Any system vulnerabilities should be no surprise since all systems are vulnerable to something.
Vulnerabilities aren't the issue; the issue is always the institution of mitigating factors. All too often security folks are hindered from instituting mitigating factors due to the usual rounds of fear, uncertainty, doubt and in this case political motivations.
The folks who cry 'these systems are connected to the internet' obviously don't know what they're talking about since any power company taking security seriously will cordon off critical systems as required by NERC CIP.
What's needed here is less politics, not more. Give clear, centralized responsibilities for security (interpretations, compliance and implementations) within power companies rather than siloed distributed roles and interpretations and you will get mitigations for 'vulnerabilities'.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/944/2896#2896