I may (or may not) have done a vulnerability assessment at TVA a few years ago. Wasn't very productive. Let's just say that the constraints for what we could and couldn't test were.... ummm... preposterous.
But the routers were fine... :)

Matt

Kurt Grutzmacher wrote:
> To be fair, the TVA report came from the GAO and I've yet to read a GAO
> report on "cyber security" that wasn't bad news for the organization
> being audited. If they were to go to any other utility company in the
> world I'm sure they'd find similar issues as their standards are
> (rightfully so) very high.
>
> That's not to say there aren't problems at TVA as I'm sure there are.
> NERC is more concerned on keeping the power running which includes
> things like life and health safety, flowing electricity between long
> distances and different companies, making sure generation is there, etc.
> Cyber security is on the list and if companies don't follow their CIP
> standard they face huge fines (up to $1m a day of non-compliance).
>
> Suffice to say power companies are an old lot here in the US and as such
> have an air of self-importance which leads to the "we know what's best"
> syndrome. After all, they have to keep the lights on and the hospitals
> running.
>
> On Sun, Jun 1, 2008 at 9:58 PM, Juha-Matti Laurio
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>
> > From Forbes.com:
> >
> > ".....
> > I think we could search far and wide and not find a more
> > disorganized response to a national security issue of this import,"
> > said Rep. James Langevin (D-R.I.), chairman of the Subcommittee on
> > Emerging Threats, Cybersecurity and Science and Technology.
> > He pointed a finger to several groups: the DHS for giving scanty
> > details of its video-taped simulation; the power industry for
> > working too slowly to mitigate the threat; and the North American
> > Electric Reliability Corporation, an industry group, for failing in
> > its role as the self-regulatory body assigned to ensure a consistent
> > national power supply.
> > "Everything about the way this vulnerability was handled … leaves me
> > with little confidence that we're ready or willing to deal with the
> > cyber security threat," he said.
> >
> > The House's criticisms focused primarily on the electric utility
> > industry group, NERC. They argued that the advisories issued by NERC
> > are ineffective and that it has repeatedly misled the House in its
> > investigation of the Aurora vulnerability."
> > --clip--
> >
> > More at
> >
> > http://www.forbes.com/technology/2008/05/22/cyberwar-breach-government-tech-security_cx_ag_0521cyber.html
> >
> > And CNN's Study finds TVA vulnerable to hacking:
> > http://www.cnn.com/2008/US/05/21/cyber.attack/
> >
> > "The Tennessee Valley Authority, which supplies power to almost 9
> > million Americans, "has not fully implemented appropriate security
> > practices to protect the control systems used to operate its
> > critical infrastructures," leaving them "vulnerable to disruption,"
> > the Government Accountability Office found."
> > --clip--
> >
> > There are many readers (including me) happy now about living outside
> > of US...
> >
> > Juha-Matti
> >
> > _______________________________________________
> > Fun and Misc security discussion for OT posts.
> > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > Note: funsec is a public and open mailing list.

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
