Ralph Langner is the founder and CEO of Langner Group. Since 1988, he has gained hands-on experience in cybersecurity issues at power plants, water treatment plants, nuclear facilities, food and beverage manufacturers, automotive plants, steel mills, and many other sectors.
Langner is considered a world-leading expert in cyber defense and has received worldwide recognition for his analysis of the Stuxnet malware.
Together with Jannis Stemmann from CyberCompare, Ralph Langner discusses the state and future of OT security. The topics include the frequency and severity of OT attacks, which types of cybersecurity investments are most likely to pay off for a mid-sized company, and how the future of the cybersecurity market will look like.
Mr. Langner, I tried to think a little bit about how that actually started, that you came up with the topic of OT security in the first place?
When I started my own software company, which was the case in 1988, coincidence actually brought me to the point where my software was sold to industrial companies, which then manufactured the first PCs with industrial devices, i.e. PLCs in a broader sense, and I happened to have just launched a software component for it, basically my first product, if you want to say it that way, that was suitable.
What are the typical inquiries that customers approach your team with today?
It’s basically very simple. We withdrew completely from consulting about five years ago. We only did OT Security Consulting for about 20 years and then I let go on it five years ago. Thus, I gave the company a complete realignment, back to software development and, we can still talk about it if you are interested in the reasons for that, but because we now also have a very clear profile, it is basically clear who comes to us, is interested in OT asset management, is no longer interested in a consulting project, because, I think by now most people have understood, yes, Langner doesn’t do that anymore. That is no longer our focus and now the inquiries are all about asset management.
Now, you and your team are world famous, especially for Stuxnet, for having cracked Struxnet, as well as consulting the U.S. government on the matter. Is there perhaps another very tricky technical challenge, you and your team have solved and that you can tell something about?
Yes, I reckon Stuxnet would be enough for a living, but you want to tickle a little more out. I can tell you something.
Well, we tried to get the quintessence out of the Struxnet analysis and then asked ourselves or the customers, tell me, what should you actually do now if you avoid such threats, which have become clear as a result, if you avoid them and would like to minimize it, and to do this we have been working on an analysis approach for a while, which I have called “Critical Penetration Analysis”. You won’t find any whitepapers or anything like that on it, but we’ve practically developed an internal methodology for ourselves, where we say that these attack vectors are there and that they could then lead to critical consequences.
And, don’t know how well known that is, we’ve also been in the nuclear industry for a few years. We made technical analyzes and from my point of view it was a very exciting thing that ultimately had no consequences and, yes, what a pity, how dumb, but then of course you entrepreneurs have to draw at some point the conclusion, yes , nobody cares. Well, there are a few things. I have published a bit. I have hold a lecture, I think 2016 in Miami at the S4 conference, where, based on this analysis, I tried to clarify the analysis a bit and how to approach it, i.e. I described a credible scenario of how you can cause a core meltdown in a nuclear power plant with a cyberattack. So, if you really try to take it to excess, and I’ll tell you what, also for your viewers, for someone who cares, it’s not a fantasy, this scenario has been very carefully researched.
Well, in part you controversially represent the position saying, ok, to be honest, there weren’t that many OT-specific attacks, or at least they aren’t known.
I don’t know what’s controversial about that, it’s a fact. Well, facts are not controversial. Opinions can be controversy, but not facts.
Yes, ok, exactly, there are also expressions that say, ok, “just because you are not invited to the prom, does not mean there is no dance”, or something like that. That in reality there are a lot more attacks that are OT specific, but […]
Well, that’s complete nonsense. If you ask more precisely, what do you mean there, what kind of attacks are they? Then you come to the most absurd claims. I’ll give you an example of what I thought was very stupid back then.
Israeli water operator: “Yes, we have over a million cyberattacks a day.” Complete nonsense. Yes, if you consider every ping coming to your website from the internet or spam, if you consider that a cyber-attack, then yes ok. Well, then of course it’s clear, then we’re talking about completely different things. There have been no actual cyber-physical attacks. Attempted attacks maybe, but actual attacks, successful attacks, not, and I can tell you, I can explain to you and to the viewers, why we know that, because if there had been, you would know about it immediately because the usual suspects like FireEye or Dragos would open up a huge barrel and would explain to you in the finest detail what happened there and why it is so important and, above all, what could have happened, because usually very very little happens, fortunately. Yes, anything that could have happened. They would read whitepapers about it, they would receive webinars, they would receive invitations, etc. They would hear conference presentations. None of this happened.
