I work at a power plant that has a digital control system, DCS (Distributed Control System), tied to the corporate LAN which is tied to the Internet. We of course have a firewall between the two networks; UNIX on both sides of the firewall (DCS is 100% UNIX), then it ties to the corp LAN, and then it?s mostly all Windows form there. Very recently we had a virus come in and wreck havoc on the corp LAN, but the control network was never affected (or infected). So, right away all the Microsoft bashers are going to say ?proof positive, see M$ is junk?, but let me add a few more details.

In a nutshell the security policy (one of my designs) allows information to pass one-way, from the secure (DCS) side to the corp LAN. Access lists protect interfaces from all in-bound traffic (spoofing and such) from the insecure side, no access to the secure side from anywhere except the secure side. Data gets formatted at boxes on the insecure side of firewall, and it?s ready for engineering/marketing. Now let me comment on a few posts here.

(Post) Why even have a control network tied to the Internet?

(A) OK, someone already answered this but let me reaffirm the fact that we are talking about literally multi-millions of dollars (or euro?s) of power that are produced and sold each and every day, not year, day!

(Post) Many utilities don?t have IT people maintaining the system.

(A) A MIS department (I believe that stands for misinformation services) has no business touching a system that they don?t know about. These are not just simple computer networks, not only do they control revenue; they also control safety (equipment and personnel).

Lastly I would like to say that I personally prefer UNIX to Windows (or Linux for that matter). I have used just about everything and I can honestly say that Win2K, XP Pro, and 2003 are good products, but I still prefer UNIX. I have pointed out numerous security holes to IT groups ranging from people with Masters degrees in Computer Science, to people with cracker-jack certs (that?s what I call the boot campies). If anyone honestly believes that *nix is not prone to the multiple holes and viruses that plague Windows (how about BIND for one), then I really feel sorry for you; more than just you, I feel sorry for the companies you work/consult for, but most of all I feel sorry the Internet community. Thanks for your post Ryan Lambert, after all that?s the bottom line; if you don?t patch your OS (any OS) and take a proactive stance to security in general, then you are part of the problem, not part of the solution!

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6767/21766#21766