Jake Brodsky, a long-time reader, commenter and utility cybersecurity owner (he owns the system, not the utility) left a comment on this morning’s blog post about ICS-CERT and the secure portal. Jake’s lengthy comment is worth reading as he defends withholding information about utility vulnerabilities from the public.
Jake makes some very important and legitimate points about the difficulties utilities have shutting their systems down to install patches. While I have no personal experience with utility systems, I do know that 24/7 manufacturing facilities have similar problems. So, any debate about vulnerability disclosures should certainly take this into account.
That, however, is a continuing debate for another day. Still being restricted by disclosure rules, that is not what I was talking about. The two instances that I was addressing deal with:
• A publicly available set of exploits that have already been discussed by a prominent cybersecurity blogger, and
• A discussion about a widely used attack methodology specifically relying on open source comments by another well-respected security researcher.
Both of these instances address attack methodologies that are already in place and are being used. Neither Jake’s utilities nor my manufacturing facilities are being protected by keeping the discussion about these exploits behind closed doors. ICS-CERT is making it easier for attackers to exploit these vulnerabilities and tools by keeping the problem under wraps.
In a perfect world ICS-CERT would have contact information for every cybersecurity manager at every public and privately owned control system installation in the country. They would have contacted these individuals and ensured that they were part of the discussion of these vulnerabilities on the Secure Portal. Unfortunately (to my thinking, though several of my friends would vehemently disagree) they don’t and haven’t; not by a wide margin. So the only way we can even hope to keep a small portion of the potential victims involved in the discussion is to conduct it in public.