It's confirmed
I just wanted to tell you what a great magazine you all are publishing through SC. It is one of the most useful IT magazines that I receive. I just wanted to let you know. Thanks.
H. Scott Lewis, information systems team, The Citizens Bank of Philadelphia

In the news: SCADA
In response to a Sept. 8 story, Attack code released for SCADA vulnerability:

I appreciate news about vulnerabilities and potential exploits on SCADA systems because it's my job to understand these security issues. I manage the patching and AV infrastructure for SCADA systems employed by the utility I work for.

As you can imagine, I've seen numerous articles identifying the potential for disrupting and harming our power control and energy delivery systems. They are all well-meaning articles, but all have one common thread: to frighten the public into believing that all SCADA systems are intermingled with company productivity networks and sitting on desktops alongside web browsers and email clients.

There was an interesting article not too long ago that stated the writer's ability (if he wanted) to take control of a nuclear power plant reactor operation by using a carefully crafted web page.

Again, the presumption here is that all these systems are unprotected and exposed to the web. If this were true, I wouldn't be commenting.

I've worked in the electrical industry for 20 years, both at a nuclear facility and as a specialist responsible for infrastructure services on SCADA networks. From my experience, the design of the SCADA or plant control systems has been carefully planned with many security measures implemented to prevent these kinds of incidents from becoming reality.

For instance, the nuclear plant control system and the SCADA systems are physically separated from the company network via a network firewall. The ports are locked down to just those needed for specific applications. Web browsing and email service are disabled at the firewall and the browser and email client are disabled on the computers that control these critical systems. Operator consoles are locked down to allow just SCADA application use.

These are examples, as there are many other controls, both at the OS and network. As well, tightly controlled user management and strict policies help prevent this kind of scenario from occurring.

What bothers me when I read these articles is the assumption that SCADA system owners are all irresponsible and cavalier with respect to security and that these systems are wide open to attack. No mention is ever made in these articles that state these exploits can be effectively prevented through the kinds of security measures I speak of.

I'm sure there are real examples of exposed SCADA networks, but such is not always the case and the public has a right to know when SCADA owners are taking the right steps to protect their systems.

Also, no mention is made of regulatory oversight, which mandates the security measures needed for SCADA system protection. Familiar with NERC CIP [standards to secure bulk electric systems]? If a utility wants to prevent negative audit findings, they have to comply with the security requirements of NERC CIP.
Geoff Daley, ODN MS Services

In response to a Sept. 12 story, CTO defends researcher's decision to reveal SCADA exploit:

Many organizations that use SCADA did not believe that SCADA will be attacked. Releasing attack code for the Metasploit framework is a way to force them to test and patch or test and protect with alternate methods. SCADA organizations are cheap – they will use the same vulnerable junk that is 20 to 30 years old unless they are forced to change.
SCADA security analyst

I think it's a positive catalyst for the ridiculously slow SCADA industry, which is plagued with vulnerabilities. Getting them in the open in this manner is a step toward alignment with the security industry.
Nathan Boeger

In other news
In response to an article, Weaponization trumps skill, by Courtlend Little, Solutionary, we received the following:

This is a wonderful article. I'd love to see more like this. Any chance of Mr. Little doing a follow-up?
Christopher Cashel

In response to Removing admin rights to secure desktops, by Scott McCarley, BeyondTrust:

C-level associates have admin rights. That's rather amusing since the CEO/CFO tend to install the “oh, I saw this article and want it” type of apps.
  
Ah well, all are equal, but in the real world, the “C” level are a whole lot more “equal.”
George DoGood

I've been trying to get our users to use Run As on Windows XP to prevent them logging on with an administrator account, but it's less than ideal.
  
I've been looking for a better solution and then find two in a week! I was only reading about a startup in the U.K., Avecto, who have a similar product. I will be taking a closer look.
Jason



The opinions expressed in these letters are not necessarily those of SC Magazine.