[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks
Kevin Lackey
jabberwoq at gmail.com
Thu May 22 11:25:04 CDT 2008
Back to the counterfeit gear example. While I do not know if they were
subject to NIST standards when the purchases were made, counterfeit CISCO
items are believed to be in Federal (DoD) inventories.
See:
http://news.zdnet.co.uk/security/0,1000000189,39417171,00.htm
Or various other articles which state that the FBI believes that the DoD has
some of these knock-off products in their inventories.
Kevin
On Thu, May 22, 2008 at 10:13 AM, ljknews <ljknews at mac.com> wrote:
> At 9:43 AM -0600 5/22/08, Kevin Lackey wrote:
>
> > Let's say I am a sufficiently paranoid CSO at an asset owner and have done
> > great due diligence in security. I follow the NERC CIP standards to the "T."
> > I conduct regular security audits, policy reviews, follow the cycle, and
> > appear pretty secure and think I (as a corporate entity) am sitting pretty
> > good. Until one day the (not to pick on any specific product, but as this one
> > has been in the news) CISCO firewall products that I purchased at a great
> > price actually came from non-legitimate sources and are actually
> > counterfeit knock-offs with covert back doors built into the firmware (again
> > contrived), allowing a bad guy to walk right into my networks.
>
> It seems unlikely that your vendor of those fake firewalls
> would have qualified under the NIST 800-53 acquisition
> standards.
>
> I realize the electric industry rejected a suggestion to
> adopt the NIST standards rather than the NERC standards,
> but that is not a problem with the concept of standards.
>
> > SA-4 ACQUISITIONS
> > Control: The organization includes security requirements
> > and/or security specifications either explicitly or by
> > reference, in information system acquisition contracts
> > based on an assessment of risk and in accordance with
> > applicable laws, Executive Orders, directives, policies,
> > regulations, and standards.
> >
> > Supplemental Guidance:
> >
> > Solicitation Documents
> >
> > The solicitation documents (e.g., Requests for Proposals) for
> > information systems and services include, either explicitly
> > or by reference, security requirements that describe: (i)
> > required security capabilities (security needs and, as
> > necessary, specific security controls and other specific
> > FISMA requirements); (ii) required design and development
> > processes; (iii) required test and evaluation procedures;
> > and (iv) required documentation. The requirements in the
> > solicitation documents permit updating security controls
> > as new threats/vulnerabilities are identified and as new
> > technologies are implemented. NIST Special Publication
> > 800-36 provides guidance on the selection of information
> > security products. NIST Special Publication 800-35 provides
> > guidance on information technology security services. NIST
> > Special Publication 800-64 provides guidance on security
> > considerations in the system development life cycle.
> >
> > Information System Documentation
> >
> > The solicitation documents include requirements for
> > appropriate information system documentation. The
> > documentation addresses user and systems administrator
> > guidance and information regarding the implementation
> > of the security controls in the information system. The
> > level of detail required in the documentation is based
> > on the FIPS 199 security category for the information system.
> >
> > Use of Tested, Evaluated, and Validated Products
> >
> > NIST Special Publication 800-23 provides guidance on
> > the acquisition and use of tested/evaluated information
> > technology products.
> >
> > Configuration Settings and Implementation Guidance
> >
> > The information system required documentation includes
> > security configuration settings and security implementation
> > guidance. OMB FISMA reporting instructions provide guidance
> > on configuration requirements for federal information systems.
> > NIST Special Publication 800-70 provides guidance on
> > configuration settings for information technology products.
> --
> Larry Kilgallen
>
> scadasec at news.infracritical.com
> http://news.infracritical.com/mailman/listinfo/scadasec