Just as NIST released a draft of the U.S. government’s Cyber Security Framework (PDF) for industrial control systems (ICS), Ralph Langner responded with his proposed RIPE framework, which he says is a better fit for control systems. Many critical infrastructure operators are looking for answers on where to start understanding ICS security. The NIST framework is designed to outline a core structure, including a user’s guide and an executive overview that describes the purpose, need and application of the drafted framework in critical infrastructure control system environments. NIST has incorporated comments that emphasized the importance of executive involvement in managing cyber risks: “the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyber threats and their impacts.” – NIST
Langner is the German security expert who is credited with deciphering how the Stuxnet malware functioned. Stuxnet targeted the Siemens S7 control system management software responsible for controlling the uranium enrichment centrifuges at Iran’s Natanz nuclear facility.
As per Langner, the Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down plants, with more of a process-based approach than the risk-based NIST Cyber Security Framework. It all starts with these organizations establishing a “security capability.” – Dark Reading
“ICS environments are notorious for their lack of enforcing security policies, if such even exist, specifically for contractors. The bigger asset owners in critical infrastructure do have policies for staff, but not for contractors. After Stuxnet, this seems quite negligent,” Langner told Dark Reading.
I recently attended the NIST Framework workshop and tend to agree with Ralph on several points. I still think that what is overlooked is the “don’t know what we don’t know” deer-in-the-headlights look on the critical infrastructure asset owners. These industries literally need a Fisher Price version of where to begin. The framework is a good step in getting the ship moving — I am just not sure if we are headed in the right direction. I would estimate that 90% of critical infrastructure asset owners do not have any security-focused staff on board; even rarer is one that actually can understand both the technology and the people and process necessary to get any type of traction.
Several years ago the DHS released the CSET tool hoping for the same impact. This tool resembles a TurboTax-for-securing-ICS type of mindset. I have worked with municipalities trying to understand and utilize this tool, and most have abandoned the effort. The asset owners are ill equipped and lack not only the expertise but the manpower to complete the task. Strangely enough, the asset owners also lacked the funding to pay expert consultants to assist with the project.
Even though I am seeing critical infrastructure asset owners start to turn the corner of awareness, there is still more work than they can handle. I also want to warn that even though there are a few organizations out there for hire to help, they are few and far between.
Regardless of the technology produced by the vendors and the frameworks created by the government, asset owners will still rely on an untrained workforce and lack the funds to get the help that they need.
I will say, if they can get the money, I would hire the consultants today, because tomorrow there will be a long line to get the true experts.