Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative

Posted by timothy on from the he-did-it-his-way dept.

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."

32 comments

  1. and the nsa the existing one is fine by Anonymous Coward · · Score: 1

    Its just as secure as we designed it to be

    1. Re:and the nsa the existing one is fine by Jeremiah+Cornelius · · Score: 1

      Exactly. Langner has a framework that will prevent your friendly neighborhood TLA from webcrawling through infrastructure at will.

      NIST will ensure the backdoor is - if not unlocked - has a key, under the mat.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:and the nsa the existing one is fine by mlts · · Score: 0

      Devil's advocate here:

      NIST isn't all bad. They publish pretty good security checklists (NIST SCAP guides) for major operating systems and routers. Most of it is common sense, but there are a few things which are something to consider (AIX's trustchk capability for example to at least warn about new/tampered binaries and shell scripts.) They are mainly intended for FISMA [1] compliance, but they are an excellent reference for anyone needing a good checklist to consider. It isn't a one size fits all, but is a good place to start.

      [1]: It would be nice if all cloud services would be FISMA compliant. This is mainly for USG interests, but it does show active security monitoring and at least trying to follow some good security steps other than the usual "security has no ROI" drumbeat.

    3. Re:and the nsa the existing one is fine by TechyImmigrant · · Score: 1

      >NIST isn't all bad

      But it is fairly bad. The numerous 'frameworks' and 'guidelines' lack specificity and a clear certification path, while the many crypto specs are overburdened with buckets of specificity that makes certification onerous.

      Part of the problem is that the NIST specs are not created with anything like a normal standards process where there are competing interests watching out for stupid stuff and jumping on it. That's how we ended up with nightmares like the key derivation spec or the inappropriate online tests in SP800-90B or the fixed block size on AES. Anything contributed from the outside had to play be predetermined rules that did not improve the specs.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Is NSA backdoor implemented? Nooo? by Anonymous Coward · · Score: 1

    If backdoor for NSA is not included he can forget about the new framework being accepted. Spying and control is the new way of life in the U.S.A

    1. Re:Is NSA backdoor implemented? Nooo? by NatasRevol · · Score: 1

      New?

      --
      There are two types of people in the world: Those who crave closure
  3. Why not do what experts have recommended? by s.petry · · Score: 4, Insightful

    If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks. If you want a monitoring node, counters coming from devices should never be writable to anything but local hardware. Monitoring nodes can access other networks for consolidation of data, but not be writable to other networks.

    I really can not understand how people continue to believe that everything should be connected to everything. Worse, that everything should be able to write to everything else. After nearly 3 decades of being shown it's a bad idea, maybe the mind set of executives should change? It's like continually banging your head on a wall, and will feel really good when you finally stop!

    Does the Government mandate this configuration as a few here have implied? If so, maybe it's time to boot shitbags out of the Government?

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Why not do what experts have recommended? by mlts · · Score: 3, Informative

      In the early to mid 1990s, intrusions did happen, but it would take some doing because someone on DECNet would have to take some doing to jump to a machine on a private x.25 network.

      These days, I've wondered about following the US government's lead with SIPRNet and NIPRNet, and having a "BIPRNet", which would be a switched network using leased lines among companies. Unless access between two machines was prearranged in advance, the boxes will not be allowed to connect to each other or forward packets. For security, the machines either share a symmetric key (like WPA2-AES-PSK), or are paired using public keys similar to Bluetooth pairing. This gives two layers of security. First, the core switch would have to be compromised to allow a third machine to connect, and then both machines would have to be compromised so they would bother interacting with the third machine and not ignore it outright. It isn't perfect, but it would be far stronger for B2B communications than the usual VPNs or SSL/TLS which can be hijacked by compromised CAs.

      This won't replace the Internet by any means, but will provide a way for businesses or internal departments to communicate that is highly resistant to mass IP probing and other attacks.

    2. Re:Why not do what experts have recommended? by Anonymous Coward · · Score: 0

      Metcalfe's law explains why everything connected to everything is a good idea. The value of the network increases the more connectivity exists. Security says that no information should ever be transfered anywhere, but by Metcalfe's law that means the computer without power buried in concrete and locked in a safe with armed security is worthless. The key is that lack of security is a risk and there are costs that come from an exploited risk. People will spend money to mitigate a risk, but that means that security is a cost that detracts from the profits of full network connectivity. Is it worth it? By the way, Stuxnet infected an isolated control network by propogating from an infected USB device.

    3. Re:Why not do what experts have recommended? by Anonymous Coward · · Score: 0

      Yes but how will the Windows Vista computers that are being used to control everything at the facility get windows updates? Those updates are critical! Nonono I said the updates are critical not the nuclear react- oh uh oh the computer crashed and won't restart. Blue screen of death! Blue screen of death!

