Ralph Langner is best known for discovering how Stuxnet actually altered the logic in the Iranian S7 PLCs, but he has a history of great research prior to that and is a strategic thinker as well. We gave his last book, Robust Control System Networks, a five star review and consistently recommend it for both Operations and IT to read.
Ralph’s latest big contribution is out today: The Robust ICS Planning and Evaluation (RIPE) Framework (pdf). In the paper he defines eight different domains and metrics to measure progress in the domains. There is a lot of detail in there for a high-level, 12-page paper.
I had the opportunity to read and digest the paper prior to its publication, and the key point I pulled from it is the term “security capability”. Ralph writes “it is a waste of resources to invest in security controls without having established security capability first. … In order to prioritize security efforts for maximum effectiveness, one must first have established a baseline cyber security capability.”
Clearly there are exceptions, such as establishing an ICS security perimeter, but Ralph raises an important point. We often talk clients out of expensive software and hardware security purchases because they would provide an illusory sense of security. The security capability term and its metrics give us a cogent way to explain and measure this.
The paper also draws a parallel between quality management and ICS security. “A first lesson from quality management is that process capability is a prerequisite for product quality.” He extends this analogy throughout the paper. Will this analogy be convincing to the Operations group, which is well versed in quality management?
The RIPE Framework is worth reading, setting aside for a few days and reading again.