Wednesday, July 28, 2010

The NERC audit process is very broken

If the chief objective of the NERC audit process is to improve the security posture of the asset owners and ISOs, then it fails miserably to achieve said goal. Instead, because the auditors can penalize asset owners severely for items that have no bearing on security, the focus shifts from security to compliance with the standards. These are standards with which it is fully possible to be entirely compliant while having a very poor security posture.

In this effort to be compliant in order to avoid penalties, asset owners with limited resources emphasize compliance. After all, it is compliance with the standard, not security, that allows you to go unpenalized. The audit process and its emphasis on compliance rather than security serve to divert resources from security. Time, money and effort go into being compliant instead of secure. Again, compliant with a standard that has little bearing on true security.

The process is broken, contributing to poorer security through the diverting of resources. Having said that... I have racked my brain for a better model and am at a loss for a solution, as all the scenarios I come up with involve huge government involvement in security monitoring and testing.

Monday, July 26, 2010

The Basic Persistent Threat

So Jason Holcomb (of Digital Bond) and I are coining some new phrases with regard to cyber security as it applies to control systems. Control systems are a literal regression to many of IT's worst practices of 10+ years ago.

Mine: Security through Divine Intervention. When the coding, the basic schema of your products, and the architecture are so bad that the only thing keeping you from being pwned daily is an act of deity.

This is when we are just glad every morning that the lights still come on, and credit it to divine intervention.

Jason's: Basic Persistent Threat: When your security architecture is so bass-ackwards that no "Advanced" techniques are required to keep a persistent presence. As opposed to the APT, advanced persistent threat.

This means a 12 year old with a stick can poke holes in your architecture and maintain a persistent presence.