Re: Loose Cannon-dian
- From: billg999@xxxxxxxxxxx (Bill Gunshannon)
- Date: 10 Sep 2008 15:47:08 GMT
In article <fb1eedec-c950-4c4e-874f-f70e46faaf4c@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
johnwallace4@xxxxxxxxxxx writes:
> On Sep 10, 2:23 pm, billg...@xxxxxxxxxxx (Bill Gunshannon) wrote:
>> In article <eblGRJGgr...@xxxxxxxxxxxxxxxxxxxxxxxx>,
>> koeh...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (Bob Koehler) writes:
>>> In article <ga6u7j$vnc$0...@xxxxxxxxxxxxxxxxx>, Michael Kraemer <M.Krae...@xxxxxx> writes:
>>>> That's pretty much nowhere land.
>>>> Are there widely accepted certifications beyond
>>>> orange book ?
>>> Nowhere? C2, B1, ..., all were written by some folks based on their
>>> limited knowledge and their specific needs. There are a lot of other
>>> legitimate security concerns.
>>> For example, Windows got a C2 rating at one time, based on
>>> limitations like no network, no floppies, ...
>>> So what good is a system if you can't enter or retrieve data?
>> Those ratings are for operational systems. What need is there for a
>> network connection or floppies on a system running a power plant?
>> One can take the system offline, connect a floppy, load and install
>> needed upgrades and then remove the floppy, recertify and return to
>> production as a C2 system.
>> When one looks at things in terms of IS's instead of just a Windows
>> box this stuff makes a lot more sense. But then, when you are so
>> totally biased against MS, you become blind to reality.
> Power plants are more networked than you seem to think, in order to
> (for example) automate the process of matching electricity generation
> against electricity demand in something approaching real time (this
> kind of thing used to be done by phone but the PHBs prefer things like
> this to be automated).
I just used that as an example as it is one that shows up here. If,
as you say, networking is required then obviously it either wouldn't
be C2 or wouldn't be Windows. I was just trying to show that not having
those things in production did not mean they could not be available in
a C2 rated IS.
> And then there's also the wandering contractor
> with a potentially-infected laptop connected to the (maybe isolated)
> plant network on one side,
The statement was C2 + Windows = "no network" so, not a problem. Obviously,
a lot more goes into maintaining C2 systems than your home PC but it is done
every day.
> and (maybe) via a 3G phone to the Internerd
> on the other side.
> Depending on the technologies used, this can make them more vulnerable
> than you seem to think, and almost certainly more vulnerable than they
> were prior to Windows monoculture. If the plant network is designed to
> be isolated when operational, it will likely still have essential
> Windows boxes on it in places, so where will those boxes get their
> daily AV updates, monthly Windows updates, occasional application
> updates?
You missed the most important point. "No Network". Obviously, C2 rated
systems do not get "daily AV updates, monthly Windows updates, occasional
application updates" in the same manner as your home PC. Tell me something:
can you get to any of the PCs currently being used by the military in Iraq?
Do you think they are not running Windows? Do you think they don't get kept
up to date for things like AV and Windows Updates?
> A network connection or a removable media sneakernet,
> perhaps? Isolated but out of date (and requiring downtime for each
> update), or up to date and vulnerable. Take your pick.
If it is not connected to the outside world in any way and it only runs
one task, vulnerable to what? You guys really need to change your mindset
and accept that there are secure Windows systems running all over the world.
I know, I just had to go back to school (again) to have my skills refreshed
on how this is being done.
> Perhaps you missed the GAO report in May this year which had 92
> specific suggestions for IT/SCADA security improvements at the
> Tennessee Valley Authority (you've heard of them?) and recommendations
> for "best practice" elsewhere?
Don't know anything about TVA but I doubt C2 is one of their requirements
for an IS. And that was what was being discussed.
> GAO report: http://www.gao.gov/new.items/d08526.pdf
> Sample "IT" media coverage: http://www.theregister.co.uk/2008/05/22/electrical_grid_vulnerable/
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
billg999@xxxxxxxxxxxxxxx | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>