True. Anyone who uses an Operating System on a computer that does anything with machinery at all should know what that OS does. Microsoft OS's are vulnerable as a newborn kitten without proper protection.

In addition to those steps I would implement software-firewalls with reporting on all computer systems in the plant, as well as force all IP communications to go through a router with reporting and packet filtering. Having a 2nd router for redundancy should suffice to keep that from inhibiting operations in the event of a failure in the system.

As well, if connecting the plant network to the internet is ABSOLUTLEY necissary, put another firewall in between it and the office network. And then, do the same thing as I described above to the office network. At this time, any leased line should first go through an approval process described by a previous poster, and even then, any connection to the network should be outside the firewall. Any ports that need be open from that connection should be included in the approval process. (And the person doing the approval should make sure they don't approve anything that says "open this port so SQL slammer can spread to your corporate network." Just making sure because I can imagine a beurocrat doing that.)

But above all, don't use MS SQL.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6767/21723#21723