Joe Weiss has an interesting blog post on ControlGlobal.com criticizing ICS-CERT for their inappropriate coverage of SCADA/HMI vulnerabilities. He notes data from Bob Ravanovsky analyzing the “advisories, alerts, bulletins and notices” published by ICS-CERT from March 11th, 2010 through February 14th 2011 showing that 76.55% of those publications have been about HMI vulnerabilities and only 11.82% have been about actual vulnerabilities in control systems and their components. He closes by saying:
“It appears that ICS-CERT seems to be focusing on the lesser important issues.”
Now this isn’t new criticism of ICS-CERT. Dale Peterson at DigitalBond.com has been making the same complaint for some time. And this isn’t even the first time that Joe has made this general complaint, just the first with this particular empirical data. While I respect both of these individuals, and many of the other people voicing the same complaint, I’m afraid that I think their complaints are a little overblown; at least as they refer to the relative amount of time spent on HMI issues.
First off, ICS-CERT was established as a ‘Cyber Emergency Response Team’ not a research organization. Their alerts and advisories are information sharing exercises where they translate the work of independent security researchers and the responses of vendors into documents that are readily available to the ICS community. If the bulk of the research work of these independents has been focused on HMI systems not control systems that is not the fault of ICS-CERT.
Besides, it hasn’t been until relatively recently that the general view of the control system community was that their systems were isolated from various networks so that the only possible route of vulnerability was via the HMI. That made these applications fair game for researcher efforts. As Stuxnet made clear to the control system owner/user community that their isolated systems were actually vulnerable and researchers began to take detailed looks into that vulnerability.
Now, thanks to the work of Dillon Beresford and the folks working on Project Base Camp, it is clear that there are a large number of relatively simple to find vulnerabilities in the hardware-software (HIS) interface side of the control systems. I suspect that we will begin to see more and more ‘control system’ alerts and advisories out of ICS-CERT.