16 November, 2006

5 Myths - Part 6 of 6

Part 1

Myth # 5 - You cannot scan or update Automated Control systems.

Scanning and updates are just as essential for these systems (or more important because of the geographic and ownership distributions) as any other IT system. Scanning and updating needs to be done carefully, within change management and with good communication to the users of the systems.

The key phrase here is change management. All stake holders must know when and how the scans will occur. From the Engineering Authority to the operators (current, off going and oncoming) everyone must be informed. This also means that you need a tool to do the scanning that is able to track and log (verifiably) to the second exactly what it is doing to the end system.

The last part is why I prefer CoreImpact over Nessus.

Both are good but Core gives you verifiable CYA. (and in many cases easier granular control)

In all cases you should know what you are doing to what, when, and why and be able to explain it to the engineers and operators. If you can't then you shouldn't be doing the scan.

With the caveats made once you get the process down it becomes a non event (other than fixing the problems that are found which for a while will be many). It was a weekly event at one of the companies I was CISO at.

As for updates not only is it possible to do them it is essential that they are done. Again with proper change management not just arbitrarily.

2 comments:

CNI operator said...

Jim, you already know my views on this!
My view on scanning was re-enforced when I completly wiped a vendors PLC level device during a test in their lab.
Before scanning, I'd need to be absolutely sure of whats on the network and be sure the devices can stand up to the scan.

Jim C said...

I agree. I am not saying to go willy nilly and pull down Nessus and start a scan.

What I am saying is that after you make sure your systems can handle specific settings and after you have informed all of the right people and once you get the right people watching the scan live and the right operators involved. Then you can scan. Carefully.

Think of it as a test plan. Once you are comfortable with it then go ahead. You always need change control and you always need to understand the implications if something goes wrong and be able to adjust for them.

With all of that said every security professional out there has made a mistake scanning. This is doubly true for people that haven't grown through the IT Security ranks. (and dealt with the scanning disasters there)

There is a whole religion thing about if it is ok or not to scan on the IT side let alone on the CNI side.

My take is this. If it can be done properly (and it can) then if you don't scan you don't know what can go wrong. You have no idea what the environment is like.

Doing security design in that environment is like a doctor performing surgery with a blindfold and oven mits. You are lucky if you can even pick up the right tools.

Many good security professionals have gotten bitten by bad scans. In the SCADA world it makes sense to be extra careful. Espeacially ater seeing what can happen but it doesn't mean they don't add value.

The Key point to the Myths is to make sure that CNI guys know that there is no difference between IT systems and DCS systems and so that IT guys know they are not the same.

That statement is not an oxymoron. Within context for each group it is true.

I have done hundreds of scans on PCN's successfully without problems. I wouldn't let just anyone do it but it is possible and more it is essential.