[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

ljknews ljknews at mac.com
Thu May 22 10:37:25 CDT 2008


At 8:52 AM -0600 5/22/08, Kevin Lackey wrote:

> Larry,
>
> Some of the examples I have seen were not falsely checking a box. They
> complied with the standard and checked the box, but the
> actual implementation was bad. Such an example (not NIST standard specific)
> would be a requirement for segmentation and a firewall between the control
> system and other network segments such as corporate, DMZ, etc. It is all well
> until you look at the firewall rules and someone, probably during some type
> of resource failure, added a permit-all-to-all rule that was never backed
> out. Now for some standards the existence of the firewall is sufficient to
> be in compliance with the standard, regardless of the ruleset on the
> firewall. In the above-mentioned case the firewall is moot, as it is acting
> like a router. Hence they are compliant with the standard, but said
> compliance does nothing for security.

I don't deny that there is such a thing as a weak standard.

But look at how the final public draft of 800-53A says
one should evaluate a firewall for control enhancement SC-7(5).
Nobody is going to do all of that very often, but CA-7 (continuous
monitoring) and RA-5 (vulnerability scanning) say that part of
that should be conducted on an ongoing basis.  Certainly what
NIST calls "information system configuration settings" would
be the first candidate for inclusion in the continuous monitoring
effort, since it is readily automated.  And that daily (or hourly
if you prefer) monitoring should detect any unauthorized "permit
all to all" rule.

> SC-7(5).1 ASSESSMENT OBJECTIVE:
>
> Determine if the information system denies network traffic
> by default and allows network traffic by exception.
>
> POTENTIAL ASSESSMENT METHODS AND OBJECTS:
>
> Examine: [SELECT FROM: System and communications protection
> policy; procedures addressing boundary protection; information
> system design documentation; information system configuration
> settings and associated documentation; other relevant documents
> or records]. (M) (H)
>
> Interview: [SELECT FROM: Selected organizational personnel
> with boundary protection responsibilities]. (H)
-- 
Larry Kilgallen
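As an added illustration of the automated continuous-monitoring check discussed in this thread (this is not code from the thread or from NIST), the script below parses a constructed, vendor-neutral ruleset, verifies the SC-7(5) deny-by-default policy, and flags any permit-all-to-all rule of the kind Kevin describes. The ACL format, field names and sample addresses are assumptions made for the example.

```python
"""Check a firewall ruleset against SC-7(5): deny by default, permit by exception."""
import ipaddress

# Constructed sample in an assumed, vendor-neutral ACL format:
#   default <permit|deny>   and   <action> <proto> <src> <dst> <dport>
RULESET = """\
# boundary firewall between the control system and corporate segments
default deny
permit tcp 10.20.0.0/16 10.10.5.10/32 502   # historian polls one controller
permit any any any any                      # added during an outage, never backed out
deny any 0.0.0.0/0 10.10.0.0/16 any
"""

FIELDS = ("action", "proto", "src", "dst", "dport")

def parse_ruleset(text):
    """Return (rules, default_policy); comments and blank lines are ignored."""
    rules, default = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "default" and len(parts) == 2:
            default = parts[1]
        elif len(parts) == 5:
            rules.append(dict(zip(FIELDS, parts), line_no=n))
        else:
            raise ValueError(f"line {n}: unrecognised rule syntax")
    return rules, default

def is_any(field):
    """True for the literal 'any' or a zero-length prefix such as 0.0.0.0/0."""
    if field == "any":
        return True
    try:
        return ipaddress.ip_network(field, strict=False).prefixlen == 0
    except ValueError:
        return False

def audit(text):
    """Return findings as strings; an empty list means the ruleset passes."""
    rules, default = parse_ruleset(text)
    findings = []
    if default != "deny":
        findings.append("default policy is not deny; SC-7(5) requires deny by default")
    for r in rules:
        if (r["action"] == "permit" and r["proto"] == "any" and r["dport"] == "any"
                and is_any(r["src"]) and is_any(r["dst"])):
            findings.append(f"line {r['line_no']}: permit-all-to-all rule; "
                            "the firewall is acting as a router")
    return findings
```

Run `audit()` against the exported ruleset on a daily or hourly schedule and alert on any non-empty result; a drift from deny-by-default or a new permit-all rule then surfaces within one monitoring interval.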
