Unfettered Blog

FERC climbs on the cybersecurity bandwagon…finally!

From the article: WASHINGTON (AP) - Federal energy regulators said Monday they have asked the White House to approve a rule that requires the electric industry to submit detailed reports about its progress in addressing potential cyber-security vulnerabilities. I...

From SANS Bites…

The following is from SANS Bites 12.11.2007 with my comments boldfaced: [Editor's Note (Paller): This is a stunning development. NERC's cyber security standards were coming to be seen as almost totally ineffective (That statement is wrong - the industry has been fighting tooth and nail to justify and keep the...

IT versus Control Systems…a word from a “recovering IT person”

Over on SoundOFF! Walt's posted a thought-provoking piece by Wurldtech's Bryan Singer, who is also chair of SP99. Singer, who started out as an IT person, has made his bones in automation, and talks about why he agrees with Walt that process security is different. ...

Control systems ARE different

Control systems are different. Control systems control the industrial infrastructure. Control system engineers are system engineers. Consequently they are conversant in control theory, electrical engineering, mechanical engineering, chemistry, physics, computer programming, and for nuclear plants, nuclear engineering.

On the subject of Aurora…

Next Thursday, the NERC Critical Infrastructure Protection Committee (CIPC) will have a session on Aurora - the Idaho National Lab demonstration of destroying a diesel generator via a cyber attack. The session will include utilities and vendors.

More disclosure fun…what game are these people playing?

US CERT issued an information notice on cyber incidents suspected of impacting private sector networks dated November 28, 2007. According to the notice, "US-CERT is aware of sophisticated attempts to compromise private sector networks, including critical infrastructures.

Disclosures, FUD, and the need to maintain credibility

The issue of disclosure is not just of software and programming vulnerabilities, but also disclosure of events. I have been following the issue of disclosures and FUD for quite a while and generally have been silent on the discussion.

Get your answers here…

Some Congresspeople have been asking questions -- intelligent, insightful questions -- that indicate that the policymakers are really going to understand and take a role in cybersecurity: Question from the Honorable Michael T. McCaul: 1. What are the principal differences between the ISA 99 standards and the NIST best practices found in Special...

Winning with NERC CIP and still losing

You can be NERC CIP compliant, and still get fined...

Educating the narod on cybersecurity…control systems ARE different

The need for education for the "vast unwashed" is still extreme. Last Thursday and Friday, DOE sponsored the GridWise Interop Conference in Albuquerque. Generally, there are few common participants between security and interoperability discussions. It is not clear if the final rule on cyber security will impact the interoperability considerations...