Ralph Langner

U.S. Cyber Security Framework Is Good News - For Hackers

Ralph Langner, the renowned expert on the security of industrial control and SCADA systems, warns that the latest draft of the U.S. Government’s Cyber Security Framework (CSF) will do little to make critical infrastructure more resistant to devastating cyber attacks.

Draft US Government guidance on cyber security standards would do little to improve the security of critical infrastructure in the U.S., says one prominent authority.

Writing on his blog, Langner said that a draft of the National Institute of Standards and Technology’s (NIST’s) Preliminary Cybersecurity Framework does little to compel critical infrastructure owners to improve the security of their systems, or guarantee uniform (and robust) cyber security standards in the critical infrastructure space.

NIST released the latest draft of the CSF late last month (PDF). But Langner, writing on Wednesday, likened the framework to a recipe that, if used by three different chefs, produces three totally different dishes…or just a messy kitchen.

“In less metaphorical words, a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results,” Langner wrote.

Rather, the draft succeeds mainly in connecting the dots between cyber risk and existing risk-based standards and methodologies that the group has already endorsed. “Application of the CSF has no predictable effect on empirical system properties and measurable cyber security assurance,” Langner said. 

Starting with mushy standards, the CSF also puts on the kid gloves when it comes to implementing them, Langner argues. Rather than setting firm standards for what level of cyber security maturity different types of critical infrastructure owners need to attain, the draft CSF from NIST leaves it to organizations themselves to choose the level (or “tier”) of cyber security maturity that is right for them, then implement the CSF to that level.

Langner warns that such an approach makes it easy for any organization to comply with CSF, simply by choosing a higher or lower implementation tier to aspire to. “It makes everybody happy. Everybody, including potential attackers,” Langner writes.

Langner has been a critic of the U.S. emphasis on voluntary, risk-based standards for cyber security with critical infrastructure. (Photo courtesy of Ralph Langner)

The Hamburg, Germany-based security consultant is a leading authority on the security of industrial control systems. He rose to international notoriety in the wake of the Stuxnet worm, when Langner was among a small circle of SCADA and ICS experts to (correctly) deduce that Stuxnet was designed as a targeted attack on Iran’s uranium enrichment facility at Natanz.

Langner has been a vocal critic of the “risk based” methodology advocated by recent U.S. presidential administrations and lawmakers, and embodied in President Obama’s Executive Order for Improving Critical Infrastructure Cybersecurity. The U.S. relies too much on voluntary compliance with risk-based methodologies, Langner says. Such an approach has been tried for decades without measurable success, he argues, and a risk-based approach “gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.”

A better approach would replace voluntary compliance with risk-based frameworks with what Langner describes as “clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities”.

Read more on Ralph’s blog here.


  1. Here’s my critique of Langner’s critique of risk management. http://exploringpossibilityspace.blogspot.com/2013/09/mr-langner-is-wrong-risk-management.html

    • A really well done analysis, Russell. I think Ralph’s other major point was that the ‘voluntary compliance’ regime favored by the U.S. government is at least as much to blame as the focus on (unproven) risk-based approaches. He seemed to be saying 1) we need to focus on evidence-based approaches to securing cyber critical infrastructure and 2) we (that is: the government) need to set a (high) bar and then compel CI owner/operators to clear it, rather than allowing them to set the bar at whatever height feels comfortable to them. (To use an extended ‘track and field’ analogy.) – Paul