What do severity ratings REALLY mean? I read a blog on Digital Bond’s Bandolier project (www.digitalbond.com,
Cyber security for the Process Industries
ISA SP99 is working on the Part II standard. The current discussion is on risk. I am including my response, looking for discussion on this subject. My premise is that traditional risk methodology (frequency * consequence) does not apply to control system cyber security.
From the press release:
How isolated are control system networks? There is a prevailing view by many that corporate firewalls and DMZs provide adequate screening and protection to minimize "hits" on control system networks. Consequently, there is an expectation that control system firewalls (if they even exist) will see very little traffic.
Over on SoundOFF! Walt has posted a thought-provoking piece by Wurldtech's Bryan Singer, who is also chair of SP99. Singer, who started out as an IT person, has made his bones in automation, and talks about why he agrees with Walt that process security is different. ...
Control systems are different: Control systems control the industrial infrastructure. Control system engineers are system engineers. Consequently they are conversant in control theory, electrical engineering, mechanical engineering, chemistry, physics, computer programming, and, for nuclear plants, nuclear engineering.
Some Congresspeople have been asking questions: intelligent, insightful questions that indicate the policymakers really are going to understand and take a role in cybersecurity. Question from the Honorable Michael T. McCaul: 1. What are the principal differences between the ISA 99 standards and the NIST best practices found in Special...