[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

Matthew Franz mdfranz at gmail.com
Wed May 21 16:33:58 CDT 2008


Ron,

So I'm not getting it :)

So there are a number of problems with standards. And BTW, I'm not a
big standards, compliance advocate, I'm just making small talk...

0) Standards set the bar too low, everything is covered appropriately
but the recommended practice may not mitigate threats, reduce risk
(recommendations for weak encryption algorithms)

1) Standards are too generic/abstract/high level, not prescriptive
enough, so an organization can be compliant with too little effort
(just use encryption, do it!)

2) Standards omit critical areas or do not have proper scope (only
require encryption for data at rest vs. data in motion)

3) Users/organizations can game the standards, audit process, etc. so
they win. Give the appearance of compliance when they are not (insert
your example from experience here)

4) Users/organizations can sincerely try to implement the standards
correctly but fail because they don't have the tools or culture, or
the standards are too hard to implement (what the hell is encryption)

#3 & #4 cannot be solved by improvements to the standards while #0-2
might be able to be addressed by "better" standards.


On Wed, May 21, 2008 at 4:05 PM, Ron Southworth
<southworthrg at bigpond.com> wrote:
> A simple answer.
>
> It is a big picture thing most people don't seem to get it....
>
> It is not the standard, it is how it is going to be used. It is only
> addressing part of best practices.
>
> Ron Southworth
>
> ljknews wrote:
>> At 4:13 AM +1000 5/22/08, Ron Southworth wrote:
>>
>>
>>> Security Standards give a measure to aspire to and compare
>>> quantitatively and have a place in the industry for certain.
>>>
>>> Breeding a security culture based on best practices is far more
>>> effective, valuable and long lasting, remember that old saying - loose
>>> lips sink ships.
>>>
>>
>> I would like to read the regards in which you feel 800-53
>> does not represent "best practices".
>>
>> Probably NIST would like your input as well.
>>
>



-- 
Matthew Franz
http://www.threatmind.net/
