--- On Tue, 11/10/09, Ned Fleming <[email protected]> wrote:
> > Moreover, the grid is only a (very large) small part of
> deployed control systems. There are an extremely large
> number of control systems deployed in an enormous range of
> applications throughout the infrastructure, and beyond some
> parts of the grid virtually none of them are being addressed
> at all. These systems are in both 'trivial' and
> non-trivial applications.
> Okie dokie.
Not to belabor the point (or perhaps, *to* belabor the point), but when people
think CIP these days (if they think of it at all) they think about the grid.
While it's nice that we have attention there, the fact that there is little or
no attention in all of the other vulnerable sectors is a problem itself.
> I disagree that the regularization plan (CIP itself) is any
> good.
I'm not likely to argue a whole lot on the detail side of things, but the
overall direction of things is good (if painful). Ten years ago virtually
no-one (myself included) gave a half-thought to control system security, today
there is a good bit of focus and more people qualified to cogitate on it.
External bodies are trying to develop standards, however ham-fistedly, that
with a little luck and involvement will move in a positive direction over the
long (maybe very long) term.
When I say "regularization" I don't just mean "regulation", I mean we need to
make the process of addressing these facilities into a more regular and
repeatable process and less of a custom one-off situation.
> Yeah, I'd agree with the caveat that the standards be more
> security-driven and less auditor-driven.
Ideally we can do both. If you have really good security you can tell that it
is (otherwise how do you know?), and because you can tell, you can prove it to
someone else as well.
Ask Heartland about the difference between being able to show an auditor that
you are "secure" at one point and actually being secure over time. Ultimately
regulations should/will evolve to include more real-time awareness, but today
most folks don't have real-time situational awareness and most control system
networks are effectively incapable of having it, so regulations won't require
it.
-best
-chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.