[SCADASEC] NERC compliant equipment
wboyes at putman.net
Sat Aug 9 15:33:52 CDT 2008
Actually between 1 and 13, but yeah, that's it. Can I use your list? I
think it is a very clear explanation of the necessary steps.
I dunno where to start. I suggested creating some sort of pathway that
users, researchers and vendors could use to collaborate openly, and I don't
think you liked that idea.
Where would YOU start, and how would you do it?
Walt
----------------------------------------------
Walt Boyes
Editor in Chief
CONTROL magazine
ControlGlobal.com
555 W. Pierce Road, Ste. 301
Itasca, IL 60143
630.467.1301 x 368
wboyes at putman.net
Read my blog, Sound Off, at www.controlglobal.com
"Matthew Franz" <mdfranz at gmail.com>
Sent by: scadasec-bounces@news.infracritical.com
08/09/2008 03:18 PM
Please respond to: scadasec at news.infracritical.com
To: scadasec at news.infracritical.com
cc: scadasec-bounces at news.infracritical.com
Subject: Re: [SCADASEC] NERC compliant equipment
So we want to compress the number of days between 1 and 12, right?
Some of these are harder than others. Where do you start?
---
1) vuln found by someone (either inside/outside vendor, either
outside/inside legit user)
2) vuln reported to vendor
3) vuln confirmed by vendor
4) vendor identifies workarounds
5) vendor fix developed, code changes made identify workarounds until patch
6) fix enters vendor QA/regression
7) fix committed to release codebase
8) fix packaged for release, documentation completed
9) end user finds out about patch, vuln
10) user evaluates vuln/patch
11) patch/fix goes into user dev/QA systems
12) based on result, decision made whether to move patches to prod
12) patch goes to prod in selected environments
13) patch fully deployed throughout user org
>
> That's the problem. How do we adequately disclose vulnerabilities, help
> vendors correct them, help them and encourage them to provide timely
> patches, and get them to the end users and get them applied-- all without
> vastly increasing the vulnerability of installed systems to attack?
>