funsec mailing list archives
Re: Foul
From: chris () blask org
Date: Tue, 10 Nov 2009 16:59:41 -0800 (PST)
--- On Tue, 11/10/09, Ned Fleming <ned () kaw us> wrote:
> > Moreover, the grid is only a (very large) small part of deployed control systems. There are an extremely large number of control systems deployed in an enormous range of applications throughout the infrastructure, and beyond some parts of the grid virtually none of them are being addressed at all. These systems are in both 'trivial' and non-trivial applications.
> Okie dokie.
Not to belabor the point (or perhaps, *to* belabor the point), but when people think CIP these days (if they think of it at all) they think about the grid. While it's nice that we have attention there, the fact that there is little or no attention in all of the other vulnerable sectors is a problem itself.
> I disagree that the regularization plan (CIP itself) is any good.
I'm not likely to argue a whole lot on the detail side of things, but the overall direction of things is good (if painful). Ten years ago virtually no-one (myself included) gave a half-thought to control system security, today there is a good bit of focus and more people qualified to cogitate on it. External bodies are trying to develop standards, however ham-fistedly, that with a little luck and involvement will move in a positive direction over the long (maybe very long) term. When I say "regularization" I don't just mean "regulation", I mean we need to make the process of addressing these facilities into a more regular and repeatable process and less of a custom one-off situation.
> Yeah, I'd agree with the caveat that the standards be more security-driven and less auditor-driven.
Ideally we can do both. If you have really good security you can tell it is (otherwise how do you know?) and because you can, you can prove it to someone else as well. Ask Heartland about the difference between being able to show an auditor that you are "secure" at one point and actually being secure over time. Ultimately regulations should/will evolve to include more real-time awareness, but today most folks don't have real-time situational awareness and most control system networks are effectively incapable of having it, so regulations won't require it.

-best
-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.