08 January, 2007

Comments - Wireless Concerns and Relative Risk

Ron has a good comment up on the Physical security post. It deals mainly with various aspects of the wireless discussion and the use of reserved vs. common bandwidths. It also touches on something I should have expounded on better.

Any of the items I mentioned might be too extreme or not extreme enough, depending on the relative risk level for a given system. For one system (on the physical protection level), an electrified fence with concertina wire, an armed guard and a trained guard dog may be appropriate. For another, a padlocked plywood door might do.

One of my key points from the post was that certain design factors of the physical system can be considered mitigating factors for information security risks related to the ACS.

Alex at Riskanalys deals very well with mechanisms for determining how significant potential issues can be. Hopefully some time in the future he and I might be able to identify subsections of impact modifiers, threats and controls specific to DCS and SCADA.

1 comment:

Alex said...

Hey Jim,

I'd love to (and I owe you a post answer from last year I know), but this AM my host did something for the sake of PHP security (hooray!) that disabled posting and commenting in all blogs (boo!).

I'm at the whim of tech support right now, and as you can imagine, that's a nasty place to be.

In my mind, the key to understanding what we need to do starts with: "who do we need to protect against?" Pick a category:

Internal Privileged Technical

Internal Privileged Non-Technical

Internal Non-Privileged Technical

Internal Non-Privileged Non-Technical

External Professional Technical

External Professional Non-Technical

External Amateur

Some folks break Force Majeure and Malware into their own separate categories.

Now I (we?) have a tendency to go right at "Professional Technical"... but that might not be the case.

For example, for SCADA equipment with 802.11x equipment we might actually be more inclined to go with "external non-technical".

So there's a start, anyway. If I get blogging back, I'll try to cover physical security, vulnerability, and risk more in depth.