Jun 14, 2016

Two Steps to IIoT Security Nirvana

Yes, of course this is a simplification, but just because it’s obvious does not mean it’s wrong.

You can indeed begin your journey to IIoT security nirvana by adopting this simple two-step strategy. While the details matter, this strategy can help you quickly discern what is helping you on your journey and what is a distraction or, worse, a complete waste of your time.

Step 1 – Get a complete and accurate system inventory that includes hardware and software. Capture the metadata as well. Metadata can also be described as the context. For example, where exactly is that system/device located? What is its function? This additional information, which you can never discover by using deep packet inspection, is important for troubleshooting and maintenance as well as security. How can you possibly secure something that you don’t even know exists? Automated discovery tools can help accelerate the process, but at some point you’ll have to roll up your sleeves and do a full walkdown if you really want to know what you have. After all that work, it would certainly make sense to implement some kind of change control so your investment of time and effort is not wasted.

Step 2 – Produce complete and accurate network and data flow diagrams. Admittedly, this will take significant time and effort. In some cases, it may even require reverse engineering the network because it has grown organically over time to the point where you are no longer sure what is connected to what. Furthermore, if you can already admit that you are not sure what is connected to what, then you certainly don’t understand system dependencies. The network diagrams help you see connections between systems, while the data flow diagrams help you see the interdependencies. Just like the system inventory, the network and data flow diagrams are critical to efficient troubleshooting and maintenance as well as better security. As with capturing a system inventory, automated tools can help, but you will have to fill in the blanks yourself.

If you can just focus on these two steps, then so much of your other work can build on a solid foundation. Not only that, but this repository of system information also supports the process of knowledge transfer as you bring on new engineering staff. How refreshing would it be to have a measure of confidence in the system documentation when faced with an unexpected plant trip?

The Langner Group can provide you with the configuration management database (CMDB) that can support your journey to IIoT security nirvana and it’s called myRIPE. The myRIPE software has many additional capabilities that can make your journey much easier and faster. Contact us today at info@langner.com for an online demo and see what myRIPE can do for you.

 

May 17, 2016

From metadata to model-driven OT security, or why you don’t really need content

Of all the OT security startups in the last couple of years, the vast majority focus on network monitoring, trying to identify malicious packets in real time. No matter if you look at Dragos, NexDefense, RadiFlow, SecurityMatters (to name just a few), their basic technology is deep packet inspection, even when it is called by fancier names like “deep protocol behavior inspection”. In this niche, the terms of the trade are PCAP (packet capture) files, IP addresses, and anomaly detection.

However, this trend, if it is one, may be driven more by the capability of software developers to use Snort than by the technology’s demonstrated great success in spotting cyber-physical attacks (the more sophisticated ones will never show up in wire traffic). Even more puzzling, the deep packet inspection game with its obvious self-limitation to network packets is anything but logical. Let’s examine why.

May 14, 2016

What is the one thing engineers need to be reminded of?

I cannot even tell you how many times I have seen the Wizard of Oz. It was a family tradition in an era with only three television channels and the programming was still mostly black and white. So, forgive me if I see the parallels. Unlike the fairy tales of my youth, the current fantasy of connecting everything to everything may not have a happy ending. But, if it is to be a happy ending, it’s the engineers that will lead the way. Perhaps, like Dorothy, some have forgotten that they’ve always had the power.


May 01, 2016

The five top reasons why spreadsheets are a bad choice for OT system inventories

A majority of asset owners try to keep track of their OT infrastructure using spreadsheet applications such as Microsoft Excel. We explain the severe limitations of this approach for today’s complex digital environments.

Apr 16, 2016

RIPE 16 to be released in two weeks

RIPE, the Robust ICS Planning and Evaluation Program by The Langner Group, is continually improved based on real-world customer feedback. We produce new versions annually. The new version, dubbed RIPE 16 (16 instead of 2016), will be released at the beginning of May. Here are some of the highlights.

Mar 25, 2016

RIPE NIST CSF Profile for OT

Mar 01, 2016

Reader’s Digest Version of the Ukraine Story

ICS-CERT published an alert on the Ukrainian power outage based on a series of interviews that representatives of the US government had conducted in Ukraine. Here’s a reader’s digest version.

Feb 22, 2016

Nitro Zeus Fact Check and Big Picture

Documentary film makers have uncovered plans for an extended cyber attack against Iran, code-named Nitro Zeus. While I appear in the movie, I haven’t seen it yet and base the following on the reporting in the New York Times.

Feb 09, 2016

Asset owners see cyber security as the biggest challenge of the Industrial Internet

If you follow the media coverage of the Industrial Internet (of Things), you may already have realized that reporters and vendors alike have become a bit angry about the slow adoption of the concept and its associated products and services. Why are plant managers slow to jump on a bandwagon that promises breakthrough growth in productivity and revenue, and threatens doom if you don’t? A recent survey among asset owners provides answers.


Feb 06, 2016

What is the Value of Assessing OT Networks?

Carnac the Magnificent

Carnac the Magnificent was a character played by Johnny Carson on late night television. He had mystic powers that allowed him to know the answers to questions he had not seen. He would proclaim the answer and then open the envelope, wherein he would find the question. Cyber security assessments seem to be like this. In other words, with some statistical shoring, Carnac the Magnificent could probably divine the current cyber security posture of your operational technology (OT) environment. He could choose from the following list and be right more often than the local fortune teller:

 

  1. Your asset inventory is subpar
  2. Your network diagrams are incomplete and/or outdated
  3. Your firewalls are misconfigured
  4. Your network is not properly architected
  5. You have access control issues
  6. There is unmonitored Web browsing from the control network
  7. Etc., etc., etc.

 

An assessment does indeed provide a “to-do” list and may provide some leverage in the next budget cycle. You may even be required by regulation to have a third party perform an assessment for you. In any case, don’t lose sight of the true objective. The true objective is to determine the root cause of these symptoms and deal with the disease directly rather than with symptoms after the fact.

 

In many instances, the major root cause is the lack of a dedicated OT security program. Obviously, you can (and many do) just point to a document on the shelf and say you have a program. However, an effective program is backed by adequate organizational resources (dedicated budget, empowerment, accountability) and a robust governance process with comprehensive reporting. This is what is typically found on the IT side of the equation, but OT remains the proverbial “blind spot.”

 

There are different levels of rigor to OT cyber security assessments and you may not be ready (i.e., your management may not be ready) for a full-blown, in-depth walk-down assessment. You may have to start with a smaller-scoped effort. To help get you started, The Langner Group has developed a self-assessment tool based on our RIPE framework, which is being used in sectors from nuclear to water. The tool is called RIPE Self-Assessment Tool (RSAT) and there is no cost or obligation to use it.

 

Tool link: RIPE Self-Assessment Tool (RSAT)

 

So, by all means, get that assessment done, but take a larger view of the findings. Like Carnac the Magnificent, you may already know the answer, but look beyond the answers to find the question: what is the root cause of all these symptoms? As a person responsible for the health of your company’s revenue generating processes, you owe it to yourself and management to make the case to cure the disease.

 
