Stuxnet Expert Proposes New Framework For ICS/SCADA Security

Published : 22/11/2024   Category : security




ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach



Critical infrastructure operators that have adopted the security industry's popular risk management mindset are doing it wrong, according to Ralph Langner.
Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework (PDF), which is currently in draft form.
The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a security capability, Langner says.
"ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent," Langner told Dark Reading.
Then there's the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it's mostly only an annual patching cycle, he says. "If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are," Langner says.
The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don't have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.
"If there is one big indicator for cyber security capability, or the lack thereof, it's resources. If a power plant, refinery, oil terminal, pipeline operator--[or] you name it--doesn't even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless," Langner says.
Langner contends that risk-based approaches to security can be fudged and aren't based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets organizations determine the direction of their adoption of the framework based on which implementation tier they fall into, which determines the maturity of their security status.
"An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers," Langner wrote in a blog post today.
[Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. See SCADA Security 2.0.]
Risk management has basically become a religion in security, says Richard Bejtlich, CSO at Mandiant. "Risk management has been beaten into everyone's head, but below the business level, I don't think most IT security people are focused on it," he says.
"No one aside from Ralph is really challenging it," Bejtlich says.
RIPE details eight areas of the plant system that should be documented and measured to determine the security posture: system population, or software and hardware inventory; network architecture, including a network model and diagrams; component interaction, or process flow diagrams; workforce roles and responsibilities, a database of identities, privileges, and policies for all staffers and contractors; workforce skills and competence development, or training curriculum and records of operations and maintenance staff; procedural guidance, aka policies and Standard Operating Procedures; deliberate design and configuration change, or plant planning and change management procedures; and system acquisition, or procurement guidelines for systems.
There are templates for deploying each step. "I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure," Langner says. Whoever uses RIPE will less be interested in compliance than measurable cybersecurity assurance.
RIPE also includes metrics for benchmarking and scoring each of the eight domains, for example.
According to Langner, RIPE is based on insights by plant floor operators, and it's really a practical approach to better locking down these environments. Deploying RIPE isn't a major undertaking that necessarily requires paying consultants, either, he says. For example, it doesn't require a genius to assemble a system inventory, he says. And you can get system documentation from vendors and integrators without having to re-invent the wheel, he says.
Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner's argument that establishing a baseline security capability before buying security products is crucial.
"Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this," Peterson says in a blog post.
Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. "What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible," he says. The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE.
He says he's setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available here (PDF) for download.