Apr 15, 2014

NIST CSF under the microscope, part 2

In the first part of our analysis of the NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we saw that the Framework is more a conceptual model of how to talk and think about cyber risk than a method to systematically and verifiably reduce such risk to agreed-upon levels.

This would not be bad per se if the NIST CSF hadn’t been sold as the government’s response to, in President Obama’s words, one of the most serious national security challenges we must confront. The CSF was not developed to protect a family-owned cookie factory against spam mail, but systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters, also called the Critical Infrastructure.


Apr 13, 2014

Quote of the day

“Traditionally, the cybersecurity community has formulated policies in terms of three kinds of requirements:

  • Confidentiality refers to which principals are allowed to learn what information.
  • Integrity refers to what changes to the system (stored information and resource usage) and to its environment (outputs) are allowed.
  • Availability refers to when must inputs be read or outputs produced.

This classification, as it now stands, is likely to be problematic as a basis for the laws that form a science of cybersecurity.”

Fred B. Schneider, Blueprint for a science of cyber security

Apr 11, 2014

NIST CSF under the microscope, part 1

Half a year ago we already looked at the draft NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (CSF), pointing out some puzzling flaws. Now that version 1.0 has been out for two months, we check in a multi-part blog post whether things have improved.


Apr 05, 2014

Whitepaper on cyber security in nuke plants shows that RIPE meets regulatory criteria

There is hardly any place where cyber security matters more than in nuclear power plants. That’s why regulators around the world demand that operators of nuke plants demonstrate that their control and safety systems show high assurance against cyber attacks. In the United States, such regulation is distilled into a brief one-and-a-half page document.

In a new whitepaper titled A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants, The Langner Group’s Perry Pederson explains the NRC’s cyber regulation and discusses how it is implemented in NRC’s own Regulatory Guide 5.71 and in the Nuclear Energy Institute’s NEI 08-09 guideline. It is convincingly demonstrated that the RIPE Cyber Security Framework not only meets NRC’s criteria for high cyber security assurance, but also does so arguably more cost-efficiently than the official cyber security programs published by NRC and the industry.

If you want to learn more about The Langner Group’s cyber defense strategy and packaged service offerings for the nuclear industry, ask for our nuclear solution portfolio by email or phone.

Mar 26, 2014

Cyber chat @Brookings: Listen to the podcast

Two weeks ago the Brookings Institution hosted a round table with Ralph, Peter Singer, Richard Bejtlich, and Ian Wallace. The discussion was recorded and is available as a podcast.

Topics discussed range from the NIST Cyber Security Framework via the crisis in Ukraine and the Target breach to the fallout of the Snowden revelations. Ralph also focuses briefly on the subject of cyber-physical attack engineering — the application of technical analysis and experiments to identify and implement alterations of cyber systems that cause direct harmful physical effects — and its implications for the future of cyber conflict.

Mar 22, 2014

ICS Risk Management Pocket Reference

Security practitioners in the field are admonished time and again to manage the risk, yet are left with a bewildering array of risk management philosophies and methodologies to choose from. Every agency or standards body has put its stamp of approval on a particular approach to “risk inform” your process, along with the appropriately colorful visual model to show just how this risk model works to manage risk. However, through diligent study and deep technical analysis, some common threads have emerged, and the results are presented here in simplified flow chart form for easy digestion.

Mar 15, 2014

Back to the Future: Putting analog hard stops to cyber attacks

While the “Internet of things” may not live up to the hype, the world is going digital. It seems like an inexorable trend away from analog at gigabit speed. In some odd way the move to digital seems like a self-fulfilling prophecy as we hard-code the potential for a disaster into our future.

There are, of course, several good reasons for this accelerating trend in the control systems domain. Most often we hear statements like ‘digital is cheaper, more convenient (because of remote operation), and more flexible (because of its programmability)’ or ‘we simply can’t find the analog systems or expertise anymore’. During a recent session at the Nuclear Regulatory Commission’s (NRC’s) Regulatory Information Conference (RIC) this sentiment was expressed adamantly by Mr. Tony Pietrangelo, Senior Vice President and Chief Nuclear Officer, Nuclear Energy Institute (NEI), when he said the lack of movement to digital was “shameful”.

Mar 13, 2014

Reflections on the RIC

The Nuclear Regulatory Commission’s (NRC) Regulatory Information Conference (RIC) is typically three days full of information ranging from high-level policy as conveyed by the Commissioners themselves, to deep technical details on design, components, and nuclear fuel. This year’s RIC 2014 was packed with information on the nuclear industry and drew close to 3,000 attendees.

During one of the plenary sessions there was a panel discussion with leaders from the NRC, the Nuclear Energy Institute, and from a nuclear power plant. One of the common threads running through several of the panel members’ comments was a general admonition to the industry not to become too dependent on contractors and/or vendors.

The RIPE Framework was designed from the ground up with this sentiment in mind: give the automation engineers the governance process to manage their cyber security program, and the training and checklists to perform their duties with competence. Although RIPE users may choose to enjoy an ongoing RIPE license (which provides annual updates and information sharing), the goal is to give the ICS practitioners the tools and methods to gain full knowledge and understanding of their own systems and processes. In this respect, the RIPE Framework differs from other approaches in that working the process will actually force the indigenous plant staff to become less dependent on the various contractors and/or vendors rather than more so.

Mar 11, 2014

Follow The Langner Group on Twitter

The Langner Group is now present on Twitter. For the latest news around critical infrastructure cyber security and notifications on upcoming events follow @langnergroup.

Feb 19, 2014

Positioning yourself in the battle of compliance vs. security

How many times have you heard a statement like this: “Compliance does not equal security!” You’ve probably heard it many times, and you can recount examples from your own experience. There is a general implication that the regulatory bodies that impose requirements on organizations (be they public or private organizations) don’t truly understand cyber security. Compliance has taken on such a negative connotation in the cyber security domain that one can feel safe in using the word with a measure of disdain.
