[SCADASEC] Improper reporting

Brodsky, Jake jBrodsk at wsscwater.com
Tue Apr 15 11:46:25 CDT 2008


I tried to reply to this earlier, and for whatever reason the e-mail hit
the proverbial bit bucket.  

The Water Cyber Security document does refer to the Taum Sauk dam
failure as a cyber incident.  I disagree with this assessment.  In fact
my co-worker Tony McConnell noticed this too and commented to the
committee about this last fall.  For whatever reason, that comment
didn't result in any changes, although other comments he made seem to
have been noticed.  

Anyone seeking the official account of the dam failure causes should
look here:

http://ferc.gov/industries/hydropower/safety/projects/taum-sauk/ipoc-rpt/conclusion.pdf

I can't blame the Washington Technology reporting for thinking that the
Taum Sauk dam failure was a cyber event.  The Water Cyber Security document
got it wrong.  

This is one of those things that the project leader, Seth Johnson,
refers to as being a "work in progress."  

My feeling is that this document is meant to be a roadmap in the same
sense that the Roadmap to Secure Control Systems in the Energy Sector
was meant to be a roadmap (the outcome was NERC CIP).  In fact, it
borrows from that document heavily.  I believe that this is intended to
be a stalling tactic to keep politicians from making all sorts of
ill-advised legislation and regulation.  (Just like NERC CIP.)

So to a certain extent, I feel obligated to comment on this effort.
However, this document doesn't have to be polished like a standard.  It
only has to work.  

Please understand, I'm not thrilled about this.  However, given the
state of most water utility SCADA security efforts (ranging from mostly
non-existent to feeble) and the fact that several crucial standards are
still very much in development, I can't say they're wrong.  

Jake Brodsky