    4. Re:Why not do what experts have recommended? by TheRealMindChild · · Score: 2

      I really can not understand how people continue to believe that everything should be connected to everything

      Management: I don't care how it works, just make it work

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    5. Re:Why not do what experts have recommended? by spacefight · · Score: 4, Informative

      Not to forget that ther was an air grap at Natanz - so we're talking about more than just shutting off nodes access to the net.

      Stuxnet, as an example, bridged the air gap multiple times via infected USB keys...

    6. Re:Why not do what experts have recommended? by s.petry · · Score: 1

      There is no need to either be networked to everything, or having a computer buried in concrete. That is an absurd claim, and perhaps you did not intend to provide such a poor false analogy.

      Experts have never said it's all or nothing, but as I defined a hybrid approach so that you protect what needs protection.

      Just like we do for application and OS security, we use a triangle and move a pointer toward where we have the most concerns. The pointer should never bee in the corner of an angle.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Why not do what experts have recommended? by mlts · · Score: 1

      If that statement is taken to the real world, with the usual car/vehicle analogy, that means that a mining cart must have access to public roads or it is valueless, same with the extremely large trucks which move the tons of rocks at a quarry.

      Not everything has to be connected to everything else. You can have people connect to interact with a database front-end without having to interact with the DB itself, or have people interact with a VDI that gives a barrier against untrusted code in a company's core.

      Air-gapping is a very good security measure. Yes, it was gotten around by physical "boots on the ground", but for almost (and I repeat almost) all other attacks, if it isn't connected, it isn't hackable.

      My server with my PGP/gpg keys and my domain CA root keys is not going on the Internet anytime soon, and receives patches via updates burned to DVD. Does that mean it is 100% secure? Nope. It means that I have taken steps to minimize intrusion possibilities which are hard to bypass unless someone wanted the data on that box enough to black-bag it.

    8. Re:Why not do what experts have recommended? by aaarrrgggh · · Score: 1

      The article has a few good points well targeted to their audience, and I agree with the concepts. The NIST document (like the original document for the nuclear industry) has a few good ideas, but no practical plan-- mainly a bureaucratic solution.

      Reality is that you need to network equipment that poses facility risk. IT are typically the ones pushing for a collapsed network rather than a facility network ironically. For maybe less than 24 points, you can have firewall rules, switch rules, and other tools to manage intrusion risk, but once you get beyond that point you have a generally unmanageable system.

      If you choose to not collapse the network, and firewall between sides as it should be done, IT disowns the network and you are stuck with not having someone to manage network security beyond the firewall. The article alludes to this as one of the major problems; often nobody owns security on the SCADA network.

      There is much more to SCADA security than the network security though; it really is about defense in depth. You need the depth to prevent various vendors from being able to access the whole network and system.

    9. Re:Why not do what experts have recommended? by rhysweatherley · · Score: 2

      If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks...

      Because those experts are morons. It ignores the economic cost of companies having to run a separate parallel Internet. Take electricity suppliers that need to monitor and control remote switching devices, for example. GSM/CDMA networks are just there, already deployed by the telecommunications industry. A cheap GSM modem and an account with the local telecomms supplier is economically better at contacting remote stations than running ones own wires out to single-point stations in the suburbs and the bush.

      Isolated networks also don't work. Putting a dodgy default-passworded device on an internal network doesn't work when your attacker walks up to the remote station, cuts off the padlock, and installs their own device straight onto your wide-open "no one could possibly hack this because it's disconnected" network. Which is basically how Stuxnet got deployed - direct intervention onto a private network at a weak point.

      This problem cannot be solved with simplistic "if you don't want people to hack it, don't connect it to the Internet" solutions. How about building it to be difficult to hack in the first place? Or making VPN layers the default way the Internet works rather than an afterthought? Or teaching (mostly non-software) engineers security techniques that were honed over decades of fighting malware on the open Internet? Or any of a million other practical solutions that don't boil down to "la la, I can't hear you so you can't hear me".

    10. Re:Why not do what experts have recommended? by Kookus · · Score: 1

      I'll see you're isolated networks and raise you this:
      http://www.computerworld.com/s/article/9218214/Government_tests_show_security_s_people_problem?pageNumber=1

      As for write protecting... If it has ram, it'll be written to.

    11. Re:Why not do what experts have recommended? by Anonymous Coward · · Score: 1

      I really can not understand how people continue to believe that everything should be connected to everything

      Management: I don't care how it works, just make it work as cheaply as possible.

      FTFY

    12. Re:Why not do what experts have recommended? by s.petry · · Score: 1

      Wait, you call "experts" morons while claiming the only thing that matters is cost? I think you need to consider your ad hominems much more carefully. Most everything else you state is stories to back that position, and not reality. Switch gear made within the last 10 years all have VLAN capabilities which allow separation without additional hardware. Your "dodgy default-passworded" coment is foolish, because password policy is flexible and cdoes not have to be "dodgy". If a company really had to worry more about someone with bolt cutters than WI-FI access, we would not have such severe security problems now.

