In the final part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we look at the big picture and elaborate on similarities and differences between the CSF and our own RIPE Framework.
You’ve heard and read about the RIPE Framework and want to learn more? Here’s your chance. For the first time we present all the details to a limited audience:
- See all the RIPE templates (policies and SOPs, plant planning guidelines, procurement guidelines, cyber security program, metrics etc.) in their full-length real version
- Learn about the rationale behind RIPE – how to build up cyber security capability and arrive at measurable performance
- Learn about favored implementation strategies and requirements
- Learn why a nuclear power plant chose RIPE to meet regulatory ICS security requirements
- Learn about the attractive fixed-price RIPE package offerings and get a discount when ordering within two weeks after the event
The RIPE Experience is scheduled at the following locations and dates:
Munich, Germany: May 12, 2014
Washington DC: June 24, 2014
Contact us to receive a detailed agenda and registration form.
In the third part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we focus on the 98 “subcategories” of the Framework Core that provide most of its meat. The Subcategories identify various cyber security activities along with desired outcomes. Let’s look at some examples:
- ID.AM-1: “Physical devices and systems within the organization are inventoried”
- ID.GV-1: “Organizational information security policy is established”
- PR.AT-1: “All users are informed and trained”
- DE.CM-4: “Malicious code is detected”
This may lead the cursory reader to believe that the NIST CSF is some kind of performance-based tool which would, if applied properly, allow users to assess or even measure the cyber security posture of a given facility within the critical infrastructure. However, nothing would be more of a misconception.
The big debate now seems to be: Can any industry, let alone an individual company, actually provide a level of security (physical or cyber) consistent with national security requirements?
Jesse Berst in a recent article quoted the CEO of the North American Electric Reliability Corp (NERC) Gerry Cauley as saying,
“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous.”
I don’t know where Mr. Cauley gets this idea, but I can guess. My guess: it’s simply the consensus of those that NERC represents — the owners and operators of the bulk power system. My next guess (less of a guess and more deductive reasoning) is that any regulation costs money and the rate paying public may not be convinced of the need. This reality should be reflected in public policy, but at some point we simply must accept that secure systems (e.g., the grid) are more costly and less convenient than equivalent insecure systems (“Langner’s Law”).
In the first part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we have seen that the Framework is more of a conceptual model of how to talk and think about cyber risk than a method to systematically and verifiably reduce such risk to agreed-upon levels.
This would be nothing bad per se if the NIST CSF hadn’t been sold as the government’s response to, in President Obama’s words, one of the most serious national security challenges we must confront. The CSF was not developed to protect a family-owned cookie factory against spam mail but systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters, also called the Critical Infrastructure.
“Traditionally, the cybersecurity community has formulated policies in terms of three kinds of requirements:
- Confidentiality refers to which principals are allowed to learn what information.
- Integrity refers to what changes to the system (stored information and resource usage) and to its environment (outputs) are allowed.
- Availability refers to when must inputs be read or outputs produced.
This classification, as it now stands, is likely to be problematic as a basis for the laws that form a science of cybersecurity.”
Fred B. Schneider, Blueprint for a science of cyber security
Hardly is there any place where cyber security matters more than in nuclear power plants. That’s why regulators around the world demand that operators of nuke plants demonstrate that their control and safety systems show high assurance against cyber attacks. In the United States, such regulation is distilled in a brief one-and-a-half page document.
In a new whitepaper titled A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants, The Langner Group’s Perry Pederson explains the NRC’s cyber regulation and discusses how it is implemented in NRC’s own Regulatory Guide 5.71 and in the Nuclear Energy Institute’s NEI 08-09 guideline. It is convincingly demonstrated that the RIPE Cyber Security Framework not only meets NRC’s criteria for high cyber security assurance, but also does so arguably more cost-efficiently than the official cyber security programs published by NRC and the industry.
If you want to learn more about The Langner Group’s cyber defense strategy and packaged service offerings for the nuclear industry, ask for our nuclear solution portfolio by email or phone.
Topics discussed range from the NIST Cyber Security Framework via the crisis in Ukraine and the Target breach to the fallout of the Snowden revelations. Ralph also focuses briefly on the subject of cyber-physical attack engineering — the application of technical analysis and experiments to identify and implement alterations of cyber systems that cause direct harmful physical effects — and its implications for the future of cyber conflict.
Security practitioners in the field are admonished time and again to manage the risk, yet are left with a bewildering array of risk management philosophies and methodologies to choose from. Every agency or standards body has put their stamp of approval on a particular approach to “risk inform” your process along with the appropriately colorful visual model to show just how this risk model works to manage risk. However, through diligent study and deep technical analysis, some common threads have emerged and the results are presented here in simplified flow chart form for easy digestion.