What I learned from spending two days with Ralph Langner, the man who reverse engineered Stuxnet

I got to meet Ralph Langner in person recently, which, for an InfoSec person, is an amazing thing to have happen! Ralph Langner is, of course, the engineer who reverse engineered Stuxnet; his TED talk can be seen here. Ralph Langner and another representative from the Langner Group came to the firm where I am employed to give a presentation on OT Security.

While I cannot blog about any proprietary information about the firm for which I work, nor can I relay any of the technical specifics from the Langner Group presentations, I can talk about the core of what I learned from Ralph Langner about defending Industrial Control Systems (ICS).

Protecting Operational Technology (OT) systems differs greatly from protecting the digital assets we have become accustomed to in IT. In IT Security we rely on detection. We all understand that you cannot prevent 100% of attacks, and thus detection technologies have taken the driver's seat in many companies' IT security programs. We detect, we confirm and we remediate. Wash, rinse and repeat. Prevention is good, but detection is a must.

In the Operational Technology world, that methodology is reversed. Prevention takes the driver's seat. Attacks against Industrial Control Systems use SCL (Structured Control Language): the attacker simply passes ordinary SCL instructions to the machine, telling it to do something. These commands would not be seen or recognized by any IDS, because the attacker is not sending a hash or a file into the machine, just instructions. Sniffing and inspecting network traffic and trying to match signatures is simply not effective here. All focus in OT Security is on prevention. Prevent OT systems from accepting USB sticks. Prevent OT systems from connecting to the internet. Prevent unauthorized changes to a PLC. Prevent unauthorized people from accessing your OT systems.

The other point that the Langner Group hit home is that you cannot simply force IT Security policy on OT engineers. The playing field is different. Policies cannot be the same in OT. The InfoSec manager who comes into an OT shop and forces security on OT will most likely break working engineers' workstations (and their ability to do their jobs) and also break the relationships. One of the reasons for this is that the software for Siemens (and other machine systems) that is installed on the engineering workstations is not like any other software: it only works on specific versions of Windows, it is not patch friendly, and it is supposed to be this way. Many of the SCADA systems, PLCs, and human-machine interfaces run on proprietary and old software (many with no authentication mechanisms built in). This is a hard reality for IT Security people to accept and work with.

The OT side of the house must be treated differently from a patching, versioning, and policy standpoint. IT Security must build good relationships with the OT teams and work with them as a single team, and it is very important for IT Security guys to listen and truly understand the OT side of the house and the challenges they face. IT Security guys need to become well versed, intimately, in what the OT engineers need to do their jobs.

The Langner Group's solution for preventative OT Security is an oversight framework, asset/inventory management and configuration management solution for all industrial control systems, which they call RIPE. I've seen their RIPE software; it was very impressive and well thought through (what else would I expect from the guys who cracked Stuxnet?).
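To illustrate the two points above in code, that an attacker's edit to controller logic consists of ordinary, valid instructions no signature will match, and that configuration management of PLC logic is therefore the preventive control that reveals it, here is an added example that is not code from the Langner Group, RIPE, or the original post. It baselines a set of SCL-style logic blocks by hash and reports any block that differs from the approved baseline without an approved change record; the block names, contents and change records are all constructed for the example.

```python
import hashlib

# Constructed, illustrative SCL-style blocks as they might be read back from a
# controller. Real tooling would pull them from the engineering project or the
# PLC itself; here they are inline so the example runs offline.
APPROVED_BLOCKS = {
    "OB1":  b'"Pump_Control"(); "Pressure_Guard"();',
    "FB10": b'IF "Start" THEN "Pump" := TRUE; END_IF;',
    "FB20": b'IF "Pressure" > 1500 THEN "Pump" := FALSE; END_IF;',
}


def fingerprint(blocks):
    """Map each block name to the SHA-256 of its contents."""
    return {name: hashlib.sha256(body).hexdigest() for name, body in blocks.items()}


def compare_to_baseline(baseline, current, approved_changes=frozenset()):
    """Classify every block that differs between the approved baseline and the
    controller's current logic. Any difference without an approved change
    record is reported as unauthorized. The edit itself may consist of
    perfectly valid instructions, so only the baseline reveals it."""
    report = {"added": [], "removed": [], "changed": [], "unauthorized": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            kind = "added"
        elif name not in current:
            kind = "removed"
        elif baseline[name] != current[name]:
            kind = "changed"
        else:
            continue  # fingerprint matches the approved version
        report[kind].append(name)
        if name not in approved_changes:
            report["unauthorized"].append(name)
    return report


def demo():
    """Constructed scenario: FB30 is added under an approved change record,
    while FB20's pressure limit is altered with no record at all."""
    baseline = fingerprint(APPROVED_BLOCKS)
    current = dict(APPROVED_BLOCKS)
    current["FB30"] = b'IF "Maint" THEN "Alarm" := FALSE; END_IF;'
    current["FB20"] = b'IF "Pressure" > 9500 THEN "Pump" := FALSE; END_IF;'
    return compare_to_baseline(baseline, fingerprint(current), approved_changes={"FB30"})


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:12s} {names}")
```

Note that the altered FB20 is still syntactically valid logic a controller would happily run; nothing about the instructions themselves is suspicious, which is exactly why the comparison against an approved baseline, rather than traffic inspection, is what surfaces it.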

I am both humbled and grateful for the opportunity to have met Ralph Langner. Thanks for reading!