<html><head/><body>I held a position about 15 yrs ago that included introducing application software into secure environments. These environments were not patched unless a specific problem was experienced or was likely to seen. The networks were not connected to the outside world for inbound traffic. Outbound real-time data traffic was constantly streamed on the campus network, controlled by the TTL. It was also streamed over private WANs to locations around the world.<br>
<br>
* Absolutely no Windows PCs were allowed on the network. Mostly UNIX systems plus a mainframe running MVS, a Novell Netware file server and a few Windows Servers.<br>
* No methods to physically touch the computers on the network were easily available. The end-user systems were all inside consoles to help prevent controller tampering.<br>
* Servers were on a secure floor with elevator and doorway controls, as you'd expect.<br>
* USB connectors were physically glued. No way to plug anything in. Fortunately, almost none of the systems had USB.<br>
* Optical drives were disconnected internally, as were floppies.<br>
* Almost all software development was performed inside this environment. If the developer didn't type in the code, it didn't get into the machine. No internet.<br>
* My group did software development in an internet connected lab elsewhere. Our program and data was treated like a commercial vendor. To bring the software into the secure environment, I had ...<br>
** training to use the "software introduction systems"<br>
** delivered the new software releases, via tape, to a system that was disconnected from every network, copied all the software off the tape to a local disk, scanned using 3 different commercial anti-virus tools. If no issues were found, another person would validate the result, physically connect it to an intermediate network, and copy the files to a network storage area. <br>
** I'd have to physically go up 2 floors, behind more security (card and pin access required), login to an different network, locate my files on the storage, sftp them to our server inside the control center network. Then physically move to a different network to do the setup and configuration.<br>
<br>
The required process was clearly documented. People who performed it were few and accountable. The idea of taking any shortcuts never crossed my mind.<br>
<br>
Basically, there were 2 hops to get programs inside the control center network. Everything that i took into the secured environment was scanned and copied with a tag showing my name and backed up to tape. Should anything go wrong later, it could be traced back to me and the system logs would show whether I followed the procedures or not. It wasn't foolproof, but it did provide traceability. <br>
<br>
Every 28 days, I'd spend 4 hours walking around all the different networks changing passwords. Only 1 expired every 28 days, but there were so many accounts on disconnected networks that I wasn't allowed to write down, so it was just easier for me to change them all. It also assured that my access card(s) still worked at each location. <br>
<br>
Cumbersome, definitely.<br>
<br>
There were about 20 servers and 400+ workstations on that network for this single location. Approximately 5-10 other locations around the world were setup, but much smaller with about 5 workstations at those locations. I had direct access to their internal networks through a private WAN connection from a specific workstation in a secure room. I installed any updates for our program on all these networks, sometimes 2 times a week, but usually once a month as development slowed.<br>
<br>
We've known for years how to do this stuff. It is just the lack of convenience that makes managers choose to allow short cuts. If a worker can take a shortcut, then they will. Don't allow it by removing physical port access. Make the only way to get software onto these machines via a process that forces them to do the "right things."<br>
<br>
I've read about control systems being accessible over the internet with trivial passwords. Convenience or security, that is the choice that we all have to balance. <br>
-- <br>
Sent from a Linux system.</body></html>