Sunday, June 29, 2014

ICS-CERT and Information Sharing

An interesting series of twitversations were started yesterday about a single sentence in my post about the latest ICS-CERT update on the Havex Trojan. That dialog is important but a little more complicated than can be easily captured in 140 characters. I will try to address my outlook on the question here and welcome comments and opposing points of view to chime in on this discussion.

The Twitversation

What started this was the blog comment about mitigation measures:

“Presumably more up-to-date indicators are available through the US-CERT secure portal. This is another reason for potential targets to request access to the US Cert Secure Portal.”

Dale Peterson from DigitalBond started the twitversation from there noting that “we were told portal access is limited to asset owners”. I don’t know who the US-CERT allows to have access to their secure portal (I have not applied as I would almost certainly be turned down not being an owner or security professional, just a gadfly), but I replied “DHS ought to be fairly broadly defining 'asset owners'”.

I then made the more than a little sarcastic comment that folks in the ICS security business probably would not be included because “Ya'll are competitors after all (SAD)”. This touched a perennial sore spot with Dale who does not think that ICS-CERT/INL should be one of his business competitors (I agree).

Dale also asked: “what about integrators, resellers, vendors, industry groups ...”. To which Andy Robinson chimed in: “we are the ones who usually id and fix”. Again these are both important points.

US-CERT Portal

According to the US-CERT web site describes the US-CERT Portal this way:

“The US-CERT Portal provides a secure, web-based, collaborative system to share sensitive, cyber-related information and news with participants in the public and private sector, including GFIRST, the CISO Forum, NCRCG, ISAC members, and various other working groups. Authorized users can visit the US-CERT Portal.”

Access to the secure portal is provided to individuals or organizations that have been approved by various agencies of DHS. The ICS-CERT is apparently an approving agency for the ‘control systems compartment’ of the portal. Send requests for access to: ics-cert@hq.dhs.gov.

I do not personally know what criteria DHS uses to allow access to this portal. I would assume that representatives from critical infrastructure with cybersecurity exposure would be given access. I would hope that ICS-CERT would provide the widest possible access to control system owner.

I am extremely disappointed to hear that organizations like DigitalBond, an internationally recognized control system security company would have been denied access. I would think that it would be in the best interest of industry if security service providers, integrators and vendors were made an integral part of the information sharing community in the US-CERT secure portal. For a very large portion of the industrial control system owner community, these people are the ones that install, maintain and secure industrial control systems.

Why Restrict Access to Information

There are a number of legitimate reasons that the security and intelligence communities need to restrict access to information about control system vulnerabilities and threat information. For many control system applications, for example, there is no easy way for vendors of an application to reach out to the ultimate owners and users of those applications to ensure that they are informed of mitigation measures before a public release of vulnerability information. The ICS-CERT use of the secure portal to make such information available to the affected community before publicly announcing the vulnerability makes good sense.

When a cyber attack is first identified in the wild the cyber intelligence community needs to be able to share information with other potential targets to be able to identify and limit the effects of the attack. Conducting that outreach in a public forum would just ensure that the adversary make changes to their methodology to avoid further detection.

When cyber attack information is developed by private entities (such as F-Secure, Symantec, or CrowdStrike) using proprietary technology or techniques the sharing of that proprietary information would damage the business of those researchers and limit their ability to continue to develop threat information. Protecting information about those techniques and technology is a legitimate way to encourage those companies to continue to share their intelligence information with the government.

Questions about Status of Specific Information

It is easy for someone on the outside (like myself) to criticize government agencies for what information they share or fail to share. By definition we don’t have all of the information about a particular data release (or non-release) to be completely aware of what actually went into the release decision. Still we have a moral obligation to try to hold the officials involved accountable for their actions.

In a perfect world these decisions are made by professionals who have the best access to the information involved and complete understanding of the consequences of the release or restriction of that information. In the real world professionals are called upon to make these decisions on the fly with incomplete information about sources and consequences. And too frequently these decisions are made by professional politicians not security professionals.

From the outside, a good example of questionable information restrictions is the data about the three compromised web sites in the F-Secure report. I understand why a commercial organization like F-Secure would not publish that information; they are protecting themselves against potential libel and slander charges from the owners of the affected sites.

