RIPE, the Robust ICS Planning and Evaluation Program by The Langner Group, is continually improved based on real-world customer feedback. We produce new versions annually. The new version, dubbed RIPE 16 (16 instead of 2016), will be released at the beginning of May. Here are some of the highlights. Read more »
If you follow the media coverage of the Industrial Internet (of Things), you may already have realized that reporters and vendors alike have become a bit angry about the slow adoption of the concept and its associated products and services. Why are plant managers slow to jump on a bandwagon that promises breakthrough grows in productivity and revenue, and threatens doom if you don’t? A recent survey among asset owners provides answers.
Carnac the Magnificent was a character played by Johnny Carson on late night television. He had mystic powers that allowed him to know the answers to questions he had not seen. He would proclaim the answer and then open the envelope, wherein he would find the question. Cyber security assessments seem to be like this. In other words, with some statistical shoring, Carnac the Magnificent could probably divine the current cyber security posture of your operational technology (OT) environment. He could choose from the following list and be right more often than the local fortune teller:
- Your asset inventory is subpar
- Your network diagrams are incomplete and/or outdated
- Your firewalls are misconfigured
- Your network is not properly architected
- You have access control issues
- There is unmonitored Web browsing from the control network
- Etc., etc., etc.
An assessment does indeed provide a “to-do” list and may provide some leverage in the next budget cycle. You may even be required by regulation to have a third-party perform an assessment for you. In any case, don’t lose sight of the true objective. The true objective is to determine the root cause of these symptoms and deal with the disease directly rather than with symptoms after the fact.
In many instances, the major root cause is the lack of a dedicated OT security program. Obviously, you can (and many do) just point to a document on the shelf and say you have a program. However, an effective program is backed by adequate organizational resources (dedicated budget, empowerment, accountability) and a robust governance process with comprehensive reporting. This is what is typically found on the IT side of the equation, but OT remains the proverbial “blind spot.”
There are different levels of rigor to OT cyber security assessments and you may not be ready (i.e., your management may not be ready) for a full-blown in depth walk-down assessment. You may have to start with a smaller scoped effort. To help get you started, The Langner Group has developed a self-assessment tool based on our RIPE framework which is being used in sectors from nuclear to water. The tool is call RIPE Self-Assessment Tool (RSAT) and there is no cost or obligation to use it.
Tool link: RIPE Self-Assessment Tool (RSAT)
So, by all means, get that assessment done, but take a larger view of the findings. Like Carnac the Magnificent, you may already know the answer, but look beyond the answers to find the question: what is the root cause of all these symptoms? As a person responsible for the health of your company’s revenue generating processes, you owe it to yourself and management to make the case to cure the disease.
The Langner Group sponsors the SCADA Security Scientific Symposium, or S4 for short, which is being held by Digital Bond in Miami from Jan 12-15 2016.
S4 emerged as the primary ICS security conference over the last couple of years, and it is no surprise that Ralph has attended every single conference since 2007 when S4 was introduced. The only other person to attend all S4 conferences — except Dale Peterson himself – is Zach Tudor who now, to our great honour, is a member of the RIPE SME Advisory Board which independently reviews and validates RIPE instruments.
Ralph presented at S4 four times. His Stuxnet Deep Dive was judged by Dale as the quintessential S4 talk. The talk was also filmed by CBS’ 60 Minutes and appears in their episode on Stuxnet, moderated by Steve Kroft.
At S4x16 we will present the myRIPE Operations Technology Management System, which is, in a nutshell, RIPE put into a user-friendly, high-powered software package.
Don’t miss the action in Miami in January — and, if you have visited previous S4 conferences… don’t forget to thank Ralph for eight long years of tedious work of convincing Dale to move the whole show to SoBe, avoiding boring bus shuttles.
Two more nuclear facilities are introducing the RIPE OT Security and Robustness Program to address cyber security in a sustainable and measurable manner, and to comply with tightened regulation at the same time.
Olkiluoto Nuclear Power Plant
The Olkiluoto nuclear power plant, operated by TVO, consists of three units. Unit 1 and 2 produce 860 MW power each and are operational since 1979 and 1982. Unit 3 is in the construction phase and is scheduled to go on the grid in 2018, delivering additional 1600 MW electrical power.
Since the Loviisa nuclear power plant, operated by Fortum, is already covered under RIPE, the recent deal means that the whole nuclear power production of one country (Finland) is now protected against cyber threats by The Langner Group’s RIPE program.
Posiva Spent Fuel Storage Facility
The other facility now covered by RIPE is the Finnish spent fuel storage, operated by Posiva. We believe this development is particularly important because Finland is one of the first countries to extend cyber security regulation to the fuel cycle, thereby underlining its globally leading position in nuclear cyber security.
This weekend, Nobel laureate John Nash died in a car accident. If there is any theory I could think of that could explain what we’re seeing in international cyber conflict, I believe it’s his theory of non-cooperative games, especially the “Nash equilibrium”. The theory is the centerpiece of Nash’s 30 page inaugural dissertation from 1950, simply titled non-cooperative games.
The Nash equilibrium basically expresses that adversaries may arrive at a choice of strategy that minimizes their mutual losses, thereby reaching a stable state. Read more »
In 2013 Ralph wrote this brief ten point manifesto that became one of the foundational pieces of the RIPE OT Security and Robustness Program. Two years later, it still looks pretty accurate.
- By addressing the problem of critical infrastructure cyber insecurity with security concepts and appliances borrowed from IT, we have tried to cure the symptoms rather than the disease.
- We have been poking around in largely undocumented digital environments guided by fuzzy threat intelligence, and applied band-aids (a.k.a. security controls) as the remedy of choice. However, a threat-driven approach to critical infrastructure cyber security is like wagging the dog. Being reactive by default, it fails to address the prevalent problem of systems that are insecure by design rather than because of software defects that would just needed to be “patched”, or hidden behind a firewall.
- We have been focusing on determining appropriate target security levels for individual plants rather than on establishing the means to reliably maintain any given security level regardless of criticality or industry. We have taken cyber security capability for granted without ever bothering to understand its characteristics and requirements.
- The design, configuration, operation and maintenance of industrial control systems in any reasonably secure manner requires a governance process. In absence of such a governance process, the security or insecurity of ICS applications and environments will always be subject to non-controllable external forces such as new vulnerabilities, new contractors who violate policy, or new threats, resulting in a constant decay of cyber security.
- The governance process is not threat-driven. It is a proactive and continuous activity based on the understanding that a non-governed cyber environment is insecure by default. Today, non-governed cyber environments are the norm in ICS installations. The popular excuse is that environments have “grown organically” (which is actually not an excuse but just stating a fact). However they will continue to “grow” until restricted by governance.
- The two major areas of the governance process are asset and configuration management (on the technology side), and workforce and supply chain management (on the people and procedures side).
- The foundation of the governance process is a verifiable cyber system and process model. Such a model can be created and maintained easily because system complexity is very low compared to IT environments, and most control system installations are extremely static. Creating a system and process model for an existing installation may require sweat, but it is anything but an intellectual or technological challenge.
- The governance process is identical for all industries. The basic activities of the governance process can be standardized in form of templates and can be audited in order to establish compliance.
- The task of setting appropriate target security levels can be isolated from the governance process as such. Setting target security levels may be based on the concept of risk, or may be based on alternative, policy-driven concepts.
- Based on a cyber security governance framework, templates can be extended and fine-tuned to measure and achieve sector-specific and application-specific performance targets. A framework of standardized templates and performance indicators also offers the opportunity for meaningful information sharing and benchmarking.