Title

When you can't see the forest for the domains: why a two forest model should be used to achieve logical segregation between SCADA and corporate networks

Document Type

Conference Proceeding

Publisher

School of Computer and Information Science, Edith Cowan University

Place of Publication

Perth, Western Australia

Faculty

Computing, Health and Science

School

Computer and Security Science, Centre for Security Research

RAS ID

8592

Comments

This paper was originally published as: Woodward, A., & Turner, B. (2009). When You Can’t See the Forest for the Domains: Why a Two Forest Model Should be Used to Achieve Logical Segregation Between SCADA and Corporate Networks. In Proceedings of the 10th Australian Information Warfare and Security Conference. Edith Cowan University, Perth, Western Australia.

Abstract

The increasing convergence of corporate and control systems networks creates new challenges for the security of critical infrastructure. There is no argument that, whilst connecting what was traditionally an isolated network to a usually internet-enabled corporate network is unavoidable, segregation must be maintained. One such challenge is how to properly and appropriately configure an Active Directory environment to allow for exchange of required data, but still maintain the security goal of separation of the two networks. This paper argues that while separate domains may seem to achieve this goal, the reality is that a domain is not a security boundary, and in fact does not effectively segregate the networks. A more secure and robust barrier can be created through the creation of separate forests, which still allows for one-way trust relationships to be established between the two forests for authentication and data exchange. The paper concludes that there is no loss of functionality or communication through the use of two forests, but there is a loss of security if using one.

DOI

10.4225/75/57a7f28c9f481

Access Rights

free_to_read
