[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

ljknews ljknews at mac.com
Thu May 22 09:16:02 CDT 2008


At 7:49 AM -0600 5/22/08, Kevin Lackey wrote:

> Matt, just noting that compliance with a standard does in no
> way guarantee security. I have seen and heard of too many assessments at
> asset owner sites where they could check a box on a compliance checklist,
> but the actual implementation was anything but secure.

Falsely checking a box does not mean compliance, any more than
falsely claiming I am a US Citizen/physician/qualified pilot
makes those true.

NIST 800-53A is about to be released, giving very clear guidance
on what it takes to "check the box" for NIST 800-53.  The final
public draft of NIST 800-53A is at

http://csrc.nist.gov/publications/drafts/800-53A/draft-SP800-53A-fpd-sz.pdf

Examine carefully Appendix D and Appendix E.  Then choose your
favorite of the 171 controls in Appendix F and see how you
would apply the standards from Appendix D and Appendix E to
that control.  It takes a mighty amount of prevarication to
falsely "check the box".

Within the US government, the check against such prevarication
is oversight by the independent Inspectors General for each
major department.  Do a Google search for the string "800-53"
in the .GOV top-level domain and note that a fair number of
those references are from the various OIG (Office of the
Inspector General) sites.  One OIG even reported inadequate
compliance with 800-53 _in_their_own_oig_office_, so there
is good reason to trust OIG reviews.
-- 
Larry Kilgallen
