[SCADASEC] GAO: TVA Power Plants Vulnerable to Cyber Attacks

ljknews ljknews at mac.com
Thu May 22 11:35:28 CDT 2008


At 10:06 AM -0600 5/22/08, Kevin Lackey wrote:

> Larry, I do not profess in any way to be a standards expert (and can not
> quote chapter and verse), but as standards go (at least from what I have
> read and to my understanding) the NIST standards are pretty good. Standards,
> however, always leave some room in the interpretation of semantics, such as
> what constitutes "continuous monitoring".

That is certainly an issue.  The context in 800-53 shows that
"continuous" certainly means "more frequently than annually",
but one Department (largest unit of the Federal Government
executive branch) decided that "continuous" means "quarterly".
Any alert practitioner will agree that is too infrequent to
look for things like "allow all", but once the "continuous"
monitoring has been automated, increasing the frequency is
no great burden.  In fact, increasing the frequency lets
security assessors discover trends earlier and feed that
back into ongoing staff training ("Allow All is bad.") to
reduce the total number of such incidents.

And so far as I can see, it will at best be "ongoing" because
truly "continuous" would mean that every machine cycle would
be devoted to monitoring, and none for the mission.  Unless
one were to switch all computers to dual processors and devote
one processor exclusively to security monitoring.  I do not
believe that is going to happen, but the world does not live
by semantics alone.

> They are great for changing mindset, providing a regulatory framework, and
> can coincide with best practices. But again I will reiterate (I view the
> world mainly through an attacker's perspective) compliance with any standard,
> no matter how well written, and even implemented on site, does
> not guarantee that you can not be compromised.

Nothing in life is guaranteed, but the possibility of a thief
breaking down the door to my house does not deter me from using
a strong lock and an alarm system.
-- 
Larry Kilgallen
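The automated "continuous" check Larry describes, as an added example that is not part of the original thread: a small Python checker that flags "allow all" entries in a firewall ruleset snapshot so it can be run on a schedule (hourly, daily) rather than quarterly. The rule format and the sample ruleset are constructed for this example and are not any vendor's syntax; the interpretation of "allow all" as an allow rule with any protocol, any source, any destination and any port is an assumption.

```python
"""Flag "allow all" rules in a firewall ruleset snapshot.

Constructed (hypothetical) rule format, one rule per line:
  <id> <action> <proto> <src_cidr|any> <dst_cidr|any> <dst_port|any>
"""
import ipaddress

# Constructed sample snapshot for this example, not from any real device.
SAMPLE_RULES = """\
# id  action proto src          dst            dport
10    allow  tcp   10.1.0.0/16  10.2.5.10/32   502
20    allow  any   any          any            any
30    allow  any   0.0.0.0/0    0.0.0.0/0      any
40    deny   any   any          any            any
50    allow  udp   any          10.2.5.0/24    161
"""


def _is_any_net(field):
    """True for the literal 'any' or a zero-length prefix (0.0.0.0/0, ::/0)."""
    if field.lower() == "any":
        return True
    try:
        return ipaddress.ip_network(field, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a network at all; treated as specific


def parse_rules(text):
    """Parse the constructed format into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rid, action, proto, src, dst, dport = line.split()
        rules.append({"id": int(rid), "action": action.lower(),
                      "proto": proto.lower(), "src": src, "dst": dst,
                      "dport": dport.lower()})
    return rules


def find_allow_all(rules):
    """Return ids of allow rules with wildcard proto, src, dst and port."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["proto"] == "any"
            and r["dport"] == "any"
            and _is_any_net(r["src"]) and _is_any_net(r["dst"])]


if __name__ == "__main__":
    for rid in find_allow_all(parse_rules(SAMPLE_RULES)):
        print(f"rule {rid}: allow all")  # prints rules 20 and 30
```

Counting the flagged ids per run and keeping the counts over time gives the trend data the message mentions feeding back into staff training.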
