RE: Risk/Threat Assessments for Utility specific software/hardwar e

From: Davi Ottenheimer <dottenheimer(at)synchronnetworks.com>
Date: Wed Jan 22 2003 - 14:15:23 EST

I have only limited experience doing technology audit work for gas/electric companies, not water. Don't know if you're looking for specific applications/products or general stuff. So...

I suggest looking at the NIST Critical Infrastructure Protection guidelines (http://www.mel.nist.gov/proj/cip.htm) and National Information Assurance Program (NIAP) Process Control Security Requirements Forum (PCSRF) (http://www.isd.mel.nist.gov/projects/processcontrol/). Here's a good paper to read, which I think was done for the PCSRF and ISO/IEC 15408: http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

There are lots of SCADA sites, but the Gas Technology Institute/American Gas Association Encryption page has some good pointers (http://www.gtiservices.org/security/)

And here's the Department of Energy (DoE) guide to CyberSecurity. http://oea.dis.anl.gov/documents/21StepsBooklet.pdf Pretty basic, but definitely a good thing to know about to cover your bases if you have to work with them.

I also have industry and government contacts that I potentially ask for more specific information if you have any.

Hope that helps,

+++ ------------------------------------------------------------- +++
Davi Ottenheimer, CISSP                      Synchron Networks, Inc.
Chief Security Engineer                      www.synchronnetworks.com 
email: mailto:davi@synchronnetworks.com      100 Enterprise Way, C230 
emergency: mailto:8315884778@vtext.com       Scotts Valley, CA 95066  

> -----Original Message-----
https://alerts.securityfocus.com/

---

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ Received on Thu Jan 23 12:23:28 2003