In 2013 Ralph wrote this brief ten-point manifesto that became one of the foundational pieces of the RIPE OT Security and Robustness Program. Two years later, it still looks pretty accurate.
- By addressing the problem of critical infrastructure cyber insecurity with security concepts and appliances borrowed from IT, we have tried to cure the symptoms rather than the disease.
- We have been poking around in largely undocumented digital environments guided by fuzzy threat intelligence, and applied band-aids (a.k.a. security controls) as the remedy of choice. However, a threat-driven approach to critical infrastructure cyber security is like the tail wagging the dog. Being reactive by default, it fails to address the prevalent problem of systems that are insecure by design rather than because of software defects that would just need to be “patched”, or hidden behind a firewall.
- We have been focusing on determining appropriate target security levels for individual plants rather than on establishing the means to reliably maintain any given security level regardless of criticality or industry. We have taken cyber security capability for granted without ever bothering to understand its characteristics and requirements.
- The design, configuration, operation and maintenance of industrial control systems in any reasonably secure manner requires a governance process. In the absence of such a governance process, the security or insecurity of ICS applications and environments will always be subject to non-controllable external forces such as new vulnerabilities, new contractors who violate policy, or new threats, resulting in a constant decay of cyber security.
- The governance process is not threat-driven. It is a proactive and continuous activity based on the understanding that a non-governed cyber environment is insecure by default. Today, non-governed cyber environments are the norm in ICS installations. The popular excuse is that environments have “grown organically” (which is actually not an excuse but just stating a fact). However, they will continue to “grow” until restricted by governance.
- The two major areas of the governance process are asset and configuration management (on the technology side), and workforce and supply chain management (on the people and procedures side).
- The foundation of the governance process is a verifiable cyber system and process model. Such a model can be created and maintained easily because system complexity is very low compared to IT environments, and most control system installations are extremely static. Creating a system and process model for an existing installation may require sweat, but it is anything but an intellectual or technological challenge.
- The governance process is identical for all industries. The basic activities of the governance process can be standardized in the form of templates and can be audited in order to establish compliance.
- The task of setting appropriate target security levels can be isolated from the governance process as such. Setting target security levels may be based on the concept of risk, or may be based on alternative, policy-driven concepts.
- Based on a cyber security governance framework, templates can be extended and fine-tuned to measure and achieve sector-specific and application-specific performance targets. A framework of standardized templates and performance indicators also offers the opportunity for meaningful information sharing and benchmarking.