Today the DHS ICS-CERT published their annual
review of ICS-CERT activities for the previous calendar year. It is a nice
glossy publication worthy of a Fortune 500 annual report. As with such reports,
you have to look real close to see anything beyond PR information.
The ICS-CERT Mission
No annual report would be complete without a mission statement.
Unfortunately, ICS-CERT has not yet developed the pithy, single-sentence
mission statement currently favored by the corporate sector. Instead they have broken
their mission out into two functional areas: Operations Functions and
Risk-Reduction Functions.
Operations includes incident response, vulnerability
coordination, situational awareness, and technical analysis. Risk-Reduction
includes cybersecurity assessments, the Cyber Security Evaluation Tool (CSET),
training, and the Industrial Control Systems Joint Working Group (ICSJWG). Only
two of the eight functions can reasonably be called governmental
responsibilities: vulnerability coordination and ICSJWG sponsorship. The other
six functions operate in direct competition with many private sector entities.
The situational awareness activities of ICS-CERT receive a
lot of attention in this Review. The inherent weakness of many of those
activities is highlighted by the classified nature of many of the most
important briefings. Because industry has so few operations personnel with
security clearances, it would be illegal for the C-Level attendees at these
briefings to further share the information with the people who would most
need to know the details to effect an efficient response.
CSET
ICS-CERT takes a great deal of pride in the Cybersecurity
Evaluation Tool (CSET). They note in the Review that two new versions (6.0 and
6.1) were released in 2014. Unfortunately, there is nothing on their web site about the new
releases; the CSET Fact Sheet still reflects version 4 information from 2013.
Incident Response
The Review has a nice section on the incident response
activities of ICS-CERT. It includes a listing of generic types of incidents
that ICS-CERT responded to (pg 6). Two of those deserve special mention.
ICS-CERT reports that of the 245 incidents that they
responded to, some (more than one?) included exploitation of zero-day
vulnerabilities in control system devices and software. Interestingly, of the
seven alerts issued in 2014, none mention that the vulnerability had been used
in a zero-day attack. I would have thought that would have been important
information to communicate to owners of the devices and software.
The Review also notes that the incidents to which ICS-CERT
responded included incidents initiated by watering hole attacks at 'strategic
web sites'. While details are not included in the Review, this almost certainly
included the response to the Havex RAT. This is another instance where ICS-CERT was not fully
forthcoming with the ICS community, only releasing the names of the affected
web sites on the US-CERT secure server.
Vulnerability Coordination
This is the area that readers of this blog most often hear
about when ICS-CERT is mentioned. The section on vulnerability disclosure is very
light in the Review. Interestingly, there is almost no mention of the outside
security researchers who are responsible for finding the vulnerabilities that
ICS-CERT coordinates with vendors. Instead, the Review almost implies that
ICS-CERT is responsible for discovering the vulnerabilities.
For example, they describe the five-step process that
ICS-CERT uses to handle vulnerabilities:
∙ Detection and collection;
∙ Analysis;
∙ Mitigation coordination;
∙ Application of mitigation; and
∙ Disclosure
In most instances ICS-CERT is actually only responsible for
steps 3 and 5. More and more frequently, even those steps are being handled by
some of the vendors, leaving ICS-CERT to just re-publish the vulnerability for a
larger audience.
Just an Annual Report
I have to admit that this is a good looking brochure. It has
lots of staged photographs of people doing cyber-looking things, and I assume
that most of them are members of the ICS-CERT team. But this Review has as much
relationship to the actual activities of ICS-CERT as an Annual Report does
to the operation of a Fortune 500 company. The highlights are all here, but if you
really want to understand what is going on you are going to need to do your own
research.