Today, DHS Released the public exercise report on CyberStorm, which was something I participated in, well, starting almost a year ago.

Although SCADA played a prominent role in exercise, the only real mention is the final report is excerpted below:

Finding 8: Improvement of Processes, Tools, and Technology

There was a great deal of research and discovery in the area of Supervisory Control and Data Acquisition (SCADA) patching processes during the exercise planning process. This process identified and demonstrated the various difficulties that would result in recovery if a vulnerability existed.

Since I was quite involved in the planning/exercise design in the Electricity cell and was an observer/controller on-site at INL during game play, I wouldn’t want to comment too much.

However, I will say that although the “worker bee” side of me would have picked a different conclusion on SCADA for the final report, it is probably not a bad thing that the topic of patching of SCADA vulns bubbled up. And just to be clear, the reference is to “hypothetical” vulnerabilities in SCADA applications and protocols and how vendors and end users might respond–not to Microsoft/Cisco vulns that might impact SCADA. So yes, the topic of disclosure did come up.

It will be interesting to see the press coverage on the exercise.