[ale] OT, mostly - remote access w/o internet

Greg Freemyer greg.freemyer at gmail.com
Mon Mar 15 09:33:40 EDT 2010


I'd verify the utility does not maintain an air-gapped private WAN
that has those servers on it.

If they do, the issue simplifies to accessing that private wan.

Greg


On 3/15/10, Neal Rhodes <neal at mnopltd.com> wrote:
> I'm pondering on this for a friend.     (really!)   He supports control
> systems for power plants.
>
> Power companies are adamant that their control systems will NEVER touch
> the internet.   I'm not sure I disagree with them; but it don't matter.
>
> So, whenever said friend gets a call from said power plant, if he can't
> resolve it over the phone, he gets in the car and drives.  Hundreds of
> miles.
>
> Ergo, accepting that the power company won't ever change, I'm thinking
> what kind of remote access could be configured that would meet their
> most
> rigorous requirements:
>
> A. No in-bound access.
> B. Initiate FROM the power plant TO the support vendor.   Shutdown when
> problem resolved.
> C. Allowing many power plants to access a single vendor number, although
> not all at the same time.
> D. Effectively impossible to intercept.
> E. Insignificant monthly costs.
>
> I'm coming up with the vendor hanging a 56K dialup modem on a linux box,
> supporting an inbound PPP call from the vendor with a 56K modem.   Dog
> slow, but I remember the days when we thought that was wicked fast and
> it's still waaaaay faster than driving to Pensacola and back.
> Essentially impossible to eavesdrop or intercept, and it's really easy
> to verify the modem is switched off when the vendor is done.   Of
> course, that requires a "real" phone line to work.
>
> What else?   I was thinking a bonded ISDN line.  Those support dialup to
> another ISDN, and would get them up to 128KB.  (whoohoo)  Also
> essentially not possible to intercept and the same degree of isolation,
> but the power company might not "trust" that it's truly dormant when
> offline.
>
> What else?   They could technically go with leased lines, but client
> fear of that might be impossible to overcome.   You could talk yourself
> blue about running a VPN over the leased line, but they'll plug their
> ears and run.
>
> Somehow initiating a new project with 56K modems sounds like dinosaurs
> mating in the snow, but I'm not seeing really swell alternatives.
>

-- 
Sent from my mobile device

Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
<http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
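The thread's strongest argument for dial-up is that the plant can prove the link is down once the support call ends (requirement B, and the "truly dormant" worry). As an added example, not from the thread or any project, here is a small plant-side audit over pppd syslog lines that flags a session that was never torn down, ran without CHAP success, or outlived a maximum call length. The log lines, hostname `plantgw` and pids are constructed samples.

```python
"""Audit pppd syslog lines from a dial-out support modem (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log: session 2101 is closed cleanly, 2388 never ends.
SAMPLE_LOG = """\
Mar 15 08:01:02 plantgw pppd[2101]: pppd 2.4.5 started by root, uid 0
Mar 15 08:01:41 plantgw pppd[2101]: Connect: ppp0 <--> /dev/ttyS0
Mar 15 08:01:43 plantgw pppd[2101]: CHAP authentication succeeded
Mar 15 09:12:10 plantgw pppd[2101]: Connection terminated.
Mar 15 09:12:10 plantgw pppd[2101]: Exit.
Mar 15 14:30:00 plantgw pppd[2388]: pppd 2.4.5 started by root, uid 0
Mar 15 14:30:35 plantgw pppd[2388]: Connect: ppp0 <--> /dev/ttyS0
Mar 15 14:30:37 plantgw pppd[2388]: CHAP authentication succeeded
"""

# syslog prefix: "Mon DD HH:MM:SS host pppd[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pppd\[(\d+)\]: (.*)$")

@dataclass
class Session:
    pid: str
    start: Optional[datetime] = None   # when the PPP link came up
    authenticated: bool = False        # CHAP succeeded on this link
    end: Optional[datetime] = None     # when pppd reported termination

def parse_sessions(log: str) -> dict[str, Session]:
    """Group pppd lines by pid into link-up / auth / link-down events."""
    sessions: dict[str, Session] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S")  # year-less syslog time
        s = sessions.setdefault(pid, Session(pid))
        if msg.startswith("Connect:"):
            s.start = ts
        elif "authentication succeeded" in msg:
            s.authenticated = True
        elif msg.startswith("Connection terminated"):
            s.end = ts
    return sessions

def audit(log: str, max_minutes: int = 240) -> list[str]:
    """Return one finding per session that breaks the dormant-link rules."""
    findings = []
    for s in parse_sessions(log).values():
        if s.start is None:
            continue                       # pppd started but never connected
        if not s.authenticated:
            findings.append(f"pid {s.pid}: link up without CHAP success")
        if s.end is None:
            findings.append(f"pid {s.pid}: link never terminated, modem not dormant")
        elif s.end - s.start > timedelta(minutes=max_minutes):
            mins = int((s.end - s.start).total_seconds() // 60)
            findings.append(f"pid {s.pid}: session ran {mins} min, over {max_minutes}")
    return findings
```

Run it from cron against /var/log/messages (or wherever pppd logs on the plant box) and page someone on any non-empty result; the session-length check is also how you would catch a call that was left up overnight.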

