Subject: RE: [smartgrid-discuss] Pricing from the NIST TWIKI
"Guaranteed" messages with non-repudiation are important, for instance being used by single enterprises for billions of dollars per year in purchasing / sales, a situation with some parallels to contracting for energy. In other cases, for example, a secure channel, typically SSL/TLS, with best effort delivery has been "good enough" for other types of messages. Decisions were made considering the nature of the business relationship where one size does not fit all, and delivery mode, non-repudiation, and other options are different dimensions to meet the business requirements.

-----Original Message-----
From: Arshad Noor [mailto:arshad.noor@strongauth.com]
Sent: Tuesday, December 30, 2008 11:47 AM
To: Larry Lackey
Cc: Toby Considine; smartgrid-discuss@lists.oasis-open.org
Subject: Re: [smartgrid-discuss] Pricing from the NIST TWIKI

Unfortunately, allowing for this type of distinction has allowed "phishing" to become one of the most lucrative attacks for attackers in the financial industry today. A bank can choose to send messages to its customers using "best effort, advisory" messages, or it can send "guaranteed, signed" messages. What do you think they do today that allows attackers to mimic messages on a daily basis about "your account has been compromised" and to "login and update your credentials"?

If you think that the smartgrid is going to remain impervious to attackers, think again. Any time a power-supplier sends out "best effort, advisory" messages, it will be used to attack consumers and systems if the attackers can make a buck out of it (and they will figure out a way to do it).

My recommendation: make *ALL* messages guaranteed and non-repudiable. This is the only way to assure yourselves that you have a chance of preventing the kind of mess the financial industry has created for itself using "best effort, advisory" messages.

There is no guarantee that "guaranteed, signed" messages will prevent "phishing" attacks on the smartgrid, but it certainly raises the cost significantly for attackers - perhaps even enough to completely prevent the attacks (unless real-world, physical controls are compromised and insiders collude to game the system).

Arshad Noor
StrongAuth, Inc.

Larry Lackey wrote:
> Messaging standards such as JMS provide different qualities of service,
> QoS, to meet different business requirements. Both "best effort" and
> "guaranteed" have their place depending upon the situation, for example:
>
> Guaranteed in situations where messages have significant legal
> implications and services such as non-repudiation (mentioned below) are
> appropriate.
>
> Best effort in advisory type messages.
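The "guaranteed, signed" message model that the thread argues about, shown as an added example that is not part of the original discussion, of any OASIS smartgrid work, or of StrongAuth's products. It signs a constructed pricing notice with Ed25519 (my choice of algorithm, not one the thread names), verifies every incoming envelope against a pinned supplier key before any field is read, and then checks what happens to a genuine, a tampered and a forged message. The `PriceMessage` fields, the `example-utility` name and the period string are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// PriceMessage is a constructed stand-in for a pricing notice of the kind the
// thread discusses. The field names are assumptions, not any standard schema.
type PriceMessage struct {
	Supplier string  `json:"supplier"`
	Period   string  `json:"period"`
	PriceKWh float64 `json:"price_kwh"`
}

// SignedEnvelope carries the exact payload bytes that were signed plus the
// detached Ed25519 signature. The receiver verifies these bytes as-is before
// parsing anything out of them.
type SignedEnvelope struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("signature does not verify against the pinned supplier key")

// Sign serialises the message and signs the serialised bytes with the
// supplier's private key. Because the envelope ships the signed bytes, the
// receiver never has to re-derive a canonical form.
func Sign(priv ed25519.PrivateKey, m PriceMessage) (SignedEnvelope, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify checks the envelope against the supplier's pinned public key and only
// then decodes the payload. There is no unsigned "advisory" path: a message
// whose signature fails is rejected before any field is acted on.
func Verify(pub ed25519.PublicKey, env SignedEnvelope) (PriceMessage, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, env.Payload, env.Signature) {
		return PriceMessage{}, ErrBadSignature
	}
	var m PriceMessage
	if err := json.Unmarshal(env.Payload, &m); err != nil {
		return PriceMessage{}, err
	}
	return m, nil
}

// Outcome records what the receiver did with three constructed messages.
type Outcome struct {
	GenuineAccepted  bool // correctly signed message from the supplier
	TamperedRejected bool // genuine envelope whose price was altered after signing
	ForgedRejected   bool // message signed by a key the receiver has not pinned
}

// Demo runs the three scenarios end to end with freshly generated keys.
func Demo() (Outcome, error) {
	var out Outcome
	supplierPub, supplierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	// Constructed sample notice (hypothetical supplier and period).
	notice := PriceMessage{Supplier: "example-utility", Period: "2008-12-30T12:00Z/PT1H", PriceKWh: 0.12}
	env, err := Sign(supplierPriv, notice)
	if err != nil {
		return out, err
	}
	got, err := Verify(supplierPub, env)
	out.GenuineAccepted = err == nil && got == notice

	// Tampered: same signature, price field edited after signing.
	tampered := env
	tampered.Payload = []byte(strings.Replace(string(env.Payload), "0.12", "0.99", 1))
	_, err = Verify(supplierPub, tampered)
	out.TamperedRejected = errors.Is(err, ErrBadSignature)

	// Forged: a different key pair signs a message that claims to be the supplier.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	forged, err := Sign(otherPriv, PriceMessage{Supplier: "example-utility", Period: notice.Period, PriceKWh: 0.99})
	if err != nil {
		return out, err
	}
	_, err = Verify(supplierPub, forged)
	out.ForgedRejected = errors.Is(err, ErrBadSignature)
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The receiver pins the supplier's public key out of band; how that key is distributed and rotated is the operational cost the thread alludes to, and it is exactly what makes a forged notice fail here while an unsigned "advisory" notice would have no check to fail.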