A government agency might take the same action based upon those concerns, but they are much better isolated from such liability claims than would be an organization like F-Secure. However, when ICS-CERT publicly announces that the identity of these sites is available on the US-CERT secure portal it is obvious that they are not trying to avoid litigation from the sites involved. Even the claim that they are protecting F-Secure from such litigation would be hard to accept in light of the public announcement of the information being available.

This is one of those times that it appears that the politicians have made a decision to protect information for a non-security related reason. And as is usual when security decisions are made for political reasons, this decision has put people (control system owners) at risk unnecessarily. This information should be given the widest possible dissemination to allow potentially affected system owners to evaluate their particular risk.

Lack of Cybersecurity Information Sharing Rules

It is situations like this one that illustrate the problem with the lack of information sharing rules for cybersecurity issues. Without a full and complete political discussion about what information should be shared by whom, with whom and under what conditions, the politicians within the executive branch are making these decisions on an ad hoc basis behind closed doors.

Now I understand and agree that the sharing of personally identifiable information is an important concern within the personal liberties community (and that community should be very large and important). How to protect individual information from abuse by large corporations and the government is a very complex and politically sensitive issue.


Fortunately, that portion of the cybersecurity problem is not very prevalent in industrial control system security issues. Perhaps Congress ought to take a first pass at cybersecurity sharing legislation that focuses on the narrow issue of information sharing about industrial control system security issues. This would allow that very important part of the security problem to be addressed and would allow the government to work out information sharing protocols that could be adopted to the broader cybersecurity problems without putting personal information at risk during the development process.

1 comment:

Dale Peterson said...

Patrick,

140-characters is limiting. Here is a bit more.

Access To Info

Originally we had the opportunity to join the US-CERT Secure Portal, or whatever it was called at the time. We declined because we did not see info in the limited access advisories that we did not already know. I was concerned that we would write something learned independently, without encumbrance, and the USG would claim we violated the agreement on the use of the info.

Last year an asset owner client shared one of the Secure Portal products, under NDA, that had useful information we did not know. I still believe it is rare, based on the Secure Portal info that we get passed from sources, but there would be circumstances where we could help our clients more if we had access to the Secure Portal.

Our solution was to have one Digital Bond consultant sign up to the secure portal and abide by the restrictions. If there was something we needed to know for a client engagement, he would tell the client to sign up for the portal and get the document.

When our consultant tried to gain access, he was denied because it was restricted to asset owners.

The main value ICS-CERT seems to have today is as an aggregator of public information. If they want asset owners to get the info, they shouldn't have this secure portal. It is as effective as a paywall in significantly reducing the number of people who will access the info.

I have my own theory why the Secure Portal exists. When you talk to DHS / INL / ICS-CERT people off the record they will complain about the difficulty of getting things through review and published. A lot of the limited value language reads like it has been edited by five people, each removing something of value. My guess is it is quite a bit easier to get info release approved for the Secure Portal.

Of course the "bad guys" get a copy of the info through others; I know we can and do whenever we want. However, even though we have not signed anything restricting our use, we abide by the restrictions in the rare cases where info is not yet public.

Competition

You misunderstand my complaint and issue here. I have no problem with DHS/INL/ICS-CERT (or anyone else) competing. We believe we provide much better results for our clients.

What drives me crazy is INL has told me numerous times that they are not allowed to compete with industry ... and they clearly do in training, assessments, incident response and most other ICSsec areas.

Early on when I would write that they were our biggest competitor I would get a call from INL, DHS, DoE or others telling me they don't compete and asking why I wrote that. I no longer get those calls, and the competition aspect is increasing significantly in security consulting. It won't change anything, but I can't resist tweaking them from time to time.

On a more serious note, DHS should be focusing resources on things that they can uniquely do and that will impact critical infrastructure security. I covered this a bit in my ICSJWG presentation in Indy. Instead they are pursuing numbers that probably look good during reports to Congress.

Dale Peterson
@digitalbond

 
/* Use this with templates/template-twocol.html */