I am loosely affiliated with a couple of different
organizations that are able to provide me with information about government-issued
cybersecurity reports that carry restricted distribution markings;
not classified, just a variety of sensitive-but-unclassified markings. Of
course, one condition of my receiving copies of these is that I am not
able to publicly disclose the information contained in those reports. So the
following discussion will be a tad bit vague as I describe a disturbing trend
in such information sharing activities.
We all know that US-CERT
provides a limited distribution web site where adequately vetted members
of the various affected private sector organizations (this does not include me)
can get up-to-date unclassified information about trends and issues in the
cybersecurity realm. ICS-CERT has a portion of that portal that they use to
discuss vulnerabilities in control systems and attacks on those systems that
they don’t want widely disseminated so as to not allow control system
adversaries to know what we know about their activities. This also includes
information about specific vulnerabilities and fixes for those vulnerabilities
that are being disseminated to system owners that will subsequently be publicly
released on the ICS-CERT web site.
Now all of the above is clearly a good thing. Critical
infrastructure organizations can get up-to-the-minute information (okay, day or
week, not minute) about vulnerabilities that might affect their operations,
while the bad guys don't know how much the good guys know about what is going
on. On a number of occasions I have recommended that every control system owner
apply for access to this portal.
It has come to my attention that in the last couple of weeks
there have been two restricted-access advisories published on the ICS-CERT
portion of this portal that dealt with vulnerabilities that had already been
publicly disclosed and discussed in the open press (including this blog). Now I
have not seen the actual advisories, but the discussions about them on the
portal do not seem to fall into the realm of keeping the bad guys in the dark
while the good guys fix the problem. The advisories sound more like the 'see
how special we are because we know sensitive stuff' type of advisory.
Now a certain amount of that is going to go on in any
organization, even a very loose organization like this portal; membership
becomes as important as the purpose of the membership. But this portal serves
an important purpose, and US-CERT and ICS-CERT have a special obligation to
ensure that information gets to the general cybersecurity community (not just
this subset of it) as soon as practically possible. Playing 'see how important
you are because you belong to this group' games does not serve well the purpose
of that group or the safety of the larger society.
1 comment:
We are stuck between two extremely difficult problems. Security experts from the office IT world believe in maximum information dissemination. They believe that secrecy does more harm than good. And to a large extent they're right.
The problem is that for industrial infrastructure, this assumption falls apart. It is all well and good to say, patch, patch, patch and you will be okay -- as long as your operations can be backed up. And most office applications can be backed up very well.
The problem is that once I send water down the pipeline, it isn't coming back and there is nothing I can do about it! If you trash a control system and cause bad things to happen, there will be a physical manifestation that may not be easily reset or cleaned up. In particular, if you compromise a safety system, you cannot restore someone's lost limbs or life.
So the question is: when can we patch? Well, there are good times and there are bad times. In the Water and Electric power industries, fall and spring are good times to pull equipment from service to patch and test properly. Summer and Winter are high stress times when we simply may not have the excess capacity or system resiliency to properly test a patch.
Literally, for some large utilities, there are entire seasons when patching certain key assets is not practical. We COULD build in extra capacity. The costs would be ridiculous and the ratepayers would revolt. Nobody will foot the bill to build extra infrastructure to the tune of hundreds of billions of dollars nationwide just so that we can have the capacity to patch the embedded controllers that run it.
So DHS is keeping a lid on vulnerabilities and quietly distributing them to utilities so that they have time to take action as soon as practical.
Ultimately, we need a decentralized utility model. We have built massive infrastructure because it was supposed to be more efficient and practical. Today, that's no longer as true as it was during the days of our great-grandparents. However, until we can re-arrange and reconstruct our infrastructure toward these smaller models, we'll have to live with the difficulty of dealing with these vulnerabilities.
I wish we had the luxury of going public with every vulnerability as soon as it is discovered. However, the attackers will always have a lead time of at least several months before we can patch the critical embedded controllers. Do you feel sanguine about handing that kind of lead time over to the rest of the disgruntled world? I don't.