Re: [foxboro] foxboro Digest V9 #214
- From: Clayton Coleman <kayakfishtx@xxxxxxxxx>
- To: foxboro@xxxxxxxxxxxxx
- Date: Wed, 17 Jun 2009 09:54:50 -0500
Patching and hardening in a controls environment are definitely not as easy
as the typical IT-world. That being said, both activities CAN be done
effectively if proper planning and testing are done beforehand. Obtaining
vendor support is key. Invensys has a consulting organization that has a lot
of experience in this realm -- patching and hardening control systems,
including situations when the control system is operational.
There are some limitations as to which patches/hardening may be supported by
the vendor. This is why you need to start by identifying the criticality of
the assets you are intending to protect and then determining what steps you
can take to reduce their exposed risk. Realizing that there may be some
risks for which there is no patch or hardening steps to mitigate, you might
have to look into perimeter-based solutions (firewalls with
antivirus/intrusion prevention).
One option you can deploy is disabling USB-based disk support in Windows.
It is done through Windows policy or through some 3rd-party applications.
With this option you can allow your USB keyboards and mice to work but not
allow "jump drives/USB sticks" without authorization.
Clayton
> ----------------------------------------------------------------------
>
> Subject: Re: [foxboro] "Conficker" virus,
> From: Corey R Clingo <corey.clingo@xxxxxxxx>
> Date: Tue, 16 Jun 2009 12:57:26 -0500
>
> Conficker (I think) and other modern virus variants are using other means
> to get onto machines, i.e., "autorun" (I call it auto-hose) on CDs and USB
> sticks -- you know, that thing you thought you could disable in Windows
> but really wasn't disabled (thanks, Microsoft). You do not have to
> connect your system to the Internet anymore to get infected.
>
> Your statements are valid, but in practical terms there are problems. Yes,
> you can scan the CDs and USB sticks on some sacrificial box and hope
> nothing gets by your scanner(s). "Hardening" Windows is not an option on
> most systems I have dealt with because it causes massive breakage (not
> necessarily Windows' fault, but that of the entire Windows software
> development mindset). Patching is not always as easy as it sounds;
> usually the PCS vendor must qualify them before you load them, and even
> then it is more of a "smoke test" than a comprehensive compatibility
> review. And who has resources to test all those patches in-house before
> loading them, potentially on a hundred or more machines?
>
>
> I feel a how-stupid-do-you-have-to-be-to-build-a-control-system-on-Windows
> rant coming on, so I'll stop now.
>
>
> Corey Clingo
> BASF Corp.
>
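As an added example (not from the thread, and not an Invensys or Microsoft tool), the PowerShell script below audits the two Windows controls the messages above touch on, the USB mass-storage driver start value that Clayton's option relies on and the Autorun policy Corey mentions, and applies them when run with -Apply. The registry paths are the standard documented locations; it assumes an elevated prompt and should be tested on a non-production box first, since USBSTOR changes affect any USB disk, not just jump drives.

```powershell
# Added example: audit/apply USB mass-storage and Autorun settings.
# Run elevated. Use -Apply to change non-compliant values; default is audit only.
param([switch]$Apply)

$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-UsbStorageState {
    # Start = 3 (demand start) lets the USB mass-storage class driver load when a
    # disk is plugged in; 4 (disabled) blocks it. Keyboards and mice use the HID
    # class driver, so they keep working when USBSTOR is disabled.
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Setting   = 'USBSTOR Start'
        Current   = $start
        Wanted    = 4
        Compliant = ($start -eq 4)
    }
}

function Get-AutorunState {
    # NoDriveTypeAutoRun is a bitmask of drive types with Autorun turned off;
    # 0xFF covers every type. The value is absent when never configured.
    # Note: on older (2009-era) systems this value was not honored for all
    # drive types until Microsoft's Autorun update was installed; this check
    # only inspects the registry value, it does not prove Autorun is inert.
    $val = Get-ItemProperty -Path $policies -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $current = if ($val) { $val.NoDriveTypeAutoRun } else { $null }
    [pscustomobject]@{
        Setting   = 'NoDriveTypeAutoRun'
        Current   = $current
        Wanted    = 0xFF
        Compliant = ($current -eq 0xFF)
    }
}

$report = @(Get-UsbStorageState; Get-AutorunState)
$report | Format-Table -AutoSize

if ($Apply) {
    foreach ($item in ($report | Where-Object { -not $_.Compliant })) {
        switch ($item.Setting) {
            'USBSTOR Start' {
                Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
            }
            'NoDriveTypeAutoRun' {
                if (-not (Test-Path $policies)) { New-Item -Path $policies -Force | Out-Null }
                Set-ItemProperty -Path $policies -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
            }
        }
        Write-Host "Applied: $($item.Setting)"
    }
}
```

Re-run without -Apply afterwards to confirm both rows show Compliant = True; the USBSTOR change takes effect for newly attached disks, and an already mounted USB disk stays until it is removed.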
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: http://www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave