ICS-CERT has been busy this week. They updated an alert on Tuesday and issued two advisories yesterday. In two of those three actions there were some interesting questions raised about some of the information provided, or not provided in their documents. Since then some additional information has been made available.
When is a Vulnerability not a Vulnerability?
When ICS-CERT declared that two of the vulnerabilities reported on the Schneider Electric systems during the recent S4 Conference in Miami were not actually vulnerabilities, I thought it kind of odd that a security researcher could make that kind of mistake. I mentioned it in passing in my blog post, but figured that someone else with more experience in the technical side of things would tackle the issue. Sure enough, Dale Peterson had something to say about the issue on the Digital Bond's SCADA Security Portal. It is well worth the read, but have a fire extinguisher handy, Dale is hot.
Quality of Write Ups
In last night’s post about the recent Emerson advisory I had some questions about some things that had been left unsaid in the advisory. Fortunately, Joel Langill (the researcher on the Emerson vulnerabilities) and I have had a number of informational exchanges over the last couple of years, so I asked if he would like to comment on those questions. Sure enough he did. He posted a very detailed comment on that blog post that all should read. He answered my questions and gave some good insights into the vulnerability disclosure/response process. It is well worth the read.
ICS-CERT provides the control system community with a valuable service. Among other responsibilities they act as a clearing house for information on vulnerabilities and their mitigations. Given their budget, number of people on staff and their other important tasks, they do a pretty damn good job. But they have to be careful.
People look at what they say and don’t say in their reports. If they say that one part of a mitigation has been verified but don’t mention the verification status of another part, people can only assume that it hasn’t been verified. That doesn’t help the vendor restore confidence in their system.
And if they publish a vendor’s counter-claim on a vulnerability without giving the researcher a chance to respond, they are going to look like they primarily serve the vendors, not the control system community.
No one is going to be happy with ICS-CERT all of the time, but more attention to the detail that they do put into their alerts and advisories would help maintain their status as a valuable resource to all parts of the control system security community, particularly the system owners and operators.