[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

Kevin Lackey jabberwoq at gmail.com
Thu May 22 09:52:25 CDT 2008


Larry,

Some of the examples I have seen were not falsely checking a box. They
complied with the standard and checked the box, but the
actual implementation was bad. Such an example (not NIST standard specific)
would be a requirement for segmentation and a firewall between the control
system and other network segments such as corporate, DMZ, etc. It is all well
until you look at the firewall rules and someone, probably during some type
of resource failure, added a permit-all-to-all rule that was never backed
out. Now for some standards the existence of the firewall is sufficient to
be in compliance with the standard, regardless of the ruleset on the
firewall. In the above mentioned case the firewall is moot, as it is acting
like a router. Hence they are compliant with the standard, but said
compliance does nothing for security.

Kevin

On Thu, May 22, 2008 at 8:16 AM, ljknews <ljknews at mac.com> wrote:

> At 7:49 AM -0600 5/22/08, Kevin Lackey wrote:
>
> > Matt,
> >
> > Just noting that compliance with a standard does in no
> > way guarantee security. I have seen and heard of too many assessments at
> > asset owner sites where they could check a box on a compliance checklist,
> > but the actual implementation was anything but secure.
>
> Falsely checking a box does not mean compliance, any more than
> falsely claiming I am a US Citizen/physician/qualified pilot
> makes those true.
>
> NIST 800-53A is about to be released, giving very clear guidance
> on what it takes to "check the box" for NIST 800-53.  The final
> public draft of NIST 800-53A is at
>
> http://csrc.nist.gov/publications/drafts/800-53A/draft-SP800-53A-fpd-sz.pdf
>
> Examine carefully Appendix D and Appendix E.  Then choose your
> favorite of the 171 controls in Appendix F and see how you
> would apply the standards from Appendix D and Appendix E to
> that control.  It takes a mighty amount of prevarication to
> falsely "check the box".
>
> Within the US government, the check against such prevarication
> is oversight by the independent Inspectors General for each
> major department.  Do a Google search for the string "800-53"
> in the .GOV top-level domain and note that a fair number of
> those references are from the various OIG (office of the
> inspector general sites).  One OIG even reported inadequate
> compliance with 800-53 _in_their_own_oig_office_, so there
> is good reason to trust OIG reviews.
> --
> Larry Kilgallen
>
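The ruleset failure Kevin describes above, turned into a check a reviewer could actually run, as an added example that is not part of this thread or of any NIST document. The rule syntax is constructed for the example (vendor-neutral, first match wins); the address ranges, the Modbus port 502 and the emergency rule number 30 are assumptions, and 10.20.0.0/24 stands in for the control-system network. The point it demonstrates is the one in the message: the firewall is present (box checked), yet a corporate host reaches a controller because a permit-any rule shadows everything below it.

```python
"""Audit a segmentation firewall's ruleset rather than only noting the firewall exists.

Constructed rule format (not any vendor's syntax), one rule per line, evaluated
top-down, first match wins:
    <seq> <permit|deny> <proto|any> <src-cidr|any> <dst-cidr|any> <port|any>
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed ruleset. 10.10.0.0/24 is an engineering segment allowed into the
# control network 10.20.0.0/24. Rule 30 is the "permit all to all" added during
# an outage and never backed out; it makes rule 40 (the default deny) unreachable.
BAD_RULESET = """
10 permit tcp 10.10.0.0/24 10.20.0.5/32 443
20 permit tcp 10.10.0.0/24 10.20.0.10/32 502
30 permit any any any any
40 deny any any any any
"""

# Same policy with the emergency rule removed.
GOOD_RULESET = """
10 permit tcp 10.10.0.0/24 10.20.0.5/32 443
20 permit tcp 10.10.0.0/24 10.20.0.10/32 502
40 deny any any any any
"""


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_ruleset(text: str) -> list[Rule]:
    """Parse the constructed format into Rule objects sorted by sequence number."""
    rules = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        seq, action, proto, src, dst, port = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"rule {seq}: unknown action {action!r}")
        rules.append(Rule(int(seq), action, proto, src, dst, port))
    return sorted(rules, key=lambda r: r.seq)


def _is_any_net(field: str) -> bool:
    # 'any' and a zero-length prefix (0.0.0.0/0) both mean "every address"
    return field == "any" or ip_network(field, strict=False).prefixlen == 0


def is_permit_all(rule: Rule) -> bool:
    """True when a permit rule matches every protocol, address and port."""
    return (rule.action == "permit" and rule.proto == "any"
            and _is_any_net(rule.src) and _is_any_net(rule.dst) and rule.port == "any")


def rule_matches(rule: Rule, proto: str, src: str, dst: str, port: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if not _is_any_net(rule.src) and ip_address(src) not in ip_network(rule.src, strict=False):
        return False
    if not _is_any_net(rule.dst) and ip_address(dst) not in ip_network(rule.dst, strict=False):
        return False
    return rule.port == "any" or int(rule.port) == port


def first_match(rules: list[Rule], proto: str, src: str, dst: str, port: int) -> Optional[Rule]:
    """Simulate the firewall: return the first rule a flow would hit, or None."""
    for rule in rules:
        if rule_matches(rule, proto, src, dst, port):
            return rule
    return None


def unreachable_after_permit_all(rules: list[Rule]) -> list[int]:
    """Sequence numbers of rules that can never be reached because a permit-all precedes them."""
    for i, rule in enumerate(rules):
        if is_permit_all(rule):
            return [r.seq for r in rules[i + 1:]]
    return []


def audit(text: str) -> dict:
    rules = parse_ruleset(text)
    permit_all = [r.seq for r in rules if is_permit_all(r)]
    return {
        "permit_all": permit_all,
        "unreachable": unreachable_after_permit_all(rules),
        "segments_traffic": not permit_all,  # the box-check question, answered from the ruleset
    }


if __name__ == "__main__":
    # Corporate host 192.168.50.7 (constructed) talking Modbus/TCP to a controller.
    for name, text in (("bad", BAD_RULESET), ("good", GOOD_RULESET)):
        hit = first_match(parse_ruleset(text), "tcp", "192.168.50.7", "10.20.0.10", 502)
        print(name, audit(text), "corporate->controller:", hit.action, "by rule", hit.seq)
```

Run as-is, the "bad" ruleset reports rule 30 as a permit-all, rule 40 as unreachable, and the corporate host's Modbus connection permitted by rule 30; the "good" ruleset denies the same flow at rule 40 while still letting the engineering segment through rules 10 and 20. A compliance check that stops at "a firewall is installed" cannot tell these two apart.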
