At S4x15 The Langner Group will contribute the following talks:

A Process-Based Approach to ICS Security: The RIPE Program in Real Life

Traditional strategies toward ICS security have focused either on specific technologies such as data diodes or whitelisting, or on high-level guidance for risk management; examples of the latter are the NIST Cyber Security Framework and ISA-99. The RIPE Program takes a different avenue and focuses on the practical how-to of cyber security governance on the plant floor. It can be thought of as a fast lane to NIST CSF implementation that comes with the added benefit of metrics and scalability.

In this presentation, Ralph Langner will give a brief introduction to the concepts of and instruments in RIPE. The bulk of the talk will be delivered by Tomas Nystrom, who is in charge of cyber security for the several hundred power plants owned and operated by Nordic energy giant Fortum. Tomas will share real-world experience of introducing RIPE to an operational nuclear power plant, making the plant both secure against cyber attacks and compliant with national regulation.

Cyber-Physical Attack Engineering

“Visible through the various cyber-physical exploits [used in Stuxnet] is the silhouette of a methodology for attack engineering that can be taught in school and can ultimately be implemented in algorithms. (...) Attack engineering is about reliably taking over control in order to exploit physical vulnerabilities. The way to get there is completely different from IT.”

So reads a passage in To Kill a Centrifuge. In his talk, Ralph elaborates on the fundamentals of cyber-physical attack engineering as a discipline that must be understood and mastered in order to identify and protect against the worst attack scenarios that sophisticated attackers could pull off against high-value targets. At the same time, it helps to understand where defensive “best practices” are completely worthless.

The subject of the talk, which is also reflected and applied in The Langner Group’s Critical Penetration Analysis, calls for a distinct re-orientation of cyber-physical security. Ralph points out that a pure infosec methodology, spiced up with hacking wisdom, stops short of providing meaningful results for risk mitigation because it does not link a vulnerability to the potential consequence of its exploitation: where a hacker alleges that by “owning” a SCADA or ICS component he could “do anything”, reality is usually quite different. Nevertheless, deterministic routes to disaster may be inherent in a plant design yet go unrecognized by asset owners and pen testers alike.

Cyber-physical attack engineering should be seen in line with like-minded efforts such as the groundbreaking work in nuclear security by Gary Johnson (formerly with the IAEA) and recent presentations by Bryan Singer (Kenexis), who will pick up on the subject at S4x15.