[146578] in North American Network Operators' Group
Re: Arguing against using public IP space
daemon@ATHENA.MIT.EDU (Eric C. Miller)
Wed Nov 16 09:20:33 2011
From: "Eric C. Miller" <eric@ericheather.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 16 Nov 2011 14:14:59 +0000
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Not sure if anyone has thought of it like this, but:
Air Gap is still only as secure as the people with access to it. NAT and fi=
rewalls provide a compromise between security and connectivity. But remembe=
r that at a power plant, the PBX system still connects to the outside world=
, and there is a phone in the control room. What stops a nefarious social h=
acker from calling up the control room and convincing the 3rd shift operato=
r to stop producing power (claiming to be from the regional authority)? Cal=
ler-ID can be hacked. My personal belief is that all layers of the OSI/DOD =
model should assume that the adjacent lower level can and will be compromis=
ed at some point and measures should be put in place to encrypt or authenti=
cate messages. Unfortunately for us, our critical infrastructure in this co=
untry still operates on outdated security-less network architectures like A=
rcNET. Even most of the PLCs in use at power plants utilize no security or =
have simple passwords like "supervisor" and "operator." The US gov's NERC h=
as random inspections for CIP compliance, but I feel that they happen so in=
frequently, that nothing will be done in time to adequately protect us from=
certain dangers that loom.
Eric Miller
Network Engineering Consultant
