Less than a year ago (last September, to be exact) we published a whitepaper on the RIPE Framework, explaining the rationale for and building blocks of a process-oriented approach to ICS security and robustness that allows for empirical verification and measurement. Since then, much activity has been going on that we want to let blog readers know about.
Milestone 1: Turn theoretical framework into executable program
All eight RIPE domains have been turned into executable program segments, detailing the HOW rather than just giving fuzzy high-level advice that requires high-fee consultants to execute. For example, RIPE does not simply suggest using security policies, plant planning guidelines, or procurement guidelines; it comes with the actual ready-to-go text for these. Also finished and ready-to-go are an overall RIPE implementation guideline and the definition of 70+ metrics that make implementation progress measurable.
Results have been discussed with many asset owners in the private sector, and also with representatives from NERC, the US Nuclear Regulatory Commission, the US Department of Defense, the Idaho National Laboratory, and the Nuclear Threat Initiative.
Milestone 2: Implement RIPE at a critical pilot site
Practical RIPE implementation has started at an operating European nuclear power plant. The objective of the implementation is to arrive at measurable ICS security and meet regulatory requirements.
Milestone 3: Integrate RIPE artifacts in a software portal
Our next milestone is to provide a software portal solution that allows the asset owner (and potentially a regulator) to verify cyber security and robustness by navigating through the RIPE control domains. It’s going to be a far cry from anecdotal risk assessment reports, giving both those responsible for ICS security and those responsible for process reliability and maintainability a completely new, fascinating way to explore their digital plant environment.
The RIPE advantage
The move beyond just another cyber security framework highlights RIPE’s value proposition. We don’t intend to replace ISA-99 or any other high-level guidance or regulatory requirements. We intend to make ICS security practical and measurable, cost-effective, and the fast lane to better cyber security of critical infrastructure installations that has been demanded even by President Obama. At this time, RIPE is the fastest road to implementing the NIST CSF.
The level of control exercised on digital assets as offered by RIPE is essential for maintaining cyber robustness and security when moving to the Industrial Internet with all the complexity and security risks associated with it. If you are an asset owner, contact us to learn how RIPE can address your ICS security challenges starting tomorrow.