COINE version 2 super secure network

[Maxburn]

USAF CE network is super secure. So secure that no machine is allowed to reach out to windows update. Supposedly some administrator somewhere is supposed to update these machines manually, like with sneakernet. The inevitable result is machines that never get an update and they have the hard shell candy security model, everything in the middle is super vulnerable. Sure doesn't seem to be a modern approach to me.

[orion242]

Yea, not getting windows updates these days seems like an extremely poor idea.

Contractors are certainly getting files on the machines somehow. Just one thing slips through the whole thing could fall over.

Will say that MS hasn't made it easy to get offline machines updated either. Been wrangling that issue for some time and can't say I have found a good method.

[Maxburn]

Patches? Please, they don't even load DRIVERS to get the hardware running. So they have these 42" something like 3k monitors that can't be set beyond 1024x768 because it's missing a video driver. Nobody is supporting these machines at all, it's actually scary the amount of thought that goes into the network and then how much they ignore the PC's that are on the network.

[orion242]

Seen it and in most cases it seems very fragile imo.

Solarwinds seems to be pushing a few things forward.

[orion242]

Also would look into DFARS. Timeline on that pushing forward and solarwinds is interesting. Somethings change, others seem to find ways to ignore.

[Maxburn]

Oh, haven't seen that one yet. Reminds me about the XKCD regarding standards.

[Maxburn]

OK, saw my first DFARS request today from the front office. Looks expensive.

[Maxburn]

Recent podcast "Hack the Plant Episode 11: Department of Defense Policy and ICS Security". Some talk of DFARS but more interesting was some specific talk about power meters being rejected because of things like they have bluetooth and optical connections. It's like they ignored they can be turned off and put in locked rooms and just stuck them on a shelf somewhere. Apparently the pentagon is going through a HVAC controls upfit now because the controls in the building are no longer supported and regarded as insecure. Last upfit was completed 2001, like what are they expecting, support forever? Interesting to watch some of this stuff unfold. Recent discussion with someone in corporate HVAC controls expressed the opinion there seems to be some "security" people inserting themselves in these discussions and creating required jobs for themselves.

https://www.rstreet.org/2021/06/02/hack ... -security/

[orion242]

A year or two ago I had an RFP for modernization of a large VA hospital. It was very clear they wanted all Jaces and supervisors brought up to the latest supported version of Niagara. All the field devices where crap from the 90s with AX Jaces and a proprietary driver that was not supported in N4. Without that driver in N4, it was going to be a complete reboot of the BMS with costs easily exceeding seven figures. Priced it up as they asked for and the customer freaked out. Went over the RFP and explained there was no way to meet the requirements without replacing everything.

In the end, they dropped the requirements and only upgraded the supervisor to N4, all the Jaces remained on AX and their 90s era crap lives on. It even has been expanded on with more used crap since you haven’t been able to buy the field devices in more than a decade now.
Even in customers that are covered under DFARS there doesn’t seem to be 100% adherence.

Some of these new requirements seem to be a bit of lip service, least what we have seen.

[Maxburn]

Sounds like the smart solution to me. Nothing wrong with isolating and protecting the older stuff.

It’s just interesting they are ignoring older, sometimes current, systems capabilities with some of these requirements.

[orion242]

Sounds like the smart solution to me. Nothing wrong with isolating and protecting the older stuff.

It’s just interesting they are ignoring older, sometimes current, systems capabilities with some of these requirements.

Can't say their choice didn't make sense. But when top command say thou shall do this, requirements meet reality...exceptions appear. Those field devices are beyond dead now. Have a hard time seeing the logic to go great lengths for something that should have been planed replace decades ago. The BMS that can't handle current daylight savings has nothing but outdated limits now, served them well since the 90s. Could get the final nail at any moment and your dead in the water and up the creek instantly. Band-aids, duct tape, band-aids...then it falls over and hits national news. Sure church down the street, shopping mall, etc. But a government outfit with a mandate to modernize adds on with used junk from yesteryear?

Seems nothing really changed. Serious will hold the line to the end of time and its now even more painful. They will pay for it. Others seems to find all the exceptions to continue in the past. Where do you put your effort if you chase this work?