From metadata to model-driven OT security, or why you don’t really need content

Of all the OT security startups of the last couple of years, the vast majority focus on network monitoring, trying to identify malicious packets in real time. Whether you look at Dragos, NexDefense, RadiFlow, or SecurityMatters (to name just a few), their basic technology is deep packet inspection, even when it goes by fancier names such as “deep protocol behavior inspection”. In this niche, the terms of the trade are PCAP (packet capture) files, IP addresses, and anomaly detection.

However, this trend, if it is one, may be driven more by the capability of software developers to use Snort than by the technology’s demonstrated success in spotting cyber-physical attacks (the more sophisticated ones will never show up in wire traffic). Even more puzzling, the deep packet inspection game, with its obvious self-limitation to network packets, is anything but logical. Let’s examine why. Read more »



What is the one thing engineers need to be reminded of?

I cannot even tell you how many times I have seen the Wizard of Oz. It was a family tradition in an era with only three television channels and the programming was still mostly black and white. So, forgive me if I see the parallels. Unlike the fairy tales of my youth, the current fantasy of connecting everything to everything may not have a happy ending. But, if it is to be a happy ending, it’s the engineers that will lead the way. Perhaps, like Dorothy, some have forgotten that they’ve always had the power.

Read more »



The five top reasons why spreadsheets are a bad choice for OT system inventories

A majority of asset owners try to keep track of their OT infrastructure using spreadsheet applications such as Microsoft Excel. We explain the severe limitations of this approach for today’s complex digital environments. Read more »



RIPE 16 to be released in two weeks

RIPE, the Robust ICS Planning and Evaluation Program by The Langner Group, is continually improved based on real-world customer feedback. We produce new versions annually. The new version, dubbed RIPE 16 (16 instead of 2016), will be released at the beginning of May. Here are some of the highlights. Read more »



RIPE NIST CSF Profile for OT



Reader’s Digest Version of the Ukraine Story

ICS-CERT published an alert on the Ukrainian power outage based on a series of interviews that representatives of the US government conducted in Ukraine. Here’s a reader’s digest version. Read more »



Nitro Zeus Fact Check and Big Picture

Documentary filmmakers have uncovered plans for an extended cyber attack against Iran, code-named Nitro Zeus. While I appear in the movie, I haven’t seen it yet and base the following on the reporting in the New York Times. Read more »



Asset owners see cyber security as the biggest challenge of the Industrial Internet

If you follow the media coverage of the Industrial Internet (of Things), you may already have realized that reporters and vendors alike have become a bit angry about the slow adoption of the concept and its associated products and services. Why are plant managers slow to jump on a bandwagon that promises breakthrough growth in productivity and revenue, and threatens doom if you don’t? A recent survey among asset owners provides answers.

Read more »



What is the Value of Assessing OT Networks?

Carnac the Magnificent

Carnac the Magnificent was a character played by Johnny Carson on late night television. He had mystic powers that allowed him to know the answers to questions he had not seen. He would proclaim the answer and then open the envelope, wherein he would find the question. Cyber security assessments seem to be like this. In other words, with some statistical shoring, Carnac the Magnificent could probably divine the current cyber security posture of your operational technology (OT) environment. He could choose from the following list and be right more often than the local fortune teller:


  1. Your asset inventory is subpar
  2. Your network diagrams are incomplete and/or outdated
  3. Your firewalls are misconfigured
  4. Your network is not properly architected
  5. You have access control issues
  6. There is unmonitored Web browsing from the control network
  7. Etc., etc., etc.


An assessment does indeed provide a “to-do” list and may provide some leverage in the next budget cycle. You may even be required by regulation to have a third-party perform an assessment for you. In any case, don’t lose sight of the true objective. The true objective is to determine the root cause of these symptoms and deal with the disease directly rather than with symptoms after the fact.


In many instances, the major root cause is the lack of a dedicated OT security program. Obviously, you can (and many do) just point to a document on the shelf and say you have a program. However, an effective program is backed by adequate organizational resources (dedicated budget, empowerment, accountability) and a robust governance process with comprehensive reporting. This is what is typically found on the IT side of the equation, but OT remains the proverbial “blind spot.”


There are different levels of rigor to OT cyber security assessments, and you may not be ready (i.e., your management may not be ready) for a full-blown, in-depth walk-down assessment. You may have to start with a smaller-scoped effort. To help get you started, The Langner Group has developed a self-assessment tool based on our RIPE framework, which is being used in sectors from nuclear to water. The tool is called the RIPE Self-Assessment Tool (RSAT), and there is no cost or obligation to use it.


Tool link: RIPE Self-Assessment Tool (RSAT)


So, by all means, get that assessment done, but take a larger view of the findings. Like Carnac the Magnificent, you may already know the answer, but look beyond the answers to find the question: what is the root cause of all these symptoms? As a person responsible for the health of your company’s revenue generating processes, you owe it to yourself and management to make the case to cure the disease.




The Langner Group sponsors S4

The Langner Group sponsors the SCADA Security Scientific Symposium, or S4 for short, which is being held by Digital Bond in Miami from Jan 12-15, 2016.

S4 has emerged as the primary ICS security conference over the last couple of years, and it is no surprise that Ralph has attended every single conference since 2007, when S4 was introduced. The only other person to attend all S4 conferences — except Dale Peterson himself — is Zach Tudor, who now, to our great honour, is a member of the RIPE SME Advisory Board, which independently reviews and validates RIPE instruments.

Ralph has presented at S4 four times. His Stuxnet Deep Dive was judged by Dale to be the quintessential S4 talk. The talk was also filmed by CBS’ 60 Minutes and appears in their episode on Stuxnet, presented by Steve Kroft.

At S4x16 we will present the myRIPE Operations Technology Management System, which is, in a nutshell, RIPE put into a user-friendly, high-powered software package.

Don’t miss the action in Miami in January — and, if you have visited previous S4 conferences… don’t forget to thank Ralph for eight long years of tedious work of convincing Dale to move the whole show to SoBe, avoiding boring bus shuttles.
