and Re-Analysis of Security Policies
Policies and procedures need to be written to state how often re-analysis of the
existing policies and security infrastructure needs to occur (given no
successful attack or repeated attempted attacks being detected). The policy for
re-analysis needs to recognize that shifts in the world political environment
(just think of before 9/11 versus now) and technology advances all need to be
taken into account.
Figure 5: General trend in security vulnerabilities (extracted from EPRI Report 1008988)
Figure 5 shows the probability of a successful attack. It depicts a high
probability prior to security measures being implemented. The point at which
the security measures are implemented represents the “lowest” probability of
successful attack, if the security process has worked properly. However, the
figure accurately reflects that over time the probability of successful attack
increases. Thus it is important to understand and specify the periodicity of
security re-evaluation in order to keep the probability of successful attack at
an acceptable level.
Thus the aforementioned represent the general types of problems that must be
faced when developing an overall Security Domain security policy. However, there
are technology-specific policies that also need to be addressed.
Note: ISA-99, Integrating Electronic Security into the Manufacturing and Control
Systems Environment, is a document worth reading. It discusses, in more detail,
the aspects of policy development.