Ralph Langner, of Stuxnet-analysis fame and a recognized control system security expert, has an interesting post on his corporate blog about the general ineffectiveness of the proposed Cybersecurity Framework, along with his own detailed proposal for an industrial control system security framework: Robust ICS Planning and Evaluation (RIPE). A review of RIPE will have to wait until I have the time to read the 12-page document closely, but his comments about the proposed NIST Framework deserve immediate attention.
Ralph makes an important point early in his post when he states that “a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results”. The reason is clear: the Framework is not, at its base, a document about cybersecurity, but rather a political document. It effectively transfers political risk from the Federal Government to facility owners. It allows the government to politically assign blame for a successful cyber-attack to the corporate victim.
As we saw after the fall of the Twin Towers, the US public and, to a lesser extent, the business community clearly placed the blame for the success of the attacks on the government’s inability to ‘connect the dots’ and intercept the attackers before they got to the aircraft. Little or no mention was made of the poor security posture of the airlines that allowed the attackers to take weapons onto the airplanes, or to take control of the cockpits once they were on board.
The airlines’ security failures were seen as a lesser problem because, the reasoning went, no one could have foreseen that the aircraft would be used as weapons; no one had done so before. Ralph points out in his RIPE paper that this is a predictable application of ‘risk-based’ reasoning. He notes that:
“Cyber attacks against industrial control system installations are extremely rare, making it appear like a waste of company resources to protect against them. The generally accepted policy is to accept the risk and only after having seen a significant successful attack at home within the same industry, then figure out how to protect.” (p. 1)
Since industry has effectively killed every attempt to write actual cybersecurity legislation that would require it to take even the most rudimentary protective actions, it has become necessary for the government to protect itself from future claims that it is to blame for successful cyber-attacks on those industries.
One of the reasons the airlines had such a poor security posture, even after three decades of successful terrorist hijackings, was that they had done a cost-benefit analysis of the hijack risk. It was clear, in a corporate sense, that the monetary and public relations costs of adequate security were much higher than the cost of the relatively rare loss of an aircraft and its passengers. We still see this today, even after the events of 2001, in the complaints about the costs and inconveniences associated with TSA and its airport screening measures.
One of the reasons the airlines were not held to account for the failure of those risk assessments was that there was never a public accounting of the decisions behind them. The Framework will change that for high-risk critical infrastructure organizations. The Tier process, which I described in an earlier post and which Ralph takes to task in his, is clearly an attempt to make management put their risk management decisions on the record; a record that will make it possible to assign responsibility for the (in hindsight) poor decisions that led up to a successful cyber-attack.