[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
Paul Ferguson
fergdawg at netzero.net
Wed May 21 13:11:43 CDT 2008
-- "Matthew Franz" <mdfranz at gmail.com> wrote:
>Kevin,
>
>Not to be cheeky, but your point?
>
>Are you inferring that if we are in compliance we are not "secure"
>(however you might measure that, test that, etc.) and therefore we
>shouldn't bother with compliance? Is this another variation of the
>whole "standards provide a false sense of security" argument,
>therefore we should sit on our hands or endlessly argue about what it
>means to be "secure." Been there/seen that....

Well, I'm not Kevin, but I feel compelled to respond.

I definitely believe that compliance != secure, and in fact, this
exact same discussion is happening in another vertical market -- PCI
compliance and the merchant/banking/payment card industry.

In fact, recent breaches/incidents have illustrated why it is
indeed the case.

I think there's a corollary in the SCADA community, but "compliance"
with NERC mandates (for instance) should be a minimal goal, at the
very least.

$.02,

- ferg
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/