Stuxnet Expert Proposes New Framework For ICS/SCADA Security

ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach

Critical infrastructure operators that have adopted the security industry's popular risk management mindset are doing it wrong, according to Ralph Langner.

Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework (PDF), which is currently in draft form.

The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants: it is process-based, where the NIST-led Cyber Security Framework is risk-based. It all starts with these organizations establishing a "security capability," Langner says.

"ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent," Langner told Dark Reading.

Then there's the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, in most cases it amounts to nothing more than an annual patching cycle, he says. "If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are," Langner says.

The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don't have a dedicated security professional for their systems, and that ICS security accounts for less than one percent of what they spend on process and ICS equipment and services.

"If there is one big indicator for cyber security capability, or the lack thereof, it's resources. If a power plant, refinery, oil terminal, pipeline operator--[or] you name it--doesn't even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless," Langner says.

Langner contends that risk-based approaches to security can be fudged and aren't based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets organizations determine the direction of their adoption of the framework based on which "implementation tier" they fall into, which determines the maturity of their security status.

"An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers," Langner wrote in a blog post today.

[Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. See SCADA Security 2.0.]

Risk management has basically become a "religion" in security, says Richard Bejtlich, CSO at Mandiant. "Risk management has been beaten into everyone's head, but below the business level, I don't think most IT security people" are focused on it, he says.

"No one aside from Ralph is really challenging it," Bejtlich says.

RIPE details eight areas of the plant system that should be documented and measured to determine the security posture: system population (software and hardware inventory); network architecture (a network model and diagrams); component interaction (process flow diagrams); workforce roles and responsibilities (a database of identities, privileges, and policies for all staffers and contractors); workforce skills and competence development (training curriculum and records for operations and maintenance staff); procedural guidance (policies and Standard Operating Procedures); deliberate design and configuration change (plant planning and change management procedures); and system acquisition (procurement guidelines for systems).

There are templates for deploying each step. "I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure," Langner says. "Whoever uses RIPE will be less interested in compliance than in measurable cybersecurity assurance."

RIPE also includes metrics for benchmarking and scoring each of the eight domains.

According to Langner, RIPE is based on insights from plant-floor operators, and it is a practical approach to better locking down these environments. Deploying RIPE isn't a major undertaking that necessarily requires paying consultants, either, he says. "For example, it doesn't require a genius to assemble a system inventory," he says. And you can get system documentation from vendors and integrators without having to reinvent the wheel, he says.
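As an added illustration (not code from the RIPE white paper or from Langner), the script below shows what "measurable results" look like in practice: a constructed plant inventory is scored against the patching finding quoted above and against two of the eight RIPE domains (network architecture and workforce roles). The asset records and the metric definitions are assumptions for illustration; RIPE's actual metrics are not described on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    kind: str                   # PLC, HMI, engineering workstation, ...
    policy_patch_days: int      # max patch age allowed by plant policy; 0 = exempt
    last_patched: Optional[date]
    in_network_diagram: bool    # RIPE domain: network architecture
    owner_role: Optional[str]   # RIPE domain: workforce roles and responsibilities

# Constructed sample inventory for a hypothetical plant (not real data).
INVENTORY = [
    Asset("PLC-01", "PLC", 0, None, True, "automation engineer"),
    Asset("HMI-01", "HMI", 365, date(2013, 1, 10), True, "operator"),
    Asset("HMI-02", "HMI", 365, date(2011, 6, 2), False, "operator"),
    Asset("EWS-01", "engineering workstation", 90, date(2013, 8, 1), True, None),
    Asset("EWS-02", "engineering workstation", 90, date(2012, 2, 15), False, None),
    Asset("HIST-01", "historian", 90, None, True, "IT"),
]

def patch_compliance(assets, today_iso):
    """Count assets that policy says must be patched versus those actually
    patched within the policy window. Returns (compliant, applicable)."""
    today = date.fromisoformat(today_iso)
    applicable = [a for a in assets if a.policy_patch_days > 0]
    compliant = [a for a in applicable
                 if a.last_patched is not None
                 and (today - a.last_patched).days <= a.policy_patch_days]
    return len(compliant), len(applicable)

def documentation_coverage(assets):
    """Fraction of assets that appear in a network diagram and that have a
    named responsible role; an undocumented asset cannot be defended."""
    n = len(assets)
    return {
        "network_architecture": sum(a.in_network_diagram for a in assets) / n,
        "workforce_roles": sum(a.owner_role is not None for a in assets) / n,
    }

def capability_report(assets, today_iso):
    """Empirical capability scores (0..1) instead of a self-assessed risk tier."""
    ok, n = patch_compliance(assets, today_iso)
    report = {"patch_policy_compliance": ok / n if n else 1.0}
    report.update(documentation_coverage(assets))
    return report

if __name__ == "__main__":
    for metric, value in capability_report(INVENTORY, "2013-09-18").items():
        print(f"{metric}: {value:.2f}")
```

On the sample data the patch-policy score comes out at 0.40, matching the "only about half" pattern Langner describes; the two documentation scores show which domains a plant would have to fix before any purchased product could help.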

Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner's argument that establishing a baseline security capability before buying security products is crucial.

"Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this," Peterson says in a blog post.

Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. "What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible," he says. "The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE."

He says he's setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available for download (PDF).


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

9/18/2013 | 7:23:28 PM
re: Stuxnet Expert Proposes New Framework For ICS/SCADA Security
Hear, hear. Process driven is definitely where it is at, and folks in our space (banking) are hungry for it. It's very rare that a risk assessment tells you anything you don't already know and is certainly a compliance exercise at best. For whatever reason, business professionals typically use a risk management mindset because they really don't understand comprehensive information security or cyber security. It's really a case of "you don't know what you don't know". Stop the madness!