[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
ljknews
ljknews at mac.com
Wed May 21 16:53:02 CDT 2008
At 4:33 PM -0500 5/21/08, Matthew Franz wrote:
> 0) Standards set the bar too low, everything is covered appropriately
> but the recommended practice may not mitigate threats, reduce risk
> (recommendations for weak encryption algorithms)
>
> 1) Standards are too generic/abstract/high level, not prescriptive
> enough, so an organization can be compliant with too little effort
> (just use encryption, do it!)
There are standards like that, and there are others.
800-53 is the best I have seen for specificity.
8500.2 has a very few good points that 800-53 omits.
I certainly would agree there are some standards not worth
following.
> 2) Standards omit critical areas or do not have proper scope (only
> require encryption for data at rest vs. data in motion)
That speaks for openly developed standards, with feedback from
expert onlookers.
> 3) Users/organizations can game the standards, audit process, etc. so
> they win. Give the appearance of compliance when they are not
For that one needs review by a higher authority. A more immediate
likelihood of review than that for Hebrew National hot dogs. Needs
for offsite backup storage are hard to meet on a submarine, so it
is up to that higher authority to determine if the exception is a
valid one.
--
Larry Kilgallen