Tuesday, January 4, 2011

Recent Vulnerabilities Analyzed

Dale Peterson over at DigitalBond.com has an interesting blog posting looking at the recent spate of vulnerabilities reported by ICS-CERT. I have only been watching these closely since the advent of Stuxnet news, so I wasn’t aware that this number was unusual. Dale has been covering this field for quite some time and he has some valuable insights into the situation.

Are ICS Vendors checking for their own vulnerabilities?

Dale explains something that I had noticed but haven’t commented upon; all of the recent vulnerabilities published by ICS-CERT have been from the smaller control system suppliers; with the exception of Siemens and Stuxnet, none of the top line system suppliers have been hit. It seems (paraphrasing Dale so if I get it wrong it’s not his fault) that the top of the line systems are just too expensive and tightly controlled for ‘security researchers’ to get their hands on without the active cooperation of the vendor.

One would like to think that the major ICS vendors would be doing a lot of that security research themselves. After all, their systems are being used in facilities that we would expect the bad guys to want to attack. That means that the large vendors would have a special interest in finding the vulnerabilities in-house and fixing them before anyone knew about them.

Are they doing it? I don’t know. I haven’t touched a control system in a couple of years now, so I don’t know how often security updates are being sent out to the users. None of these guys are as large as Microsoft so there isn’t a major industry reporting their every hiccup. And if I were one of the big-guys, I wouldn’t be making public pronouncements when I sent out patches, explaining what the vulnerabilities are. After all we know that it is a major project to do a software update on a large control system and they frequently just don’t get done. Public notices would make too many sensitive customers potential targets.

So how does a security manager at a high-risk chemical company know if the vendor they use is doing a good job checking their systems for cyber vulnerabilities, fixing the problem and sending out patches? If the facility only receives one patch notice a year is that because the system is mature and relatively free of vulnerabilities? Or, is the vendor just bundling a bunch of small patches to make it easier for the user? Or, is the vendor just not doing the job? I guess that you could ask, but I doubt anyone would ever get told that the last option described above was in effect.

Cyber Vulnerabilities and CFATS

If you are a CFATS covered facility I would recommend asking, in writing. And ask (demand if you’re big enough) for a written reply. It may not get you the complete, unvarnished truth, but it will show that you are taking the control system security issue seriously.

If you get a patch notice from your ICS vendor, the first thing you have to do is recall that every vulnerability advisory issued by ICS-CERT contains the recommendation to conduct “proper impact analysis and risk assessment” before applying mitigation measures. And record that analysis and assessment in writing. If I were a chemical facility inspector checking your cyber security measures, I would want to see your patch log. If all of the vendor patches were not applied I would want to know why.

All of that will help you remain compliant, but won’t protect you against a zero-day vulnerability that the vendor wasn’t looking for. Nothing guarantees that the bad-guys aren’t going to find these vulnerabilities first, but the odds are reduced if there is an active effort by the good-guys to find the same vulnerabilities.

This is one area of ICS security that is going to have to be addressed in any realistic cyber security legislation. Either the folks at ICS-CERT are going to have to be given the resources (money, manpower and equipment) to do the vulnerability searches in-house (or the money to contract it out) or there is going to have to be a way to verify that ICS vendors are making a significant effort of their own.

Vulnerability Notice Coverage

Dale closes his blog by noting that he won’t be reporting the standard vulnerability announcements made by ICS-CERT any longer. This certainly makes sense for his blog, since the bulk of his readers are cyber experts who should probably be tracking those announcements themselves.

My readers are a more diverse group. While there are a number of cyber security people reading this blog there are also regulators, politicians, facility security people, even the occasional activist (and a host of others I’m sure). I will continue to summarize the reports issued by ICS-CERT. For those of you who are actually dealing with control systems, please go to the ICS-CERT site and read their alerts and advisories. Even if your control system is not the one involved, the increase in your knowledge of potential vulnerabilities will make you a better defender of your control system.

No comments:

 
/* Use this with templates/template-twocol.html */