A Rant on Norms and so-called Standards
phildom
Security norms only exist because the industry didn’t take care of security and didn’t invest in it for far too long, and to add some kind of “comparability”.
But in the end, they really don’t matter. Being certified to one of these norms doesn’t really mean anything; it barely says anything about the state of the security. It doesn’t even mean that the company has implemented any real security measures. Furthermore, some “levels” of security that one has apparently gained after “implementing” these norms are simply arbitrary, without any foundation. For example, the mechanisms for the security levels in IEC 62443 do not have any basis whatsoever. They are just arbitrarily picked.
To somehow determine the current state of security of your system, the only way I currently see is to do multiple different types of security tests (pentests, “red teaming”, vulnerability scans, static and dynamic tests, …) with different companies and people, and in addition to perform several security audits, again by different companies and people. Only then will you have a rough idea of the state of the security. This should be the standard! Not some useless certifications of some useless norms!
Focusing on norms wastes a huge amount of resources, time and effort on fulfilling these norms, instead of putting those resources into actually making the subject at hand secure.
Even though some authors of these norms don’t really understand security and/or technology, all of these norms do contain good ideas, and some helpful pointers on how to go about security.
But that’s really it: they contain helpful pointers. To actually add meaningful security, you can take these pointers, and then actually implement real security measures.
So go ahead, and implement real security!