Subscribe to US-CERT Secure Portal?

Last week I learned of a new vulnerability and security patch for it on a popular control system application. The good news is the process of the researcher working with the vendor to fix and disclose this vuln is a success story. In fact, we are seeing many vulns being handled in a professional and timely manner, as well as hearing good things about ICS-CERT’s assistance in vuln handling.

When I searched US-CERT and ICS-CERT for their announcement, I found nothing. After a bit of digging, I learned that it is currently only available for US-CERT Secure Portal members. Talking with ICS-CERT I learned a version will be published in the near future on CERT/CC.

I don’t subscribe to the US-CERT portal because we know or hear much of this information from other sources, and I want to avoid any problems with blogging on these issues. But maybe you and I and everyone else with an interest in control system security need to be on the US-CERT Secure Portal?

My preference would be to see some very limited public announcement of a vulnerability at the same time as more info is available from the vendor and through the US-CERT Secure Portal. For example, “Vendor Application Version x.y has a new published vulnerability. Contact Vendor for a security patch or other remediation methods for this vulnerability. Additional information is available on the US-CERT Secure Portal”. This would get passed through multiple web sites that distribute vulnerability information and have a better chance of reaching affected owner operators.

6 comments to Subscribe to US-CERT Secure Portal?

  • Dale,

    Thanks for the suggestion, I couldn’t agree more. We will take a look at our procedures, solicit feedback from community leaders such as yourself for proposed content and start posting the updates to our public website and RSS feeds.

    Best regards,

    Seán

  • Hi Seán,

    Good to see you about the public spaces!

    I for one think it would be a great thing if there is a way to be able to share between different parties a number of the great products that are available from the secure portal. I have resisted seeking out a direct means to gain access (which has been offered) in order that the community in this part of the world can benefit & not just an individual.

    I’ve been trying to encourage one product in particular to be shared between trusted parties for over 18 months now, so it seems that procedures and red tape are still getting in the way of progress, at least from the perspective of a measurable outcome with one product that I think would be of some measurable benefit.

    To be balanced, I think the RSS feed material and other web products that are now coming out of ICS-CERT are a great step forward, and the speed at which information is becoming available is improving each time. Still not as fast as open source research, but it is improving.

    I hope ultimately that it is possible to encourage a responsible approach to information sharing. I think it is possible to have both awareness and closed community resource sharing methodologies, and that we can participate in both arenas with some degree of comfort.

  • With the owner and operator hat firmly on, the challenge, Dale, is that making any public announcement about “vendor x has a vulnerability” before the community has had a chance to mitigate does move risk from being less kinetic to being more tactile.

    My own open source research at hand to date with a number of the ICS vulnerabilities that have been made public confirms that within a very short window of time after being announced a measurable level of reconnaissance, or less subtle, occurs “from the wild”, looking at the very least for the published ports and services or deeper technical info for product X and product Y.

    I know that you and Matt for that matter are uncomfortable with the principles of keeping vuln disclosures quiet until they are mitigated. The whole “boys club mis-trust debate and kindred overtones”; however, we as a community are small enough IMHO. My suggestion is that successful mitigation of a vulnerability by all in and out of support affected customers is quite an achievable reality, even to the point of the vulnerability not being made public. I think that as the community evolves and as systems become more current and less legacy in nature, the disclosure process can evolve to a model that you and he are more comfortable with.

    It is still arguable by many, and the data in many reports supports the argument, that disclosures on any vulnerability, 0 Day or otherwise, do indirectly encourage and motivate people to engineer attack tools and workarounds to patches etc.

    In fact one recent article even suggested that there are more issues with public vulnerabilities than ones that are not made public.

  • Ron,

    I think you misunderstand the blog and my comment. A researcher found a vuln, and the vendor fixed it. There is a patch available and people should know to patch. Let’s use our SCADA Honeynet as an example. How would it hurt to release:

    “A security vulnerability has been found in Digital Bond’s SCADA Honeynet Version 1.1, and a patch to resolve this issue is available. Customers should contact Digital Bond for the patch, and more information is available from the US-CERT Secure Portal.”

    There is no information on the vuln, and quite frankly every product has vulns. The key point is there is a patch available.

    Walt recently pointed out on a SCADASEC list that a pipeline owner who had WinCC didn’t know about Stuxnet, so I would say getting the info out through multiple channels would help.

  • Hi Dale, I think your example is not a good one to use, mainly as a honeypot is not an operational system; however, I understand what you are trying to convey and that you are deliberately not using any sort of real world example.

    It depends on where your hat is “at” and the impact a given vulnerability has to you, your role and the enterprise affected, whether it is govt, security vendor, product vendor or end user.

    The nature and impact of a given vulnerability has a large part to play on what the kinetic risk profile is likely to be with respect to each party.

  • bryan

    A reboot of vulnerability disclosure has been requested for the ICSJWG vendor forum agenda (August 23, 2010 at 2 pm EST). Group membership is not limited to vendors…consultancy and owner operators are welcome too.

    Portal membership and the limited public announcement could be within scope for a task team if there is an action item taken.

    Not to poison the well, but among the many takeaways from Stuxnet is how many ‘vendors’ were directly involved: Microsoft, Siemens, Verisign, VirusBlokAda to name a few.

    Disclosure challenges are moving well beyond a single supplier vulnerability and response model. The good guy eco-system needs to develop much better response capabilities. Who really wants to go it alone anyway?

    ICS-CERT is a great start, but we are only just crawling. Vendors as a group could help accelerate the program – constructive feedback, dependency mapping, global response drills, resource exchange programs etc.

    In summary, an effective response capability is in the best interest of all ICS stakeholders. Could even provide a viable alternative to those who feel the need for public disclosure.
