
Friday News and Notes

  • The Wired Science blog listed “five nodes in the energy distribution network” that would have a huge impact if disrupted. For example, the Enbridge pipeline provides 20% of the oil for the US. Also listed are the Abqaiq processing facility, the Ras Tanura offshore oil terminal, and the Straits of Hormuz and Malacca.
  • The Microsoft Patch Tuesday bulletins showed no difference between Server 2008 and Server Core. We continue to track the potential reduced patching benefits of Server Core on a SCADApedia page.
  • Marketing run amok. From the Industrial Defender Newsletter [requires registration]: “With the acquisition of Teltone Corporation and its Gauntlet secure substation communications solution, we’ve made it possible to . . . as well as fully comply with mandatory NERC CIP critical infrastructure cyber security requirements.” Or even worse: “The Server offers powerful reporting features, including ‘one-click’ AutoAudit™ reports which contain all NERC CIP required documentation.” I’m sure the products will help meet some CIP requirements, but the electric sector has matured a lot in the last two years and will scoff at such claims. Tell us what specific CIP requirements will be met and what audit evidence is provided. The Industrial Defender consulting team [a competitor] is first rate, and we have clients very satisfied with their products, but they need to get a grip on the marketing team.

Comments

Comment from Michael Toecker
Time: July 11, 2008, 1:27 pm

With regards to “Marketing Run Amok”, the statements “fully comply with mandatory NERC CIP” and “contain all NERC CIP required documentation” are incredibly frightening to me as a consulting engineer.

In the past few years, it was possible to use language like this; there were no fines and public reports associated with NERC CIP non-compliance. The publicly available 2007 Reliability Standards reports had all this information removed before posting by NERC, oftentimes relegating CIP to a “discussion only”.

However, this year we are getting into the “Compliant” and “Substantially Compliant” phases, where a lot more is at stake. Fines are on the table, and public disclosure of compliance/non-compliance (à la the GAO’s review of the TVA) is a distinct possibility. There is actual DAMAGE associated with non-compliance, and vendors/service providers who advertise a NERC CIP Compliant product should be careful they aren’t biting off more than they can chew.

Mike Toecker

P.S. How did this soapbox get here?

Comment from Todd Nicholson
Time: July 11, 2008, 6:45 pm

Hello Dale,

Thank you for your input regarding the Industrial Defender quarterly newsletter. Clearly North American utility providers will be required to support a significant amount of documentation in order to meet the large list of NERC-CIP compliance requirements, which cover many different areas beyond cyber security. The purpose of the AutoAudit reporting feature is to provide customers with a tool to consolidate and categorize data to assist customers with meeting NERC-CIP cyber security compliance requirements for elements of CIP-003 Security Management Controls, CIP-004 Personnel and Training, CIP-005 Electronic Security Perimeter, CIP-007 Systems Security Management, and CIP-008 Incident Reporting and Response Planning. Though our professional services team can assist customers with their needs in other key NERC-CIP compliance areas, including physical security, cyber asset identification and recovery planning, these areas are not part of our technology offering. We have updated the quarterly newsletter to reflect the details of the solution.

Todd Nicholson
Industrial Defender, Inc.
