
Stuxnet Expert Dismisses NIST Cyber Security Framework, Proposes Alternative

Posted by timothy
from the he-did-it-his-way dept.
An anonymous reader writes "Ralph Langner, the security expert who deciphered how Stuxnet targeted the Siemens PLCs in Iran's Natanz nuclear facility, has come up with a cybersecurity framework for industrial control systems (ICS) that he says is a better fit than the U.S. government's Cyber Security Framework. Langner's Robust ICS Planning and Evaluation, or RIPE, framework takes a different approach to locking down ICS/SCADA plants than the NIST-led one, focusing on security capabilities rather than risk. He hopes it will help influence the final version of the U.S. government's framework."

  • by Anonymous Coward

    It's just as secure as we designed it to be

    • Exactly. Langner has a framework that will prevent your friendly neighborhood TLA from webcrawling through infrastructure at will.

      NIST will ensure the backdoor, if not unlocked, has a key under the mat.

      • by mlts (1038732) *

        Devil's advocate here:

        NIST isn't all bad. They publish pretty good security checklists (NIST SCAP guides) for major operating systems and routers. Most of it is common sense, but there are a few things which are something to consider (AIX's trustchk capability for example to at least warn about new/tampered binaries and shell scripts.) They are mainly intended for FISMA [1] compliance, but they are an excellent reference for anyone needing a good checklist to consider. It isn't a one size fits all, but

        • >NIST isn't all bad

          But it is fairly bad. The numerous 'frameworks' and 'guidelines' lack specificity and a clear certification path, while the many crypto specs are overburdened with buckets of specificity that makes certification onerous.

          Part of the problem is that the NIST specs are not created with anything like a normal standards process where there are competing interests watching out for stupid stuff and jumping on it. That's how we ended up with nightmares like the key derivation spec or the inapp

  • by Anonymous Coward

    If a backdoor for the NSA is not included, he can forget about the new framework being accepted. Spying and control is the new way of life in the U.S.A.

  • by s.petry (762400) on Thursday September 05, 2013 @02:36PM (#44767797)

    If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks. If you want a monitoring node, counters coming from devices should never be writable to anything but local hardware. Monitoring nodes can access other networks for consolidation of data, but not be writable to other networks.

    I really cannot understand how people continue to believe that everything should be connected to everything. Worse, that everything should be able to write to everything else. After nearly 3 decades of being shown it's a bad idea, maybe the mindset of executives should change? It's like continually banging your head on a wall, and it will feel really good when you finally stop!

    Does the Government mandate this configuration as a few here have implied? If so, maybe it's time to boot shitbags out of the Government?

    • by mlts (1038732) * on Thursday September 05, 2013 @02:58PM (#44767969)

      In the early to mid 1990s, intrusions did happen, but they took some doing, because someone on DECnet would have to jump to a machine on a private X.25 network.

      These days, I've wondered about following the US government's lead with SIPRNet and NIPRNet, and having a "BIPRNet", which would be a switched network using leased lines among companies. Unless access between two machines was prearranged in advance, the boxes will not be allowed to connect to each other or forward packets. For security, the machines either share a symmetric key (like WPA2-AES-PSK), or are paired using public keys similar to Bluetooth pairing. This gives two layers of security. First, the core switch would have to be compromised to allow a third machine to connect, and then both machines would have to be compromised so they would bother interacting with the third machine and not ignore it outright. It isn't perfect, but it would be far stronger for B2B communications than the usual VPNs or SSL/TLS which can be hijacked by compromised CAs.

      This won't replace the Internet by any means, but will provide a way for businesses or internal departments to communicate that is highly resistant to mass IP probing and other attacks.
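      The two-layer scheme sketched in the comment above (a core switch that forwards only between prearranged pairs, plus a per-pair shared key so that a host let in at a compromised switch is still ignored), as an added Python model that is not part of the comment or of any real network; the host names, keys and the HMAC challenge-response are constructed assumptions:

```python
import hashlib
import hmac
import os

class Switch:
    """Layer 1: core switch that forwards only between prearranged pairs."""
    def __init__(self, allowed_pairs):
        self.allowed = {frozenset(p) for p in allowed_pairs}
    def forward(self, src, dst):
        return frozenset((src, dst)) in self.allowed

class Host:
    """Layer 2: a host answers challenges only from peers it shares a key with."""
    def __init__(self, name, peer_keys):
        self.name, self.peer_keys = name, peer_keys  # peer name -> symmetric key
    def respond(self, challenger, nonce):
        key = self.peer_keys.get(challenger)
        if key is None:
            return None  # unknown peer: ignored outright
        return hmac.new(key, nonce + challenger.encode(), hashlib.sha256).digest()
    def verify(self, peer, nonce, tag):
        key = self.peer_keys.get(peer)
        if key is None or tag is None:
            return False
        expected = hmac.new(key, nonce + self.name.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def connect(switch, a, b):
    """True only if the switch forwards AND both hosts authenticate each other."""
    if not switch.forward(a.name, b.name):
        return False
    n1 = os.urandom(16)
    if not a.verify(b.name, n1, b.respond(a.name, n1)):
        return False
    n2 = os.urandom(16)
    return b.verify(a.name, n2, a.respond(b.name, n2))

def demo():
    k_ab = os.urandom(32)  # constructed pre-shared key for the one prearranged pair
    plant = Host("plant", {"vendor": k_ab})
    vendor = Host("vendor", {"plant": k_ab})
    intruder = Host("intruder", {"plant": os.urandom(32)})  # holds a wrong key
    honest = Switch([("plant", "vendor")])
    compromised = Switch([("plant", "vendor"), ("plant", "intruder")])
    return {
        "pair_ok": connect(honest, plant, vendor),
        "intruder_blocked_at_switch": connect(honest, plant, intruder),
        "intruder_blocked_by_key": connect(compromised, plant, intruder),
    }
```

      The compromised-switch case is the point of the second layer: the intruder is forwarded, but the plant holds no key for it, so the session never completes.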

    • I really can not understand how people continue to believe that everything should be connected to everything

      Management: I don't care how it works, just make it work

      • by Anonymous Coward

        I really can not understand how people continue to believe that everything should be connected to everything

        Management: I don't care how it works, just make it work as cheaply as possible.

        FTFY

    • by spacefight (577141) on Thursday September 05, 2013 @03:15PM (#44768095)

      Not to forget that there was an air gap at Natanz, so we're talking about more than just shutting off nodes' access to the net.

      Stuxnet, as an example, bridged the air gap multiple times via infected USB keys...

    • by aaarrrgggh (9205)

      The article has a few good points well targeted to their audience, and I agree with the concepts. The NIST document (like the original document for the nuclear industry) has a few good ideas, but no practical plan-- mainly a bureaucratic solution.

      Reality is that you need to network equipment that poses facility risk. IT are typically the ones pushing for a collapsed network rather than a facility network ironically. For maybe less than 24 points, you can have firewall rules, switch rules, and other tools

    • If you want "networked" configuration nodes, an isolated network should be the only thing accessing equipment. That node should not access anything else, or any other networks...

      Because those experts are morons. It ignores the economic cost of companies having to run a separate parallel Internet. Take electricity suppliers that need to monitor and control remote switching devices, for example. GSM/CDMA networks are just there, already deployed by the telecommunications industry. A cheap GSM modem and an account with the local telecomms supplier is economically better at contacting remote stations than running one's own wires out to single-point stations in the suburbs and the bu

      • by s.petry (762400)

        Wait, you call "experts" morons while claiming the only thing that matters is cost? I think you need to consider your ad hominems much more carefully. Most everything else you state is stories to back that position, and not reality. Switch gear made within the last 10 years all has VLAN capabilities which allow separation without additional hardware. Your "dodgy default-passworded" comment is foolish, because password policy is flexible and does not have to be "dodgy". If a company really had to worry

      • by sjames (1099)

        It ignores the economic cost of companies having to run a separate parallel Internet.

        How expensive is it when Suki decides it would be really funny if the skyline went dark when you turn her lamp off?

        JUST isolating from the internet doesn't work because that still leaves you with a network that could be spliced in to (but it does kill attacks from outside the country dead). You need defense in depth.

    • by Kookus (653170)

      I'll see your isolated networks and raise you this:
      http://www.computerworld.com/s/article/9218214/Government_tests_show_security_s_people_problem?pageNumber=1 [computerworld.com]

      As for write protecting... If it has ram, it'll be written to.

  • Given the federal government's complete aversion to risk post-9/11, good luck with that capabilities-based approach. The fed push with IT security these days is toward risk management - period.

  • Great one more four-letter IT acronym on top of the pile of Réseaux IP Européens and RACE Integrity Primitives Evaluation. People should just name their stuff creatively and screw the acronyms. Just call it "Bruce" or something.

  • Connect them through encrypted VPNs on embedded hardware ..
