I was tough on ICS-CERT’s performance on Stuxnet in an earlier post. Now ICS-CERT is reaching out to a number of people in the control system community, including Digital Bond, to get some candid feedback on what they need to do differently or better. There is likely to be a lessons learned session and more information gathering at next week’s ICSJWG.

Here is a summary of what I think went wrong and some suggestions.

ICS-CERT Needs A Different Process For Exploits in the Wild

ICS-CERT treated Stuxnet like a typical researcher-reported vuln rather than as an exploit in the wild. They focused on working with the vendor to resolve the issue. What they also needed to do was tell owner/operators how to tell if they were compromised, what the impact or impacts were, and how to remediate and prevent Stuxnet.

An analysis of Stuxnet showed it was attacking a specific process and stopped if it did not find that process. ICS-CERT should have provided the community with an easy way to determine if they were a target. This would be hugely valuable to an owner/operator with Siemens PLCs who is trying to determine how to respond to Stuxnet. Even at this late date, ICS-CERT has not provided this information, although it is well known now to Langner, Symantec and others.

Mischaracterizing the Impact

ICS-CERT has never been direct and clear enough about the impact on the PLC throughout the bulletins. Their focus was and is on the Windows portion of the attack, but the ICS in their name should have prodded them to focus on the process-related impact. The impact on the PLC is something you would expect an ICS-CERT to have special expertise on compared to a US-CERT.

I’m also certain this was due to some ICS-CERT feeling of caution in giving the bad guys info rather than not knowing the technical details. It was a bad call. Once an exploit is widely available, this caution should be set aside and the focus should be on fully informing the affected users.

Where is the Remediation Advice?

“Contact vendor” is not useful advice. Again, this is still an area that is lacking. Stefan Lueders from CERN recently had some remediation advice on using the checksum feature and other admittedly not great Siemens features. Also, why doesn’t ICS-CERT issue one or more IDS signatures?

Where is the advice telling you how to determine if your PLC is compromised and what steps are required to return integrity to the system? We are three months into Stuxnet and this is still not available.

Relying on the Vendor

One of the biggest flaws was continuing to rely on the vendor when they were obviously failing to handle this properly. For researcher-identified vulns that are not yet public, a mediation-type role with the researcher and vendor may be appropriate for ICS-CERT. When it is out in the wild, all consideration has to be given to helping affected customers. If this makes the vendor look bad, so be it.

The funny thing is ICS-CERT was broken out from the normal CERT for their control system expertise, but what they needed in this case was a generic CERT’s experience in dealing with the differences between published exploits and as yet unpublished vulns.