How many times have you heard a statement like this: “Compliance does not equal security!” You’ve probably heard it many times and you can recount examples from your own experience. There is a general implication that the regulatory bodies that impose requirements on organizations (be they public or private organizations) don’t truly understand cyber security. Compliance has taken on such a negative connotation in the cyber security domain that one can feel safe in using the word with a measure of disdain.
At JPCERT’s annual control systems security conference held in Tokyo on February 5, Ralph will explain the approach chosen in the RIPE Framework towards ICS security, focusing on continuous improvement and measurable cumulative progress. It is noteworthy that the RIPE approach aligns perfectly with the Japanese concept of Kaizen that was and continues to be a major factor in propelling the Japanese automobile industry to a leading global market position, copied by international competitors.
Ralph Langner and Perry Pederson will both be speaking at ICSage, an international conference on cyber weapons organized by Digital Bond as a new addendum to their popular SCADA Security Scientific Symposium (S4). The conference will be held on January 17 in Miami.
Ralph will do a Q & A on stage about cyber weapons in the wake of Stuxnet. His last appearance at S4 was two years ago when he took the audience for a Stuxnet Deep Dive, a line-by-line explanation of central pieces of Stuxnet’s attack code which is regarded as the most technical talk on the subject to date.
Perry will give a backgrounder on Project Aurora, the DHS-funded (successful) experiment to destroy an electrical generator by a cyber attack. While demonstrated to be a valid attack vector, the Aurora vulnerability still exists in the majority of electrical generators to date, waiting to be exploited.
“The Stuxnet malware makes for a textbook example of how interaction of these layers can be leveraged to create physical destruction by a cyber attack. Visible through the various cyber-physical exploits is the silhouette of a methodology for attack engineering that can be taught in school and can ultimately be implemented in algorithms.”
Such is written in To Kill a Centrifuge. As a case in point, Ralph will give a lecture on cyber weapons at Harvard on January 13, 2014, hosted by Brigadier General Kevin Ryan (U.S. Army retired), Director, Defense and Intelligence Projects at Harvard Kennedy School’s Belfer Center for Science and International Affairs.
Langner’s final analysis of the Stuxnet malware comes with several surprises that call for a re-assessment of Operation Olympic Games. The report, summing up three years of research and including plant floor footage from Natanz, comes with a comprehensive decomposition of Stuxnet’s “forgotten” attack against S7-417 controllers. It explains the attacked cascade protection system in detail and puts the two attacks in context, arriving at conclusions about shifting priorities during the operation.
Major surprises include:
- The attack against the S7-417 is the ultimate in aggressiveness and stealthiness; without the later (and less sophisticated) Stuxnet variant that received so much public attention, it would never have been discovered.
- In the 417 attack, compromise is carried forward to the field level, manipulating sub-controllers for pressure control.
- During mission progress, the attackers went from complex and stealthy to simple and crude, accepting the risk of discovery.
The report also addresses common misconceptions about Stuxnet, such as the theory that the malware would have escaped from Natanz due to a programming error, or that nation-state capabilities would be required to pull off copycat attacks against critical infrastructure installations.
Last but not least, an analysis of plant floor footage shows that Iran has changed the design of its centrifuge cascades to allow for dynamic reconfiguration by valves, which has implications for the time needed to break out of the IAEA regime and produce weapons-grade highly enriched uranium.
Ralph Langner is expanding his consulting business to the United States and managed to recruit a true luminary in the world of ICS security: Perry Pederson, well-known to most in the critical infrastructure protection community, is co-founder of The Langner Group (based in Arlington, VA) and will be in the driver’s seat for US operations, starting at the beginning of next year.
Perry began protecting critical infrastructure against cyber attacks with the US Department of Defense and continued that effort as the Director of the Control Systems Security Program (CSSP) at the US Department of Homeland Security. At DHS, he managed projects such as AGA-12 (cryptographic protection of SCADA communications) and the Aurora project, where it was demonstrated that electrical generators can be destroyed by a cyber attack. Perry then moved to the US Nuclear Regulatory Commission, where he helped to build the regulatory framework for cyber security at US nuclear power reactors, and has consulted with the International Atomic Energy Agency on applying security controls to digital instrumentation and control systems globally. He received the 2006 SANS Process Control / SCADA Security leadership award and served as an inaugural member of the Governing Board of the Smart Grid Interoperability Panel.
Says Ralph, “I’m truly excited to get Perry on board. There is only a handful of talented people out there with his experience and integrity. With this strategic move we now do have a good chance to make a difference in protecting critical infrastructure against sophisticated cyber attacks.”
No, say Nadia Heninger and Alex Halderman in a recent article in Foreign Affairs. Their verdict is based on evidence that NIST had standardized and promoted a weak encryption algorithm in order to allow the NSA to crack the respective implementations easily.
“There is now credible evidence that the NSA has pushed NIST, in at least one case, to canonize an inferior algorithm designed with a backdoor for NSA use. Dozens of companies implemented the standardized algorithm in their software, which means that the NSA could potentially get around security software on millions of computers worldwide. Many in the crypto community now fear that other NIST algorithms may have been subverted as well. Since no one knows which ones, though, some renowned cryptographers are questioning the trustworthiness of all NIST standards.”
“Risk assessments are always, by design, subjective exercises. (…) Organizations should measure facts about the process of risk assessment itself, rather than worry too much about how to quantify the risk.”
Last week NIST published a draft of the US government’s Cyber Security Framework (CSF). If the CSF were a recipe used by three different chefs, one of them could end up with fish soup, the next with apple pie, and the third with nothing but a messy kitchen. In less metaphorical words, a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results. The CSF is just another take on how to approach cyber risk in a way that is somehow aligned with NIST-800, ISA-99/IEC-62443, NERC CIP, ISO/IEC 27001, ES-C2M2, and COBIT. However, application of the CSF has no predictable effect on empirical system properties and measurable cyber security assurance.
There are two major reasons for this. The first is the reliance on the concept of risk, which was, oddly enough, mandated by Presidential Executive Order 13636. Regardless of the popularity of risk parlance, risk-based approaches in ICS security lack empirical foundation, and the outcome of a risk assessment can be stretched in any direction. For an in-depth discussion see the Bound To Fail paper by Ralph Langner and Perry Pederson.
The second reason is the introduction of implementation tiers in the CSF, which basically correspond to cyber security capability maturity levels. According to the CSF, the organization is free to choose its desired implementation tier, depending on organizational goals and feasibility. Quote: “Organizations should determine the desired Tiers at the Category level, ensuring that the selected levels meet the organizational goals, reduce cybersecurity risk to critical infrastructure, and are feasible to implement”. An organization can simply decide that its target implementation tier is zero, which basically means a completely immature cyber security process, and still be conformant with the CSF. The CSF allows any organization, no matter how good or bad at cyber security, to be CSF-conformant. It makes everybody happy. Everybody, including potential attackers.
So what does a cyber security framework need to look like that avoids these flaws and makes a difference? We created one for industrial control system installations that we call RIPE, an acronym for Robust ICS Planning and Evaluation. A brief description of the framework is given in a technical whitepaper that is available for download. Asset owners interested in implementing RIPE are encouraged to contact us.