The reason I attended ICSJWG was that I had the surprising opportunity to participate in a vulnerability disclosure panel. Surprising because DHS knew I was likely to be quite critical of certain vendors and ICS-CERT.
The panelists had ten minutes for a presentation, then it was open discussion. The major points in my presentation [pdf] were:
- Talking about responsible disclosure is a waste of time. Stop doing it. The person who finds the vulnerability will do whatever they want, and every person has unique experience, motivations and self-interest. I gave Project Basecamp as the example. Everyone in the room could agree on the responsible disclosure process, but it would not matter. Digital Bond and the Basecamp team, as the finders of the vulns, decide how we will disclose the vulns. (Not to ICS-CERT in advance because there was no need for coordination help, advance notice to some consulting clients, a small portion coordinated with vendors, and most disclosed at S4 along with enumeration tools and exploit modules.)
- ALL EFFORT should be on “Effective Disclosure” – giving owner/operators of ICS the information to understand the details and impact of the vulnerability, mitigations (if available) and compensating controls so the ICS customer can determine how to address the change in risk.
- ICS vendors have the primary responsibility for providing honest, forthright and clear information to their customers. ICS-CERT has two roles in Effective Disclosure. 1) Use their bigger megaphone to get the information out to those ICS users and support organizations the vendor may not reach. And 2) provide honest, forthright and clear information about the vuln when the vendor does not. (ICS-CERT has met #1 and failed on #2)
Check out the presentation (pdf) to see negative examples from Siemens, positive examples from Rockwell Automation, and both positive and negative examples from ICS-CERT. The key is whether the vendor is providing the owner/operator with the information needed, and that often hinges on being forthright and clear. I will try to record the voice track for this presentation.
Unfortunately, based on the panel and audience discussion, I made few converts. The room seemed determined to work on the intractable responsible or coordinated disclosure issue: trying to convince all who find vulnerabilities to play ball with some responsible or coordinated method that vendors, ICS-CERT and owner/operators agree is appropriate. That’s an issue that we refuse to spin our wheels on any more. Our focus is on getting the right info to the owner/operators however a vulnerability is made known to the vendor.
There is also a hesitancy to say vendor A is good at this and vendor B is bad at that. Why can’t we just say that Siemens was not honest, forthright and clear about the Beresford vulns rather than say all ICS vendors need to improve? Similarly, there were comments about ICS vendors not supporting anti-virus or not responding to customer security issues. Anti-virus has been a solved issue in most SCADA and DCS for five years or more. Who doesn’t support anti-virus? Let’s name names. Give credit where credit is due and call out those that are far behind.
Another area that both DHS and I raised, actually in agreement, was the reassessment of what ICS-CERT should be doing. They have had a 753% increase in ICS vulns. Do we really want ICS expertise spent coordinating 76 freeware HMI vulns that Rios & McCorkle found? It would be better if they spent more time analyzing vulns that had a big impact on the critical infrastructure. Ernie Rakaczky of Invensys was on the panel and discussed that DHS should have a good idea by now of what ICS are prevalent in each sector and could use that for prioritization.
Kevin Hemsley of ICS-CERT said the increase in vulns and the expected continuation of this trend have them looking at prioritization of work and at different ways to handle the deluge and increase focus on the most serious issues. No conclusions yet from ICS-CERT in this area, but nice to hear.
DHS and INL are actually receptive and actively listen to both positive and negative feedback. They are going to need to step up their game and pace of change to be effective, and it is uncertain if a government effort can do this.
Image by Dottie Mae