ICS-CERT has been busy this week. They updated
an alert on Tuesday and issued
two advisories yesterday. In two of those three actions some
interesting questions were raised about the information provided, or not
provided, in their documents. Since then some additional information has been
made available.
When is a Vulnerability not a Vulnerability?
When ICS-CERT
declared that two of the vulnerabilities reported on the Schneider Electric
systems during the recent S4 Conference in Miami were not actually
vulnerabilities, I thought it kind of odd that a security researcher could make
that kind of mistake. I mentioned it in passing in my blog post, but figured
that someone else with more experience in the technical side of things would
tackle the issue. Sure enough, Dale Peterson had something
to say about the issue on Digital Bond's SCADA Security Portal. It is well worth the
read, but have a fire extinguisher handy; Dale is hot.
Quality of Write Ups
In last night’s post about the recent Emerson advisory I had
some questions about some things that had been left unsaid in the advisory.
Fortunately, Joel Langill (the researcher on the Emerson vulnerabilities) and I
have had a number of informational exchanges over the last couple of years, so
I asked if he would like to comment on those questions. Sure enough he did. He
posted a very
detailed comment on that blog post that all should read. He answered my
questions and gave some good insights into the vulnerability disclosure/response
process. It is well worth the read.
Responsible ICS-CERT
ICS-CERT provides the control system community with a
valuable service. Among other responsibilities they act as a clearing house for
information on vulnerabilities and their mitigations. Given their budget,
number of people on staff and their other important tasks, they do a pretty
damn good job. But they have to be careful.
People look at what they say and don’t say in their reports.
If they say that one part of a mitigation has been verified but don’t mention
the verification status of another part, people can only assume that it hasn’t
been verified. That doesn’t help the vendor restore confidence in their system.
And if they publish a vendor’s counter-claim on a
vulnerability without giving the researcher a chance to respond, they are going
to look like they primarily serve the vendors, not the control system
community.
No one is going to be happy with ICS-CERT all of the time,
but more attention to the detail that they do put into their alerts and
advisories would help maintain their status as a valuable resource to all parts
of the control system security community, particularly the system owners and
operators.