Over at the Anfield Blog, CEO Chris Humphreys says:
"3. Does your organization really need a formal standard to tell you that you should be testing any/all third party software/hardware before deploying it within your operational environment?
This is the most alarming concern I have. If you answered “yes” to the above question, the state of security within our industry is in horrible shape. Nothing gets me more fired up than when I speak to a security “expert” at a utility he says: “There’s no NERC requirement for me to do that.” I’m sure that’s exactly what the Iranians said before they installed those PLCs in their nuclear reactor."
{my own emphasis added in the second paragraph.}
I really can't add anything to that, other than it's not just a Supply Chain issue. It sort of places some other people's opinions about the benefit of "Mandatory and Enforceable Standards" in context.