
Friday [Sunday] News and Notes

Not much to report this week, but a couple of minor items:

Comments

Comment from Jake Brodsky
Time: April 27, 2008, 5:03 pm

Looking at what “juliewolf” posts, she doesn’t get many comments. I guess that if the issue of SCADA security can’t be construed as yet another thing to hate the right wing/left wing for, we aren’t going to attract all that much notice among the political ‘blogs.

Frankly, I think that’s just as well. The last thing we need is hopeless polarization one way or the other.

Comment from Ron Southworth
Time: April 30, 2008, 12:36 pm

Hi Dale, Re your recent Podcast. Thanks for an excellent discussion from three people in the industry that I personally admire and deeply respect. Jake and Bryan, many thanks for a very articulate discussion.

I do of course have some differences of opinion as to how to resolve or approach some of our common problems. Hopefully some time this year there will be a means by which these can be shared perhaps.

With respect to your questions of where to spend research monies I do confess that I see the need for both theoretical and applied research to be undertaken and I am a bit greedy in this respect.

I am of the opinion that both are underfunded along with how much money we are investing in training future science discipline people (more so with the pure engineering disciplines).

I personally think that the applied sciences research that is occurring is not necessarily being well highlighted when it is producing good results.

The DHS funded efforts have been generally very successful and excellent returns on investment from my review so far to date.

ISA and NIST have also produced some excellent work the latter with the regulatory nightmare and conformance requirements burden are my exception. The recent NIST risk assessment methodology would be an example of a very complex way of describing risk. The document is more bloated on referencing all the complex rules and what the method and sections it is related to and will affect and does nothing of any real value towards making an effective document on explaining how to do risk assessments let alone objective ones. I do confess and make no apology to pushing ASNZ4360 and I will continue to do so. I am biased as it is a simple and scalable approach to risk assessment. It is easy to understand!

If a guy that digs ditches for a living can use it just as effectively as a person with a doctorate or two it is pretty solid.

The point Jake made on the legacy of the built infrastructure gifted by our fathers and grandfathers becoming old and tired is very much related to the core of the problems in the lack of vision in understanding the real need for investing in the future NOW. We need to also speak more about changing this cultural trait.

With respect to regulation I do agree that there is a need for regulation in some form, just like there is a need for some standards or ethic of how we live our lives. The regulation burden needs to be placed in a way so that it does not cripple an organisation or a country from functioning and for the burden of responsibility to remain “at the top”, coincidentally the same spot we need to target our message on awareness towards for real change to be driven from!

I know Dale that you are a fan of open and public disclosure however I just don’t think the industry is ready (mature) enough for this to occur (I don’t think mainstream corporate world IT are truly ready by the way) and more in trust forms of sharing need to be established that are effective in real and meaningful communication.

Many thanks and keep up your efforts in these podcasts Dale as I do genuinely think to date they have all been an excellent if not sometimes very thought provoking resource.
