Wednesday, November 23, 2011

ICS-CERT Reports on Water Hack and Published Monthly Monitor

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a bulletin on the cyber security talk of the last week, the report of a water hack of a water control system in Illinois and the latest issue of their Monthly Monitor. Both provide important information on industrial control system security.

No Water Hack in Illinois

All of us who have been talking about the report from the Illinois Statewide Terrorism & Intelligence Center (ISTIC) are going to have to do some explaining about our apparent overreaction to a premature report. According to an Information Bulletin issued today by ICS-CERT, the fly-away team has looked into the situation and cannot find any information to support the preliminary conclusion from the ISTIC that a cyber-attack was involved in the pump failure at the Curran-Gardner Public Water District. The report states that:

• There is no evidence of a cyber-intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois;

• There is no evidence to support claims that any credentials were stolen; and

• There was no malicious or unauthorized traffic from Russia or any foreign entities.

It seems that we all reacted to Joe Weiss’ report about the ISTIC report as if it were established fact. While most of us included appropriate weasel words (I prominently included ‘If this happened’ at the start of my initial tirade), it was apparent that we took the report at face value. This is probably because most of us know that it is just a matter of time before this happens for real. Unfortunately, we now have some egg on our faces, with people inevitably talking about the boy who cried wolf.

I still believe that ICS-CERT could have nipped a lot of this yelling and screaming in the bud if they had published an alert on the initial ISTIC report (even though they received it six days after the alert was published), much the same way they do with initial reports of uncoordinated disclosures of new software vulnerabilities. Then the report published today would have been their follow-up, and most of us would have been commenting on the overreaction of ISTIC.

The bigger problem, in the long run, is that ICS-CERT is so unknown outside of a relatively small circle of control system security experts that a State intelligence agency did not contact them immediately upon receiving the initial report of a control system incident. This is an issue that DHS needs to address through its network of fusion centers.

November Monthly Monitor

ICS-CERT published the latest issue of their Monthly Monitor, the November issue, today. This is one of the tools that ICS-CERT uses to communicate with the control system security community. This issue addresses vulnerability disclosure, researcher acknowledgment, Duqu, and Internet-facing control systems.

They have a nice brief piece on the recent discussions about responsible disclosure that ICS-CERT participated in at the recent ICSJWG fall meeting. With their typical class, they gave recognition to Dale Peterson, one of their vocal critics on this topic. One of the results of the discussion was that ICS-CERT has reviewed and modified their policy on providing attribution for uncoordinated disclosures of newly identified vulnerabilities. They will now provide the names of security researchers (unless the researcher requests anonymity) for all vulnerability discoveries, even if the researcher does not participate in the coordinated disclosure program.

There is a nice summary article about Duqu. It contains no new information that ICS-CERT has not already published. They do provide a summary of the differences between Stuxnet and Duqu, noting that their analysis of the “code and each malware’s characteristics indicates significant differences between Duqu and Stuxnet, lending more fuel to the debate about common authorship”.

There is a short piece on Internet-facing systems that notes that Eireann Leverett, at Cambridge University, has discovered “thousands of Internet facing control system devices throughout the world”. ICS-CERT “responded to reports of over 70 instances of Internet facing control system devices, mostly in the water sector” in the month of April alone.
