Jake Brodsky, a long-time reader, commenter and utility
cybersecurity owner (he owns the system, not the utility) left a comment on this
morning’s blog post about ICS-CERT and the secure portal. Jake’s lengthy
comment is worth reading as he defends withholding information about utility vulnerabilities
from the public.
Jake makes some very important and legitimate points about
the difficulties utilities have shutting their systems down to install patches.
While I have no personal experience with utility systems, I do know that 24/7
manufacturing facilities have similar problems. So, any debate about
vulnerability disclosures should certainly take this into account.
That, however, is a continuing debate for another day. Still,
being restricted by disclosure rules is not what I was talking about. The
two instances that I was addressing deal with:
• A publicly available set of exploits that have already been discussed by a prominent cybersecurity blogger, and
• A discussion about a widely used attack methodology specifically relying on open source comments by another well-respected security researcher.
Both of these instances address attack methodologies that
are already in place and are being used. Neither Jake’s utilities nor my
manufacturing facilities are being protected by keeping the discussion about
these exploits behind closed doors. ICS-CERT is making it easier for attackers
to exploit these vulnerabilities and tools by keeping the problem under wraps.
In a perfect world ICS-CERT would have contact information
for every cybersecurity manager at every public and privately owned control
system installation in the country. They would have contacted these individuals
and ensured that they were part of the discussion of these vulnerabilities on
the Secure Portal. Unfortunately (to my thinking, though several of my friends
would vehemently disagree) they don’t and haven’t; not by a wide margin. So the only way we can even hope to keep a
small portion of the potential victims involved in the discussion is to conduct
it in public.