Overnight I have been hearing some interesting information about the Yokogawa Advisory issued by ICS-CERT late yesterday afternoon. It seems as if at least a couple of folks had received emails from ICS-CERT notifying them that an advisory about Yokogawa vulnerabilities had been released to the US-CERT restricted portal.
This would normally have been a standard action to be taken with vulnerabilities in a device/application that is widely used in critical infrastructure or in cases where the vulnerabilities were severe enough that exploitation of the vulnerabilities could reasonably be expected to put facilities at risk. It would certainly seem as if both those conditions were relevant in this case.
The whole point of releasing advisories to the secure portal is to allow critical infrastructure a window of opportunity to take action to protect themselves against exploitation of a control system vulnerability before disclosure is made to the public. People working in critical infrastructure get information about such vulnerabilities pushed to them if they are registered with US-CERT (quite obviously I am not so certified, nor do I, quite correctly, have access to the secure portal; I don’t have an appropriate need-to-know).
In a true coordinated disclosure, I would assume that ICS-CERT would reach an understanding with the vulnerability discoverer about public disclosure of the vulnerability while the corresponding advisory was being closely held within the Secure Portal. There is no indication that Rapid7 disclosed this vulnerability to ICS-CERT. Their disclosure policy (which I noted last night) clearly indicates that they coordinate their disclosure with the Carnegie Mellon CERT (CERT/CC).
I would have liked to have thought (and certainly did before last night) that with vulnerabilities as potentially serious as this one, ICS-CERT would have initiated conversations with the vulnerability discloser to arrange for a reasonable period of at least limited disclosure, allowing the release of the vulnerability in the Secure Portal for some reasonable amount of time. With an organization like Rapid7, that might include allowing them to privately notify their paying clients, but not making general public notification of the vulnerability until ICS-CERT published their public advisory.
For whatever reason, that does not appear to have been done in this case; or at least not effectively. ICS-CERT apparently releasing this to the secure portal at about the same time that Rapid7 was publishing public notice (with Metasploit modules) indicates that there was some serious miscommunication between the two organizations.
Since yesterday afternoon’s advisory release from ICS-CERT did not include the standard Secure Portal disclosure statement, it doesn’t seem that they are willing to publicly discuss this issue for whatever reason. I suspect that it is a political (small ‘p’) issue with ICS-CERT trying to maintain reasonably good relations with the security research community, particularly those that coordinate their disclosures with vendors and/or CERTs. I understand that kind of effort, since ICS-CERT has little enough that they can give in the way of incentives to that community to responsibly disclose these vulnerabilities.
This particular situation, however, is quite serious. The disclosure of the Metasploit modules at the same time as the public disclosure of the vulnerability always gives an edge to the potential attackers. Given the fact that Yokogawa systems are used in critical infrastructure, this potentially puts the public at risk. If miscommunication was responsible for that risk, then we need to know what steps are being taken to prevent such incidents from happening in the future.
At the very least the DHS OIG needs to take a look at this particular incident. Congressional committees looking at cybersecurity issues also need to look at this situation and determine what their legislative responsibilities are to help prevent such occurrences from being repeated.
Let’s hope that the owners of these Yokogawa systems, particularly those in critical infrastructure, are able to get these vulnerabilities mitigated before someone aggressively exploits them. I sure don’t like relying on hope.