Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:02 PM
Connect Directly

Stuxnet Expert Proposes New Framework For ICS/SCADA Security

ICS/SCADA expert Ralph Langner shoots down risk management mindset in critical infrastructure security and proposes a more process-oriented approach

Critical infrastructure operators that have adopted the security industry's popular risk management mindset are doing it wrong, according to Ralph Langner.

Langner, the German security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, today released a proposed cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework (PDF), which is currently in draft form.

The so-called Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST-led Cyber Security Framework. It all starts with these organizations establishing a "security capability," Langner says.

"ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent," Langner told Dark Reading.

Then there's the patching conundrum for ICS/SCADA systems: while most of these organizations claim to have a patching regimen, it's mostly only an annual patching cycle, he says. "If you dig even deeper, you may find that from the systems that should have been patched per policy, only about half of them really are," Langner says.

The bottom line is that cybersecurity is a low priority in private ICS environments. Langner estimates that some 95 percent of critical infrastructure operators don't have a dedicated security professional for their systems, and their ICS security makes up less than one percent of their IT budget for process and ICS equipment and services.

"If there is one big indicator for cyber security capability, or the lack thereof, it's resources. If a power plant, refinery, oil terminal, pipeline operator--[or] you name it--doesn't even have a single individual on staff dedicated full time to ICS security, any further discussion about ICS security capability is pretty much worthless," Langner says.

Langner contends that risk-based approaches to security can be fudged and aren't based on empirical data or the reality of the ICS environment. He notes that the NIST Cyber Security Framework lets organizations determine the direction of their adoption of the framework based on which "implementation tier" they fall into, which determines the maturity of their security status.

"An organization can simply decide that their target implementation tier is zero, which basically means a completely immature cybersecurity process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers," Langner wrote in a blog post today.

[Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. See SCADA Security 2.0 .]

Risk management has basically become a "religion" in security, says Richard Bejtlich, CSO at Mandiant. "Risk management has been beaten into everyone's head, but below the business level, I don't think most IT security people" are focused on it, he says.

"No one aside from Ralph is really challenging it," Bejtlich says.

RIPE details eight areas of the plant system that should be documented and measured to determine the security posture: system population, or software and hardware inventory; network architecture, including a network model and diagrams; component interaction, or process flow diagrams; workforce roles and responsibilities, a database of identities, privileges, and policies for all staffers and contractors; workforce skills and competence development, or training curriculum and records of operations and maintenance staff; procedural guidance, aka policies and Standard Operating Procedures; deliberate design and configuration change, or plant planning and change management procedures; and system acquisition, or procurement guidelines for systems.

There are templates for deploying each step. "I would say that if you use our templates, or make other efforts to achieve measurable results in the eight domains mentioned, you have a very high chance of actually increasing your cyber security posture as an asset owner in critical infrastructure," Langner says. "Whoever uses RIPE will less be interested in compliance than measurable cybersecurity assurance."

RIPE also includes metrics for benchmarking and scoring each of the eight domains, for example.

According to Langner, RIPE is based on insights by plant floor operators, and it's really a practical approach to better locking down these environments. Deploying RIPE isn't a major undertaking that necessarily requires paying consultants, either, he says. "For example, it doesn't require a genius to assemble a system inventory," he says. And you can get system documentation from vendors and integrators without having to re-invent the wheel, he says.

Dale Peterson, CEO of ICS consulting and research firm Digital Bond, points to Langner's argument that establishing a baseline security capability before buying security products is crucial.

"Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We are often talking clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and metrics are a cogent way for us to explain and measure this," Peterson says in a blog post.

Meanwhile, Langner is hopeful that RIPE will influence the direction of the NIST Cyber Security Framework in its final form. "What we are looking at presently is a draft that was published by NIST to prompt for feedback. So in theory, changes to the CSF are possible," he says. "The bigger question is if NIST has any desire to consider changes that are pretty fundamental, as suggested by RIPE."

He says he's setting up a U.S. subsidiary to assist critical infrastructure asset owners who want to implement RIPE. A white paper on the RIPE Framework is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/18/2013 | 7:23:28 PM
re: Stuxnet Expert Proposes New Framework For ICS/SCADA Security
Here here. . .process driven is definitely where it is at, and folks in our space (banking) are hungry for it. It's very rare that a risk assessment tells you anything you don't already know and is certainly a compliance exercise at best. For whatever reason, business professionals typically use a risk management mindset because they really donGt understand comprehensive information security or cyber security. ItGs really a case of Gǣyou donGt know what you donGt knowGǥ. Stop the madness!
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.