Overnight I have been hearing some interesting information
about the Yokogawa Advisory issued by ICS-CERT late yesterday afternoon. It
seems as if at least a couple of folks had received emails from ICS-CERT
notifying them that an advisory about Yokogawa vulnerabilities had been
released to the US-CERT restricted portal.
This would normally have been a standard action to be taken
with vulnerabilities in a device/application that is widely used in critical
infrastructure or in cases where the vulnerabilities were severe enough that
exploitation of the vulnerabilities could reasonably be expected to put
facilities at risk. It would certainly seem as if both those conditions were
relevant in this case.
The whole point of releasing advisories to the secure portal
is to allow critical infrastructure a window of opportunity to take action to
protect themselves against exploitation of a control system vulnerability
before disclosure is made to the public. People working in critical
infrastructure get information about such vulnerabilities pushed to them if
they are registered with US-CERT (quite obviously I am not so certified, nor do
I, quite correctly, have access to the secure portal; I don’t have an
appropriate need-to-know).
In a true coordinated disclosure, I would assume that
ICS-CERT would reach an understanding with the vulnerability discoverer about
public disclosure of the vulnerability while the corresponding advisory was
being closely held within the Secure Portal. There is no indication that Rapid7
disclosed this vulnerability to ICS-CERT. Their disclosure policy (which I
noted last night) clearly indicates that they coordinate their disclosure with
the Carnegie Mellon CERT (CERT/CC).
I would have liked to have thought (and certainly did before
last night) that with vulnerabilities as potentially serious as this one,
ICS-CERT would have initiated conversations with the vulnerability discloser
to arrange for a reasonable period of at least limited disclosure to allow the
release of the vulnerability in the Secure Portal for some reasonable amount of
time. With an organization like Rapid7, that might include allowing them to
privately notify their paying clients, but not making general public
notification of the vulnerability until ICS-CERT published their public
advisory.
For whatever reason, that does not appear to have been done
in this case; or at least not effectively. That ICS-CERT apparently released
this to the secure portal at about the same time that Rapid7 was publishing
public notice (with Metasploit modules) indicates that there was some serious
miscommunication between the two organizations.
Since yesterday afternoon’s advisory release from ICS-CERT
did not include the standard Secure Portal disclosure statement, it doesn’t seem
that they are willing to publicly discuss this issue for whatever reason. I
suspect that it is a political (small ‘p’) issue with ICS-CERT trying to
maintain reasonably good relations with the security research community,
particularly those that coordinate their disclosures with vendors and/or CERTs.
I understand that kind of effort since ICS-CERT has little enough that they can
give in the way of incentives to that community to responsibly disclose these
vulnerabilities.
This particular situation, however, is quite serious. The
disclosure of the Metasploit modules at the same time as the public disclosure
of the vulnerability always gives an edge to the potential attackers. Given the
fact that Yokogawa systems are used in critical infrastructure, this
potentially puts the public at risk. If miscommunication was responsible for
that risk, then we need to know about what steps are being taken to prevent
such incidents from happening in the future.
At the very least the DHS OIG needs to take a look at this
particular incident. Congressional committees looking at cybersecurity issues
also need to look at this situation and determine what their legislative responsibilities
are to help prevent such occurrences from being repeated.
Let’s hope that the owners of these Yokogawa systems,
particularly those in critical infrastructure, are able to get these
vulnerabilities mitigated before someone aggressively exploits them. I sure don’t
like relying on hope.
1 comment:
Patrick - I think the complexity of the situation and limited information makes it very difficult to determine what happened in the CERT/ICS-CERT/JP-CERT/Yokogawa/researcher chain.
The US sales of Yokogawa are a small percentage, less than 10%, of their global sales. Japan is about one-third of sales and Asia over half. This coordination should have been (and probably was) led from JP-CERT / Japan. JP-CERT has a long history working with CERT and ICS-CERT since it was stood up. I should note that JP-CERT also has something similar to the secure portal, and their approach to critical infrastructure disclosure is closer to the UK than US.
The CENTUM VP is the system you see most in critical infrastructure, not the CENTUM CS. For example, CENTUM VP competes with Honeywell and Emerson for a lot of the refinery and large petrochemical plants. I'm less sure how widespread the CENTUM CS is, which leads me to an important point about the ICS-CERT alerts and advisories ...
ICS-CERT should know more about the actual usage of these systems than pulling a line off the product marketing web page. The lack of prioritization in vulnerability handling continues to be a major flaw in ICS-CERT/DHS.
The Yokogawa bulletin had an interesting and important line "Other products being affected by these vulnerabilities are under investigation. Upon finding out the results, we will publicize the information without delay." The English is a bit tortured there, since it is not their first language. However, it's great to see them acknowledge these vulns could affect other products, they are investigating, and will make the results public.
Yokogawa actually did much better than most vendors in handling the first vuln. They actually fixed it; provided a free upgrade to a version that can be patched; acknowledged it may be in other products.
Final comment - this also supports my contention that it is not worth spending a lot of time on rules for coordinated disclosure. The person or organization who finds it, in this case Rapid7, will do what they feel is best.
Dale Peterson
Digital Bond, Inc.
@digitalbond