Another nuclear power plant adopts the RIPE OT Security Program

Finnish nuclear operator Fennovoima has adopted the RIPE OT Security Program for their Hanhikivi-1 nuclear power plant.

The step is significant because the reactor is presently in the planning stage. By incorporating the RIPE Program in the planning phase, Fennovoima assures that OT security is done right from the beginning instead of getting bolted on after commissioning. Vendors and contractors are bound to cyber policy from day one, and system designers follow secure design guidelines and documentation procedures.

Hanhikivi-1 features the new AES-2006 reactor with a thermal power of 3200 MW and an electrical output of 1200 MW. The new build will act as a reference design for other nuclear power plants using this reactor type.

Fennovoima isn’t the first nuclear facility to use RIPE in order to protect against cyber attacks and become compliant with regulation. Other nuclear facilities using the RIPE OT Security Program are:

Loviisa Nuclear Power Plant

  • Operator: Fortum
  • 2 units with VVER-440 pressurized water reactors (1000 MW electrical output)

Olkiluoto Nuclear Power Plant

  • Operator: TVO
  • 2 units with VVER-860 boiling water reactors (1740 MW electrical output)
  • 1 unit with EPR pressurized water reactor (1600 MW electrical output)

Posiva Final Nuclear Waste Storage

  • Operator: Posiva
  • The world’s first final nuclear waste storage

However, the RIPE OT Security Program isn’t just used in the nuclear sector. Presently, RIPE is used to protect more than 1000 plants in the chemical industry, the pharmaceutical industry, and in the electric power industry.

Contact The Langner Group today to find out how to jump-start your OT security effort with a proven and trusted standardized solution.



Energy giant Fortum rolls out RIPE OT security program to fleet of 400 power plants

In 2014, energy giant Fortum selected The Langner Group’s RIPE Program to provide a robust, comprehensive program for managing the cyber security of its nuclear power plants. Fortum was so impressed by the positive results they achieved in their most critical facility that they have selected the RIPE Program to be their OT security standard for their nearly 400 power generation facilities in seven countries.

Fortum’s cyber security manager Tomas Nystrom on the decision to go global with RIPE:

“By implementing the RIPE Program, we created a standardized documentation system with consistently applied solutions, clear policies, standard operating procedures, and training. Most importantly, we had a way to measure our progress on every element. In doing so, we not only identified and corrected configuration issues, we are now able to quickly troubleshoot and perform root cause analyses, saving us hundreds of hours of engineering time.”

Read the full story here (PDF).




Two Steps to IIoT Security Nirvana

Yes, of course this is a simplification, but just because it’s obvious, does not mean it’s wrong.

You can indeed begin your journey to IIoT security nirvana by adopting this simple two-step strategy. While the details matter, this simple two-step strategy can help you quickly discern what is helping you on your journey or what is a distraction or worse, a complete waste of your time.

Step 1 – Get a complete and accurate system inventory that includes hardware and software. Furthermore, capture the meta data as well. Meta data can also be described as the context. For example, where exactly is that system/device located? What is its function? This additional information is important for trouble shooting and maintenance as well as security, that you can never discover by using deep packet inspection. How can you possibly secure something that you don’t even know exists? Automated discovery tools can help accelerate the process, but at some point you’ll have to roll-up your sleeves and do a full walkdown if you really want to know what you have. After all that work, it would certainly make sense to implement some kind of change control so your investment of time and effort is not wasted.

Step 2 – Produce complete and accurate network and data flow diagrams. Admittedly, this will take significant time and effort. In some cases, it may even require reverse engineering the network because it has grown organically over time to the point where you are no longer sure what is connected to what. Furthermore, if you can already admit that you are not sure what is connected to what, then you certainly don’t understand system dependencies. The network diagrams help you see connections between systems while the data flow diagrams help you see the interdependencies. Just like the system inventory, the network and data flow diagrams are critical to efficient trouble shooting and maintenance as well as better security. Similar to capturing a system inventory, automated tools can help, but you will have to fill-in the blanks yourself.

If you can just focus on these two steps, then so much of your other work can build on a solid foundation. Not only that, but this repository of system information also supports the process of knowledge transfer as you bring on new engineering staff. How refreshing would it be to have a measure of confidence in the system documentation when faced with an unexpected plant trip?

The Langner Group can provide you with the configuration management database (CMDB) that can support your journey to IIoT security nirvana and it’s called myRIPE. The myRIPE software has many additional capabilities that can make your journey much easier and faster. Contact us today at for an online demo and see what myRIPE can do for you.




From metadata to model-driven OT security, or why you don’t really need content

From all the OT security startups in the last couple of years, the vast majority focuses on network monitoring, trying to identify malicious packets in realtime. No matter if you look at Dragos, NexDefense, RadiFlow, SecurityMatters (to name just a few), their basic technology is deep packet inspection, even when it is called more fancy names like “deep protocol behavior inspection”. In this niche, the terms of the trade are PCAP (packet capture) files, IP addresses, and anomaly detection.

However, this trend, if it is one, may be driven more by the capability of software developers to use Snort rather than by the technology’s demonstrated great success in spotting cyber-physical attacks (the more sophisticated ones will never show up in wire traffic). Even more puzzling, the deep packet inspection game with its obvious self-limitation to network packets is anything but logical. Let’s examine why. Read more »



What is the one thing engineers need to be reminded of?

I cannot even tell you how many times I have seen the Wizard of Oz. It was a family tradition in an era with only three television channels and the programming was still mostly black and white. So, forgive me if I see the parallels. Unlike the fairy tales of my youth, the current fantasy of connecting everything to everything may not have a happy ending. But, if it is to be a happy ending, it’s the engineers that will lead the way. Perhaps, like Dorothy, some have forgotten that they’ve always had the power.

Read more »



The five top reasons why spreadsheets are a bad choice for OT system inventories

A majority of asset owners tries to keep track of their OT infrastructure using spreadsheet applications such as Microsoft Excel. We explain the severe limitations of this approach for today’s complex digital environments. Read more »



RIPE 16 to be released in two weeks

RIPE, the Robust ICS Planning and Evaluation Program by The Langner Group, is continually improved based on real-world customer feedback. We produce new versions annually. The new version, dubbed RIPE 16 (16 instead of 2016), will be released at the beginning of May. Here are some of the highlights. Read more »



RIPE NIST CSF Profile for OT



Reader’s Digest Version of the Ukraine Story

ICS-CERT published an alert on the Ukrainean power outage based on a series of interviews that representatives of the US government had conducted in Ukraine. Here’s a reader’s digest version. Read more »



Nitro Zeus Fact Check and Big Picture

Documentary film makers have uncovered plans for an extended cyber attack against Iran, code-named Nitro Zeus. While I appear in the movie, I haven’t seen it yet and base the following on the reporting in the New York Times. Read more »

Older posts «