Less than a year ago (last September, to be exact) we published a whitepaper on the RIPE Framework, explaining the rationale for and the building blocks of a process-oriented approach to ICS security and robustness that allows for empirical verification and measurement. Since then a lot has happened that we want to share with blog readers.
Many people have expected that at some point the crisis in Ukraine would come to involve cyber conflict. Well, maybe that time has come.
We don’t know if today’s explosion of a gas pipeline in Ukraine was caused by a cyber attack, but it would be a perfect example of digital sabre-rattling that avoids kinetic action and all the military, legal, and political issues that come with it. It’s not about cyber war, it’s about cyber coercion.
Three years ago, the German government established a national cyber defense center (“Nationales Cyber-Abwehrzentrum”). The stated objective was to establish a government entity that would coordinate and bundle the activities of various agencies that are tasked with cyber security, in order to give them more punch on a national scale.
In a classified assessment by the German Bundesrechnungshof (the equivalent of the US GAO) that was leaked to the German newspaper Süddeutsche Zeitung and to German national TV, the government's financial controllers frankly suggest shutting the operation down, since in its present form it appears to be nothing but a waste of money.
The facts in a nutshell:
- The center’s only scheduled activity is a daily discussion of the situation.
- Several of the center's ten (!) employees, who are on loan from other agencies, don't show up on a regular basis.
- The center issues strategic advice only in annual reports, which obviously defeats its stated objective of "quick assessments and call to action".
- The center lacks the expertise to execute its stated mission.
- No procedure or workflow has been defined for what the center is supposed to do in the event of a substantial cyber attack against Germany.
The criticism can hardly come as a surprise. We had already pointed out the center's ridiculously tiny footprint and weak mission statement at the time of its creation. Hopefully, the present reporting will make German business decision makers aware of the fact that in a time of cyber crisis, the government will hardly be able to provide any help – a fantasy that some CEOs have nurtured to justify their own inaction on providing appropriate cyber defenses.
ISA-99 has published a draft set of cyber security metrics that is worth a closer look. Metrics are an indispensable part of every cyber security program, because without them such a program
a) will not be fact-based, and
b) lacks the capability for systematic improvement (you cannot improve what you can't measure).
You’ve heard and read about the RIPE Framework and want to learn more? Here’s your chance. For the first time we present all the details to a limited audience:
- See all the RIPE templates (policies and SOPs, plant planning guidelines, procurement guidelines, cyber security program, metrics, etc.) in their full-length, real-world version
- Learn about the rationale behind RIPE – how to build up cyber security capability and arrive at measurable performance
- Learn about favored implementation strategies and requirements
- Learn why a nuclear power plant chose RIPE to meet regulatory ICS security requirements
- Learn about the attractive fixed-price RIPE package offerings and get a discount when ordering within two weeks after the event
The RIPE Experience is scheduled at the following locations and dates:
Munich, Germany: May 12, 2014
Washington DC: June 24, 2014
Contact us to receive a detailed agenda and registration form.
In the third part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we focus on the 98 “subcategories” of the Framework Core that provide most of its meat. The Subcategories identify various cyber security activities along with desired outcomes. Let’s look at some examples:
ID.AM-1: “Physical devices and systems within the organization are inventoried”
ID.GV-1: “Organizational information security policy is established”
PR.AT-1: “All users are informed and trained”
DE.CM-4: “Malicious code is detected”
This may lead the cursory reader to believe that the NIST CSF is some kind of performance-based tool which would, if applied properly, allow users to assess or even measure the cyber security posture of a given facility within the critical infrastructure. However, nothing could be more of a misconception. Read more »
The big debate now seems to be: Can any industry, let alone an individual company, actually provide a level of security (physical or cyber) consistent with national security requirements?
In a recent article, Jesse Berst quoted Gerry Cauley, CEO of the North American Electric Reliability Corporation (NERC), as saying:
“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous.”
I don’t know where Mr. Cauley gets this idea, but I can guess. My guess: it’s simply the consensus of those that NERC represents — the owners and operators of the bulk power system. My next guess (less of a guess and more deductive reasoning) is that any regulation costs money and the rate paying public may not be convinced of the need. This reality should be reflected in public policy, but at some point we simply must accept that secure systems (e.g., the grid) are more costly and less convenient than equivalent insecure systems (“Langner’s Law”). Read more »
In the first part of our analysis of the NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we saw that the Framework is more a conceptual model of how to talk and think about cyber risk than a method to systematically and verifiably reduce such risk to agreed-upon levels.
This would not be bad per se if the NIST CSF hadn't been sold as the government's response to, in President Obama's words, "one of the most serious national security challenges we must confront". The CSF was not developed to protect a family-owned cookie factory against spam mail, but "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters", also known as the Critical Infrastructure.