[SCADASEC] scadasec Digest, Vol 4, Issue 17

Luiijf, H.A.M. (Eric) eric.luiijf at tno.nl
Fri May 23 15:16:02 CDT 2008


Dear Ron and Eirann,

Last Wednesday in The Netherlands the first Process Control Security Event took place
organised by the National Infrastructure against Cyber Crime (NICC). NICC follows the 
UK CPNI model on information exchanges in peer groups. Process control security is seen as 
a cross-sector theme.

Eric Luiijf, TNO


________________________________

From: scadasec-bounces at news.infracritical.com on behalf of scadasec-request at news.infracritical.com
Sent: Fri 2008-05-23 19:00
To: scadasec at news.infracritical.com
Subject: scadasec Digest, Vol 4, Issue 17





Today's Topics:

   1. (no subject) (Leverett, Eireann (GE Infra, Energy))
   2. Re: (no subject) (southworthrg at bigpond.com)
   3. Re: (no subject) (Brodsky, Jake)
   4. Re: British/European Standards (Stephan Beirer)


----------------------------------------------------------------------

Message: 1
Date: Fri, 23 May 2008 11:15:36 +0200
From: "Leverett, Eireann \(GE Infra, Energy\)"
        <eireann.leverett at ge.com>
Subject: [SCADASEC] (no subject)
To: <scadasec at news.infracritical.com>
Message-ID:
        <02AD898DD517E04DAB130CBE58258412170C63C2 at BFTMLVEM01.e2k.ad.ge.com>
Content-Type: text/plain;       charset="iso-8859-1"


David,

Here in the UK we have CPNI, who are doing great work raising awareness in the industry. If you have any influence in government policy circles, look at their model, I think it is working very well. Their information sharing networks have produced a lot of inter-business trust on best practices (despite being competitors). This has a better influence on security culture and changing vendors than I think CIP will. Don't get me wrong, CIP is a good standard to hang the culture of off, but I think CPNI's networks are promoting a longer lasting culture. Of course that's only possible because we're a smaller country...

What do you think of ENISA?

Joe,

I'm glad you see this as a global issue. I'm also pleased people feel this is the right forum for those of us on the other side of the puddle to air our thoughts. I know there are more non-American readers out there, and I hope there will be a little less lurking by us in the future. Not that we're not interested in the American perspective, and all the good work being done by the INL, Sandia, and others. Just that we need a little 'airtime' of our own on this side of the Atlantic.

Cheers,

Éireann

_________________

Éireann Leverett CSSA
BEng (Hons) Artificial Intelligence & Software Engineering

DialCom:             * 41 51 293
Direct: 01506 591 1293
Email:       eireann.leverett at ge.com
www.ge.com

Lauder House,
Almondvale Business Park,
Livingston, West Lothian, EH54 6BX
GE Energy



------------------------------

Message: 2
Date: Fri, 23 May 2008 9:57:18 +0000
From: <southworthrg at bigpond.com>
Subject: Re: [SCADASEC] (no subject)
To: scadasec at news.infracritical.com
Cc: "Leverett, Eireann \(GE Infra, Energy\)" <eireann.leverett at ge.com>
Message-ID: <15215256.1211536638824.JavaMail.root at web04sl>
Content-Type: text/plain; charset=utf-8

Eireann,

I don't think the size of the country matters much.

Australia is nearly as big as the USA and we have a very similar system here to CPNI (TISN). You do have a lot more people so the scale of the task of communicating effectively in the community is more the question and seems to be one issue at hand whenever I talk with people in the USA.

With standards, there are already a number in either IEC / ISO (27000 or 17799) that are good approaches. Germany has their own set of standards as well if you are looking for more of an EU flavour.

We don't hear too much from either the UK or European Union Nations as to what they are doing in public forums which is a shame. I am certain that there are a lot of good things happening?

Ron Southworth





------------------------------

Message: 3
Date: Fri, 23 May 2008 07:02:49 -0400
From: "Brodsky, Jake" <jBrodsk at wsscwater.com>
Subject: Re: [SCADASEC] (no subject)
To: <scadasec at news.infracritical.com>
Message-ID:
        <0B00243645B37C47B85C6E9785C9BDE80102452C at COB-EXV-01.wssc.ad.root>
Content-Type: text/plain;       charset="iso-8859-1"

..And more importantly, are there any differences in philosophy behind these standards, and if so, what might they be aiming at and what might we in North America be missing? 

Jake Brodsky



------------------------------

Message: 4
Date: Fri, 23 May 2008 13:52:42 +0200
From: "Stephan Beirer" <s.beirer at gai-netconsult.de>
Subject: Re: [SCADASEC] British/European Standards
To: <scadasec at news.infracritical.com>
Message-ID:
        <886F0FFA4621794C93833C12BCBBEA3899F7CC at crow.gai-netconsult.de>
Keywords: disclaimer
Content-Type: text/plain;       charset="iso-8859-1"


Hi list,


>I would support the idea that this is the correct forum to also discuss
>European (including UK) perspectives on this topic.  I am UK-based, working
>for an international consulting firm as the principal consultant on this
>topic throughout EMEA (Europe, Middle East and Africa).
>
>Regarding the European SCADA test bed idea, I know that a number of
>consortia have submitted proposals to the European Commission for funding,
>but I'm not sure what the current status is.  Perhaps Eric or Henrik are
>subscribers to this list and will respond with any further information that
>they have.


some information on the German CIP program can be found here
http://www.bsi.de/fachthem/kritis/index.htm

here is the English version (less details)

http://www.bsi.de/english/topics/kritis/kritis_e.htm
http://www.bsi.de/english/topics/kritis/ciip_en.pdf


the German utilities industry association is expected to release
"recommendations" (i.e. not a 'standard') on technical aspects of
IT security in the near future. Since I'm bound by an NDA I can't
provide more information at the moment.


regards,

stephan


 --
-------------------------------------------------------------------
Dr. Stephan Beirer               E-Mail: s.beirer at gai-netconsult.de
IT Security                      Phone:           +49-30-417898-230

GAI NetConsult GmbH - Am Borsigturm 58 - 13507 Berlin
Amtsgericht Charlottenburg HRB 52068 - VAT ID No. DE 165533789
Managing Directors: Wilfrid Kettler - Detlef Weidenhammer
Phone +49(30)417898-0 - Fax +49(30)417898-300 - Web: www.gai-netconsult.de





------------------------------

_______________________________________________
To unsubscribe from this mailing list, please visit:
http://news.infracritical.com/mailman/listinfo/scadasec

To review our privacy statement, please visit:
http://www.infracritical.com/privacy.html

scadasec at news.infracritical.com
http://news.infracritical.com/mailman/listinfo/scadasec

End of scadasec Digest, Vol 4, Issue 17
***************************************

