funsec mailing list archives

Re: Foul


From: chris () blask org
Date: Tue, 10 Nov 2009 16:59:41 -0800 (PST)

--- On Tue, 11/10/09, Ned Fleming <ned () kaw us> wrote:

> Moreover, the grid is only a (very large) small part of
> deployed control systems.  There are an extremely large
> number of control systems deployed in an enormous range of
> applications throughout the infrastructure, and beyond some
> parts of the grid virtually none of them are being addressed
> at all.  These systems are in both 'trivial' and
> non-trivial applications.

Okie dokie.

Not to belabor the point (or perhaps, *to* belabor the point), but when people think CIP these days (if they think of 
it at all) they think about the grid.  While it's nice that we have attention there, the fact that there is little or 
no attention in all of the other vulnerable sectors is a problem itself.

> I disagree that the regularization plan (CIP itself) is any
> good.

I'm not likely to argue a whole lot on the detail side of things, but the overall direction of things is good (if 
painful).  Ten years ago virtually no-one (myself included) gave a half-thought to control system security, today there 
is a good bit of focus and more people qualified to cogitate on it.  External bodies are trying to develop standards, 
however ham-fistedly, that with a little luck and involvement will move in a positive direction over the long (maybe 
very long) term.

When I say "regularization" I don't just mean "regulation", I mean we need to make the process of addressing these 
facilities into a more regular and repeatable process and less of a custom one-off situation.

> Yeah, I'd agree with the caveat that the standards be more
> security-driven and less auditor-driven.

Ideally we can do both.  If you have really good security, you can tell that it is (otherwise how do you know?), and 
because you can, you can prove it to someone else as well.

Ask Heartland about the difference between being able to show an auditor that you are "secure" at one point and 
actually being secure over time.  Ultimately regulations should/will evolve to include more real-time awareness, but 
today most folks don't have real-time situational awareness and most control system networks are effectively incapable 
of having it, so regulations won't require it.

-best

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.