There was an interesting comment posted to a discussion on LinkedIn about my blog post from last month about the ICS-CERT report on the Ukraine power outage in December. In that post I complained about the amount of time it was taking ICS-CERT to make a public disclosure about the indicators of compromise for that attack. I was making the point that the IOC could be used by control system engineers and security specialists here in the US to prevent similar types of attack.
One of the comments came from a young European researcher who is making a name for herself in looking at control system security vulnerabilities in manufacturing processes, particularly chemical processes. Marina Krotofil noted that the ICS-CERT team that went to the Ukraine to look at the investigation into that incident probably had to sign a non-disclosure agreement with the government of the Ukraine before they were allowed access to ask their questions. She suggested that that could be the reason that ICS-CERT has not publicly listed the IOC for the incident.
Neither of us knows whether that is the case, but it would certainly seem to be a reasonable action for the affected government to take. IOC and other critical details about the attack on their power companies and the response to that attack are properly their information to release. The fact that there is more information available from various private security research firms probably means that they are more experienced than ICS-CERT at negotiating the terms of an NDA with foreign governments or directly with foreign utilities.
I am still concerned that the IOC are not being made available to the potentially affected organizations here in the US (other countries should have their own bloggers pounding the same table), but I am willing to concede that ICS-CERT may be legally restricted from sharing that information.
Another interesting takeaway from this discussion is that NDAs with foreign governments will not be the only restrictions on sharing actionable intelligence from control system security incidents. Under the information sharing program mandated by Congress last year, companies sharing information with DHS about cyber incidents can put the same sort of restrictions on sharing that information outside of the government.
Again, I can clearly understand why that provision was included. Without that caveat there are many organizations that would not share incident information with the government. Either out of embarrassment for lax security controls, worry about the effect on investor confidence, or even just out of a basic desire to keep private activities private, many companies would prefer not to share information with the government, much less see that information spread before the world.
Organizations like ICS-CERT are going to have to come up with ways to sterilize the information passed to DHS in such a way that actionable intelligence on IOC and attacker methodologies can be distributed to a wider audience without upsetting the sensibilities of board rooms.
One way to deal with this could be to handle known malware involved in attacks the way ICS-CERT has handled BlackEnergy, which was apparently used in the setup of the attack in the Ukraine. ICS-CERT published YARA rules for detecting that malware and encouraged the reporting of indicators from applying those rules to control system networks. Then, when ICS-CERT receives notice of a BlackEnergy-compromised system, they can deploy an away team or contractors that have been taught how to detect the IOC from the Ukraine attacks in their investigation of the potentially compromised system. Attacks could be caught early and appropriately mitigated, and friendly nations or companies could feel safe that their dirty security laundry has not been shared with the public.
I would still prefer to see public disclosure of IOC, but when that cannot be done we need to be confident that someone with the knowledge gained from known attacks can respond to help system owners prevent similar attacks on their organizations.