This afternoon the DHS ICS-CERT published a new update to their Moxa alert (originally issued on April 8th and then updated on April 20th). The new update adds an acknowledgement of the original disclosure and more details about the ports involved in the vulnerabilities.
The Alert now reports that Reid Wightman of Digital Bonds Labs was the original reporter of the five vulnerabilities upon which this alert was based. It also now acknowledges that Reid did coordinate with Moxa (but not, shame for shame, with ICS-CERT).
A paragraph has also been added to the mitigation section of the report that lists the ports that Moxa recommends should be either blocked or have access restrictions applied. The list of ports was in the original alert, but was removed in the first update. The port information in this update is more complete in that it distinguishes between the ports that are not needed by the device and the ports that may be used in normal operation. The same information was available in the DBLabs report that was responsible for the initiation of this alert.
I am glad to see that ICS-CERT is finally giving Reid credit for discovering these vulnerabilities. ICS-CERT has had an on-again, off-again policy of disclosing the researchers responsible for alerts. I understand that ICS-CERT would prefer that they (or some other CERT) would be used as a disclosure intermediary. Their thought is that their official office can apply more pressure to vendors to take vulnerability reports more seriously. While that may be true (more on that later) that should have nothing to do with giving credit where credit is due. Not giving credit smacks of theft of intellectual property.
Now as to the larger question of the role of ICS-CERT as a coordinator of vulnerability disclosures, let’s take a look at that role. First off, I have seen nothing in legislation or regulation that provides ICS-CERT with any specific authority to act as such a coordinator. That probably is not really necessary as long as researchers and vendors mutually recognize ICS-CERT as an independent arbiter of disagreements about the legitimacy of vulnerability claims, on the one hand, and the legitimacy of vendor mitigations on the other hand.
It is becoming increasingly obvious that there are elements within the research community that no longer have much respect for ICS-CERT as a dispassionate intermediary. I have read a number of social media comments over the last year or so from a number of different researchers that expressed their concerns about the apparent willingness of ICS-CERT to side with the vendors when there is a disagreement on vulnerabilities.
Appearance of Favoring Vendors
In my very limited interactions with ICS-CERT, I have never had any problems. But then again, I am a security gadfly not a researcher. But that really does not make any difference. As I told young NCO’s in numerous leadership classes; it doesn’t make a damn bit of difference if you are or are not prejudiced. If those that report to you think you are prejudiced, then they are going to respond to you as if you were prejudiced.
At the very least ICS-CERT has a problem with the appearance that they favor vendors when there is a dispute between researchers and vendors. That appearance is going to help drive away researchers, particularly those without enough of an industry reputation to have their disclosures stand on their own merit. Those researchers are going to take less desirable modes of disclosure, public zero-day disclosures or, even worse, sell disclosures to the highest bidder.
This is particularly disturbing as the ICS security world is expanding by leaps and bounds. The number of researchers in this space is continuing to expand as new researchers (and established researchers from other fields) continue to see ICS research as an expanding field. Even more important the number of vendors affected by ICS vulnerabilities is also increasing as more industries (medical, automotive, aircraft, and security controls) begin to realize that their control systems have important security vulnerabilities that are no longer masked by obscurity.
Need for Coordination
The other question that this specific set of vulnerabilities raises is whether or not a disclosure coordinator is really needed. A legitimate case can be made that new researchers in the field, without a well established reputation, probably do need to have an independent agency act as a go between particularly when the security issues being raised are novel or difficult to understand.
That was certainly not the case here. Reid Wightman is not, by anyone’s measure, an ICS neophyte. He has a well-established personal reputation built across a number of organizations. That plus his current association with Digital Bond Labs should provide as much weight to the vulnerability disclosure as could ICS-CERT. He should be able to approach any ICS vendor in the world and have his report of vulnerabilities taken seriously and promptly acted upon. I question the commitment to security of any vendor that fails to respond promptly to a researcher of Reid’s stature and knowledge.
To take over a year to correct serious security vulnerabilities (and we are hoping that they will be completed in August as promised) is inexcusable. Particularly when the devices in question exist in a critical communications nexus in so many critical installations. Even if there is a legitimate reason for it taking a year to correct all of the problems (and I find that difficult to believe) most of these issues could certainly have been corrected well before now.
The Siemens model of disclosing a vulnerability even before all of the affected devices have patches/updates available is one that deserves close study by the industry. This is particularly true when there are legitimate methods of reducing the risk of vulnerability exploits that the owner can take while waiting for an update to become available.
A Good Step Forward
In closing, I want to make a clear statement that I think ICS-CERT took a valuable and correct step today with their making these changes to the Moxa Alert. Reid deserves credit for the vulnerability discovery and for his efforts to properly disclose those vulnerabilities to Moxa. System owners deserve to have the information on mitigation measures that are now available in the Alert. I continue to believe that ICS-CERT has an important role to play in coordinating vulnerability disclosures. The changes made today will help to ensure that they look like they are playing the role of a disinterested intermediary that both sides can respect and trust.