[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

ljknews ljknews at mac.com
Thu May 22 11:13:00 CDT 2008


At 9:43 AM -0600 5/22/08, Kevin Lackey wrote:

> Let's say I am a sufficiently paranoid CSO at an asset owner and have done
> great due diligence in security. I follow the NERC CIP standards to the "T."
> I conduct regular security audits, policy reviews, follow the cycle, and
> appear pretty secure and think I (as a corporate entity) am sitting pretty
> good. Until one day the (not to pick on any specific product but as this one
> has been in the news) CISCO firewall products that I purchased at a great
> price actually came from non-legitimate sources and are actually
> counterfeit knock-offs with covert back doors built into the firmware (again
> contrived), and allow a bad guy to walk right into my networks.

It seems unlikely that your vendor of those fake firewalls
would have qualified under the NIST 800-53 acquisition
standards.

I realize the electric industry rejected a suggestion to
adopt the NIST standards rather than the NERC standards,
but that is not a problem with the concept of standards.

> SA-4 ACQUISITIONS
> Control: The organization includes security requirements
> and/or security specifications either explicitly or by
> reference, in information system acquisition contracts
> based on an assessment of risk and in accordance with
> applicable laws, Executive Orders, directives, policies,
> regulations, and standards.
>
> Supplemental Guidance:
>
> Solicitation Documents
>
> The solicitation documents (e.g., Requests for Proposals) for
> information systems and services include, either explicitly
> or by reference, security requirements that describe: (i)
> required security capabilities (security needs and, as
> necessary, specific security controls and other specific
> FISMA requirements); (ii) required design and development
> processes; (iii) required test and evaluation procedures;
> and (iv) required documentation. The requirements in the
> solicitation documents permit updating security controls
> as new threats/vulnerabilities are identified and as new
> technologies are implemented. NIST Special Publication
> 800-36 provides guidance on the selection of information
> security products. NIST Special Publication 800-35 provides
> guidance on information technology security services. NIST
> Special Publication 800-64 provides guidance on security
> considerations in the system development life cycle.
>
> Information System Documentation
>
> The solicitation documents include requirements for
> appropriate information system documentation. The
> documentation addresses user and systems administrator
> guidance and information regarding the implementation
> of the security controls in the information system. The
> level of detail required in the documentation is based
> on the FIPS 199 security category for the information system.
>
> Use of Tested, Evaluated, and Validated Products
>
> NIST Special Publication 800-23 provides guidance on
> the acquisition and use of tested/evaluated information
> technology products.
>
> Configuration Settings and Implementation Guidance
>
> The information system required documentation includes
> security configuration settings and security implementation
> guidance. OMB FISMA reporting instructions provide guidance
> on configuration requirements for federal information systems.
> NIST Special Publication 800-70 provides guidance on
> configuration settings for information technology products.
-- 
Larry Kilgallen
