organizational
> control, and the bottom line -- not technology.
>
> - mdf
>