Friday, April 14, 2017

Do you really need a requirement for that?

Over at the Anfield Blog, CEO Chris Humphreys says:

"3. Does your organization really need a formal standard to tell you that you should be testing any/all third party software/hardware before deploying it within your operational environment?
This is the most alarming concern I have. If you answered "yes" to the above question, the state of security within our industry is in horrible shape. Nothing gets me more fired up than when I speak to a security "expert" at a utility and he says: "There's no NERC requirement for me to do that." I'm sure that's exactly what the Iranians said before they installed those PLCs in their nuclear reactor."
{my own emphasis added in the second paragraph.}

I really can't add anything to that, other than it's not just a Supply Chain issue. It sort of places some other people's opinions about the benefit of "Mandatory and Enforceable Standards" in context.
