9/7/06

Day 2 in Boston

The SCADA and RFID scenarios are lame and do not seem to come from someone with enough background in the industries and technologies being described. It is worth noting that many of the doomsday prophets in the information security arena are really sensationalists with limited knowledge of the industries they depict, and that their sensational power comes from their admixture of partial knowledge and confusion.

Ira Winkler claimed to have taken over banks' and nuclear facilities' SCADA systems? An interesting claim to review.

One thing is for sure: there is a great deal of difference of views in the security industry. The vendors' perspective is often different from the service providers' perspective, and researchers have their own perspective, which more often than not is increasingly determined by the perspective of their sponsor. Everyone has an axe to grind in the information security space, and that does not bode well for the long-term goal of providing holistic, effective and cost-effective solutions.

Earlier today, John Chambers of Cisco got it right when he said that an architectural approach is required for a holistic security environment. He missed the point, however, in not seeing architecture from the purist's perspective: not just as the integration of security capabilities into various devices and of security into the network infrastructure, but as the development of the infrastructure around security, as is done in the case of reliability.

Of course, the question often arises, as it did during this long conference, of what constitutes acceptable security. Many in the industry still hold the opinion that security is an immeasurable and intangible concept, as though its intangibility makes it immeasurable. It should be understood, however, that every concept remains immeasurable so long as the specific characteristics or features around which metrics can be defined have not been identified.

Interesting features and characteristics in the information security workspace include, but are not limited to:

1. Risk Measures: Annualized, Normalized, Time-Series, etc.

2. State Measures: Review of the known state and of predicted states based on configuration changes or other related, impacting activities.

3. Threat Metrics: Based on available information about enterprise and global security incidence and system vulnerability postures.

Other measures could also be defined, but the definition of measures will depend on the clear articulation of the security posture, and this is made clearer in the presence of clear architectures.

Since organizations differ in their implementations, needs and types, their architectural needs will expectedly be different too. However, the concepts necessary for developing successful architectures are universal, as holds true in many other industries, including building architecture. Thus an architectural framework, or a set of guidelines, rules or procedural standards, required for an effective holistic information security architecture will provide a sound starting point.

In the late 1970s, the definition of Zachman's framework led to efforts that today drive the implementation of robust integration frameworks for enterprise Information Technology projects. Organizations relying on Zachman's or some other architectural framework as the foundation of their IT projects have reported gains in various business-significant areas, including productivity, cost-effectiveness and agility across the enterprise. Resource re-use, user empowerment and cohesive working environments have also been reported, resulting in the increasing adoption of some framework for other business-related goals such as service-oriented architectures, which have as their underlying goal a focus on the consumer.

Security architectures will tie into the other types and provide an engine, or driving force if you will, for metrics.

One common denominator amongst the various industry players is self-preservation, and in the ensuing turf battles the consumer risks losing not just resources but confidence in the underlying infrastructures as the lies that underlie much of the claims and fear mongering come out into the open.

Some of the questions asked at the IDC conference in Boston indeed raised the question, albeit indirectly, of the relevance of many of the current vendors. Much of the services being touted are either unnecessary or overrated, in that the end user/consumer should not need to outsource basic operations simply because someone else can do them better as an enterprise. In much of the managed security space, the consumer transfers the operational risk but retains the business risk. The unfortunate thing for many corporations out there is that as they outsource the majority of their critical IT functions in the name of managed security, they tremendously increase their exposure footprint, and their risk of a privacy breach also increases.

In the coming days, I hope to get a list of the titles of all security personnel at the Boston event. Reason? Research on what information security professionals are being referred to as, or are calling themselves, in the enterprise. I may extend this in the future to all US enterprises!

Also, I will do a more detailed review on the Boston IDC event in the coming days, time permitting.

2 comments:

rOadbill said...

Boston!? How does Long Beach sound to you!?!?:

Remote Monitoring & Networking 2006 -- SCADA, Data Acquisition, Device Networking, M2M and Security for Remote Sites and Onsite Power -- Offgrid, Standby and Back-up Power for Mission Critical Operations will be held November 9-10, 2006 in Long Beach, California at The Westin Long Beach.

These technology-driven and solution oriented conferences bring together the innovators and users from multiple industries, including utilities, power, oil & gas, telecom, industrial, water & public utilities, agriculture and facilities management.

Remote Monitoring & Networking 2006 will focus on the leading advancements for the monitoring and management of distributed equipment and facilities, remote assets, automated process & system controls and device networks. Large-scale users and industry experts will speak on SCADA, security, control, automation, M2M, networking, telemetry and condition monitoring.

Onsite Power 2006 will cover the latest advancements in back-up, UPS, emergency and standby power systems, and design strategies for monitoring & controlling distributed, remote and mission-critical equipment and facilities. MORE INFO AT:

http://www.remotemagazine.com/rem_conf_index.htm

Wole said...

Office 2007 ISO 690 Bib style trick
http://channel9.msdn.com/ShowPost.aspx?PostID=262998