Call me an information sharing skeptic. The first truth of information sharing is that organizations and individuals only share information when it is in their self-interest. This dooms most information sharing efforts, because most members are in receive-only mode.
A second truth, at least in the ICS security world, is that information sharing is overrated. Even if we could achieve utopia-level information sharing, where anyone with information that would benefit your organization shares it, I contend it would make very little difference to an organization’s actions or security posture.
Let’s look at this with two questions.
1. What Information (that exists) Do You Want?
First – I’d like loyal readers to answer that question, but remember that the information has to exist.
I know many want detailed threat data and advance notice of attack techniques. This is not available unless you are talking to the attacker … who may be the very entity you are asking for the threat data.
The majority of attacks are traditional attacks on corporate networks: spear-phishing, exploit attempts against missing patches, default and brute-force password guessing, … No shared information is required to know this. And there is no hidden cache of information about control-system-specific attacks. Owner/operators don’t have it; vendors don’t have it. Maybe there is some government storehouse of data, but the evidence shared to date has been underwhelming and already known to those in the industry.
The most useful information would come from vendors better explaining to customers how to secure the system they sold, or from one user passing a best practice to another. This kind of information sharing already happens in user groups and industry groups, which should be enhanced. There is no need to create an information sharing framework for this.
2. How Would Your Behavior Change With This Information?
ICS security efforts are still immature in most vendor and asset owner organizations. It is not difficult to determine where and how the most effective, efficient risk reduction can be had. In fact, most consulting engagements are more education and culture change than discovery. It’s hard to imagine a piece of information out there that would change the security strategy and prioritized actions at most SCADA and DCS sites.
For example, the community has known for years that the vast majority of ICS have no integrity. Boreas, rogue firmware uploads, Stuxnet, Project Basecamp, … nothing has changed that. No information sharing is required to know that an ICS that can be accessed can be easily exploited due to its lack of integrity.
There are many information sharing proponents out there, including some of the best and most experienced in ICS security. I’d like to hear what information you think is out there and how it would change a SCADA or DCS owner’s security program.
My view is that information sharing is a happy distraction that keeps the ICS security community from focusing on actually fixing the security problems in products and deployments.