There was an interesting Twitversation last night that was started by my Tweet on the failure of ICS-CERT to acknowledge the researcher, Blake, who was responsible for the vulnerability disclosures that were the basis for the two latest ICS-CERT alerts. You can see the entire conversation by viewing Adam Crain’s Tweet. This is a perennial discussion in the ICS security community and I would like to take this opportunity to explain my point of view on the topic.
First let me start off by clearly stating that I think the most effective (from the user’s perspective) form of vulnerability disclosure is a coordinated disclosure through ICS-CERT. This way the vendor has a chance to correct/mitigate the vulnerability before it becomes publicly available. I prefer the disclosure through ICS-CERT over direct disclosure through the vendor because ICS-CERT has a policy of publicly disclosing the vulnerability within 45 days if the vendor “is unresponsive, or will not establish a reasonable timeframe for remediation”.
Public disclosures of a control system vulnerability before the vendor has a chance to see/fix the vulnerability are generally a bad thing for the control system user community. It allows a much wider range of potential attackers to take pot shots at our devices. It is not, however, the worst option from a user perspective. That would be the sale of the vulnerability on the black/grey market to someone who would announce the vulnerability by actually using it to attack a live control system.
Encouraging Security Researchers
Because there will always be security vulnerabilities in any complex piece of software/firmware/hardware the ICS community needs to encourage independent security researchers to continue to look for new and innovative ways to compromise such systems. It is only through discovery and disclosure that these security holes will be discovered. In an era where it has become obvious that cyber-warfare is not only possible, but likely, it is obvious that the community is better served by public disclosure/repair policies than by allowing black-market sales to attackers.
As vendors get more proficient at making their products more secure, it will be harder and more expensive for researchers to find new vulnerabilities. We will find fewer and fewer researchers who will be willing to take on the vulnerability search just out of love of a challenge. They will need to have some sort of recompense for their expenses at the very least.
We have already seen a number of attempts made to turn security research into commercial enterprises, some with more success than others. All of these have drawbacks as seen from the wider user perspective, in that there is no guarantee that the discovered vulnerabilities are going to get directly back to the vendor so that corrective actions can be taken to eliminate the vulnerability. Lacking an effective bug-bounty program, we are going to see even more of these attempts at grey-hat research organizations.
The age of the independent researcher as the main source of vulnerability discoveries has passed. That doesn’t mean, however, that they have disappeared from the landscape. There will always be the independent who loves to try his skills against corporate computing. This will also continue to be the breeding ground for young researchers who are trying to establish reputations that will ensure their access to jobs with the more formal research community.
The ICS community needs to encourage these independent researchers to move into the larger community. This cannot be achieved by ignoring their accomplishments. Failure to provide public recognition of the efforts will drive them to the black-hat community that thrives on notoriety or into the hands of the black-marketeers that will financially reward them for their efforts.
Intellectual Property Protection
As an independent blogger, I have a great deal in common with the independent security researcher. I write this blog because of a love for the industry and the challenge of changing society. The only compensation that I receive for this work (and there are lots of hours put into this, just ask my wife) is the recognition of my efforts and the knowledge that in some small way I am making a difference.
It is important to me that my ideas are shared, but it is also important that my work is acknowledged when it is shared. Most people, when they quote my ideas will give credit either to this blog or to me personally; that is all I ask. However, when someone quotes my work without giving me credit, they are stealing my work. They are misappropriating my intellectual property.
This is what ICS-CERT is doing when they publish a vulnerability discovered by an independent researcher yet fail to disclose either who that researcher is or from where they obtained the information. Just because they are a government agency does not make that misappropriation any less real or any less costly to the researcher. In fact, it can be argued that misappropriation by a government agency is even worse because it gives the appearance that such theft is socially acceptable or even legal.
Change the Policy
ICS-CERT needs to change their policy on disclosing the identity of independent researchers who publicly disclose ICS vulnerabilities without coordinating that disclosure with either ICS-CERT or the vendor. They are not going to stop such disclosures by failing to recognize their sources; they will only drive them firmly into the opposing camp and ensure that the zero-day vulnerability will become public only when it is used as a weapon.
Needless to say, I will continue to give credit where it is due whenever I can discover who was behind the initial disclosure.