[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
Brodsky, Jake
jBrodsk at wsscwater.com
Thu May 22 06:23:10 CDT 2008
I tried to chime in yesterday from home, and, well, somewhere between
Comcast and Infracritical, my e-mail fell on the floor.

These are all great comments. Ron Southworth hit the nail on the head.
Standards are as much about social expectations as anything else.

For example, we have a safety standard (and laws) that say we must have
seatbelts for every seat in a car. We cannot compel everyone to use
them, nor can we state that they are guaranteed not to hurt more than
help in an accident. But on average, they'll save more lives than they
take.

The point of NIST 800-53 and other security standards is to declare a
minimalist set of features and policies for secure operations. It does
not mean you're invulnerable to hacking any more than it means you're
guaranteed to survive while wearing a seatbelt in an automobile
accident. But for those who do follow a security standard, the chances
of serious damage from hacking incidents should be substantially less.

Jake Brodsky