[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
Kevin Lackey
jabberwoq at gmail.com
Thu May 22 11:06:57 CDT 2008
Larry, I do not profess in any way to be a standards expert (and cannot
quote chapter and verse), but as standards go (at least from what I have
read and to my understanding) the NIST standards are pretty good. Standards,
however, always leave some room in the interpretation of semantics, such as
what constitutes "continuous monitoring".

They are great for changing mindset, providing a regulatory framework, and
can coincide with best practices. But again I will reiterate (I view the
world mainly through an attacker's perspective): compliance with any standard,
no matter how well written, and even implemented on site, does
not guarantee that you cannot be compromised, which was my
original opinion, the proverbial "face that launched 1000 ships" as it were.
Kevin
On Thu, May 22, 2008 at 9:37 AM, ljknews <ljknews at mac.com> wrote:
> At 8:52 AM -0600 5/22/08, Kevin Lackey wrote:
>
> > Larry, Some of the examples I have seen were not falsely checking a box.
> > They complied with the standard and checked the box, but the actual
> > implementation was bad. Such an example (not NIST standard specific)
> > would be a requirement for segmentation and a firewall between the
> > control system and other network segments such as corporate, DMZ, etc.
> > It is all well until you look at the firewall rules and someone,
> > probably during some type of resource failure, added a permit-all-to-all
> > rule that was never backed out. Now for some standards the existence of
> > the firewall is sufficient to be in compliance with the standard,
> > regardless of the ruleset on the firewall. In the above-mentioned case
> > the firewall is moot as it is acting like a router. Hence they are
> > compliant with the standard but said compliance does nothing for
> > security.
>
> I don't deny that there is such a thing as a weak standard.
>
> But look at how the final public draft of 800-53a says
> one should evaluate a firewall for control enhancement SC-7(5).
> Nobody is going to do all of that very often, but CA-7 (continuous
> monitoring) and RA-5 (vulnerability scanning) say that part of
> that should be conducted on an ongoing basis. Certainly what
> NIST calls "information system configuration settings" would
> be the first candidate for inclusion in the continuous monitoring
> effort, since it is readily automated. And that daily (or hourly
> if you prefer) monitoring should detect any unauthorized "permit
> all to all" rule.
>
> > SC-7(5).1 ASSESSMENT OBJECTIVE:
> >
> > Determine if the information system denies network traffic
> > by default and allows network traffic by exception.
> >
> > POTENTIAL ASSESSMENT METHODS AND OBJECTS:
> >
> > Examine: [SELECT FROM: System and communications protection
> > policy; procedures addressing boundary protection; information
> > system design documentation; information system configuration
> > settings and associated documentation; other relevant documents
> > or records]. (M) (H)
> >
> > Interview: [SELECT FROM: Selected organizational personnel
> > with boundary protection responsibilities]. (H)
> --
> Larry Kilgallen
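Larry's point is that an unauthorized "permit all to all" rule is exactly the kind of "information system configuration setting" that automated, continuous monitoring catches. The following Python script is an added example, not code from either poster or from NIST: it reads an `iptables-save`-style dump of a boundary firewall, checks it against the SC-7(5) objective (deny by default, allow by exception), and diffs it against an approved baseline. The two rulesets, the addresses, and the helper names (`parse_ruleset`, `is_unrestricted_accept`, `assess_sc7_5`) are constructed for illustration.

```python
# Constructed sample: what `iptables-save` might print for a control-system
# boundary firewall *after* someone added a blanket accept during an outage.
# Addresses and rules are invented for this example.
CURRENT_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.5/32 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.10.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-DROP "
COMMIT
"""

# Constructed approved baseline: the ruleset as documented and authorized.
BASELINE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.5/32 -p tcp -m tcp --dport 502 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.10.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-DROP "
COMMIT
"""

# iptables options that narrow what a rule matches. A rule carrying none of
# these (or only "any" addresses) matches every packet reaching the chain.
MATCH_FLAGS = {"-s", "--source", "-d", "--destination", "-p", "--protocol",
               "-i", "--in-interface", "-o", "--out-interface",
               "--dport", "--sport", "--dports", "--sports"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0", "anywhere"}


def parse_ruleset(text):
    """Return (policies, rules): chain -> default policy, and [(chain, line)]."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                  # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):              # "-A FORWARD ... -j TARGET"
            rules.append((line.split()[1], line))
    return policies, rules


def is_unrestricted_accept(rule_line):
    """True if the rule jumps to ACCEPT without restricting what it matches."""
    tokens = rule_line.split()
    if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
        return False
    restricted = False
    for i, tok in enumerate(tokens):
        if tok in MATCH_FLAGS:
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            # "-s 0.0.0.0/0" is no restriction at all
            if tok in ("-s", "--source", "-d", "--destination") and value in ANY_ADDRESS:
                continue
            restricted = True
    return not restricted


def assess_sc7_5(text, baseline_text=None, chain="FORWARD"):
    """Findings against SC-7(5): deny by default, allow by exception.

    Optionally also reports rules absent from the approved baseline, which is
    the configuration-drift check a continuous-monitoring job would run.
    """
    policies, rules = parse_ruleset(text)
    findings = []
    policy = policies.get(chain, "missing")
    if policy != "DROP":
        findings.append(f"{chain} default policy is {policy}, not DROP")
    chain_rules = [line for ch, line in rules if ch == chain]
    for n, line in enumerate(chain_rules, 1):
        if is_unrestricted_accept(line):
            findings.append(f"rule {n} in {chain} accepts all traffic: {line}")
    if baseline_text is not None:
        _, base_rules = parse_ruleset(baseline_text)
        approved = {line for _, line in base_rules}
        for line in chain_rules:
            if line not in approved:
                findings.append(f"rule not in approved baseline: {line}")
    return findings


if __name__ == "__main__":
    for finding in assess_sc7_5(CURRENT_RULESET, BASELINE_RULESET):
        print("FINDING:", finding)
```

Run daily (or hourly, as Larry suggests) against a fresh `iptables-save` dump, this flags both the blanket `-A FORWARD -j ACCEPT` rule and the fact that it is not in the approved baseline, which is the difference between "a firewall exists" and the firewall actually enforcing deny-by-default.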