9/4/2013 06:02 PM
Stuxnet Expert Proposes New Framework For ICS/SCADA Security

ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach

Critical infrastructure operators that have adopted the security industry's popular risk management mindset are doing it wrong, according to Ralph Langner.

Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework (PDF), which is currently in draft form.

The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a "security capability," Langner says.

"ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent," Langner told Dark Reading.

Then there's the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it's mostly only an annual patching cycle, he says. "If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are," Langner says.

The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators have no security professional dedicated to their control systems, and that spending on ICS security amounts to less than one percent of the IT budget they devote to process and ICS equipment and services.

"If there is one big indicator for cyber security capability, or the lack thereof, it's resources. If a power plant, refinery, oil terminal, pipeline operator--[or] you name it--doesn't even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless," Langner says.

Langner contends that risk-based approaches to security can be fudged and aren't based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets an organization set the direction of its own adoption by choosing a target "implementation tier," a self-assessed maturity level for its security program.

"An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers," Langner wrote in a blog post today.


Risk management has basically become a "religion" in security, says Richard Bejtlich, CSO at Mandiant. "Risk management has been beaten into everyone's head, but below the business level, I don't think most IT security people" are focused on it, he says.

"No one aside from Ralph is really challenging it," Bejtlich says.

RIPE details eight areas of the plant system that should be documented and measured to determine the security posture:

1. System population: the software and hardware inventory.
2. Network architecture: a network model and diagrams.
3. Component interaction: process flow diagrams.
4. Workforce roles and responsibilities: a database of identities, privileges, and policies for all staffers and contractors.
5. Workforce skills and competence development: the training curriculum and training records for operations and maintenance staff.
6. Procedural guidance: policies and Standard Operating Procedures.
7. Deliberate design and configuration change: plant planning and change management procedures.
8. System acquisition: procurement guidelines for systems.

There are templates for deploying each step. "I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure," Langner says. "Whoever uses RIPE will be less interested in compliance than in measurable cybersecurity assurance."

RIPE also includes metrics for benchmarking and scoring each of the eight domains.
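The patching example earlier in the story is the kind of claim RIPE wants measured rather than asserted: a policy may say "annual patching," but only an inventory joined against patch records tells you how many in-scope systems actually meet it. The script below is an added illustration of that measurement and is not part of the RIPE white paper or its templates. It assumes a constructed asset inventory (the asset IDs, zones and dates are made up), an assumed annual patch window, and a policy flag marking which assets are in patch scope; the metric it returns is the fraction of in-scope systems patched within the window, broken out per network zone.

```python
"""Measure patch-policy compliance from an asset inventory.

Added example. The inventory, zone names, the 365-day window and the
"in_patch_scope" flag are all assumptions made for illustration; they
are not taken from the RIPE framework or from any real plant.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: an annual patch cycle. Anything patched longer ago
# than this is out of policy even though a "patch regimen" exists.
PATCH_WINDOW = timedelta(days=365)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str                    # assumed network zone from the network model
    in_patch_scope: bool         # does the written policy require patching this asset?
    last_patched: Optional[date] # None means there is no patch record at all


def patch_status(asset: Asset, today: date) -> str:
    """Classify one asset against the patch policy."""
    if not asset.in_patch_scope:
        return "out_of_scope"
    if asset.last_patched is None:
        return "never"
    if today - asset.last_patched > PATCH_WINDOW:
        return "overdue"
    return "compliant"


def compliance_metric(assets: List[Asset], today: date) -> Dict[str, float]:
    """Count assets per status and return the in-scope compliance ratio.

    The ratio is compliant / (compliant + overdue + never), so systems that
    policy exempts do not inflate the score.
    """
    counts: Dict[str, float] = {"compliant": 0, "overdue": 0, "never": 0, "out_of_scope": 0}
    for asset in assets:
        counts[patch_status(asset, today)] += 1
    in_scope = counts["compliant"] + counts["overdue"] + counts["never"]
    counts["in_scope"] = in_scope
    counts["ratio"] = counts["compliant"] / in_scope if in_scope else 0.0
    return counts


def metric_by_zone(assets: List[Asset], today: date) -> Dict[str, Dict[str, float]]:
    """Same metric, computed separately for each network zone."""
    zones: Dict[str, List[Asset]] = {}
    for asset in assets:
        zones.setdefault(asset.zone, []).append(asset)
    return {zone: compliance_metric(members, today) for zone, members in zones.items()}


# Constructed inventory (not real data). PLCs are marked out of scope on the
# assumption that their firmware is handled by the vendor, not the patch cycle.
TODAY = date(2013, 9, 4)
INVENTORY = [
    Asset("HMI-01", "control", True, date(2013, 3, 1)),
    Asset("HMI-02", "control", True, date(2012, 2, 15)),
    Asset("ENG-WS-01", "control", True, None),
    Asset("HIST-01", "dmz", True, date(2013, 8, 20)),
    Asset("OPC-GW-01", "dmz", True, date(2012, 6, 1)),
    Asset("JUMP-01", "dmz", True, date(2013, 1, 10)),
    Asset("PLC-01", "control", False, None),
    Asset("PLC-02", "control", False, None),
]


def report(assets: List[Asset], today: date) -> List[str]:
    """Human-readable lines: overall ratio, then one line per zone."""
    overall = compliance_metric(assets, today)
    lines = [f"overall: {overall['compliant']:.0f}/{overall['in_scope']:.0f} in-scope "
             f"systems compliant ({overall['ratio']:.0%})"]
    for zone, m in sorted(metric_by_zone(assets, today).items()):
        lines.append(f"  {zone}: {m['compliant']:.0f}/{m['in_scope']:.0f} compliant, "
                     f"{m['overdue']:.0f} overdue, {m['never']:.0f} never patched")
    return lines


if __name__ == "__main__":
    print("\n".join(report(INVENTORY, TODAY)))
```

On the constructed inventory the policy "covers" six systems, yet only three are inside the window, which is exactly the half-of-what-policy-says gap Langner describes. Counting the never-patched engineering workstation separately from merely overdue hosts matters in practice: the former usually indicates a system nobody owns, which is a staffing finding, not a patching one.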

According to Langner, RIPE is based on insights by plant floor operators, and it's really a practical approach to better locking down these environments. Deploying RIPE isn't a major undertaking that necessarily requires paying consultants, either, he says. "For example, it doesn't require a genius to assemble a system inventory," he says. And you can get system documentation from vendors and integrators without having to re-invent the wheel, he says.

Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner's argument that establishing a baseline security capability before buying security products is crucial.

"Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this," Peterson says in a blog post.

Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. "What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible," he says. "The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE."

He says he's setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available here (PDF) for download.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

jbmisc (User Rank: Apprentice), 9/18/2013 | 7:23:28 PM
re: Stuxnet Expert Proposes New Framework For ICS/SCADA Security
Hear, hear... process driven is definitely where it is at, and folks in our space (banking) are hungry for it. It's very rare that a risk assessment tells you anything you don't already know and is certainly a compliance exercise at best. For whatever reason, business professionals typically use a risk management mindset because they really don't understand comprehensive information security or cyber security. It's really a case of "you don't know what you don't know". Stop the madness!