On Tue, 10 Nov 2009 05:37:44 -0800 (PST), [email protected] wrote:
>
>One of the problems with identifying and attributing cyber attacks against
>things like grids is that there are so many other things that could have gone
>wrong. If there was a desire to downplay the incident (for which the
>motivation is very high) it is trivial to deliver an alternate story.
>
>Does this mean the Brazilian alternative story is a cover up? Probably not,
>but almost no one (not even the utility employees) would be able to gainsay it
>if it was.

You're implying the Brazilian utility story may be a cover-up and that
the motivation to do so was very high. And further, not even the
participants in this alleged cover-up would be able to deny it was
one. Interesting.

>The point remains: control systems (not just grid systems, but everywhere) are
>extremely unprepared for cyber attack. The amount of effort applied to cyber
>security as a percentage of resources applied to these systems is virtually
>unmeasurably small, and where there has been any at all it is almost always a
>one-off custom engagement. Control system networks make the IT networks we
>all complain about look like Fort Knox.

Not true for electric utilities. They're spending fortunes on NERC
CIP. Electric utilities understand FERC/NERC are really just getting
started. The smart grid ("from the toaster to the generator") cyber
security standards will make NERC CIP look small.

>We need to regularize our approach to CIP cybersecurity or we aren't going to
>make any headway at all.

I disagree.

--
Ned
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.