Comment: I see a huge job offer in their future. (Score 1)
I'm sure any number of military and intelligence agencies would be thrilled to give them a pile of money and all the cool toys they could handle.
* Ahem * As a degree holder in Political Science with a minor in International Relations,
Oddly enough, the Chinese government isn't stupid and takes a very long-term view of things.
This could be exactly what they're planning and want this to happen so they can have the benefits and freedom due to the "changing times" without having to embarrass themselves by back-pedaling with their current policy. It also lets them selectively enforce "who has freedom" by allowing the access policy to the area to be "leaky".
If you don't control everything on the box, you can't ensure security.
Regardless of what they claim or what they do, you're essentially sharing the box with hundreds or thousands of other users who potentially have access to run whatever they feel like.
I would suggest a Virtual Private Server on Linode. Your server is yours and security will live or die by how you configure it.
When most of the long haul and medium haul fiber was laid, they didn't just bury what they needed, they buried a bunch of it. However most was never connected to equipment (lit up).
This dark fiber is still sitting in trenches and conduits (many were taxpayer funded) running along a huge number of US superhighways, and has not seen a single byte of data.
This is mostly because having additional capacity would remove the artificial limits, increase the supply and cause prices for internet access to drop.
While some companies have problems with "the last mile" (to the home), companies that ran fiber to the home, like Verizon, are still attempting to limit bandwidth and create artificial shortages.
If I get a text about a giant tornado headed my way, do you honestly think I care if they charge me 20 cents for the "heads-up"?
That is completely impractical.
People in userland need data from the SCADA network to keep the business running. They absolutely must have a way to get it. Saying "no" isn't an option.
Sure it is.
Watch this: "You're being paid to do a job. Being inconvenient helps to safeguard the public utilities and prevents tampering from remote locations. If I find any systems that are connected to the public internet in any manner no matter how convoluted, I will fire the responsible individual(s) and their manager(s) on the spot."
See how easy that is?
Need data? Write it to a DVD and sneakernet it to whoever/whatever needs it.
Good advice. Try it with 30 plants covering a 1500sq mile area. While you were out all day updating your servers, an instrument tech forgot to clean his thumbdrive before plugging it in to an IEM to update the firmware. Since you didn't have regularly updating anti-virus, your whole network is now down and the company is losing millions of dollars an hour in lost production while you try to clean the 60 servers and 400 consoles on your SCADA network.
That's even more of a reason to not be connected to the net. The damage would be limited to the area one man could travel in a day, instead of everything, everywhere.
And you know what? I don't care if it's practical. Not all jobs get to be "convenient".
Good safe practice for separating a process control network from the internet is something like: internet > corporate network > buffer network > process network. Completely separating it is not advisable, because it can actually make it harder to administer and protect (updates, antivirus, etc). It's an option though if you are diligent with sneakernet updates and whatnot.
That's absolutely a recipe for disaster.
Nothing on the SCADA system should connect to anything, on any other network, using any method. No VPN, VLAN, Dameware, Citrix, or anything else you can come up with. Nada. Zip.
If this makes updates harder, that's awesome. It's supposed to. Someone is getting paid to do maintenance. It's their job. If by chance, you wish to do an update at some point, download the update, verify all the signatures with the vendor, burn it to a DVD and walk it over and install it. Then put the DVD somewhere safe, so when your system goes down you can find out what did it.
Advertising exists in order to create a demand for stuff people don't need.
People already know they need food, water and shelter. Nobody needs a steak from Outback or a new Disney toy.
They can't "force" anybody to do anything and if viewing specific content requires watching an ad, then I guess they'll have to get along without my business.
To do nothing is to be nothing.