Monday, September 19, 2011

ICS-CERT Publishes September Monthly Monitor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the September edition of their Control System Monitor. Articles in this issue included reports on the latest spear-phishing campaign, hurricane response, and an update on the cross-vendor working group.

Spear Phishing Campaign

The newsletter reports on what appeared to be a focused campaign of spear phishing attacks on the energy, nuclear and government sectors. ICS-CERT reports that their analysis showed that this campaign appeared to be targeting control systems engineers. The article notes that ICS-CERT issued two alerts on this campaign in July.

The last bit of information will be news to most readers of this blog, as I certainly didn’t report on those alerts. The reason is that they were published on the US-CERT Control Systems Center secure portal. ICS-CERT explains the limited dissemination by stating that:

“While ICS-CERT strives to make as much information publicly available as possible, the indicators in these Alerts are considered sensitive and cannot be disseminated through public or unsecure channels.”

These alerts would be essentially counter-intelligence reports, and there is always a fine line that has to be drawn about releasing such information. Too wide a release would alert the adversary to the means used to detect their attack, which would allow the refinement of the attack. Too little release would leave the targeted organizations unaware of the potential threat. It is easy to criticize such decisions in hindsight and without responsibility for protecting the information.

Having said that, I would think that it would have been helpful for ICS-CERT to have published a limited information alert on their open access web page with a note for the potentially affected industries to get more information from the secure portal. That is, after all, what this article in the Monthly Monitor is doing. A more timely alert on the same lines may have protected more systems from potential attack or identified successful attacks earlier. At the very least it would have ensured that bloggers, like me, would have addressed the issue, spreading the word to a wider audience.

Interestingly it appears that this campaign may have been the reason that the previous issue of the Monthly Monitor included an article on the topic of spear phishing. If so, kudos to ICS-CERT for a creative partial-solution to the timely disclosure problem.

Hurricane Response

The article on the ICS-CERT monitoring efforts during Hurricane Irene helps to remind people that a full look at security includes protecting an organization against the effects of natural hazards as well as human attacks. The article provides a brief discussion about the importance of contingency plans for response to interruptions caused by both man-made and natural disasters.

Cross-Vendor Working Group

There is an interesting but brief article on the kick-off meeting of the cross-vendor working group of ICSJWG that is trying to “develop a unified approach for addressing serious security issues that exist across many vendor platforms”. One particular sentence in the report may draw some criticism from the control system security blogger community:

“An inaccurate perception exists that the vendor community does not fully understand control system security challenges.”

There will certainly be disagreement about the extent of the ‘community’ that does or does not ‘fully understand’ the control system security challenge. I think we can all agree, however, that a wider and fuller understanding would be helpful in all parts of the community.
