LiveData Completes INL Security Assessment

INL has “completed” a security assessment of LiveData ICCP server. “The project identified one vulnerability, which was remedied and patched in the field without any adverse impact on existing installations.”

This is interesting. How did LiveData notify its customers of the vulnerability and patch? An update from 27 Nov 2007 is on their site, but no detail is available on what the maintenance release is for. Perhaps it is in another document or area.

LiveData’s ICCP stack is used in a variety of systems including Invensys and Telvent. Do LiveData’s OEM customers know of the vulnerability and patch? Do they plan to contact their customers?

As we have said before, the community really has no way of evaluating what an INL security assessment means since the methodology and results are not public. Any testing is an improvement so this is a net plus.

ICCP is of particular interest to Digital Bond since a very small review, using Matt’s iccpsic, of the attack surface easily found vulnerabilities in earlier versions of the LiveData ICCP server.

Comments

Comment from Jake Brodsky
Time: December 31, 2007, 1:28 pm

Dale, this is where you and I disagree on methods. I don’t think the industry is ready for full public disclosure. What SHOULD happen is that the ISAC groups ought to notify their members that this could be an issue. And I won’t say right now if that is or isn’t happening.

I realize that we’re stuck between a rock and a hard place. I challenge you, however, to show that there is any expressed curiosity or outrage from Invensys or Telvent customers. We are dealing with a user community which has only the slightest understanding of the issue.

I think that LiveData has chosen a careful medium, given the circumstances. Let’s wait and see what the ISACs do. If nothing comes of this, then we need to light a fire under the ISAC, not publish this to the general public. Of the few people who know what this is, I can almost guarantee that most are script kiddies and hackers.

Comment from Dale Peterson
Time: December 31, 2007, 2:23 pm

Jake - We do have a long-standing, often discussed disagreement on public disclosure.

I think there is some potential for common ground in terms of agreeing that all customers, those with and without support contracts, should be notified in some manner about the vulnerability with enough information so they can make an informed decision on whether to patch or not. This is rarely happening even when the vendor does offer a fix to a vuln. We will see what happens in this LiveData case.

On your challenge - I have to agree there is rarely outrage. We have been in all too many conference calls with asset owner clients discussing serious vulnerabilities with the vendor, and the asset owners are way too accepting of vendor inaction. On a positive note, we have seen cases where this has changed by gently prodding the asset owners. They learn they have some leverage through US-CERT and user groups to force the vendor to do the right thing and fix their bug on their dime.

Finally, I will say in the last instance of a LiveData ICCP vuln that Invensys was all over it and took immediate action. I would be surprised if they don’t in this case as well.

Comment from Ron Southworth
Time: January 2, 2008, 12:55 am

Hi Dale

Hopefully after the next PCSF meeting this month some vigorous discussions will take place (during and after) and we will see some agreed way forward. I think vendors are getting the message, Invensys is one that I think is doing their best to change a culture. They are not alone however. We all have to do our bit on this.

I am going through the process of introducing a lot of security language into our present upgrade program; it is a big mountain to climb. I think the procurement section of the process is where it should gain some traction, when contracts and configuration specifications are constructed.

Jake, with the system you have for sharing there, I think efficiency in disseminating messages seems to be the underlying problem at the moment, at least for the water sector. I have been informed that not ALL ISACs are the same in the USA. Energy is the big standout, but I am also of the understanding that chem is catching up fast?
