9/4/2013
06:02 PM

Stuxnet Expert Proposes New Framework For ICS/SCADA Security

ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach

Critical infrastructure operators that have adopted the security industry's popular risk management mindset are doing it wrong, according to Ralph Langner.

Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework (PDF), which is currently in draft form.

The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a "security capability," Langner says.

"ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent," Langner told Dark Reading.

Then there's the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it's mostly only an annual patching cycle, he says. "If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are," Langner says.

The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don't have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.

"If there is one big indicator for cyber security capability, or the lack thereof, it's resources. If a power plant, refinery, oil terminal, pipeline operator--[or] you name it--doesn't even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless," Langner says.

Langner contends that risk-based approaches to security can be fudged and aren't based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets organizations determine the direction of their adoption of the framework based on which "implementation tier" they fall into, which determines the maturity of their security status.

"An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers," Langner wrote in a blog post today.

[Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. See SCADA Security 2.0.]

Risk management has basically become a "religion" in security, says Richard Bejtlich, CSO at Mandiant. "Risk management has been beaten into everyone's head, but below the business level, I don't think most IT security people" are focused on it, he says.

"No one aside from Ralph is really challenging it," Bejtlich says.

RIPE details eight areas of the plant system that should be documented and measured to determine the security posture:

1. System population: software and hardware inventory.
2. Network architecture: a network model and diagrams.
3. Component interaction: process flow diagrams.
4. Workforce roles and responsibilities: a database of identities, privileges, and policies for all staffers and contractors.
5. Workforce skills and competence development: training curriculum and records for operations and maintenance staff.
6. Procedural guidance: policies and Standard Operating Procedures.
7. Deliberate design and configuration change: plant planning and change management procedures.
8. System acquisition: procurement guidelines for systems.

There are templates for deploying each step. "I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure," Langner says. "Whoever uses RIPE will be less interested in compliance than in measurable cybersecurity assurance."

RIPE also includes metrics for benchmarking and scoring each of the eight domains.
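To make the "measurable" point concrete, here is an added illustration (not RIPE's own metrics or code, and not from the white paper) that computes two indicators of the kind the article describes over a constructed system inventory and identity database: the share of in-scope systems actually patched within the policy cycle, the gap Langner describes, and the share of identities, optionally contractors only, bound to a written ICS security policy. Field and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added illustration, not RIPE's own metrics: field and function names are this example's.
@dataclass(frozen=True)
class System:
    name: str
    in_patch_scope: bool          # policy says this system must be patched
    last_patched: Optional[date]  # None: never patched

@dataclass(frozen=True)
class Worker:
    user_id: str
    contractor: bool
    policy_bound: bool            # bound to a written ICS security policy

def patch_compliance(inventory, as_of, cycle_days):
    """(in_scope, compliant, ratio): in-scope systems patched within the policy cycle."""
    in_scope = [s for s in inventory if s.in_patch_scope]
    compliant = [s for s in in_scope if s.last_patched is not None
                 and (as_of - s.last_patched).days <= cycle_days]
    ratio = len(compliant) / len(in_scope) if in_scope else 0.0
    return len(in_scope), len(compliant), ratio

def policy_coverage(workforce, contractors_only=False):
    """Share of identities bound to the security policy, optionally contractors only."""
    group = [w for w in workforce if w.contractor or not contractors_only]
    return sum(w.policy_bound for w in group) / len(group) if group else 0.0

# Constructed sample inventory and identity database
AS_OF = date(2013, 9, 4)
INVENTORY = [
    System("hmi-01", True, date(2013, 6, 1)),    # patched this cycle
    System("hist-01", True, date(2012, 1, 15)),  # overdue
    System("eng-ws-02", True, None),             # never patched
    System("hmi-02", True, date(2013, 8, 20)),   # patched this cycle
    System("plc-gw-01", False, None),            # out of patch scope
]
WORKFORCE = [Worker("ops1", False, True), Worker("ops2", False, True),
             Worker("vendor-tech1", True, False), Worker("integrator2", True, False)]

if __name__ == "__main__":
    n, c, r = patch_compliance(INVENTORY, AS_OF, cycle_days=365)
    print(f"patch compliance: {c}/{n} = {r:.0%}")
    print(f"contractor policy coverage: {policy_coverage(WORKFORCE, True):.0%}")
```

On the sample data the policy "claims" an annual cycle for four systems, but only two of them are actually current, and no contractor identity is bound to the policy, which is the kind of gap a risk questionnaire would not surface.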

According to Langner, RIPE is based on insights by plant floor operators, and it's really a practical approach to better locking down these environments. Deploying RIPE isn't a major undertaking that necessarily requires paying consultants, either, he says. "For example, it doesn't require a genius to assemble a system inventory," he says. And you can get system documentation from vendors and integrators without having to re-invent the wheel, he says.

Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner's argument that establishing a baseline security capability before buying security products is crucial.

"Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this," Peterson says in a blog post.

Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. "What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible," he says. "The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE."

He says he's setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available here (PDF) for download.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
jbmisc,
User Rank: Apprentice
9/18/2013 | 7:23:28 PM
re: Stuxnet Expert Proposes New Framework For ICS/SCADA Security
Hear, hear. . .process driven is definitely where it is at, and folks in our space (banking) are hungry for it. It's very rare that a risk assessment tells you anything you don't already know and is certainly a compliance exercise at best. For whatever reason, business professionals typically use a risk management mindset because they really don't understand comprehensive information security or cyber security. It's really a case of "you don't know what you don't know". Stop the madness!