[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
Matthew Franz
mdfranz at gmail.com
Thu May 22 10:12:26 CDT 2008
> out. Now for some standards the existence of the firewall is sufficient to
> be in compliance with the standard, regardless of the ruleset on the
> firewall. In the above-mentioned case the firewall is moot as it is acting
> like a router. Hence they are compliant with the standard but said
> compliance does nothing for security.
And this is an example of weak standards, not a problem with the
fundamental idea of standards or compliance itself being able to make
things secure/insecure.
Rehashing my previous email, this is:
1) Overly general standards - only a firewall (useless because it is
too generic)
2) An omission in the standard - unless adequate firewall rule audits
and change management procedures for firewall rules are included in
the standard a firewall is not going to do what it can/should. (And
this is not a "firewall" problem either)
- mdf
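As an added example (not code from the post or from the scadasec list), the check below is the kind of firewall rule audit the second point calls for: a ruleset that contains a "permit any any" rule is compliant on paper but makes the device behave like a router. The script assumes a constructed five-field text format (action, source, destination, protocol, destination port) and first-match semantics; the sample rulesets are constructed for the example and flag a permit-all rule, the rules it shadows, and a ruleset that lacks a final default deny.

```python
"""Audit a simple firewall ruleset for rules that defeat the firewall's purpose."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp", "icmp" or "any"
    dport: str   # single port, "lo-hi" range, or "any"


def parse_rules(text: str) -> list[Rule]:
    """Parse the toy 'action src dst proto dport' format (constructed for this example)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, src, dst, proto, dport = line.split()
        rules.append(Rule(action.lower(), src, dst, proto.lower(), dport))
    return rules


def _any_net(cidr: str) -> bool:
    """True for 'any' or a /0 network, i.e. no address restriction at all."""
    return cidr == "any" or ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _any_port(dport: str) -> bool:
    """True for 'any' or a range that spans the whole port space."""
    if dport == "any":
        return True
    lo, _, hi = dport.partition("-")
    return bool(hi) and int(lo) <= 1 and int(hi) >= 65535


def _matches_everything(r: Rule) -> bool:
    return _any_net(r.src) and _any_net(r.dst) and r.proto == "any" and _any_port(r.dport)


def audit(rules: list[Rule]) -> list[tuple[int, str]]:
    """Return (rule index, finding) pairs, assuming first-match evaluation order."""
    findings: list[tuple[int, str]] = []
    for i, r in enumerate(rules):
        if r.action == "permit" and _matches_everything(r):
            findings.append((i, "permit-all"))          # the firewall is now a router
            for j in range(i + 1, len(rules)):
                findings.append((j, "shadowed"))        # nothing after it is ever reached
            break
    # A sound ruleset ends with an explicit deny-all; otherwise behaviour depends on the platform default.
    if not rules or not (rules[-1].action == "deny" and _matches_everything(rules[-1])):
        findings.append((len(rules) - 1, "no-default-deny"))
    return findings


# Constructed sample: passes a "there is a firewall" checkbox, but rule 1 lets everything through.
SAMPLE_COMPLIANT_ON_PAPER = """
permit 10.1.0.0/16 10.2.0.5/32 tcp 502   # HMI subnet to PLC, Modbus/TCP
permit any any any any                   # "temporary" troubleshooting rule, never removed
deny any any any any
"""

# Constructed sample: narrowly scoped permits with an explicit default deny.
SAMPLE_TIGHT = """
permit 10.1.0.0/16 10.2.0.5/32 tcp 502
permit 10.1.0.10/32 10.2.0.0/24 tcp 22
deny any any any any
"""

if __name__ == "__main__":
    for name, text in (("compliant-on-paper", SAMPLE_COMPLIANT_ON_PAPER), ("tight", SAMPLE_TIGHT)):
        print(name, audit(parse_rules(text)))
```

Run on a change-management feed of rulesets, the findings list is the artefact an audit clause could actually require, rather than the mere presence of the box.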