Wednesday, August 4, 2010

Sensitive Information

Dale Peterson has an interesting post today over at DitialBond.com. He discusses the US-CERT practice of posting vulnerabilities on their secure portal where only appropriately registered and vetted members can access the information. As part of the discussion he writes:
“I don’t subscribe to the US-CERT portal because we know or hear much of this information from other sources, and I want to avoid any problems with blogging on these issues. But maybe you and I and everyone else with an interest in control system security needs to be on the US-CERT Secure Portal?”
Now this is a common problem with many types of security information. Legitimately, the government doesn’t want the details of security vulnerabilities to be made public until there is a reasonable opportunity to correct the problem. The problem is that there is no good way to get the information out to the smaller facilities that may be affected because they don’t have permanent security staff to monitor the secure sources of information. Dale recommends that an alternative communication system be made available where limited information about vulnerability is published with recommendations for people with possibly affected equipment to contact vendors. More detailed information could be made available for professional security personnel on sites like the US-CERT Secure Portal or the more general Homeland Security Information Network (HSIN). Many facilities have a similar problem with just keeping up with non-sensitive government information sources. I know that I spend a good hour every day scanning a relatively small selection of government web sites to keep up with what DHS and Congress are doing on chemical security related issues. Most facilities do not have the personnel/time available to do this for the large variety of government programs that might impact their facility operations. This is an area where bloggers such as Dale and I provide a service to industry. We monitor what is going on and provide appropriate notification in a short and accessible format. If the information is applicable to a specific reader, then they can use the links provided in the blog to access detailed information.

No comments:

 
/* Use this with templates/template-twocol.html */