The Entertainment of Ralph Langner's Posts
This fine evening I binged for a few hours on LinkedIn posts from Ralph Langner. It was pure entertainment. I’m not sure many people would find it entertaining; I think you must appreciate the context to truly understand his posts and how funny and entertaining they are. I think my appreciation of the posts comes from my longevity in the security market and my interconnection with physical operations over a similar period.
I’ve been in IT for 32 years, and Security for over 25. He’s picked on materials that I directly contributed to creating when I was at Fortinet. More later about that. I’ve been enjoying the Purdue model posts, as anyone with any sense of history and understanding of the Purdue Enterprise Reference Architecture (PERA) knows that it is not a Security Model. Period. There shouldn’t be any dialog to the contrary. It's a Manufacturing Reference Architecture.
In the context of his posts, he’s bringing up some exceptional points that we in the industry truly need to hear, and it’s not just OT Security. His points need to be heard by the greater community: IT, IT security, marketing, media and the hype engines of big corporations.
These are not his words, but mine, in interpretation of a combination of his posts. We all need to wake up! Wake up people!!
Summary
· Security is sold by too many with FUD: fear, uncertainty and doubt. His posts always try to focus on underlining the need for technical fact and engineering truth.
· OT Breaches are overhyped in the media, picked up and spread in social media, in many circumstances in an effort to sell a product or service. They are hyped to a point where facts about these breaches are muddied.
· The Purdue model is not a Security model. I think he brings this up because of his engineering background; he knows better. The Purdue model isn’t a Security model: it doesn’t describe networks, or segmentation of networks or networked services. Many vendors and IT people use the Purdue model to help find common ground to explain security concepts, to a point where many Security professionals in IT would think it is a Security Model.
· IT created the name OT for the same reason that IT thinks the Purdue model is a Security Model: to try to find common ground. Explainability. Simplicity. IT people need to understand that OT isn’t the discipline; it’s just a nickname that IT coined. At the highest level it’s engineering. The term operational technology as applied to industrial control systems was first published in May 2006 in a research paper from Gartner, a global research and advisory firm that has a strong focus on IT. Prior to the latest upswing in IDS visibility vendors (2013 or so), I had never heard the term OT, yet I had been selling security solutions to operations and engineering for over a couple of decades at that point.
· He likes to pick on his competition. The posts I truly enjoy are ones where he is pointing to press releases about threat research into vulnerabilities of tools and devices that are not common. The point that I take away, and he makes it in many of his other posts, is that Security is much more than Visibility and Vulnerability. He’s making the point that securing environments is about understanding the complexities of risk and exposures, not just device vulnerabilities. It’s about process and putting in the hard work, not just shiny tools. He mentions context a lot, and I hope people take away from his posts that we must understand context. There is so much nuance to the word context, and when he is using it, he’s using it in a nuanced way. I like to think about the engineering of a plant floor, and the need to understand the application or applications designed by the Engineers for the output (I am not talking IT Applications here). If we understand the context, then we can also quantify the risk to the application, and it’s not all Cyber-Physical. Ralph points this fact out many times in his posts.
· He does imply, and is also direct, that we have too many unqualified organizations, and people selling security today. Many times in his posts.
When writing inside a word processor and then copying to LinkedIn, make sure the content is copied properly. Also, when writing articles late at night, let the audience know that you are doing so. I haven't edited my thoughts; these are just the ramblings of an individual who sees Ralph's points. I do find irony in his company name, OT base. Yet I love the name.
Excellent!!
I’m Just a guy who likes to help people reach their potential and solve problems
9mo
I really appreciate your breakdown of Ralph’s post. I tend to share many of Ralph's and your sentiments here. What are your thoughts on many of US DHS CISA's and EPA's current announcements around cyber/physical targets? Is the ICS industry really unaware of threats and threat actors? When I speak with many in the industry, it seems to be a mixed bag.