Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative

An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."

and the nsa the existing one is fine

[Anonymous Coward]

Its just as secure as we designed it to be

Re:

[Jeremiah Cornelius]

Exactly. Langner has a framework that will prevent your friendly neighborhood TLA from webcrawling through infrastructure at will.

NIST will ensure the backdoor is - if not unlocked - has a key, under the mat.

Re:

[mlts]

Devil's advocate here:

NIST isn't all bad. They publish pretty good security checklists (NIST SCAP guides) for major operating systems and routers. Most of it is common sense, but there are a few things which are something to consider (AIX's trustchk capability for example to at least warn about new/tampered binaries and shell scripts.) They are mainly intended for FISMA [1] compliance, but they are an excellent reference for anyone needing a good checklist to consider. It isn't a one size fits all, but

Re:

[TechyImmigrant]

>NIST isn't all bad

But it is fairly bad. The numerous 'frameworks' and 'guidelines' lack specificity and a clear certification path, while the many crypto specs are overburdened with buckets of specificity that makes certification onerous.

Part of the problem is that the NIST specs are not created with anything like a normal standards process where there are competing interests watching out for stupid stuff and jumping on it. That's how we ended up with nightmares like the key derivation spec or the inapp

Is NSA backdoor implemented? Nooo?

[Anonymous Coward]

If backdoor for NSA is not included he can forget about the new framework being accepted. Spying and control is the new way of life in the U.S.A

Re:

[NatasRevol]

New?

Why not do what experts have recommended?

[s.petry]

If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks. If you want a monitoring node, counters coming from devices should never be writable to anything but local hardware. Monitoring nodes can access other networks for consolidation of data, but not be writable to other networks.

I really can not understand how people continue to believe that everything should be connected to everything. Worse, that everything should be able to write to everything else. After nearly 3 decades of being shown it's a bad idea, maybe the mind set of executives should change? It's like continually banging your head on a wall, and will feel really good when you finally stop!

Does the Government mandate this configuration as a few here have implied? If so, maybe it's time to boot shitbags out of the Government?

Re:Why not do what experts have recommended?

[mlts]

In the early to mid 1990s, intrusions did happen, but it would take some doing because someone on DECNet would have to take some doing to jump to a machine on a private x.25 network.

These days, I've wondered about following the US government's lead with SIPRNet and NIPRNet, and having a "BIPRNet", which would be a switched network using leased lines among companies. Unless access between two machines was prearranged in advance, the boxes will not be allowed to connect to each other or forward packets. For security, the machines either share a symmetric key (like WPA2-AES-PSK), or are paired using public keys similar to Bluetooth pairing. This gives two layers of security. First, the core switch would have to be compromised to allow a third machine to connect, and then both machines would have to be compromised so they would bother interacting with the third machine and not ignore it outright. It isn't perfect, but it would be far stronger for B2B communications than the usual VPNs or SSL/TLS which can be hijacked by compromised CAs.

This won't replace the Internet by any means, but will provide a way for businesses or internal departments to communicate that is highly resistant to mass IP probing and other attacks.

Re:

[s.petry]

There is no need to either be networked to everything, or having a computer buried in concrete. That is an absurd claim, and perhaps you did not intend to provide such a poor false analogy.

Experts have never said it's all or nothing, but as I defined a hybrid approach so that you protect what needs protection.

Just like we do for application and OS security, we use a triangle and move a pointer toward where we have the most concerns. The pointer should never bee in the corner of an angle.

Re:

[mlts]

If that statement is taken to the real world, with the usual car/vehicle analogy, that means that a mining cart must have access to public roads or it is valueless, same with the extremely large trucks which move the tons of rocks at a quarry.

Not everything has to be connected to everything else. You can have people connect to interact with a database front-end without having to interact with the DB itself, or have people interact with a VDI that gives a barrier against untrusted code in a company's core.

A

Re:

[TheRealMindChild]

I really can not understand how people continue to believe that everything should be connected to everything

Management: I don't care how it works, just make it work

Re:

[Anonymous Coward]

I really can not understand how people continue to believe that everything should be connected to everything

Management: I don't care how it works, just make it work as cheaply as possible.

FTFY

Re:Why not do what experts have recommended?

[spacefight]

Not to forget that ther was an air grap at Natanz - so we're talking about more than just shutting off nodes access to the net.

Stuxnet, as an example, bridged the air gap multiple times via infected USB keys...

Re:

[anhduy]

http://mgamepro.xtgem.com/ [xtgem.com]

Re:

[aaarrrgggh]

The article has a few good points well targeted to their audience, and I agree with the concepts. The NIST document (like the original document for the nuclear industry) has a few good ideas, but no practical plan-- mainly a bureaucratic solution.

Reality is that you need to network equipment that poses facility risk. IT are typically the ones pushing for a collapsed network rather than a facility network ironically. For maybe less than 24 points, you can have firewall rules, switch rules, and other tools

Re:

[rhysweatherley]

If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks...

Because those experts are morons. It ignores the economic cost of companies having to run a separate parallel Internet. Take electricity suppliers that need to monitor and control remote switching devices, for example. GSM/CDMA networks are just there, already deployed by the telecommunications industry. A cheap GSM modem and an account with the local telecomms supplier is economically better at contacting remote stations than running ones own wires out to single-point stations in the suburbs and the bu

Re:

[s.petry]

Wait, you call "experts" morons while claiming the only thing that matters is cost? I think you need to consider your ad hominems much more carefully. Most everything else you state is stories to back that position, and not reality. Switch gear made within the last 10 years all have VLAN capabilities which allow separation without additional hardware. Your "dodgy default-passworded" coment is foolish, because password policy is flexible and cdoes not have to be "dodgy". If a company really had to worry

Re:

[sjames]

It ignores the economic cost of companies having to run a separate parallel Internet.

How expensive is it when Suki decides it would be really funny if the skyline went dark when you turn her lamp off?

JUST isolating from the internet doesn't work because that still leaves you with a network that could be spliced in to (but it does kill attacks from outside the country dead). You need defense in depth.

Re:

[Kookus]

I'll see you're isolated networks and raise you this:
http://www.computerworld.com/s/article/9218214/Government_tests_show_security_s_people_problem?pageNumber=1 [computerworld.com]

As for write protecting... If it has ram, it'll be written to.

Good luck with that

[T5]

Given the federal government's complete aversion to risk post-9/11, good luck with that capabilities based approach. The fed push with IT security these days is toward risk management - period.

Re:

[Anonymous Coward]

As if to underscore my point, this just in:

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

And:

“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptogra

Here's the link to Ralph's blog

[GODISNOWHERE]

http://www.langner.com/en/2013/09/04/what-a-cyber-security-framework-for-industrial-control-systems-needs-to-look-like/ [langner.com]

Gah FLA saturation

[skids]

Great one more four-letter IT acronym on top of the pile of Réseaux IP Européens and RACE Integrity Primitives Evaluation. People should just name their stuff creatively and screw the acronyms. Just call it "Bruce" or something.

Securing ICS/SCADA systems ..

[codeusirae]

Connect them through encrypted VPNs on embedded hardware ..