Thursday, December 2, 2010

ICS-CERT Page Update

The folks at the DHS Control Systems Security Program have been playing with the design of their ICS-CERT web page and it looks like they have settled on a new design that provides access to more information. They have reduced the number of advisories and alerts listed on the page to just three (and a link to More) and reduced the old pull down menus for ‘Critical Infrastructure News’ and ‘Reporting’ to links to separate pages for the same information.

I think that the most important change is the addition of links to four pages; the last two of which I had not previously seen on this site. Those pages are:

ICS-CERT vulnerability disclosure policy
US-CERT Vulnerability Notes
Cyber Threat Source Descriptions
Overview of Cyber Vulnerabilities

Cyber Threat Source Description

This page provides a brief description of the different types of attackers that might be expected to be involved in cyber incidents involving control systems. The short descriptive definitions help those who do not closely follow cyber attacks understand who the players are in the field. Most of the descriptions come from two referenced documents (one from the CIA and one from the GAO); unfortunately there are no links to those documents to allow visitors to find more detailed information.

Overview of Cyber Vulnerabilities

Other than the listing of current vulnerability alerts and advisories, the most valuable information for the control system security novice is the page that describes the different ways that control systems are vulnerable. Each description of a vulnerability is accompanied by a generic control system diagram that shows what components of the system are actually attacked.

The developers of this page provide a number of different manufacturing process examples to make the descriptions more understandable to industrial process folks. For example, the discussion of ‘Discovery of the Process’ starts off with the following introductory paragraph:

“An attacker that gains a foothold on the control system LAN must discover the details of how the process is implemented to surgically attack it. If a dozen chemical engineers were tasked with creating a talcum powder plant, each of them would use different equipment and configure the equipment in a unique way. An attacker that wants to be surgical needs the specifics in order to be effective. An attacker that just wants to shut down a process needs very little discovery.”

Professionals in the ICS security field will find little new information on this page. Security people coming from the IT security realm will find this page to be an excellent starting point for a basic introduction to the new field. This page will be most valuable for process professionals just getting introduced to the idea that their control systems are vulnerable to attack. If I were tasked to provide a control system security awareness training program for the process community, I don’t think that I would need much more information than is provided on this page.

There is a sentence in the opening paragraph on this page that points to my only real complaint about it: “This discussion provides a high level overview of these topics but does not discuss detailed exploits used by attackers to accomplish intrusion.” This page is excellent as far as it goes, and hopefully the ICS-CERT folks will continue to expand the information provided.

The high-level information on this page could be linked to a more detailed explanation of exploits on separate pages. Those pages could in turn be linked to specific vulnerability alerts and advisories that exemplify the exploit. These exploit description pages could also be used as additional information sources that could be referred to in the alerts and advisories that ICS-CERT produces.

In short, this page could be used as the landing page for an encyclopedic source of control system security information. That would be a very valuable addition to the ICS-CERT web site. If they don’t have the manpower or time to develop such an information source, they might want to consider adopting the WIKI model and allow a selected audience of control system security professionals in the industry to provide the exploit articles.
