Sunday, November 24, 2013

Restricted Cybersecurity Information

I am loosely affiliated with a couple of different organizations that are able to provide me with information about government-issued cybersecurity reports that carry restricted distribution markings; not classified, just a variety of sensitive-but-unclassified markings. Of course, part of the condition of my receiving copies of these reports is that I am not able to publicly disclose the information contained in them. So, the following discussion will be a tad vague as I describe a disturbing trend in such information sharing activities.

We all know that US-CERT provides a limited-distribution web site where adequately vetted members of the various affected private sector organizations (this does not include me) can get up-to-date unclassified information about trends and issues in the cybersecurity realm. ICS-CERT has a portion of that portal that they use to discuss vulnerabilities in control systems, and attacks on those systems, that they don’t want widely disseminated, so as not to let control system adversaries know what we know about their activities. This also includes information about specific vulnerabilities, and fixes for those vulnerabilities, that is being disseminated to system owners and will subsequently be publicly released on the ICS-CERT web site.

Now all of the above is clearly a good thing. Critical infrastructure organizations can get up to the minute information (okay day or week, not minute) about vulnerabilities that might affect their operations while the bad guys don’t know how much the good guys know about what is going on. On a number of occasions I have recommended that every control system owner apply for access to this portal.

It has come to my attention that in the last couple of weeks there have been two restricted-access advisories published on the ICS-CERT portion of this portal that dealt with vulnerabilities that have already been publicly disclosed and discussed in the open press (including this blog). Now I have not seen the actual advisories, but the discussions about them on the Portal do not seem to fall into the realm of keeping the bad guys in the dark while the good guys fix the problem. The advisories sound more like the ‘see how special we are because we know sensitive stuff’ type of advisory.

Now a certain amount of that is going to go on in any organization, even a very loose organization like this portal; membership becomes as important as the purpose of the membership. But this portal serves an important purpose, and US-CERT and ICS-CERT have a special obligation to ensure that information gets to the general cybersecurity community (not just this subset of it) as soon as practically possible. Playing ‘see how important you are because you belong to this group’ games does not serve well the purpose of that group or the safety of the larger society.

If US-CERT and ICS-CERT are really interested in information sharing, and that is their mandate, then they need to keep a close eye on how they manage their information sharing tools. Some things need to be more tightly held than others, but the widest dissemination of vulnerability information to the affected community must be a very high priority for these two organizations. And limiting discussions to a select few must only be done when there is a real security reason for that limitation.

1 comment:

Jake Brodsky said...

We are stuck between two extremely difficult problems. Security experts from the office IT world believe in maximum information dissemination. They believe that secrecy does more harm than good. And to a large extent they're right.

The problem is that for industrial infrastructure, this assumption falls apart. It is all well and good to say, patch, patch, patch and you will be okay --as long as your operations can be backed up. And most office applications can be backed up very well.

The problem is that once I send water down the pipeline, it isn't coming back and there is nothing I can do about it! If you trash a control system and cause bad things to happen, there will be a physical manifestation that may not be easily reset or cleaned up. In particular, if you compromise a safety system, you can not restore someone's lost limbs or life.

So the question is: when can we patch? Well, there are good times and there are bad times. In the Water and Electric power industries, fall and spring are good times to pull equipment from service to patch and test properly. Summer and Winter are high stress times when we simply may not have the excess capacity or system resiliency to properly test a patch.

Literally, for some large utilities, there are entire seasons when patching certain key assets is not practical. We COULD build in extra capacity. The costs would be ridiculous and the ratepayers would revolt. Nobody will foot the bill to build extra infrastructure to the tune of hundreds of billions of dollars nationwide just so that we can have the capacity to patch the embedded controllers that run it.

So DHS is keeping a lid on vulnerabilities and quietly distributing them to utilities so that they have time to take action as soon as practical.

Ultimately, we need a decentralized utility model. We have built massive infrastructure because it was supposed to be more efficient and practical. Today, that's no longer as true as it was during the days of our great-grandparents. However, until we can re-arrange and reconstruct our infrastructure toward these smaller models, we'll have to live with the difficulty of dealing with these vulnerabilities.

I wish we had the luxury of going public with every vulnerability as soon as it is discovered. However, the attackers will always have a lead time of at least several months before we can patch the critical embedded controllers. Do you feel sanguine about handing that kind of lead time over to the rest of the disgruntled world? I don't.
