RE: Risk/Threat Assessments for Utility specific software/hardware

From: Davi Ottenheimer (dottenheimer@synchronnetworks.com)
Date: 01/22/03

    From: Davi Ottenheimer <dottenheimer@synchronnetworks.com>
    To: 'David Barnett' <dbarn064@earthlink.net>, pen-test@securityfocus.com
    Date: Wed, 22 Jan 2003 11:15:23 -0800
    
    

    I have only limited experience doing technology audit work for gas/electric
    companies, not water. Don't know if you're looking for specific
    applications/products or general stuff. So...

    I suggest looking at the NIST Critical Infrastructure Protection guidelines
    (http://www.mel.nist.gov/proj/cip.htm) and National Information Assurance
    Program (NIAP) Process Control Security Requirements Forum (PCSRF)
    (http://www.isd.mel.nist.gov/projects/processcontrol/). Here's a good paper
    to read, which I think was done for the PCSRF and ISO/IEC 15408:
    http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

    There are lots of SCADA sites, but the Gas Technology Institute/American Gas
    Association Encryption page has some good pointers
    (http://www.gtiservices.org/security/)

    And here's the Department of Energy (DoE) guide to CyberSecurity.
    http://oea.dis.anl.gov/documents/21StepsBooklet.pdf
    Pretty basic, but definitely a good thing to know about to cover your bases
    if you have to work with them.

    I also have industry and government contacts that I could potentially ask for
    more specific information if you have any further questions.

    Hope that helps,

    +++ ------------------------------------------------------------- +++
    Davi Ottenheimer, CISSP
    Chief Security Engineer
    email: mailto:davi@synchronnetworks.com
    emergency: mailto:8315884778@vtext.com
    Synchron Networks, Inc.
    www.synchronnetworks.com
    100 Enterprise Way, C230
    Scotts Valley, CA 95066

    > -----Original Message-----
    > From: David Barnett [mailto:dbarn064@earthlink.net]
    > Sent: Friday, January 17, 2003 2:13 PM
    > To: pen-test@securityfocus.com
    > Subject: Risk/Threat Assessments for Utility specific
    > software/hardware
    >
    > A company I am consulting with does Water and Energy consulting work. I
    > have built up a good relationship with them during my security assessment
    > consultations. They are now trying to bid on Government work concerning the
    > safety of Utility Companies. I was asked about my knowledge of vertical
    > software such as Embedded OSes and their Utility software applications.
    > Does anyone have any experience in this area, or can point me to any such
    > information?
    >
    > Many thanks,
    >
    > David Barnett
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security
    > Intelligence Alert (SIA) Service. For more information on
    > SecurityFocus' SIA service which automatically alerts you to
    > the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/

