Friday, June 5, 2015

Security: A Never-Ending or a Not Yet Started Story?

Everybody talks about security! Who is working on it? Some people are working on meeting compliance requirements like those defined in NERC CIP. Very few are dealing with measures to make and keep systems secure.

What's the difference between compliance and security? Does being compliant also mean being secure? NO – not at all. Being compliant may let you sleep better …

Two excellent publications touch on these issues:

1. NERC CIP v5 Suggests Compliance Does Not Equal Security

2. What effective legislation would you write for CI ICS

The first article closes:

“Compliance means you won't be fined. Security means you won't end up in the headlines. A friendly security suggestion would be to look beyond CIP compliance and use it as a baseline for your security policies.”

and the second:

“Hopefully, industry can get behind some sort of meaningful control system
security legislation before we end up with a catastrophic attack on a control

Since most people have likely not yet tried to implement security measures … the following sign (which I purchased the other day) wouldn’t help either:


Try it again, or for the first time. But don’t give up before you have a process for a higher level of security in operation. And never stop improving.