And, what many people don’t understand, the orders of magnitude have just gotten completely out of whack. You can easily understand that. Your viewers will know that too, at trade conferences: “Listen. Yeah, there was, look, there was Stuxnet and then here in […] Florida and then there was back in 2000, there was the Vitek Boden in Australia, in Maroochy Shire, the brackish water was […]”. And then you count around 10 alleged attacks and usually […] then there are things that have nothing to do with OT at all. […] Now let’s stick with the number 10. We have omitted a few more, that’s 20. What many are now missing, 20 is nothing. You just have to look at the scale. Compare that to IT attacks, i.e. ransomware, which we see practically every day these days. Compare that to cyber espionage. They’re talking about a completely different order of magnitude, about hundreds of thousands. So that’s why I’m only roughly categorizing it and why I say it like that.
I think if you don’t do that reality check, then at least you lose credibility with customers because anyone who can think logically will face the same consequences. “Come on, there wasn’t that much.” And for me, the whole thing really changed after Stuxnet, because I was really scared at the time. I was panicking. I thought, look, there must be people who now understand, just as we understood it, yes, you can modify this attack and drive differently and then we have a huge problem. Back then, I didn’t even think about the critical infrastructure, but the topic for us was of course Germany as a business location. You can launch a similar attack against the entire German automotive industry and shut it down. Could have, like that. – And now we see ten years later, it didn’t happen. Thank God it didn’t happen, could have happened but didn’t happen. And then I drew the conclusion from that, yes, we were lucky and whatever the reason the packers did not attack it, I just acknowledge the fact and say, yes, we were lucky, and now we don’t have to exaggerate the issue, but instead focus on approaching the issue in such a way that we really deliver real added value to the customer, and that doesn’t lie in reducing imaginary risks, but in other aspects that we make life a little bit easier for the maintenance staff, for example.
Many of our customers come from medium-sized companies. Does that mean, conversely, that you would say to them, “Okay, such an investment in OT security is actually not worth it for you”?
I wouldn’t say that. I think the trick is to make the investments where it will bring something. And that’s not so easy, and here, consultants play a role. Because spending money in OT Security is insanely easy. To spend money without getting anything in return, except maybe a good feeling. “Ha! Nothing can happen to us now”, which of course is nonsensical.
You have to invest something, leave alone out of business due diligence. You can’t ignore the topic, but actually everyone knows that nowadays. So, everyone already knows as a private user that there are hackers and that beyond the hackers, that there are nation states that are doing their mischief here on a massive scale. I think medium-sized companies understood that very well. Medium-sized companies, German medium-sized companies, are massively affected by a very specific issue, namely industrial espionage. So, saying China – that’ s going on a grand scale. And I think they know that and that’s why some of them are doing something. Whether they are doing enough now and in the right place, I don’t know. But I think the topic is already present and to say now: “Yes, so far there have been no shutdowns of production plants, there have been no catastrophic cyber-attacks here, nothing has exploded, so we don’t have to do anything”, which of course is completely naive.
I know it’s always hard to make blanket statements, but if you have as managing director done little in the area of OT security of an SME, where would you normally start?
Yes, of course, that’s a good question for me now, because the answer is very simple: you have to start with asset management.
That is the factual basis of everything else. Because otherwise, as long as you do not know what is installed in your networks and where there are transitions, for example remote maintenance access, then your talk about cyber security is just talk. Then it just happens in imaginary space. And everything you do then will only remain imaginary. That would be very important, and I think it’s still a major problem for SMEs, that it is just very difficult for the smaller companies – by the way, you can also see that in the critical infrastructure, in the water supply or with the electricity network operators, where we also have many smaller operators – to secure the entire remote maintenance access, all the laptops that are brought into the companies by external companies, to control it to some extent, although that would actually be one of the main tasks, to bring a bit of order into it. This is very difficult for smaller companies. The big car manufacturers simply say: “No, you don’t come in here with your laptop. Period. And if you want to work for, I don’t know, Daimler or BMW, then yes, that’s not possible. We’ll put the laptop there for you, you can then sit down, but your laptop stays outside.” And of course, you can’t afford that now as a small medium-sized company.
