The RIPE Cyber Security and Robustness Program: Bringing Quality Management to ICS Security

Ralph Langner, The Langner Group, Washington DC | Hamburg | Munich


About Langner

Founded 1988
Cyber defense consultancy
Focus on critical infrastructure & large-scale manufacturing
Vendor-independent
Located in Germany + USA

"The definitive analysis of Stuxnet" (Bruce Schneier): www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf

www.twitter.com/langnergroup
www.langner.com

What's wrong with ICS security?

Progress cannot be measured
Budgeting is difficult
Too expensive

RIPE Fundamentals

Measurable, cumulative progress
Cheaper than existing art
Curing the disease rather than the symptoms

WTF is RIPE?

RIPE = Robust Industrial Control Systems Planning and Evaluation
A process-driven approach based on governance, verification and measurement, and engineering principles

How do we achieve our objectives?

Industrial mass production
Quality management
Continuous improvement

Position of RIPE to existing frameworks

Requirements: RG 5.71, NEI 08-09; 10 CFR 73.54; ISA, ISO, IEC; NIST CSF; NERC CIP
Guidance: the conceptual "what" of ICS security
Practical implementation: the practical "how" of ICS security
Real-world stakeholders: actual architecture & behavior on the plant floor
??? Chasm


Traditional approach: Bringing in the witch doctor

Rain dance
???


RIPE approach: Bringing in quality management

Methods & Templates

Governance & Metrics
Capability Indicators
Collective Intelligence
Continuous improvement

Plant Floor Systems + Procedures

1 Year Cycle: Verify & Measure; Analyze & Report; Improved Instruments; Deploy & Enforce
Actors: Asset Owner or 3rd Party; Langner

The RIPE instrument structure

Cyber Security and Robustness

Factors affecting ICS security:
Plant Planning & System Procurement
System Inventory
Network and Data Flow Diagrams
Policies and SOPs
Training
Workforce Management

Example: Data flow diagrams

Without documented data flow, full system understanding is not possible.
RIPE teaches how to get there.

Example: Policies and SOPs

RIPE comes with ready-to-use policies and SOPs for contractors, operators, and engineers.
Sample use cases:
- Legitimate system use
- Mobile systems + media
- File exchange

Example: Plant planning guideline (Configuration)

RIPE comes with a ready-to-use digital plant planning guideline for system designers and CS engineers.
Sample focal areas:
- Network architecture
- Network infrastructure services
- Network components
- Endpoint systems

Example: System procurement guideline

RIPE comes with a ready-to-use system procurement guideline.
Sample focal areas:
- Product documentation
- Software integrity assurance
- Network resilience
- Access control capabilities
- Vendor QM procedures

Q  &  A