Wednesday, October 26, 2011

ICS-CERT Publishes October Monthly Monitor

This morning the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the October edition of their Monthly Monitor, a publication that “highlights recent activities and information products affecting industrial control systems (ICS).”

As we have come to expect with this publication, we can find a combination of discussions about nearly current ICS security issues (the October issue addresses issues from September), descriptions of various ICS-CERT activities, and, probably most importantly, extensive links to more detailed information. Anyone involved with industrial control systems should make it a habit to read this brief newsletter.

Risk Reporting and Evaluation

In their discussion of the “Dynamic Nature of Vulnerability Reporting and Disclosure” ICS-CERT reminds us that “each issue identified with potential impact to ICS systems must be assessed, understood, and addressed to minimize the overall risk to critical infrastructure and key resources (CIKR) owners and operators”. This appears to be a response to some recent criticism that ICS-CERT is spending too much time responding to common HMI vulnerabilities like those disclosed by Luigi rather than larger problems like general PLC communication security issues. As is usual in controversies of this sort, both sides have valuable points in their favor, making this an issue that needs further ‘frank and open’ discussions to reach a reasonable compromise.

Incident Information

One of the things that this publication does poorly is addressing current incidents. For instance, they mention in passing that:

“ICS-CERT recently responded to a particular incident relating to Internet facing substations. Access to monitoring and diagnostic functions could have been exploited using a known authentication bypass vulnerability. This is but one of many examples that have been brought to the attention of ICS-CERT over the past month.” (page 2)

Generally speaking, ICS-CERT cannot report on any details regarding incidents that they respond to. First, there is the confidentiality issue concerning system details of supported organizations; if they violate that confidentiality, no one will come to them for help ever again. Secondly, they don’t want to give attackers any feedback on how effective their efforts were.

Having said that, it would be beneficial to the ICS community if a little more statistical detail were made available about the types of attacks discussed. Further down the page, in a separate article, they report that the FY 2011 incidents were up from the previous year (130 vs 40). Similar generic information could be provided about the types of incidents; for example, how many Internet-facing control system incidents were reported? How many of them were just identification of vulnerabilities? How many of them were exploits that had been attempted, and how many of those were ‘successful’?

You could have the same type of data available for a variety of incident types: DoS, information theft, system compromise, etc. This data could help industry and researchers prioritize their work.

Uncoordinated Disclosure Credit

More than a few of us who routinely blog about ICS security issues have questioned the ICS-CERT policy of not disclosing the names of researchers who publicly disclose newly discovered vulnerabilities rather than go through a coordinated disclosure process, either directly through the vendors or through reporting agencies like ICS-CERT. While that remains the official policy of ICS-CERT, this edition does give back-door credit to Luigi Auriemma for his most recent batch of disclosures; they quote a PCWorld.com article about the disclosures and include Luigi’s name in that quote.

The final section of the Monitor, “Open Source Situational Awareness Highlights”, is a valuable contribution to the discussion within the community. I think that there is generally a good mix of sources included, though the quoting of blogs is kind of light. While the Threat Post blog is quoted twice, I have yet to see any quotes from informative ICS blogs like those by Dale Peterson, Joel Langill, Eric Byres, or even mine (okay, that’s a stretch, but the other three are important contributors to the cyber security community).
