[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

Kevin Lackey jabberwoq at gmail.com
Thu May 22 10:43:58 CDT 2008


>
> This is a classic case of "Security is a state of mind, not a product."


So is paranoia, and I for one am not sure that I am sufficiently paranoid
yet.  :)  (I am working on it... more paranoid daily.)

Let me propose a totally contrived and exaggerated scenario that may bear
little resemblance to reality.

Let's say I am a sufficiently paranoid CSO at an asset owner and have done
great due diligence in security. I follow the NERC CIP standards to the "T."
I conduct regular security audits, policy reviews, follow the cycle, and
appear pretty secure and think I (as a corporate entity) am sitting pretty
good. Until one day the (not to pick on any specific product, but as this one
has been in the news) Cisco firewall products that I purchased at a great
price turn out to have come from non-legitimate sources and to be
counterfeit knock-offs with covert backdoors built into the firmware (again
contrived), allowing a bad guy to walk right into my networks.

Probably too contrived...

Now compliance with the standard would help protect the individual machines,
but does nothing for perimeter control as one of my base assumptions proved
wrong and my technology was compromised.

Kevin


On Thu, May 22, 2008 at 9:16 AM, Brodsky, Jake <jBrodsk at wsscwater.com>
wrote:

> This is a classic case of "Security is a state of mind, not a product."
>
>
> We can mandate the existence of all sorts of products and features.
> Until we have people capable of and willing to use them properly, nobody
> will be secure.
>
> Jake Brodsky
>
>
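The scenario above turns on a base assumption (that the firewall hardware and firmware are genuine) failing silently. One check a defender can add to a receiving or commissioning procedure is to verify each firmware image against a manifest of vendor-published hashes obtained over a channel independent of the device. The script below is an added illustration written for this archive page, not code from the list or from any vendor; the manifest entries, model names and image bytes are constructed placeholders.

```python
import hashlib
import hmac

# Constructed manifest of known-good firmware image hashes, keyed by
# (model, version). In practice this is populated from the vendor's
# signed release notes, fetched separately from the device being checked.
# The hash values here are computed from placeholder bytes for illustration.
GOOD_IMAGES = {
    ("fw-model-x", "1.2.3"): hashlib.sha256(b"genuine image bytes v1.2.3").hexdigest(),
    ("fw-model-x", "1.2.4"): hashlib.sha256(b"genuine image bytes v1.2.4").hexdigest(),
}


def verify_firmware(image: bytes, model: str, version: str,
                    manifest=GOOD_IMAGES) -> str:
    """Compare an extracted firmware image against the manifest.

    Returns 'ok' when the hash matches the published value, 'mismatch' when
    the model/version is known but the bytes differ (possible tampered or
    counterfeit image), and 'unknown' when the manifest has no entry, which
    must be treated as a failure rather than a pass.
    """
    expected = manifest.get((model, version))
    if expected is None:
        return "unknown"
    actual = hashlib.sha256(image).hexdigest()
    # compare_digest avoids leaking timing information; harmless here but
    # a good habit wherever digests or tokens are compared.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def audit_inventory(devices, manifest=GOOD_IMAGES):
    """Run verify_firmware over a list of (device_id, model, version, image)
    tuples and return a dict of device_id -> status, plus the list of
    device_ids that should be quarantined (anything not 'ok')."""
    results = {}
    for device_id, model, version, image in devices:
        results[device_id] = verify_firmware(image, model, version, manifest)
    quarantine = [d for d, status in results.items() if status != "ok"]
    return results, quarantine


if __name__ == "__main__":
    # Constructed inventory: one genuine unit, one with altered firmware,
    # and one claiming a version the vendor never published.
    inventory = [
        ("fw-01", "fw-model-x", "1.2.3", b"genuine image bytes v1.2.3"),
        ("fw-02", "fw-model-x", "1.2.3", b"genuine image bytes v1.2.3 + extra"),
        ("fw-03", "fw-model-x", "9.9.9", b"whatever"),
    ]
    statuses, to_quarantine = audit_inventory(inventory)
    for device_id, status in statuses.items():
        print(f"{device_id}: {status}")
    print("quarantine:", to_quarantine)
```

The point of the `unknown` branch is that an image the vendor never published is just as much a broken assumption as a hash mismatch; a procedure that only flags mismatches would wave a counterfeit unit through if it reported a version outside the manifest.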
