Ralph Langner, of Stuxnet fame and a recognized control system security
expert, has an interesting post on his corporate blog about the general
ineffectiveness of the proposed Cybersecurity Framework and his own detailed
proposal for an industrial control system security framework: Robust ICS
Planning and Evaluation (RIPE). A review of RIPE will have to wait until I have
time to closely read the 12-page document, but his comments about the proposed
NIST Framework deserve immediate attention.
Unpredictability
Ralph makes an important point early in his post when he states that “a
fundamental problem of the CSF is that it is not a method that, if applied
properly, would lead to predictable results”. The reason is clearly that the
Framework is not, at its base, a document about cybersecurity, but rather a
political document. It effectively transfers political risk from the Federal
Government to facility owners. It allows the government to politically assign
blame for a successful cyber-attack to the corporate victim.
As we saw after the fall of the Twin Towers, the US public, and to a lesser
extent the business community, clearly placed the blame for the success of the
attacks on the government’s inability to ‘connect the dots’ and intercept the
attackers before they got to the aircraft. Little or no mention was made of the
poor security posture of the airlines that allowed the attackers to take
weapons onto the airplanes or to take control of the cockpits once they were on
the aircraft.
The airlines’ security failures were seen as a lesser problem because no one
could have foreseen that the aircraft would be used as weapons, since no one
had done so before. Ralph points out in his RIPE paper that this is a
predictable application of ‘risk-based’ reasoning. He notes that:
“Cyber attacks against industrial
control system installations are extremely rare, making it appear like a waste
of company resources to protect against them. The generally accepted policy is
to accept the risk and only after having seen a significant successful attack
at home within the same industry, then figure out how to protect.” (pg 1)
Since industry has effectively killed every attempt to write actual
cybersecurity legislation that could require industry to take even the most
rudimentary positive protective actions, it has become necessary for the
government to protect itself from future claims of blame for successful
cyber-attacks on those industries.
Risk Management
One of the reasons that the airlines had such a poor security posture, even
after three decades of successful terrorist hijackings, was that they had done
a cost-benefit analysis of the hijack risks. It was clear, in a corporate
sense, that the monetary and public relations costs of adequate security were
much higher than the relatively rare loss of an aircraft and its passengers. We
still see this today, even after the events of 2001, in the complaints about
the costs and inconveniences associated with TSA and its airport screening
measures.
One of the reasons that the airlines were not held to account for the failure
of their risk assessments was that there was never a public accounting of those
decisions. The Framework will change that for high-risk critical infrastructure
organizations. The Tier process that I described in an earlier post, and that
Ralph takes to task in his post, is clearly an attempt to make management make
a recordable statement about their risk management decisions; a statement that
will clearly be able to assign responsibility for poor (in hindsight) decisions
that led up to a successful cyber-attack.
1 comment:
Here's my critique of Langner's critique of risk management: http://exploringpossibilityspace.blogspot.com/2013/09/mr-langner-is-wrong-risk-management.html