It would have been easy for Ralph Langner to write a first hand book on the twists and turns of the Stuxnet story. Instead, he goes in a completely different direction by writing essentially an engineering practices book, Robust Control System Networks. And it is one heck of a second act to Stuxnet.
This is the first great, 5-star ICS security book … and Ralph will probably protest that it is not an ICS security book. It is the book you should give to ICS engineers who have been pushing back on cyber security. It is the book you should give to ICS security professionals who need to know how to intellectually reach an ICS engineer. I think an honest engineer reading this book will be embarrassed at the realization of how he has allowed fragility in the form of ‘cyber’ to live in his SCADA or DCS.
Importantly it is not a book to learn what SCADA and DCS are, how firewalls, IDS/IPS, and other technical security controls should be applied to ICS, or how to perform an ICS security assessment.
ICS security professionals have been preaching security and cajoling owner/operators to implement security controls for a decade now with very limited success. In this book, Mr. Langner takes a different approach. He talks about inputs and outputs to a process, controlling variances and other techniques that ICS engineers use all the time. But he applies it to the cyber / information realm making the argument that the ICS community has allowed these applications, systems and networks to be built with a fragility that would not be accepted in the physical systems they design.
Langner argues a robust system should both limit and be able to handle variances, while a fragile system may not work properly with a variance from expected inputs. It is a new language where terms like confidentiality-integrity-availability, least privilege, authorization … are replaced with variance, fragility, robustness and resilience. The idea of a security risk assessment is addressed and dismissed quickly because risk and security, particularly related to threat, are hypothetical while fragility and robustness can be proven for certain inputs.
Chapter 2: The Problem of Cyber Fragility in IACS and Chapter 3: Cyber Robustness are the must reads. I think it will change the lexicon of, and approach to, ICS security for many practitioners.
Mr. Langner spends portions of multiple chapters on documentation, both on the specifications and the actual system model. When you consider the disparity between the physical engineering diagrams and the logical interface diagrams it is not surprising that variances cause problems because often times owner/operators (and even the vendors) don’t know the details of logical interface. The documentation may be the hardest sell from the book, but again you can ask the owner/operators if they would deploy and operate a system with a similar lack of physical system understanding and documentation.
The book is very well written and edited. It flows logically and pulls you along a path. The tone and approach is consistent, but there are enough war stories (consistently in italics) to keep it interesting and emphasize the concepts are not just theories.
Those new to ICS should make sure to read the Appendices. They contain story after story about how variances in applications, systems and networks have had negative affects on ICS. The difference is it is not written with the common defensive reflex “ICS are different”. It was my least favorite part of the book, but I’m sure many new the field will enjoy it.
Nits To Pick
There is not much to criticize about this book, but here are two very minor points:
- The book is written for engineers, but I found myself thinking a few times that a certain engineering effort was almost identical to an Information Security (IS) practice. For example the UML diagrams for the cyber process system model in Chapter 4 seemed almost identical to threat modeling. It likely would have ruined the flow of the book to try to include this comparison in each chapter, but the second edition could benefit from an appendix mapping engineering practice to the IS practice.
- Creating and frequently using the words robustifying and robustification. This really is just a writer’s complaint. It is intuitive what they mean, but I hope they don’t become common usage in ICS security.