Slashdot Mirror


Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."


  1. and the nsa the existing one is fine by Anonymous Coward · · Score: 1

    It's just as secure as we designed it to be

    1. Re:and the nsa the existing one is fine by Jeremiah+Cornelius · · Score: 1

      Exactly. Langner has a framework that will prevent your friendly neighborhood TLA from webcrawling through infrastructure at will.

      NIST will ensure the backdoor - if not unlocked - has a key under the mat.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:and the nsa the existing one is fine by TechyImmigrant · · Score: 1

      >NIST isn't all bad

      But it is fairly bad. The numerous 'frameworks' and 'guidelines' lack specificity and a clear certification path, while the many crypto specs are overburdened with buckets of specificity that makes certification onerous.

      Part of the problem is that the NIST specs are not created with anything like a normal standards process where there are competing interests watching out for stupid stuff and jumping on it. That's how we ended up with nightmares like the key derivation spec or the inappropriate online tests in SP800-90B or the fixed block size on AES. Anything contributed from the outside had to play by predetermined rules that did not improve the specs.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. Is NSA backdoor implemented? Nooo? by Anonymous Coward · · Score: 1

    If backdoor for NSA is not included he can forget about the new framework being accepted. Spying and control is the new way of life in the U.S.A.

    1. Re:Is NSA backdoor implemented? Nooo? by NatasRevol · · Score: 1

      New?

      --
      There are two types of people in the world: Those who crave closure
  3. Why not do what experts have recommended? by s.petry · · Score: 4, Insightful

    If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks. If you want a monitoring node, counters coming from devices should never be writable to anything but local hardware. Monitoring nodes can access other networks for consolidation of data, but not be writable to other networks.

    I really can not understand how people continue to believe that everything should be connected to everything. Worse, that everything should be able to write to everything else. After nearly 3 decades of being shown it's a bad idea, maybe the mindset of executives should change? It's like continually banging your head on a wall, and will feel really good when you finally stop!

    Does the Government mandate this configuration as a few here have implied? If so, maybe it's time to boot shitbags out of the Government?

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
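One way to enforce the "monitoring nodes read counters but never write" rule from the post above, as an added example that is not part of the original thread: a filter for a monitoring-side proxy that passes only read function codes of Modbus/TCP and drops every write or malformed request. Modbus is assumed here as the device protocol (the post names none), and the sample frames are constructed.

```python
import struct

# MBAP header of a Modbus/TCP ADU: transaction id, protocol id (always 0),
# length of the bytes that follow (unit id + PDU), unit id.
MBAP = struct.Struct(">HHHB")

# Function codes that only read device state. Writes (5, 6, 15, 16),
# diagnostics (8, can reset counters) and read/write combos (23) are denied.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4, 7, 17}


def build_request(tid: int, unit: int, fc: int, pdu_data: bytes) -> bytes:
    """Build a Modbus/TCP request ADU (used here to construct sample traffic)."""
    return MBAP.pack(tid, 0, 1 + 1 + len(pdu_data), unit) + bytes([fc]) + pdu_data


def classify_modbus_tcp(frame: bytes) -> str:
    """Return 'allow', 'deny' or 'malformed' for one request on the monitoring path."""
    if len(frame) < MBAP.size + 1:
        return "malformed"
    _tid, proto, length, _unit = MBAP.unpack_from(frame)
    # Length must cover exactly unit id + PDU; anything else is truncated or padded.
    if proto != 0 or length < 2 or length != len(frame) - 6:
        return "malformed"
    fc = frame[MBAP.size]
    if fc & 0x80:  # exception bit is never set in a request
        return "malformed"
    return "allow" if fc in READ_ONLY_FUNCTIONS else "deny"


def filter_stream(frames) -> dict:
    """Count how a batch of captured requests would be handled by the proxy."""
    counts = {"allow": 0, "deny": 0, "malformed": 0}
    for frame in frames:
        counts[classify_modbus_tcp(frame)] += 1
    return counts


# Constructed sample traffic as seen from a monitoring node.
SAMPLE_FRAMES = [
    build_request(1, 1, 3, b"\x00\x00\x00\x0a"),                 # read 10 holding registers
    build_request(2, 1, 4, b"\x00\x00\x00\x02"),                 # read 2 input registers
    build_request(3, 1, 6, b"\x00\x10\x00\x01"),                 # write single register
    build_request(4, 1, 16, b"\x00\x10\x00\x01\x02\x00\x05"),    # write multiple registers
    build_request(5, 1, 3, b"\x00\x00\x00\x0a")[:-1],            # truncated read
]

if __name__ == "__main__":
    print(filter_stream(SAMPLE_FRAMES))
```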

    1. Re:Why not do what experts have recommended? by mlts · · Score: 3, Informative

      In the early to mid 1990s, intrusions did happen, but it would take some doing because someone on DECNet would have to jump to a machine on a private x.25 network.

      These days, I've wondered about following the US government's lead with SIPRNet and NIPRNet, and having a "BIPRNet", which would be a switched network using leased lines among companies. Unless access between two machines was prearranged in advance, the boxes will not be allowed to connect to each other or forward packets. For security, the machines either share a symmetric key (like WPA2-AES-PSK), or are paired using public keys similar to Bluetooth pairing. This gives two layers of security. First, the core switch would have to be compromised to allow a third machine to connect, and then both machines would have to be compromised so they would bother interacting with the third machine and not ignore it outright. It isn't perfect, but it would be far stronger for B2B communications than the usual VPNs or SSL/TLS which can be hijacked by compromised CAs.

      This won't replace the Internet by any means, but will provide a way for businesses or internal departments to communicate that is highly resistant to mass IP probing and other attacks.

    2. Re:Why not do what experts have recommended? by TheRealMindChild · · Score: 2

      >I really can not understand how people continue to believe that everything should be connected to everything

      Management: I don't care how it works, just make it work

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    3. Re:Why not do what experts have recommended? by spacefight · · Score: 4, Informative

      Not to forget that there was an air gap at Natanz - so we're talking about more than just shutting off nodes' access to the net.

      Stuxnet, as an example, bridged the air gap multiple times via infected USB keys...

    4. Re:Why not do what experts have recommended? by s.petry · · Score: 1

      There is no need to either be networked to everything, or having a computer buried in concrete. That is an absurd claim, and perhaps you did not intend to provide such a poor false analogy.

      Experts have never said it's all or nothing, but as I defined a hybrid approach so that you protect what needs protection.

      Just like we do for application and OS security, we use a triangle and move a pointer toward where we have the most concerns. The pointer should never be in the corner of an angle.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:Why not do what experts have recommended? by mlts · · Score: 1

      If that statement is taken to the real world, with the usual car/vehicle analogy, that means that a mining cart must have access to public roads or it is valueless, same with the extremely large trucks which move the tons of rocks at a quarry.

      Not everything has to be connected to everything else. You can have people connect to interact with a database front-end without having to interact with the DB itself, or have people interact with a VDI that gives a barrier against untrusted code in a company's core.

      Air-gapping is a very good security measure. Yes, it was gotten around by physical "boots on the ground", but for almost (and I repeat almost) all other attacks, if it isn't connected, it isn't hackable.

      My server with my PGP/gpg keys and my domain CA root keys is not going on the Internet anytime soon, and receives patches via updates burned to DVD. Does that mean it is 100% secure? Nope. It means that I have taken steps to minimize intrusion possibilities which are hard to bypass unless someone wanted the data on that box enough to black-bag it.

    6. Re:Why not do what experts have recommended? by aaarrrgggh · · Score: 1

      The article has a few good points well targeted to their audience, and I agree with the concepts. The NIST document (like the original document for the nuclear industry) has a few good ideas, but no practical plan-- mainly a bureaucratic solution.

      Reality is that you need to network equipment that poses facility risk. IT are typically the ones pushing for a collapsed network rather than a facility network ironically. For maybe less than 24 points, you can have firewall rules, switch rules, and other tools to manage intrusion risk, but once you get beyond that point you have a generally unmanageable system.

      If you choose to not collapse the network, and firewall between sides as it should be done, IT disowns the network and you are stuck with not having someone to manage network security beyond the firewall. The article alludes to this as one of the major problems; often nobody owns security on the SCADA network.

      There is much more to SCADA security than the network security though; it really is about defense in depth. You need the depth to prevent various vendors from being able to access the whole network and system.

    7. Re:Why not do what experts have recommended? by rhysweatherley · · Score: 2

      >If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks...

      Because those experts are morons. It ignores the economic cost of companies having to run a separate parallel Internet. Take electricity suppliers that need to monitor and control remote switching devices, for example. GSM/CDMA networks are just there, already deployed by the telecommunications industry. A cheap GSM modem and an account with the local telecomms supplier is economically better at contacting remote stations than running one's own wires out to single-point stations in the suburbs and the bush.

      Isolated networks also don't work. Putting a dodgy default-passworded device on an internal network doesn't work when your attacker walks up to the remote station, cuts off the padlock, and installs their own device straight onto your wide-open "no one could possibly hack this because it's disconnected" network. Which is basically how Stuxnet got deployed - direct intervention onto a private network at a weak point.

      This problem cannot be solved with simplistic "if you don't want people to hack it, don't connect it to the Internet" solutions. How about building it to be difficult to hack in the first place? Or making VPN layers the default way the Internet works rather than an afterthought? Or teaching (mostly non-software) engineers security techniques that were honed over decades of fighting malware on the open Internet? Or any of a million other practical solutions that don't boil down to "la la, I can't hear you so you can't hear me".

    8. Re:Why not do what experts have recommended? by Kookus · · Score: 1

      I'll see your isolated networks and raise you this:
      http://www.computerworld.com/s/article/9218214/Government_tests_show_security_s_people_problem?pageNumber=1

      As for write protecting... If it has ram, it'll be written to.

    9. Re:Why not do what experts have recommended? by Anonymous Coward · · Score: 1

      >I really can not understand how people continue to believe that everything should be connected to everything

      Management: I don't care how it works, just make it work as cheaply as possible.

      FTFY

    10. Re:Why not do what experts have recommended? by s.petry · · Score: 1

      Wait, you call "experts" morons while claiming the only thing that matters is cost? I think you need to consider your ad hominems much more carefully. Most everything else you state is stories to back that position, and not reality. Switch gear made within the last 10 years all have VLAN capabilities which allow separation without additional hardware. Your "dodgy default-passworded" comment is foolish, because password policy is flexible and does not have to be "dodgy". If a company really had to worry more about someone with bolt cutters than WI-FI access, we would not have such severe security problems now.

      This was never stated. "This problem cannot be solved with simplistic "if you don't want people to hack it, don't connect it to the Internet" solutions" I did not go into the depth of the thousands of things that can be done. My statements were that an "everything always connected to everything" approach was wrong, and gave some examples to demonstrate that the approach was wrong.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    11. Re:Why not do what experts have recommended? by sjames · · Score: 1

      >It ignores the economic cost of companies having to run a separate parallel Internet.

      How expensive is it when Suki decides it would be really funny if the skyline went dark when you turn her lamp off?

      JUST isolating from the internet doesn't work because that still leaves you with a network that could be spliced in to (but it does kill attacks from outside the country dead). You need defense in depth.

    12. Re:Why not do what experts have recommended? by anhduy · · Score: 1
  4. Good luck with that by T5 · · Score: 1

    Given the federal government's complete aversion to risk post-9/11, good luck with that capabilities based approach. The fed push with IT security these days is toward risk management - period.

  5. Re:What does it matter? by Anonymous Coward · · Score: 1

    As if to underscore my point, this just in:

    The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

    And:

    “The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”

    New York Times: N.S.A. Foils Much Internet Encryption

    What an utter joke! So, yeah, what is this bullshit discussion about "cybersecurity" meant to accomplish? Participating in this ridiculous dog-and-pony-show is collaborating in a conspiracy of silence.

  6. Gah FLA saturation by skids · · Score: 1

    Great, one more four-letter IT acronym on top of the pile of Réseaux IP Européens and RACE Integrity Primitives Evaluation. People should just name their stuff creatively and screw the acronyms. Just call it "Bruce" or something.

  7. Securing ICS/SCADA systems .. by codeusirae · · Score: 1

    Connect them through encrypted VPNs on embedded hardware ..