Slashdot Mirror


User: IT.luddite

IT.luddite's activity in the archive.

Stories: 0
Comments: 28

Comments · 28

  1. Re:Will Invite on Google+ Already At 10 Million Users · · Score: 1

    I'd appreciate an invite as well. noone(.)indy@liamg.moc Danke schön!

  2. Re:Many companies avoid using networked nameserver on High Severity BIND Vulnerability Advisory Issued · · Score: 1

    Return to ARPAnet? Are you MAD?!?! Replace the hierarchical DNS structure w/ P2P filesharing to avoid a vulnerability? Are you INSANE?!?! Sure, professional consultants may understand that alternatives exist for several key infrastructure services (oooh let's get rid of RIP/EIGRP/BGP/etc w/ static routes. It's more secure and that means it's more reliable!). Hopefully they understand the issues w/ NOT utilizing it and the ramifications to operational costs to maintain it as well as the implications to reliability. End of the day... you're CRAZY!

  3. WaterISAC on Evaluating Or Testing Utility SCADA Security? · · Score: 1

    I'd start reaching out to other utilities/organizations in a similar situation for what they're doing. I'm involved in the electric sector (ES-ISAC) as well as the FERC/NERC stuff so I'm heavily involved in the regional and national "user groups".

    For more direct advice:

    1) discrete network firewalled, ideally air gapped, from the "corporate" or normal network. This is a single function network.

    2) strict controls on media usage as well as protocols on how to use

    3) strict config management and change control

    4) physical protections to "local" and "remote" systems (RTUs, PLCs, and IEDs (note: IED = intelligent electrical device), you really don't want to build a secure control room and then get back hacked from a field device!)

    To actually learn more, Idaho National Labs has the National SCADA Test Bed Program (http://www.inl.gov/scada/) and they also have control system security workshops/training programs. Their Advanced SCADA Security Training is pretty eye opening, and that's coming from the perspective of an IT security guy. Your normal operators and operational engineers will likely be blown away by it.

    Like I mentioned, coming from the electric sector, I know what you're facing (technical as well as cultural issues) and feel your pain. Good luck, and know you are not alone out there... just a minority! ;)