Feedback from INL/LiveData Post
It probably is not a big surprise to loyal blog readers that I received several off-the-record calls on the “What does it mean? INL Testing LiveData ICCP Server” post. The main reason for off-the-record is that it takes a whole process to issue comments even to a blog / pseudo-press. Here are a few things I can share without violating anyone's confidence.
- Success Story - there has been a public disclosure of an INL testing success story, most recently at the PCSF Annual Meeting. A security patch that resulted from INL testing has been downloaded 49 times. 49 asset owners having a more secure system is a great success story.
- National Labs policies are not monolithic - While INL may agree to allow vendors to control the decision on how and when, if ever, vulnerabilities are shared with asset owners, other National Labs do not necessarily follow this approach. This may be a moot distinction since the vast majority of vendor testing occurs at INL.
- National Lab competition with private industry - this was the topic I received the most comments on with many swearing this does not and cannot happen. I mentioned that Digital Bond would have a logical competitor for the LiveData work since we had arguably done more research and work on ICCP and perform white box testing for vendors. By chance a much better and broader example arrived the same day I was getting most of these calls, the March issue of InTech magazine. The cover article, “What happens in plant stays in plant - INL control system plant assessments reveal inconsistencies that prompt a primer on security measures“. Plant and other asset owner assessments are Digital Bond’s most popular consulting engagement, and we have been performing them since 2000. In fact there are many commercial companies, large and small, that do this exact work including Verano/Plantdata, Dyonyx, Byres Security, Wurldtech, ISS/IBM, Symantec, … Every INL plant assessment is directly in competition with Digital Bond and many other commercial companies.
Again to be clear, we have no problem competing against INL or any other National Lab. They have a leg up based on the halo they get from their DHS/DoE programs, but they also have a lot of bureaucracy, political sensitivities and related costs. It is up to Digital Bond to market and sell our services as being superior to any of our competitors. Just don’t expect me to agree that the National Labs don’t compete when they are our toughest competitor for consulting and research.
Author: Dale Peterson
Posted: March 23rd, 2007 under National Labs, Vulnerability Disclosure.
Comments: 3
Comments
Comment from Ron Southworth
Time: March 23, 2007, 11:28 am
Dale, I thought about sending you some words off blog. Like everyone I do this from time to time if it is more appropriate etc. The challenge for us all is to be as open about what we discuss as we can. I hope you did not see me as having a go at you as this was not what I was trying to convey at all. I commend that you are trying to consistently convey a high degree of openness.
I subscribe to the AUSCERT listings and the USCERT notifications but I don't know how many others would say the same as an end user. I can understand your conviction in regards to seeing a method of sharing vulnerabilities but I don't know if the market is ready for the public openness you are trying to promote with vulnerabilities.
I think that the goal has merit perhaps a question of time or maybe for control systems a different approach is needed.
I can but only agree with Jake’s assessment as a general rule for the water industry - there are always exceptions.
The concerns he expressed are quite familiar.
An alternate approach, perhaps an answer, may be to look at developing a trust-based information sharing system not just on vulnerabilities but also on qualitative threat analysis and mitigation techniques and other related subject matter.
Who do you bring together in the environment? The government, vendors, consultants, end users and researchers.
This is something that a couple of us have been mooting around these parts and it is early days but so far so good.
There is a need to take the IT info and have it filtered and put into this trust sharing system, maybe even use the sharing arrangements as part of the analysis and quantification process. There is a need to have credible analysed threat information, assistance with forensics and in maintaining business continuity and probably a host of other things that I have not mentioned.
Can you see some merit in this alternate approach or is this the area where you have a fundamental difference of view?
Comment from Dale Peterson
Time: March 23, 2007, 11:53 am
Ron - don’t worry about offending me with comments. The comments that disagree are usually more interesting and thought provoking than the amen comments.
In the US there are Information Sharing and Analysis Centers, see http://www.isaccouncil.org/about/, by vertical industry that are trying the approach you describe. I have heard a couple are working ‘ok’, but most have not been very helpful. The problem is most participants are hesitant to share any information. They don’t see the benefit and worry about a possible leak. When stock prices and public confidence are at stake it is hard to argue their concerns are unwarranted.
This is one of the reasons we included Sandia’s paper on anonymous information sharing at S4. I’m not sure if they hit on the exact solution (it may be too complex), but the concept was interesting.
The NERC CIP standards require reporting of cyber security incidents, so that should be interesting to watch.
Comment from Ron Southworth
Time: March 24, 2007, 3:55 am
From my research to date I have found that the ISACs seem to be unidirectional. The info is flowing up to the top but not going back down. The exception may be the energy sector. The other aspect of making it a direct user-pays system does not help. I think the shared burden model is much more appealing. I don’t think the concept of the ISAC is exactly the same as what I am talking about as the concept is a bit more lateral and has provision for sector sharing. When we bed down things a bit better I will send you some graphical representations off blog of how we are trying to bring it all together.
Have a great weekend