Low Expectations
Matt’s last post is so important that I’ve held off blogging so it would remain on top for a few days. It is gratifying to see the process work (with the notable exception of 9 of the 11 companies not being able to respond to CERT if they were vulnerable or not), and the PCSF session on this issue should be very interesting.
My question is why did it take so long? I’m not talking about the vendor response time because that issue is not limited to the SCADA vendor world. I’m referring to the fact that this is the first, as far as we know, SCADA vulnerability and fix that has been published through a responsible disclosure process in the US.
I think back over the last 6 years about the number of vulnerabilities Digital Bond has identified in assessments and our research lab and wonder why we didn’t push harder for this to happen. Granted the new emphasis on control systems at US-CERT and CERT-CC have helped make this easier today than in previous years, but we have no evidence that these organizations would not have handled SCADA vulnerabilities properly.
Our previous process was to contact and work with the vendor to get a fix or patch. All too often the vendor refused or presented a quote to fix an inherent vulnerability. This was followed by compensating controls to reduce the risk to an acceptable level, and I don’t think the need for creative compensating controls is going away.
Why didn’t we, and why doesn’t the community, report vulnerabilities to an organization like CERT? To borrow a line, I think it was the “soft bigotry of low expectations”. How often have we all heard the line, “SCADA is different”? Certainly it is in many ways, but it is not different in the fact that software developers are going to make implementation errors that lead to vulnerabilities, and the vendor should be held responsible for fixing their errors that could lead to a security breach. If anything, the difference is that these patches should be expedited given the critical processes these systems control.
For over six months now we have changed our approach. When we identify vulnerabilities from research in our lab, we report them to the vendor and CERT. When we identify vulnerabilities in an assessment, we attempt to convince our clients that it is in their interest to get CERT involved and push the vendor to responsible disclosure and correction of the vulnerability. (I’ll blog on the benefits to the asset owner of responsible disclosure later.) So far our clients have responded very positively once they understand the issue.
This is my call to all members of the community – asset owners, researchers, vendors, consultants – report the SCADA vulnerabilities you identify. Here is the link to report a vulnerability to US-CERT.
Author: Dale Peterson
Posted: May 19th, 2006 under Big Picture, Vulnerability Disclosure.
Comments: 1
Comments
Comment from Matt Franz
Time: May 20, 2006, 9:37 am
This blog by DaveG over at Matasano didn’t deserve a post of its own, but is relevant as it defines different phases of security awareness that vendors go through:
Ignorance (The Truffle, Foie Gras and Fried Platinum Salad Days)
Attention (Why is that dude with the facial tattoos staring at me?)
Focus (Why is everyone staring at me?)
Pain (Why am I not wearing pants?)
Based on my experience with a certain network vendor, I found there can even be a disparity within a vendor, with individual product/engineering teams at different phases. So both ignorance and enlightenment can be present simultaneously.