Comments on: Control Systems Must Be Scanned! http://www.digitalbond.com/index.php/2006/11/29/control-systems-must-be-scanned/ This Month in Control System Security Fri, 30 Jul 2010 09:35:51 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: David http://www.digitalbond.com/index.php/2006/11/29/control-systems-must-be-scanned/comment-page-1/#comment-243 David Thu, 30 Nov 2006 20:14:09 +0000 http://www.digitalbond.com/index.php/2006/11/29/control-systems-must-be-scanned/#comment-243 In the title you use the word "must," and overall you present a good paper. I read the paper and the posting. Something was off and it wasn’t until I re-read the posting that it hit me. You say, right at the end, "...to scan safely and raise the security bar." And my question to you is, does raising the security bar raise security spending? And from that flow a bunch of questions/issues about how much the bar is raised (resulting from the knowledge of vulnerability) VS. how much spending is increased. I think those questions can only be answered within the confines of "risk," and vulnerability does not a risk make. So I would disagree with your statement and say, no control systems do not need to be scanned; but that the risks to control systems need to be known. And to that end I would submit that the white paper be modified. Such that during the selection process prior to scanning you include the variable, threat. And by threat I mean attacker motivation, means/opportunity, system exposure, and ROI for attempting the attack on system A or system B. I feel that this additional level of complexity will multiply the value that comes from scanning; in both the eyes of the personnel that must take the time to react to scanning results and in the eyes of the personnel that pay for the scanning. So, I'll rephrase the question, does scanning alone raise the security bar enough to warrant the rise in security spending? Thank you for entertaining my comments, David In the title you use the word “must,” and overall you present a good paper. I read the paper and the posting. Something was off and it wasn’t until I re-read the posting that it hit me.

You say, right at the end, “…to scan safely and raise the security bar.”

And my question to you is, does raising the security bar raise security spending?

And from that flow a bunch of questions/issues about how much the bar is raised (resulting from the knowledge of vulnerability) VS. how much spending is increased.

I think those questions can only be answered within the confines of “risk,” and vulnerability does not a risk make.

So I would disagree with your statement and say, no control systems do not need to be scanned; but that the risks to control systems need to be known.

And to that end I would submit that the white paper be modified. Such that during the selection process prior to scanning you include the variable, threat.
And by threat I mean attacker motivation, means/opportunity, system exposure, and ROI for attempting the attack on system A or system B.

I feel that this additional level of complexity will multiply the value that comes from scanning; in both the eyes of the personnel that must take the time to react to scanning results and in the eyes of the personnel that pay for the scanning.

So, I’ll rephrase the question, does scanning alone raise the security bar enough to warrant the rise in security spending?

Thank you for entertaining my comments,
David

]]>