[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

Kevin Lackey jabberwoq at gmail.com
Thu May 22 08:49:11 CDT 2008


Matt,

Just noting that compliance with a standard does in no
way guarantee security. I have seen and heard of too many assessments at
asset owner sites where they could check a box on a compliance checklist,
but the actual implementation was anything but secure.

Standards are a good starting point and have their place as they ensure some
type of baseline, and in many cases some type of enforceability. Some
standards are better than others. Standards also can provide a mechanism/
impetus for a security policy and create an entry point into a
security life-cycle.

Maybe I came across too glib...

Kevin

On Wed, May 21, 2008 at 11:49 AM, Matthew Franz <mdfranz at gmail.com> wrote:

> Kevin,
>
> Not to be cheeky, but your point?
>
> Are you inferring that if we are in compliance we are not "secure"
> (however you might measure that, test that, etc.) and therefore we
> shouldn't bother with compliance? Is this another variation of the
> whole "standards provide a false sense of security" argument,
> therefore we should sit on our hands or endlessly argue about what it
> means to be "secure." Been there/seen that....
>
> - mdf
>
> On Wed, May 21, 2008 at 12:15 PM, Kevin Lackey <jabberwoq at gmail.com>
> wrote:
> > Being compliant with a standard does not in any way infer secure. It just
> > infers compliance with the standard.
> > Kevin
> >
>
