Ralph Langner is co-founder of the Langner Group, an independent cyber defense consultancy, and has a quarter of a century of experience working on cybersecurity issues that impact critical infrastructure. Langner spoke with The Cipher Brief about how the threats facing our nation’s critical infrastructure have evolved, and what needs to be done to maintain security.
The Cipher Brief: Your experience has been focused primarily on critical infrastructure that relies on industrial control systems. Could you briefly describe what those are?
Ralph Langner: Industrial control systems are small, embedded computers without keyboards, mice, and screens. They execute program code that directly controls the physical actions of pumps, motors, valves, heaters, and all other kinds of industrial equipment. You can find those systems anywhere from within nuclear reactors to elevators and escalators. With respect to critical infrastructure, they are used prominently in the energy sector, in transportation, chemicals, the defense industrial base, dams, critical manufacturing, nuclear, and water.
TCB: What do you see as the greatest threats to industrial control systems, and to the infrastructure that depends upon them?
RL: Presently, the greatest threats to industrial control systems in the majority of critical infrastructure come from adversarial nation states. For example, in the U.S., we have seen large-scale intrusions into systems in the energy sector. It is pretty obvious that the respective attacks have been launched by nation states.
TCB: How have the threats to critical infrastructure changed over time? What do you see as the primary drivers of those changes?
RL: The threats have evolved as they begin to include non-state actors, such as ISIS, which just recently launched a cyber attack against American electrical power companies. While the attack was not successful, only a completely naive observer would believe that this would prompt ISIS to forget about cyber and focus their attention more on decapitations and rape. It is predictable that non-state actors, from terrorists to hacktivists, will target the energy and water sectors more often.
TCB: Are there any challenges that you have seen which are specific to the sectors that use industrial control systems? If so, how can these challenges best be overcome?
RL: The specific cybersecurity challenges with respect to industrial control systems are pretty clear. First, the vast majority of those systems and architectures are insecure by design – rarely are there commonplace security features such as authentication and authorization, encryption, or digital signatures on code. Second, asset owners and vendors are reluctant to drive change on the naive assumption that because the West did not experience a substantial cyber-physical attack, it might not be possible, or at least not very likely. Third, we are installing new digital control systems and Internet-based connectivity like crazy, thereby exponentially implementing new vulnerabilities. In five to ten years, the rush to the "Industrial Internet" will most likely be viewed as a rush to non-defendable critical systems.
TCB: What do businesses operating in critical sectors commonly overlook or do wrong with regard to securing their infrastructure?
RL: Most businesses overlook that if they do not approach control system security like any other business task, by implementing a sustainable process with personal accountability and budget, nothing is going to happen. If you want to get an instant overview of the control system security posture of any operation, you don't need to look at technical aspects but at the existence of a formal, written cybersecurity program, at the number of staff members assigned full time to the task, and at their annual budget. In the majority of cases, those numbers are shockingly low.
TCB: What do you see as the government’s role in maintaining the security of critical infrastructure? How can the government and businesses improve their ability to work together in order to achieve that goal?
RL: The only specific role that the government has with respect to the cybersecurity of critical infrastructure is to define red lines and requirements in order to prevent cyber attacks on private sector entities from becoming threats to national security. Unfortunately, this sometimes may involve regulation. Beyond that, I see little benefit in the so-called public/private partnerships. They sound good but have failed to show hardcore results. I strongly believe that the private sector can easily solve the problem of insecure control system architectures in private/private partnerships – we actually don't need the government's help. And if we actually got serious about it, we wouldn't even need regulation.