      This was never stated. "This problem cannot be solved with simplistic "if you don't want people to hack it, don't connect it to the Internet" solutions" I did not go into the depth of the thousands of things that can be done. My statements were that an "everything always connected to everything" approach was wrong, and gave some examples to demonstrate that the approach was wrong.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    13. Re:Why not do what experts have recommended? by sjames · · Score: 1

      It ignores the economic cost of companies having to run a separate parallel Internet.

      How expensive is it when Suki decides it would be really funny if the skyline went dark when you turn her lamp off?

      JUST isolating from the internet doesn't work because that still leaves you with a network that could be spliced in to (but it does kill attacks from outside the country dead). You need defense in depth.

    14. Re:Why not do what experts have recommended? by anhduy · · Score: 1

      http://mgamepro.xtgem.com/

  4. Good luck with that by T5 · · Score: 1

    Given the federal government's complete aversion to risk post-9/11, good luck with that capabilities based approach. The fed push with IT security these days is toward risk management - period.

    1. Re:Good luck with that by Anonymous Coward · · Score: 0

      attacking Iran's Natanz nuclear facility, a pretty bold statement the gov continues to make, and yet Iran's Nuclear program appears to not have been affected, BBC has been reporting off and on over how Iran seems to have had no adverse effects from this supposed Cyber Attack!!! and it hasn't even thrown there schedule they are still moving ahead.

      I even question how much IT the gov has online that could be attacked, other then there data collection centers. And the attack on Iran had to be an inside job or Siemens put it into the hardware before shipping. I'm still curious as to how this attack was actually conducted!!! I doubt I or we will truly know..

    2. Re:Good luck with that by Anonymous Coward · · Score: 0

      Really? Are you a Stuxnet denier?

      I've been in conferences with guys who worked with samples, they said the code infected the Siemens software (IDE) you wrote the instructions in, infected all of your instruction sets on the same machine and when the centrifuges failed, they reloaded the controllers with the same instruction sets over again, or used an older version of the instruction set which was also now infected.

      Forgive me, I'm certain instruction set isn't what the scripting for a PLC is called.

      These machines were not online, they were infected with USB flash drives.

      Yes there are also SCADA systems online, real fuel consuming, power producing plants online. Different conference I sat through a packed talk with a speaker who does incident response on Industrial Control Systems. My office has a tiny group who tries to bring security information to industry and get the ICS/SCADA people in a room with the security people and get them talking.

      Just because you don't know the stories, or don't believe the Stuxnet or any other stories, doesn't mean things are not happening.

      I have seen insinuations in open source new articles that the USB sticks were targeted at certain individuals, but none of the security researchers I've heard had much comment on the human side of the attack.

    3. Re:Good luck with that by Anonymous Coward · · Score: 0

      The BBC is the post-Soviet version of Pravda. They are now about as credible as Fox News, MSNBC, and all of the other politically-motivated news outlets.

  5. What does it matter? by Anonymous Coward · · Score: 0

    If the greatest threat to IT security is the NSA, with its IXP taps and its offensive cyberwar posture, then what's the point of this discussion other than to divert attention? Yes, geopolitical rivals can and will pose a threat to IT systems belonging to the US government, but the US government's systems pose a far greater threat to its own citizens.

    So what rampant cognitive dissonance enables this self-deluded folly to continue?

    1. Re:What does it matter? by Anonymous Coward · · Score: 1

      As if to underscore my point, this just in:

      The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

      And:

      “The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”

      New York Times: N.S.A. Foils Much Internet Encryption

      What an utter joke! So, yeah, what is this bullshit discussion about "cybersecurity" meant to accomplish? Participating in this ridiculous dog-and-pony-show is collaborating in a conspiracy of silence.

  6. It's about CYA by Anonymous Coward · · Score: 0

    The more I see of CIP the more I realize that it really isn't about security. It's about politicians, CEOs, etc to be able to say we did everything we could when we get compromised. The other goal is to be able to nail any internal threat to the wall with absolute proof of wrongdoing. Outside of those two goals (which arguably do make it somewhat more secure) security is not the main focus.

  7. Here's the link to Ralph's blog by GODISNOWHERE · · Score: 1

    http://www.langner.com/en/2013/09/04/what-a-cyber-security-framework-for-industrial-control-systems-needs-to-look-like/

  8. Gah FLA saturation by skids · · Score: 1

    Great one more four-letter IT acronym on top of the pile of Réseaux IP Européens and RACE Integrity Primitives Evaluation. People should just name their stuff creatively and screw the acronyms. Just call it "Bruce" or something.

    --
    Someone had to do it.
  9. Securing ICS/SCADA systems .. by codeusirae · · Score: 1

    Connect them through encrypted VPNs on embedded hardware ..