I attended a half day workshop on Vulnerability Disclosure — yes there is no permanent escape from this topic. But after taking some time off and listening again I may have had an epiphany.

Let’s go back to the beginning with IT vulns, why were vulnerability coordination centers created? After all, vendors are in the ideal position to evaluate vulns, make corrections, create guidance, and distribute vulnerability information to the customer base. Why involve a third party that can’t really add value?

The reason was vendors were not trusted to do the right thing, often with very good reason. Many vendors ignored reported vulns, did not fully notify customers and inspired skepticism in many ways. And to be fair, some researchers/hackers/vuln discoverers had unreasonable expectations of how fast a vendor should react. So CERT coordination centers mediated this process with a level of clout that often pushed vendors to take reasonable actions.

This is very different than the viewpoint of the majority of the control system community. They view an ISAC or coordination center as ideally as an information sharing vehicle for vetted users. This is not working though. Control system asset owner / operators show little interest in working with anyone but their vendors on vulnerabilities. Vendors believe they can directly and properly handle all vuln handling and disclosure issues and have no interest in reporting vulns to a third party.

Is this trust of control system vendors warranted? In our experience, it isn’t. There are some vendors that handle reported vulns responsibly, but the majority, again in our experience, have the same reluctance to accept and address the problems that IT vendors had.

However if the vendors and users that make up probably over 95% of the community are very happy to work directly with each other, then any ISAC or other control system vuln sharing organization is not necessary. What value does it add? What does it do?

If the asset owners trust the vendors, then all that is really needed is some agreement on the responsibilities and expectations of each party. The vendors had almost completed their take on this as part of PCSF. Get the asset owners to do the same and maybe the community is done.

As stated in earlier blog entries, the person who finds the vuln controls disclosure. We will continue our policy of joint disclosure to the vendor and US-CERT, but we are clearly in the minority.