[SCADASEC] Meta Discussion: discussing SCADA security

Brodsky, Jake jBrodsk at wsscwater.com
Wed Mar 26 09:41:38 CST 2008 

The interesting thing that Matt points out is something that I'm very
curious about as well:  

Why do we keep discussing this?

Am I mistaken in thinking that IT departments query their clients
carefully to determine how they can implement a system that serves their
company well?  

I mean, who knows more about accounting?  The Accountant? Or the IT
department?  

So, when it comes to a financial system, how does this issue get
discussed?  How do these two parties communicate?  

My reason for asking is to see if whatever they're doing can be applied
to a SCADA system.  

The problem I keep seeing is that many experts in their departments
often go marching in to the SCADA applications, acting as if they
already understand what is going on.  

/* begin war story */

A major city water utility that shall remain nameless call upon us
recently to discuss the proposed SCADA system they were about to
commission.  Someone had come up with the notion of having individual T1
lines to each of 20-something water pumping stations, and wireless VPNs
to nearby water tanks.  The RTUs in the system was supposed to ride on
the Internet as a VPN application.  The internet was visible from any
pumping station network.  The SCADA system was going to be tied in to
the office directly, where anyone could see it.  They were going to use
a VPN to keep the traffic separated.  

We're talking about an awful lot of monthly cash for 1) unnecessary
bandwidth, and 2) the risk of office/internet exposure.  

Oh, and they were going to have ISPs bid for the whole service.  They
didn't care who it was or what reliability numbers they had.  

The guy who visited us understood his ignorance.  He hoped the
consultants knew what they were doing.  He was doing his due diligence
by interviewing us.  He was dismayed but not surprised to hear what we
thought of the internet ideas.  He was shocked at what we thought of
using 47CFR15 type devices to act the telecommunications media for
getting water tank level data back to the pumping station.  He'd never
even considered those risks.  

His IT department was running the show, and had clearly heard of this
SCADA thing, but had never actually looked at one in a real water
application.  Apparently, neither had the consultants.  

And finally, not only were there no controls engineers, there wasn't an
engineer of any sort on this project.  

/* end war story */

I guess what I'm asking is this:  Are we control engineering people
acting invisible in some way?  Is there something we're supposed to be
doing that we're not?  If not, why do incidents like the future
catastrophe described above keep happening?  


Jake Brodsky

More information about the scadasec mailing list