Today the DHS ICS-CERT took the unusual step of issuing an advisory very briefly summarizing the information that had already been summarized in 9 earlier DNP3 system advisories based upon the work of Adam Crain and Chris Sistrunk. I have addressed the individual advisories here in this blog.
What has undoubtedly driven this unusual publication is the recent discussion about the very real potential consequences of the vulnerabilities that have been taking place over the last couple of days in various cybersecurity venues on the internet. A good example can be found at DigitalBond.com where Dale Peterson describes how easily these vulnerabilities could be used to shut down much of the electrical distribution system in the US.
ICS-CERT does not acknowledge these discussions as the reason for the issuance of this advisory. In fact, they completely ignore the scope of the problem that is being discussed quite widely in the control system security community. If one were to read just this advisory, it would seem that this is just the common, garden-variety denial of service advisory that we have been seeing for the last couple of years.
Part of this is due to the lack of grandstanding by Adam and Chris. Because of their professional backgrounds, I am sure that they are fully aware of how easily these vulnerabilities could be exploited to bring down electrical (or gas, or water, or whatever SCADA controlled distribution system is using DNP3 based devices) transmission systems. Instead of yelling from the mountain top, they have calmly gone through the coordinated disclosure process and worked with ICS-CERT and the vendors to get patches developed for these systems.
BTW: Have I mentioned lately that there are still 15 Crain-Sistrunk vulnerabilities that have yet to see the light of day? They are still wending their way through the disclosure process, and some of them may do for Modbus what has already been done for DNP3.
So it has taken public discussions by other members of the control system community to get ICS-CERT to react to the real scale of the potential problem. Unfortunately, while ICS-CERT has stepped up to the plate, they waited until the pitched ball was in the catcher’s mitt to feebly wuff the bat vaguely over the plate. This is real surprising from an organization that annually exaggerates the number of attacks on control systems (equating IT attacks on corporate networks as attacks on control systems owned by those companies).
It would have been nice if this advisory had even mentioned that the lax physical security at remote transmission sites would make it easy for an attacker to gain access to the whole SCADA network or shut down key nodes of that network. Then maybe readers of the advisory would begin to see the scale of this vulnerability and why it really did justify a summary advisory that ICS-CERT pretended to issue today.
Looking at the last two advisories to come out of ICS-CERT it is clear that, while ICS-CERT understands the microcosmic aspects of control system security, they either fail to grasp or just plain ignore the macrocosmic scope of control system security problems. Somebody needs to readjust their focus and it won’t be a former DOD lawyer and political crony of the President.