Wednesday, March 12, 2014

More on Yokogawa Advisory

Overnight I have been hearing some interesting information about the Yokogawa Advisory issued by ICS-CERT late yesterday afternoon. It seems as if at least a couple of folks had received emails from ICS-CERT notifying them that an advisory about Yokogawa vulnerabilities had been released to the US-CERT restricted portal.

This would normally have been a standard action to be taken with vulnerabilities in a device/application that is widely used in critical infrastructure or in cases where the vulnerabilities were severe enough that exploitation of the vulnerabilities could reasonably be expected to put facilities at risk. It would certainly seem as if both those conditions were relevant in this case.

The whole point of releasing advisories to the secure portal is to allow critical infrastructure a window of opportunity to take action to protect themselves against exploitation of a control system vulnerability before disclosure is made to the public. People working in critical infrastructure get information about such vulnerabilities pushed to them if they are registered with US-CERT (quite obviously I am not so certified, nor do I, quite correctly, have access to the secure portal; I don’t have an appropriate need-to-know).

In a true coordinated disclosure, I would assume that ICS-CERT would reach an understanding with the vulnerability discoverer about public disclosure of the vulnerability while the corresponding advisory was being closely held within the Secure Portal. There is no indication that Rapid7 disclosed this vulnerability to ICS-CERT. Their disclosure policy (which I noted last night) clearly indicates that they coordinate their disclosure with the Carnegie Mellon CERT (CERT/CC).

I would have liked to have thought (and certainly did before last night) that with vulnerabilities as potentially serious as this one, ICS-CERT would have initiated conversations with the vulnerability discloser to arrange for a reasonable period of at least limited disclosure, allowing the release of the vulnerability in the Secure Portal for some reasonable amount of time. With an organization like Rapid7, that might include allowing them to privately notify their paying clients, but not making general public notification of the vulnerability until ICS-CERT published their public advisory.

For whatever reason, that does not appear to have been done in this case; or at least not effectively. That ICS-CERT apparently released this to the secure portal at about the same time that Rapid7 was publishing public notice (with Metasploit modules) indicates that there was some serious miscommunication between the two organizations.

Since yesterday afternoon’s advisory release from ICS-CERT did not include the standard Secure Portal disclosure statement, it doesn’t seem that they are willing to publicly discuss this issue for whatever reason. I suspect that it is a political (small ‘p’) issue, with ICS-CERT trying to maintain reasonably good relations with the security research community, particularly those that coordinate their disclosures with vendors and/or CERTs. I understand that kind of effort, since ICS-CERT has little enough that they can give in the way of incentives to that community to responsibly disclose these vulnerabilities.

This particular situation, however, is quite serious. The disclosure of the Metasploit modules at the same time as the public disclosure of the vulnerability always gives an edge to the potential attackers. Given the fact that Yokogawa systems are used in critical infrastructure, this potentially puts the public at risk. If miscommunication was responsible for that risk, then we need to know what steps are being taken to prevent such incidents from happening in the future.

At the very least the DHS OIG needs to take a look at this particular incident. Congressional committees looking at cybersecurity issues also need to look at this situation and determine what their legislative responsibilities are to help prevent such occurrences from being repeated.

Let’s hope that the owners of these Yokogawa systems, particularly those in critical infrastructure, are able to get these vulnerabilities mitigated before someone aggressively exploits them. I sure don’t like relying on hope.

1 comment:

Anonymous said...

Patrick - I think the complexity of the situation and limited information makes it very difficult to determine what happened in the CERT/ICS-CERT/JP-CERT/Yokogawa/researcher chain.

The US sales of Yokogawa are a small percentage, less than 10%, of their global sales. Japan is about one-third of sales and Asia over half. This coordination should have been (and probably was) led from JP-CERT / Japan. JP-CERT has a long history working with CERT and ICS-CERT since it was stood up. I should note that JP-CERT also has something similar to the secure portal, and their approach to critical infrastructure disclosure is closer to the UK than US.

The CENTUM VP is the system you see most in critical infrastructure, not the CENTUM CS. For example CENTUM VP competes with Honeywell and Emerson for a lot of the refinery and large petrochemical plants. I'm less sure how widespread the CENTUM CS is which leads me to an important point about the ICS-CERT alerts and advisories ...

ICS-CERT should know more about the actual usage of these systems than pulling a line off the product marketing web page. The lack of prioritization in vulnerability handling continues to be a major flaw in ICS-CERT/DHS.

The Yokogawa bulletin had an interesting and important line "Other products being affected by these vulnerabilities are under investigation. Upon finding out the results, we will publicize the information without delay." The English is a bit tortured there, since it is not their first language. However, it's great to see them acknowledge these vulns could affect other products, they are investigating, and will make the results public.

Yokogawa actually did much better than most vendors in handling the first vuln. They actually fixed it; provided a free upgrade to a version that can be patched; acknowledged it may be in other products.

Final comment - this also supports my contention that it is not worth spending a lot of time on rules for coordinated disclosure. The person or organization who finds it, in this case Rapid7, will do what they feel is best.

Dale Peterson
Digital Bond, Inc.
