Like all good stories there is an elemet of truth. I would suggest that this is the case with this disclosure and it is the same as last years for those with a good memory just a bit more “inuendo with a touch of cloak and dagger”

Something to remember is – SANS has started their training calander for this year. I see this more as thier annual hype to encourage participation in their courses. They are not bad from all accounts but i don’t know how good they are at controls systems security training.

I will say the same as last year, heart in the right place just not on the best road to travel to arrive at the destination.

Hi CNIOperator. I keep forgetting you are from the UK! It is a shame that you cannot comment in the open but I do understand that many organisations don’t like people commenting on anything full stop.

Jake the UK system is very similar conceptually to the model we have here. I think they have been working together (industry) a bit longer so if anything they are probably a bit more well interconnected! Maybe CNIOperator could confirm if they find they are getting a lot of value out of thier involvement with the SCSIE program. Maybe even a percentage of participation may be some encouraging figures?

From what I have read and researched on the ISAC’s and how they are supposed to operate it does not surprise me that you don’t see much, especially from the water sector.

It is a shame to hear that it is not as effective as it could be, from an end users perspective, especially when you consider the process is a pay for participation service model for some sectors, maybe you can confirm if the water ISAC does charge a fee for services.

At the end of the day these sorts of resources are only as good as the membership allows them to be – how much involvement and participation people put into them.

Let’s face it Jake are you encouraged and rewarded by your organisation to put the amount resources and efforts into security that you do? I think I already can answer that it is, probably the same as what I experience. Still I am not doing this all for them at the end of the day and I am certain you are not either Jake.

I think they have had a fair bit of time Jake. I am of the understanding that the power sector ISAC works quite well, Maybe the problem is one of logistics or resources Jake.

I have seen congressional testimony that the ISAC organizations are all in good shape. Yet, following the Aurora disclosure, we got NOTHING. Note that we have substations too. As a water utility, we have lots of large motors which are theoretically just as subject to the demonstration as any generator.

To be gracious, I think the ISAC managers are still trying to figure things out.

Thanks for that confirmation.

ps i’ll echo jake’s comments for ISAC support — the topic came up several times during the conf.

Once again, this is why I feel an ISAC is an important tool for this sort of information. Sadly, it doesn’t appear to be what the ISAC are doing.

Bland statements like this are counterproductive. Managers typically ask “So what?” in response to this. It doesn’t articulate a threat. It doesn’t identify resources that need to be hardened. Why bother?

Thanks.

Pete

- It forces us into the role of literatur professors who must try to find some sense in what appears as a strange piece of poetry, just as your blog entry clearly points out. Don’t we have better things to do?

- It may create hysteria in the general public, as you have noticed before. This doesn’t help either. Hysteria is not the same as awareness.

- Decision makers, who are less prone to hysteria in general, will simply ignore the smoke cloud altogether, AND will add to their memory another case of insecurity talk with no substance.

While I hate to bash the CIA, the bottom line is that this blurb does nothing to increase security, but something to discredit the research community. The last thing that we need is a government agency tuning into unsubstantiated threat announcements.