Why in the world power control computers need to have Internet connectivity is beyond me. With the low price of desktops today, systems controlling power plants and the grid should be single-function machines on isolated/private networks. If power plant employees need Internet access to do their jobs, then those systems should be physically different and isolated from the control desktops. Seems a lot cheaper than trying to secure critical systems from hackers.
SCADA
What is the reasoning behind having Internet access at all in these locations?
At least having physically separated networks with separate computers.
Segmentation implies they are still physically and logically connected; for a SCADA site that is just not enough.
The DHS should spend more time and effort and budget on separate computers and networks than worrying about a fence between Mexico or the H-1B laws.
Reasons for interconnecting SCADA
SCADA Systems collect a large volume of very useful data and provide many tools for conveniently reviewing and analysing those data. Individuals whose job involves system planning, customer engineering, and system protection (e.g. relay settings for breakers) need these data. It is possible (I have done so) to leverage the SCADA data to create a fairly complete external database and user interface that is adequately firewalled from the SCADA system, and thereby avoid creating vulnerabilities. (Two different penetration tests have demonstrated this.) Unfortunately, vendors are just catching on to security, and are only starting to provide this. Unfortunately, at least so far, what is offered is essentially un-auditable (short of an expensive code review). Things are slowly getting better, but many utilities are still using older software, and will only spend the money to cure this as the new FERC Cyber Security Standards come into enforcement over the next few years. Indeed, there may still be regulators who see cyber security as an unnecessary waste of customers' money. (Much of the utility industry is still regulated.)
My opinions are mine only and do not represent the opinions of my employer, who also shall remain anonymous.
and that's why you are not the
and that's why you are not the decision maker....
are they logged in as Administrator?
I wouldn't be too surprised if they were logged in as Administrator while browsing the internet on these systems controlling power plants...
Because most all of the government entities (NERC, FERC) as well
Because most all of the government entities (NERC, FERC) as well as the regional entities (PJM, CALISO, MISO) do their business over the internet...
anti-phishing feature in Opera browser?
While this is an interesting article, and having physically separate systems would be an obvious solution...I noticed that no mention was made of what OS, what browser, etc...
Simply having a secure, advanced, ACID3-compliant browser, like Opera v9.5 on Windows, Mac, Linux, that includes a cool Fraud Protection anti-phishing feature would solve the social engineering attack. PowerCo employee clicks on a phishing email, they get a warning in Opera, and are diverted.
End of attack.
Maybe I'm missing something.
Yeah, you do. Opera 9.5 is
Yeah, you do. Opera 9.5 is still in beta.
Using Opera on an unpatched
Using Opera on an unpatched Windows box will not solve the problem. (google "opera vulnerabilities") Should we bet the integrity of our infrastructure on the security of any browser and thoughtfulness of that user?
IMHO the S.C.A.D.A. networks need to be completely inaccessible from the Internet, otherwise one networked computer with a browser could easily bypass all firewalls and potentially bring the SCADA network down.
Apparently in a matter of hours. Scary Man!
They don't
We do the same type of work for pretty much every large energy company and are SCADA systems which have all been properly segmented and have been since the mid 90's. They don't have any internet access, and are almost always on a physically segmented network. I'm not sure if what company he was working on was foreign, or just a tiny power plant not the large ones. Seems pretty bogus to me.
David Gerard
Power station desktops should not be Windows and should not use Internet Explorer. That will have been what they used to get in.
If you MUST have IE for the intranet, set a group policy that it can only be used internally, not for the real internet.