310 CHAPTER 11 Common Pitfalls and Mistakes

compliance controls to specific security events, so that as incident(s) occur the responsible security analysts are immediately aware of the impact that the incident(s) may have on the organization's compliance goals. Chapter 10, "Standards and Regulations," begins the process of mapping compliance and security controls together. This effort may also be facilitated through the use of the Unified Compliance Framework (www.unifiedcompliance.com).

SCOPE AND SCALE

Another common mistake made when attempting to secure a control system is to think of the industrial network as an isolated system. While once air-gapped from the rest of the organization, industrial and automated control systems are now dependent on and heavily influenced by many other systems: the business or enterprise network, new communications infrastructures that are integrated with power systems (i.e., the smart grid), new technologies, tools, etc. The result is that control systems must be assessed (at least for security purposes) as a dynamic system. Without sufficient planning for outside influences and unforeseen growth, the best-laid plans can fail after implementation.

CAUTION

When implementing new security products, proper sizing and configuration of those products is critical. However, most vendors rate products differently. Similar products may be marketed using entirely different metrics, making it difficult to choose the correct tool for the job. Especially in an industrial network (where there is likely a compliance requirement to thoroughly test new assets in any case), insist on a trial of significant length to ensure that the product is sufficient for the scope and scale of the network it will be deployed in. Because it is also difficult to effectively measure the various necessary qualities of a network, this trial should be performed in a full test network environment that replicates the production network as closely as possible.
Such a test environment should be maintained in its own isolated and secured enclave, and to the greatest degree possible it should contain the same network assets and systems that are in production environments. The use of virtual machines (VMs) can simplify the process of establishing test networks by enabling the easy reimaging of certain systems. However, while certain systems may be able to be virtualized for simplicity, due to the nature of many industrial assets, at least a partly built physical test environment will likely be required.

Project-Limited Thinking

Two common axioms in information security are "Security is a Process, not a Product" and "Every door is a back door." Taking this advice under consideration, security cannot be treated as a onetime project, with limited scope and definable goals. Rather, security policies should be continuously assessed and reassessed as