It’s a great idea for ICS-CERT to write a year in review document, especially with sections on lessons learned. That said, it is so disappointing to see ICS-CERT continue to ignore the PLC/RTU ramifications of Stuxnet, fail to acknowledge their serious mishandling of Stuxnet, and, most importantly, fail to say what they will do differently in the future. The closest they come to acknowledging an ICS-CERT problem is:

Timely information sharing of threats and analysis is of chief importance in empowering and protecting public and private sector partners.

Here are some of the items I was hoping to see in the Lessons Learned:

  • ICS-CERT has created new processes for dealing with ICS 0days that emphasize getting information to the affected owner/operators quickly rather than coordinating with the vendor, as is typical in a coordinated disclosure. The new processes focus on gathering and publishing, as fast as possible, information that tells owner/operators how to determine if their ICS is vulnerable to the 0day, what the impact of the 0day is, and what mitigations or compensating controls exist for it.
  • Owner/operators should be concerned about attacks on PLC/RTU/field controllers that affect the integrity of the process, because these devices do not authenticate the source or content of commands. Owner/operators should develop methods to periodically verify that the process has not been modified until vendors provide source and data authentication in the devices themselves.
  • Owner/operators with Siemens S7 controllers should verify the integrity of the process in the S7 more frequently, since the Stuxnet attack framework can be modified to attack all S7 controllers rather than a specific process. Stuxnet can also be modified to have a different effect on the process.
  • PLC, RTU and other field device vendors should prioritize adding security features that authenticate the source and data sent to the device before acting on it for critical functions such as process changes, firmware uploads, writes, etc.
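As an added illustration of the periodic verification the second and third items ask for, here is a baseline-and-compare check over a controller's program and data blocks. This is example code written for this page, not code from the original post, ICS-CERT or Siemens. It assumes a `read_blocks` function that returns every block on the controller as bytes (a stand-in here; in practice it would wrap a vendor or open-source S7 client), and all block contents below are constructed sample data, not real controller memory.

```python
"""Periodic integrity check of PLC program blocks against a trusted baseline.

Added example, not from the original post. The block reader is a stand-in
(hypothetical); in practice it would wrap a vendor or open-source S7 client.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

BlockId = Tuple[str, int]          # (block kind, number), e.g. ("OB", 1), ("DB", 5)
BlockReader = Callable[[], Dict[BlockId, bytes]]


def fingerprint(blocks: Dict[BlockId, bytes]) -> Dict[str, str]:
    """Map every block to a SHA-256 of its contents, keyed like 'OB1', 'DB5'."""
    return {f"{kind}{num}": hashlib.sha256(data).hexdigest()
            for (kind, num), data in blocks.items()}


@dataclass
class Drift:
    added: List[str] = field(default_factory=list)    # on controller, not in baseline
    removed: List[str] = field(default_factory=list)  # in baseline, gone from controller
    changed: List[str] = field(default_factory=list)  # same block, different contents

    def clean(self) -> bool:
        return not (self.added or self.removed or self.changed)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Drift:
    """Diff two fingerprints. Added blocks matter as much as changed ones:
    injected logic can arrive as new blocks rather than edits to existing ones."""
    drift = Drift()
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            drift.added.append(name)
        elif name not in current:
            drift.removed.append(name)
        elif baseline[name] != current[name]:
            drift.changed.append(name)
    return drift


def save_baseline(fp: Dict[str, str]) -> str:
    """Serialise a fingerprint. Keep this off the engineering workstation and
    ideally signed; a baseline stored where the attacker sits is no baseline."""
    return json.dumps(fp, sort_keys=True)


def load_baseline(blob: str) -> Dict[str, str]:
    return json.loads(blob)


def check_controller(baseline_blob: str, read_blocks: BlockReader) -> Drift:
    """One scheduled run: read every block, fingerprint, diff against the baseline."""
    return compare(load_baseline(baseline_blob), fingerprint(read_blocks()))


# --- constructed sample data (not real controller contents) -------------------
GOOD_PROGRAM: Dict[BlockId, bytes] = {
    ("OB", 1): b"\x70\x70\x01\x01" + b"main cycle logic",
    ("FC", 10): b"\x70\x70\x01\x05" + b"pump control",
    ("DB", 5): b"\x00\x10\x27\x0f" * 8,                # setpoints
}

TAMPERED_PROGRAM: Dict[BlockId, bytes] = {
    ("OB", 1): GOOD_PROGRAM[("OB", 1)] + b"\xffCALL FC 999",   # hook inserted into OB1
    ("FC", 10): GOOD_PROGRAM[("FC", 10)],                       # untouched
    ("FC", 999): b"\x70\x70\x01\x05" + b"injected routine",     # brand-new block
    ("DB", 5): b"\x00\x10\x27\x0f" * 7 + b"\x00\x10\x30\x00",   # one setpoint altered
}


def demo() -> Tuple[Drift, Drift]:
    """Take a baseline from the known-good program, then check a clean and a
    tampered controller against it."""
    baseline = save_baseline(fingerprint(GOOD_PROGRAM))
    unchanged = check_controller(baseline, lambda: dict(GOOD_PROGRAM))
    tampered = check_controller(baseline, lambda: dict(TAMPERED_PROGRAM))
    return unchanged, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("unchanged controller clean:", ok.clean())
    print("tampered controller drift:", bad)
```

Two caveats apply to any check of this shape. The blocks are read over the same unauthenticated protocol an attacker would use, so a check run from a compromised engineering workstation can be fed whatever the attacker wants it to see; run it from a separate host, and take the baseline from the offline project files rather than from the controller itself. And because the devices do not authenticate writes, this only detects modification after the fact; it is a compensating control until vendors ship source and data authentication, not a replacement for it.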

Outstanding Questions for ICS-CERT

There are two simple questions that ICS-CERT / DHS has still failed to answer.

1. When did they become aware that Stuxnet attacked a specific process and owner/operators with S7 could easily determine if their process would be affected by checking a couple of data blocks? [Note1: Ralph broke this information in mid-September, two months after Stuxnet was first discussed as an ICS 0day. Note2: Sean McGurk of DHS has repeatedly stated that DHS knew all about how Stuxnet worked.]

2. If ICS-CERT knew what Stuxnet did and how to determine if an ICS would be affected, why did they choose not to tell anyone?

Here’s the problem. ICS-CERT and DHS are pretending that they did a great job on Stuxnet, and, shockingly, Siemens is as well. How is the community to know whether this is just a brave public front, or whether they have learned lessons, changed processes and will likely do better next time? It is understandable that ICS-CERT/DHS made mistakes facing something like Stuxnet the first time, but have they really accepted the mistakes and made changes? It is not evident from the Year in Review or any public statements.

And a third question keeps bubbling up in my mind.

3. Why is ICS-CERT / DHS not pressuring PLC/RTU vendors, Siemens and others, to fix this gaping hole in security functionality? The bulletins read as if Stuxnet were a Windows HMI/EWS problem that is now solved. Where is the leadership on this issue, which INL identified and demonstrated in 2004 and which has now been exploited in Stuxnet?