Although, we mustn’t forget, medium-sized companies are a flexible area, there are also very large ones who try to enforce this against their suppliers, but this is such a neuralgic point that is very difficult to tackle because everyone knows it , well, if he can bring his thing with him, where all his engineering software etc. is on it, all his projects, then that makes a lot of things easier. Yes, only he doesn’t just bring his projects with him, he may also bring his malware with him, which of course he doesn’t know about. And that’s a problem that I see as very important and urgent, because the usual suspects are in the area, I’ll use the keyword “China” again, of course they know exactly where they can get in. And that would be especially the case with external companies, with engineering offices, which usually have practically nothing in terms of cyber security, but which have an Internet presence, which can be found on some mailing lists, which are therefore also susceptible to spear phishing et cetera. That’s where you would start. Yes, not an easy issue.
If we stick to the topic of inventorying. Which aspects are perhaps not so obvious if you want to create an inventory not only of the IT but also of the OT assets and to update it?
Yeah, well, I guess, which isn’t obvious, you have to have such an inventory and you can’t do it by hand.
You have known the OT area for over 30 years. What do you think: will the market continue to consolidate or will there always be new niche players? Are there perhaps also solutions or companies where you estimate that they will probably be among the winners?
Yes, I believe that we are only at the beginning because you mustn’t forget one thing: in OT, in automation technology, the time flows by ten times slower than in the rest of the world. But I think what will change the most, that’s a prediction I’m making, that’s the consulting industry. The cybersecurity consulting industry in the OT, it will continue to exist, must continue to exist, because we can only automate it to a certain extent, security-wise. And I think the upheaval that is ahead of us in the consulting industry, promoted by Covid, will be affecting these projects massively where you do 20 workshops on site with the client, we’ll get away from that.
What are half-truths or sometimes false statements that you have come across or that you may have recently come across again?
Yes, well, I think the most important nonsense to state is: the number of attacks is constantly increasing. This is complete nonsense.
And apart from that, I am of the opinion, yes, when it comes to cybersecurity in the ICS environment, one should always point out that there are no patent remedies, such as ICS detection products or threat intelligence or something like that, it is important to create a mix of measures, in which issue the consultants still have an important role.
Mr. Langner, if you could send an e-mail to every CIO or CISO in the world, what would the key message be? What would perhaps be written in the subject line?
I would say, be careful. We now have to make sure that this topic of cybersecurity in production doesn’t get completely out of hand. Because we have now reached the point and this point is basically called Industry 4.0 or Digital Transition.
We now know quite clearly that the digitalization of production is picking up speed and that a few years ago it was not that clear yet. Well, I can still remember times when the prevailing opinion was, yes, this whole thing with IT in production with PCs for visualization was all just an add-on, that is, a piece of cake. Just skip it completely, nobody cares. By now, a few years later, everyone knows, keyword “Colonial Pipeline” – No, that’s no longer the case. Now IT or digital components and architectures are hooked into everything and have become like an octopus, you can’t do without them anymore. The problem we have is that if you no longer know this octopus exactly and no longer understand it, then you actually no longer control your company and your production. Yes, and we are now getting closer to this, the American would say “Inflection Point”. If you can’t get it under control now, it’s over.
Well, I can only advise everyone to deal with the topic and, above all, not to lose heart and say: “Oh, it’s all so terrible with the threats. And the Russians and APT 5 and APT 16 and so on …” – All nonsense.
I would recommend this especially to the German audience. It’s a technically exciting topic, which can also be solved technically, and more people should be involved in it than has been the case up to now.
Nice final words.
Mr. Langner, thank you very much again for your time and your contributions and we wish you all the best for the future and we would of course be happy to stay in touch.
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.