Apr 23, 2014

NIST CSF under the microscope, part 3

In the third part of our analysis of the NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we focus on the 98 “subcategories” of the Framework Core that provide most of its meat. The Subcategories identify various cyber security activities along with desired outcomes. Let’s look at some examples:

ID.AM-1: “Physical devices and systems within the organization are inventoried”

ID.GV-1: “Organizational information security policy is established”

PR.AT-1: “All users are informed and trained”

DE.CM-4: “Malicious code is detected”

This may lead the cursory reader to believe that the NIST CSF is some kind of performance-based tool which would, if applied properly, allow users to assess or even measure the cyber security posture of a given facility within the critical infrastructure. However, nothing would be more of a misconception.

Apr 17, 2014

Nothing to Fear but Fear (i.e., Regulation) Itself

The big debate now seems to be: Can any industry, let alone an individual company, actually provide a level of security (physical or cyber) consistent with national security requirements?

Jesse Berst in a recent article quoted the CEO of the North American Electric Reliability Corp (NERC) Gerry Cauley as saying,

“The notion of … a single government agency giving an order to direct changes in the grid is extremely dangerous.”

I don’t know where Mr. Cauley gets this idea, but I can guess. My guess: it’s simply the consensus of those that NERC represents — the owners and operators of the bulk power system. My next guess (less of a guess and more deductive reasoning) is that any regulation costs money and the rate-paying public may not be convinced of the need. This reality should be reflected in public policy, but at some point we simply must accept that secure systems (e.g., the grid) are more costly and less convenient than equivalent insecure systems (“Langner’s Law”).

Apr 15, 2014

NIST CSF under the microscope, part 2

In the first part of our analysis of the NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) we saw that the Framework is more of a conceptual model of how to talk and think about cyber risk than a method to systematically and verifiably reduce such risk to agreed-upon levels.

This would not be a problem per se if the NIST CSF hadn’t been sold as the government’s response to, in President Obama’s words, one of the most serious national security challenges we must confront. The CSF was not developed to protect a family-owned cookie factory against spam mail, but systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters, also called the Critical Infrastructure.


Apr 13, 2014

Quote of the day

“Traditionally, the cybersecurity community has formulated policies in terms of three kinds of requirements:

  • Confidentiality refers to which principals are allowed to learn what information.
  • Integrity refers to what changes to the system (stored information and resource usage) and to its environment (outputs) are allowed.
  • Availability refers to when must inputs be read or outputs produced.

This classification, as it now stands, is likely to be problematic as a basis for the laws that form a science of cybersecurity.”

Fred B. Schneider, Blueprint for a science of cyber security

Apr 11, 2014

NIST CSF under the microscope, part 1

Half a year ago we already looked at the draft NIST Cyber Security Framework for Improving Critical Infrastructure Cybersecurity (CSF), pointing out some puzzling flaws. Now that version 1.0 has been out for two months, we check in a multi-part blog post whether things have improved.


Apr 05, 2014

Whitepaper on cyber security in nuke plants shows that RIPE meets regulatory criteria

There is hardly any place where cyber security matters more than in nuclear power plants. That’s why regulators around the world demand that operators of nuke plants demonstrate that their control and safety systems provide high assurance against cyber attacks. In the United States, such regulation is distilled into a brief one-and-a-half page document.

In a new whitepaper titled A Cost-Efficient Approach to High Cyber Security Assurance in Nuclear Power Plants, The Langner Group’s Perry Pederson explains the NRC’s cyber regulation and discusses how it is implemented in NRC’s own Regulatory Guide 5.71 and in the Nuclear Energy Institute’s NEI 08-09 guideline. It is convincingly demonstrated that the RIPE Cyber Security Framework not only meets NRC’s criteria for high cyber security assurance, but also does so arguably more cost-efficiently than the official cyber security programs published by NRC and the industry.

If you want to learn more about The Langner Group’s cyber defense strategy and packaged service offerings for the nuclear industry, ask for our nuclear solution portfolio by email or phone.

Mar 26, 2014

Cyber chat @Brookings: Listen to the podcast

Two weeks ago the Brookings Institution hosted a round table with Ralph, Peter Singer, Richard Bejtlich, and Ian Wallace. The discussion was recorded and is available as a podcast.

Topics discussed range from the NIST Cyber Security Framework via the crisis in Ukraine and the Target breach to the fallout of the Snowden revelations. Ralph also focuses briefly on the subject of cyber-physical attack engineering — the application of technical analysis and experiments to identify and implement alterations of cyber systems that cause direct harmful physical effects — and its implications for the future of cyber conflict.

Mar 22, 2014

ICS Risk Management Pocket Reference

Security practitioners in the field are admonished time and again to manage the risk, yet are left with a bewildering array of risk management philosophies and methodologies to choose from. Every agency or standards body has put their stamp of approval on a particular approach to “risk inform” your process along with the appropriately colorful visual model to show just how this risk model works to manage risk. However, through diligent study and deep technical analysis, some common threads have emerged and the results are presented here in simplified flow chart form for easy digestion.

Mar 15, 2014

Back to the Future: Putting analog hard stops to cyber attacks

While the “Internet of things” may not live up to the hype, the world is going digital. It seems like an inexorable trend away from analog at gigabit speed. In some odd way the move to digital is like a self-fulfilling prophecy as we hard-code the potential for a disaster into our future.

There are, of course, several good reasons for this accelerating trend in the control systems domain. Most often we hear statements like ‘digital is cheaper, more convenient (because of remote operation), and more flexible (because of its programmability)’ or ‘we simply can’t find the analog systems or expertise anymore’. During a recent session at the Nuclear Regulatory Commission’s (NRC’s) Regulatory Information Conference (RIC) this sentiment was expressed adamantly by Mr. Tony Pietrangelo, Senior Vice President and Chief Nuclear Officer, Nuclear Energy Institute (NEI), when he said the lack of movement to digital was “shameful”.

Mar 13, 2014

Reflections on the RIC

The Nuclear Regulatory Commission’s (NRC) Regulatory Information Conference (RIC) is typically three days full of information ranging from high-level policy as conveyed by the Commissioners themselves, to deep technical details on design, components, and nuclear fuel. This year’s RIC 2014 was packed with information on the nuclear industry and drew close to 3,000 attendees.

During one of the plenary sessions there was a panel discussion with leaders from the NRC, the Nuclear Energy Institute, and from a nuclear power plant. One of the common threads running through several of the panel members’ comments was a general admonition to the industry not to become too dependent on contractors and/or vendors.

The RIPE Framework was designed from the ground up with this sentiment in mind: give the automation engineers the governance process to manage their cyber security program, and the training and checklists to perform their duties with competence. Although RIPE users may choose to maintain an ongoing RIPE license (which provides annual updates and information sharing), the goal is to give ICS practitioners the tools and methods to gain full knowledge and understanding of their own systems and processes. In this respect, the RIPE Framework differs from other approaches in that working the process will actually force the indigenous plant staff to become less dependent on the various contractors and/or vendors rather than more so.
