On Friday a blog post over at NYTimes.com explains the Crain-Sistrunk vulnerabilities and how they are a danger to the electrical grid. As you would expect with such a technically literate organization, the blogger (Nicole Perlroth) got a lot of the details a little bit wrong (and she loves periods way too much), but the post has the broad outline of the process and the potential threat generally correct.
But missing the small stuff is of little consequence, the big thing is that the New York F***ing Times is telling the world that this is a problem. If you see it in the Times, Virginia, you know that it is true. And besides the politicians are now aware of the problem, probably never having heard of DigitalBond or ThreatPost or the other technical discussion groups where there was more (and more correct) information available about the problem at an earlier date.
What will be interesting to see is how soon it will be before Congress will call a hearing to look into the problem. Looking at the CFATS issues of a year and a half ago as a forecasting tool, I suspect that someone will call a hearing in March. That is unless there is a significant portion of the electrical grid shut down by some script kiddy in the meantime. Then it will be June or July before Congress starts to demand answers about why no one told them about the problem before the attack.
Of course (Severe Sarcasm Alert) the technically qualified part of DHS (ICS-CERT, look Nicole, no periods) has been right on top of this since being approached by Adam and Chris. They have gone out of their way to make sure that electrical grid and water system owners have been fully advised about the seriousness of the threat. Nine of the 16 vendors have rushed patches into the market place and are leading a coordinated evangelical campaign to get each and every vulnerable device patched or replaced. And the other seven vendors are so consumed with making things right with their product that they have inadvertently forgotten to tell owners of their products about the vulnerability (End of Severe Sarcasm Alert).
No, none of that has been done. ICS-CERT has published advisories for the vulnerabilities that have had patches developed by the vendor, but it seems as if they forgot their 45-day limit for withholding vulnerability alerts to allow vendors to get patches in place. I assume that the seven no-patch available vendors are working on the issue and that is why ICS-CERT is holding off on publishing the alerts. Even the master ICS-CERT advisory issued last week makes the problem sound minor and might as well say “hey man, no worry, it’s all good” for all of the concern that it will raise..
Now Crain and Sistrunk have not published exploits for their vulnerabilities so that may also contribute to the ICS-CERT justification for remaining mute on the uncorrected vulnerabilities. I would like to suggest that given the simplicity of the exploit as described in the ThreatPost and DigitalBond posts (enter a poorly secured remote substation, plug in your communications tool into an open serial port and send almost any message to the master station and the local system gets a brain freeze and no electricity goes down the line) that those posts should count as publication of exploits requiring ICS-CERT to issue alerts so that the facility owners holding equipment from those 7 vendors will be aware of the fact that they were specifically targeted.
Oh well. Let me step down from my soap box, catch my breath and comb my hair. Maybe I caught someone’s attention, but probably not. I’ll try again later this week.