Subject: Re: [smartgrid-discuss] Draft charter for proposed OASIS Energy Interoperation Technical Committee
Unfortunately, Toby, the sub-committee, while useful from an administrative point of view, relegates security to an afterthought and may result in a less than optimal product. Here's why:

The main TC will focus on business protocols and "throw it over the wall" to the security SC to secure it when completed. The security SC may or may not have the mandate to change the business protocols if securing them requires changes (depending on what flexibility the TC gives the SC). While the SC can go back to the TC for clarifications and raise potential issues, there will be little appetite in the main TC to change business protocols once completed. As a result, security will be force-fitted, potentially leaving subtle vulnerabilities.

On the other hand, if the security goals are explicit in the business charter, and security-minded people were part of the development work in the main TC, there are two benefits:

1) They learn first-hand the business requirements on a "day-to-day" basis and the rationale for the evolution of the business protocols; and

2) They are in a position to educate the business people about new risks in the industry and to adjust the business protocol as it is being developed.

While this "education" might be considered a distraction to the people in the main TC, it has the immediate benefit of not having to re-write business protocols later on, and the long-term benefit of building security awareness in the business community. The process will be a little slow in the beginning, but as both sides adjust to the new groove, it will not only move faster, but the end result will be a great piece of work - from a business *and* security point of view.

Arshad Noor
StrongAuth, Inc.

Toby Considine wrote:
>
> Perhaps a sub-committee could be focused on defining the profiles
> assembling existing security standards would be in line. Such a
> sub-committee could recommend a profile for market operations (borrow one
> of the trading house profiles), a profile for secure operations (the
> space SCADA Security is in now) and another for retail operations
>