Question


SCADA security in GPRS networks

By arkahnz

I work on a SCADA system that basically uses a GPRS network to acquire data from remote sites. The 3rd party telecom company providing GPRS allots dynamic IP addresses to the remote devices. We use a Cisco router at the perimeter for managing incoming traffic from these remote sites. In this scenario where IP addresses change periodically, how do I secure my servers using ACLs? I basically want to make sure that only the traffic coming from the remote sites is allowed into the LAN network of the control center.
Thanks
Khaled


All Answers


Tricky problem

by robo_dev In reply to SCADA security in GPRS ne ...

Ideally you could use DNS names for an ACL, but I don't believe Cisco can do that in any IOS I've seen.

Three approaches:

1) One solution, though limited, would be to create an ACL to limit IP addresses to only those used by that ISP.

2) Transit ACLs will help to reduce the attack surface by limiting ingress to only the ports you need for SCADA.

http://www.ciscosystems.com/en/US/tech/tk648/tk361/technologies_white_paper0**86a00801afc76.shtml

3) Cisco has a way to create dynamic ACLs called 'lock and key':

http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scflock.html#wp1001134
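
Approaches 1 and 2 from the answer above can be combined into one inbound ACL. The following is an added example, not part of the original post or Cisco's documentation: a small generator that merges a carrier's GPRS address pools and emits IOS extended-ACL lines with wildcard masks. The pool ranges, server address, port and ACL name are constructed placeholders.

```python
import ipaddress

# Constructed sample inputs (assumptions, not values from the thread).
ISP_GPRS_POOLS = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.64/26"]
SCADA_SERVER = "192.0.2.10"   # placeholder control-center front-end
SCADA_TCP_PORTS = [20000]     # placeholder; use the ports your SCADA protocol needs


def build_acl(name, pools, server, ports):
    """Return IOS extended-ACL lines permitting only pools -> server:ports."""
    # IPv4Network rejects entries with host bits set (e.g. 198.51.100.1/25),
    # so a mistyped pool fails loudly instead of silently widening the ACL.
    nets = [ipaddress.IPv4Network(p) for p in pools]
    server_ip = ipaddress.IPv4Address(server)
    port_list = sorted(set(ports))
    for port in port_list:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP port: {port}")

    lines = [f"ip access-list extended {name}"]
    # collapse_addresses merges adjacent or overlapping blocks, keeping the
    # ACL short when the carrier publishes its pool as many small ranges.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 0:
            raise ValueError("refusing to permit 0.0.0.0/0")
        for port in port_list:
            # IOS ACLs take a wildcard (inverse) mask, i.e. the hostmask.
            lines.append(
                f" permit tcp {net.network_address} {net.hostmask} "
                f"host {server_ip} eq {port}"
            )
    # Explicit final deny with logging so dropped traffic is visible.
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl("SCADA-IN", ISP_GPRS_POOLS,
                              SCADA_SERVER, SCADA_TCP_PORTS)))
```

An ACL built this way still admits any subscriber in the same carrier pool, which is why the answer calls approach 1 limited.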
