Yesterday the DHS ICS-CERT published the latest version of their Monthly Monitor covering ICS security operations in August. This issue includes a discussion of Shamoon, updated Smart Grid information and many of the repeated features that readers have come to expect.
I have been a strong supporter of the Monthly Monitor from the time that it was first issued, but it seems to me that it is becoming increasingly ineffectual. Part of this is due to the delay in the information presentation. Yesterday was the 11th day of the October and we are just now receiving the September issue. Since there is no breaking news included in this publication, that delay is troubling.
To make matters worse the information in this issue is really from August. The only timely information comes on the ‘Upcoming Events’ page that lists cybersecurity events for October, November and December. Given the fast moving pace of control system security information this delay in presenting information is becoming increasingly irritating and is fast making this publication irrelevant.
This problem is compounded by broad generalities that the editors are forced to speak in when describing ICS-CERT actions in the field. For example in regards to the five on-site assessments that ICS-CERT conducted during August, the editors describe the findings this way:
“General findings included interconnectivity to external networks that require defense-in-depth strategies to protect them from cyber attacks.”
I understand that specifics cannot be made available because of confidentiality agreements and such, but it would be nice to see some sort of characterization of the kinds of interconnectivity (deliberately established, inadvertently established by owner actions, or connections established by programming/documentation errors made by the vendor for example) or even a listing of what types of networks the control systems were connected to (enterprise, security, internet, etc).
Without these types of more detailed information, this ‘ICS-CERT Risk Evaluations’ report is little more than a ‘see what we did’ exercise and 5 on-site assessments in a month just doesn’t sound that impressive. Now if we had been told that a typical assessment took three days on-site and three to four ICS-CERT personnel took part in the average visit, I would be much more impressed.
BTW: They missed the boat on this short report by not informing us of how facility owners could request having ICS-CERT conducting this type of risk evaluation at their site.
I am happy to see that the editors continue to plug away at getting security researchers to coordinate the disclosure of their vulnerability discoveries. List the names of researchers working with ICS-CERT on such matters certainly gives these folks some of the name recognition that should come with this type of work.
What is unstated, but even more impressive is the increase in the number of researchers so listed. The January 2012 issue listed 19 researchers and this issue lists 29. This is almost certainly a good thing for the industry (though I’m not sure that the vendors would necessarily agree), but it certainly is an important measure of how the interest in ICS security matters is expanding in the ‘research community’; too bad there isn’t a similar measure of the black-hat community interest.
BTW: No mention on ICS-CERT website yet about latest Gleg release that I mentioned Wednesday.