From: "Brett Frankenberger" <rbf+nanog@panix.com>
What if you air-gap the SCADA network of which you are in
administrative control, and then there's a failure on it, and the
people responsible for troubleshooting it can't do it remotely (because of
the air gap), so the trouble continues for an extra hour while they drive
to the office, and that extra hour of failure causes someone to die.
Should that result in a homicide charge?
I should think it would be your responsibility, as the chief engineer, to
make sure *you have filled all such possible holes in your operations plan*.
What if you air-gap the SCADA network of which you are in
administrative control, but, having done so, you can't afford the
level of redundancy you could when it wasn't air-gapped, and a transport
failure leaves you without remote control of a system at a time when
it's needed to prevent a cascading failure, and that leads to someone
dieing. Should that result in a homicide charge?
If it costs more to run, then it *costs more to run*.
Air-gap means you have to build your own facilities for the entire
SCADA network. No MPLS-VPN service from providers. Can't even use
point-to-point TDM circuits (T1, for example) from providers, since
those are typically mixed in with other circuits in the carrier's
DACS, so it's only logical separation. And even if you want to redefine
"air-gap" to be "air-gap, or at least no co-mingling in any packet
switching equipment", you've ruled out any use of commercial wireless
service (i.e. cellular) for backup paths.
*I* define "air gap" as "no way to move packets from the outside world
into the network. I didn't say "100% dedicated facilities", though your
implication that that still leaves an attacker a way to reconfigure things
such that they could get in is absolutely correct.
A good engineer weighs all the tradeoffs and makes a judgement. In
some systems, there's might be a safety component of availability that
justifies accepting some very small increase in the risk of outside
compromise.
The line is pretty bright, I think, but you're correct in asserting that the
price difference goes up as the square of the number of nines. But that's not
important now; we're talking about cases that aren't even *99%*, much less 4 or
5 nines of unlikelihood that an outsider can find a way to break in.
You can argue that safety is paramount -- that the system needs to be
designed to never get into an unsafe condition because of a
communications failure (which, in fact is a good argument) -- that
there must always be sufficient local control to keep the system in a
safe state. Then you can implement the air-gap policy, knowing that
while it might make remote control less reliable, there's no chance
of, say, the plant blowing up because of loss of remote control. (Except,
of course, that that's only true if you have complete faith in the
local control system. Sometimes remote monitoring can allow a human to see
and correct a developing unsafe condition that the control system was
never programmed to deal with.)
Yes, but that's enablement for loss of locally staffed control, all by itself.
Even power utilities have a pretty good real rate of return these days; I have
no problem with them spending a little more of their revenue on safety, instead
of profit. If that takes regulators pointing guns at them, I'm fine with that.
But even if the local control is completely safe in the loss-of-comm
failure case, it's still not as cut and dried as it sounds. The plant
might not blow up. But it might trip offline with there being no way
to restart it because of a comm failure. Ok, fine, you say, it's still
in a safe condition. Except, of course, that power outages, especially
widespread ones, can kill people. Remote control of the power grid
might not be necessarily to keep plants from blowing up, but it's
certainly necessary in certain cases to keep it online. (And in this
paragraph, I'm using the power grid as an example. But the point I'm
making in this post is more general case.)
And I just read the Cracked piece talking about the 77 NYC blackout, which is
sort of weird, actually. 
But the general case point *I* was making was
not that I expected a conviction.
It was that I expected a charge, and a trial.
If a bridge collapses, are we going to charge the Professional Engineer who
signed off on it?
Sure, anytime there's an attack or failure on a SCADA network that
wouldn't have occurred had it been air-gapped, it's easy for people to
knee-jerk a "SCADA networks should be airgapped" response. But that's
not really intelligent commentary unless you carefully consider what
risks are associated with air-gapping the network.
Practically speaking, non-trivial SCADA networks are almost never
completely air-gapped. Have you talked to people who run them?
No, and yes my knee was jerking. But based on the industry stuff I have seen
from out here, security isn't anywhere in the same *county* with where it needs
to be, and -- just as with RMS and the GPL -- maybe if some extremists knees jerk,
the end result, while more moderate, will be more salutary.
If you were that chief, and you knew the result of you screwing up might be
the loss of your liberty, not just your job... you don't think you'd fight
budget battles with your utility harder? (That's often the reason for such
regulations: to give middle to upper management more bullets to fire at the
(greedy) owners.)
Thanks for doing some of my math for me, though, Brett.
Cheers,
-- jra
