From Dale Peterson's ScadaSecurityBlog for:
2005-04-04
Best Practice?
A security consultant not recommending best practice? The horror.
This came up a number of times in class last week. A student walks up during the break, explains his SCADA system, and then asks if he should implement the best practice configuration we just discussed. In a perfect world the answer is, of course, yes: implement best practice.
Most SCADA systems are far from a perfect world today. So the real question is where, and in what order, limited resources should be applied to improve information security. Sometimes a configuration that falls short of best practice still improves security dramatically, and the remaining resources are better spent on another security control.
This is similar to risk mitigation. You address the highest risks first, but you may not completely eliminate the risk. Instead, you may just lower the risk until it is less than or equal to other risks.
Best practice should be part of most long-term plans, but striving for perfection in one area while ignoring others is not recommended. If you get an assessment with a variety of remediation recommendations, remember to ask for some prioritization and a deployment plan.
posted by Dale Peterson @ 4:44 PM