US-CERT Control System Security Site
Not sure how new this is (and whether it has been officially “launched” yet) but as the maintainer of a couple of control systems security sites, I received an email this morning saying my site was now linked to the US-CERT Control Systems Security Site.
Apart from the links to national labs, industry organizations, and other “usual suspects,” there are two buttons at the bottom of the main page: one to report an incident and the other to report a product vulnerability. The incident link takes you to a web form (over https), but the report-a-vulnerability button fires up your email client with a message addressed to CERT/CC and carbon-copied to the US-CERT SOC.
I would encourage folks (whether end users, researchers, or consultants, assuming your client gives you the sign-off) to report your SCADA/EMS/PLC/IED vulnerabilities here, but make sure you use GPG/PGP! You don’t have to have a PGP key yourself to submit a vuln, but you do need to get the recipients’:
If there’s interest, I’ll do a more detailed blog post on what to include when reporting SCADA vulns. At a high level, it would be the conditions that triggered the vulnerability, any packet traces or system logs, specific product version and platform information, impact, workarounds, and the access required to exploit it. Remember to do your best to sanitize information that could tie a product vulnerability to a specific system vulnerability in the real world. At a minimum, that means IP addresses and host names, but probably more.
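As an added example (not code from the original post), the script below does the minimum sanitization described above before a report is sent: it replaces IPv4 addresses and internal host names with stable placeholders, so the recipient can still follow which host talked to which address across a packet trace or log excerpt without learning which real system it came from. The log lines, the internal domain `plant.local`, the site name, and the product name and version are all constructed for this example; the submitter supplies their own internal domain suffixes and site-identifying terms.

```python
"""Redact site-identifying details from logs before submitting a vulnerability report.

Added example, not part of the original post. IPv4 addresses become IP-1, IP-2, ...
and host names under the submitter's own internal domains become HOST-1, HOST-2, ...
The same real value always maps to the same placeholder, so the sequence of events
stays readable. Product version and platform strings are left untouched, since the
report needs them.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class Sanitizer:
    def __init__(self, internal_domains, extra_terms=()):
        # Host names are recognised by suffix; the submitter knows their own
        # internal domains (assumed inputs for this example, e.g. "plant.local").
        if internal_domains:
            suffixes = "|".join(re.escape(d) for d in internal_domains)
            self.host_re = re.compile(
                r"\b(?:[a-z0-9-]+\.)*(?:" + suffixes + r")\b", re.IGNORECASE
            )
        else:
            self.host_re = None
        # Free-text terms that identify the site (company, plant or station names).
        self.term_res = [re.compile(re.escape(t), re.IGNORECASE) for t in extra_terms]
        self.ip_map = {}
        self.host_map = {}

    def _placeholder(self, table, key, prefix):
        key = key.lower()
        if key not in table:
            table[key] = f"{prefix}-{len(table) + 1}"
        return table[key]

    def _replace_ip(self, m):
        try:
            ipaddress.IPv4Address(m.group(0))  # skip non-addresses such as 300.1.2.3
        except ipaddress.AddressValueError:
            return m.group(0)
        return self._placeholder(self.ip_map, m.group(0), "IP")

    def sanitize_line(self, line):
        line = IPV4_RE.sub(self._replace_ip, line)
        if self.host_re is not None:
            line = self.host_re.sub(
                lambda m: self._placeholder(self.host_map, m.group(0), "HOST"), line
            )
        for i, rx in enumerate(self.term_res, start=1):
            line = rx.sub(f"SITE-{i}", line)
        return line

    def sanitize(self, text):
        return "\n".join(self.sanitize_line(line) for line in text.splitlines())

    def mapping(self):
        """Real value -> placeholder table. Keep this locally to answer follow-up
        questions from the CERT or vendor; it is never part of the report."""
        return {**self.ip_map, **self.host_map}


# Constructed log excerpt; host names, addresses, site and product are fictional.
SAMPLE_LOG = """\
2006-04-17 09:12:01 hmi01.plant.local scadad[412]: connection from 10.20.30.40:502
2006-04-17 09:12:02 hmi01.plant.local scadad[412]: request length field out of range from 10.20.30.40
2006-04-17 09:12:02 hmi01.plant.local scadad[412]: service stopped (ExampleHMI v3.1 on Windows 2000 SP4)
2006-04-17 09:12:05 plc7.plant.local poll from 10.20.30.41 ok, Riverside Station lights on
"""


def sanitize_report(text, internal_domains, extra_terms=()):
    """Return (sanitized_text, mapping) for a report body."""
    s = Sanitizer(internal_domains, extra_terms)
    return s.sanitize(text), s.mapping()


if __name__ == "__main__":
    clean, table = sanitize_report(SAMPLE_LOG, ["plant.local"], ["Riverside Station"])
    print(clean)
    print("keep locally:", table)
```

The placeholder table is the piece people tend to forget: keep it on your side so that when the CERT or vendor asks "was the second address the same PLC?" you can answer without re-deriving anything from the raw logs.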
This is the process we are using, and it is going relatively smoothly so far. We usually give the vendor a chance to respond first before going to a CERT, but some bug finders carbon copy CERTs on initial vulnerability reports to vendors, because they’ve found the process moves quicker if a trusted third party is in the loop from the beginning.
Without “spilling the beans” on the PCSF talk in June, we, too, have found that some vendors have been more responsive if they get a call from a CERT.
For Non-US Folks
We’ve also worked with the good folks at NISCC and they, too, “know SCADA.” So if you are in the UK and have an existing relationship with them, that would be your best bet for reporting product vulnerabilities. Although I’ve heard very positive things about SCADA security efforts in Australia, I have no knowledge of AusCERT’s control system capabilities.
Author: Matt Franz
Posted: April 17th, 2006 under CERT/US-CERT, Vulnerability Disclosure.