20 November, 2006

Scanning Vs Not Scanning - This deserves to move out of comments

Tell me if I am wrong and why. Give me another option.

CNI operator said...
Jim, you already know my views on this! My view on scanning was reinforced when I completely wiped a vendor's PLC-level device during a test in their lab. Before scanning, I'd need to be absolutely sure of what's on the network and be sure the devices can stand up to the scan.
20/11/06 4:03 PM

Jim C said...
I agree. I am not saying to go willy-nilly and pull down Nessus and start a scan.

What I am saying is that after you make sure your systems can handle specific settings, after you have informed all of the right people, and once you have the right people watching the scan live and the right operators involved, then you can scan.

Think of it as a test plan. Once you are comfortable with it then go ahead.

You always need change control and you always need to understand the implications if something goes wrong and be able to adjust for them.

With all of that said, every security professional out there has made a mistake scanning. This is doubly true for people who haven't grown through the IT Security ranks (and dealt with the scanning disasters there). There is a whole religion thing about whether it is OK to scan on the IT side, let alone on the CNI side.

My take is this. If it can be done properly (and it can) then if you don't scan you don't know what can go wrong. You have no idea what the environment is like.

Doing security design in that environment is like a doctor performing surgery with a blindfold and oven mitts. You are lucky if you can even pick up the right tools.

Many good security professionals have gotten bitten by bad scans. In the SCADA world it makes sense to be extra careful, especially after seeing what can happen, but it doesn't mean scans don't add value.

The key point of the Myths is to make sure that CNI guys know that there is no difference between IT systems and DCS systems, and that IT guys know they are not the same.

That statement is not an oxymoron. Within context for each group it is true.

I have done hundreds of scans on PCNs successfully without problems. I wouldn't let just anyone do it, but it is possible and, more than that, it is essential.
20/11/06 4:23 PM
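The procedure Jim describes above (know what is on the network, agree with the right people which devices can take a scan, tune the settings, then scan in stages with people watching) can be written down as a scan plan rather than a one-off command line. The following is an added example, not code from this blog or either commenter: it builds a staged, throttled nmap plan from a hand-maintained inventory and refuses to produce a plan that touches PLC-class hosts or uses fingerprinting flags. The inventory, the scope `10.20.1.0/24`, the port list and the `fragile` field are all constructed for the example; the nmap flags are real, but the throttle values are a starting point to be agreed in the test plan, not a recommendation for any particular vendor's gear.

```python
"""Build a staged, rate-limited nmap plan for a process control network (PCN).

Added example, not the blog author's code. Assumptions:
  * a hand-maintained inventory (CONSTRUCTED sample below) that marks which
    hosts are PLC/RTU-class devices that must never receive a port scan;
  * nmap 7.x is installed only if you actually choose to execute the plan.
Nothing here runs nmap unless invoked with --execute.
"""
import ipaddress
import shlex
import subprocess
import sys

# CONSTRUCTED sample inventory: what the operators and change control signed off on.
INVENTORY = [
    {"ip": "10.20.1.10", "role": "historian", "fragile": False},
    {"ip": "10.20.1.11", "role": "hmi",       "fragile": False},
    {"ip": "10.20.1.50", "role": "plc",       "fragile": True},
    {"ip": "10.20.1.51", "role": "rtu",       "fragile": True},
]

# Flags that have no place on a PCN scan: version/OS probes and NSE scripts send
# unusual or malformed traffic that embedded TCP/IP stacks have been known to
# fall over on, and UDP sweeps and aggressive timing make that worse.
FORBIDDEN_FLAGS = {"-sV", "-O", "-A", "--script", "-sU", "-T4", "-T5", "--version-all"}

# Throttle every stage: polite timing, hard packet-rate ceiling, one probe in
# flight, one retry. Values are assumptions to be agreed in the test plan.
THROTTLE = ["-T2", "--max-rate", "20", "--max-parallelism", "1", "--max-retries", "1"]


def approved_hosts(scope, inventory):
    """Split the inventory into (scannable, excluded) IPs for the approved scope.

    Raises ValueError if the inventory lists a host outside the scope: that
    means the inventory and the change ticket disagree and nobody should scan.
    """
    net = ipaddress.ip_network(scope, strict=False)
    scannable, excluded = [], []
    for host in inventory:
        ip = ipaddress.ip_address(host["ip"])
        if ip not in net:
            raise ValueError(f"{ip} ({host['role']}) is outside approved scope {scope}")
        (excluded if host["fragile"] else scannable).append(str(ip))
    return scannable, excluded


def build_plan(scope, inventory, ports="21,22,23,80,102,443,502,20000", tag="pcn"):
    """Return the staged nmap invocations as argv lists. Nothing is executed."""
    scannable, excluded = approved_hosts(scope, inventory)
    exclude = ["--exclude", ",".join(excluded)] if excluded else []
    # Stage 1: discovery only (-sn), with the fragile hosts excluded even from that.
    stage1 = ["nmap", "-sn", *THROTTLE, *exclude, "-oA", f"{tag}-discovery", scope]
    # Stage 2: TCP connect scan (-sT uses the OS stack's normal handshake, no
    # crafted packets), only the listed ports, only hosts marked scannable.
    stage2 = ["nmap", "-sT", *THROTTLE, "--scan-delay", "250ms", "-p", ports,
              "-oA", f"{tag}-ports", *scannable]
    plan = [stage1, stage2]
    for cmd in plan:
        bad = FORBIDDEN_FLAGS.intersection(cmd)
        if bad:
            raise ValueError(f"forbidden flag(s) in plan: {sorted(bad)}")
    return plan


def render(plan):
    """Shell-quoted command lines, for the change ticket and the people watching."""
    return [shlex.join(cmd) for cmd in plan]


if __name__ == "__main__":
    plan = build_plan("10.20.1.0/24", INVENTORY)
    for line in render(plan):
        print(line)
    if "--execute" in sys.argv:  # dry run by default; stages run one at a time
        for cmd in plan:
            subprocess.run(cmd, check=True)
```

Run it without arguments to get the two command lines to paste into the change record; only `--execute` actually launches nmap, one stage at a time, so the live watchers can stop between discovery and the port scan. The ports listed are the usual IT services plus Modbus/TCP (502), S7comm (102) and DNP3 (20000), but the example never sends them to a host the inventory marks fragile; a plan that would is refused rather than silently trimmed.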



and from Rich at Securosis
