Japan FIRST Meeting & Vuln Disclosure

I am in Japan this week for a variety of reasons, including participating in and presenting at the FIRST Technical Colloquium. It is great to see FIRST and the coordination centers around the world gearing up for what we are certain will be an increasing number of control system vulnerabilities as these systems come under scrutiny.

One area we will highlight is the importance of vendors having an effective process for handling vulnerabilities reported by customers, researchers or really anyone. The recent experience with GE Fanuc, where it took almost a year for the researcher-provided information to reach the right person, is all too common for a vendor's first experience with vulnerability handling. I would like to note that once it got to the right person the security patches were quickly issued and the report handling process was modified. Some researchers will not wait 11 months and will release the vulnerability instead.

Last week the issue of vulnerability disclosure reared its head in some control system blogs and mailing lists. Matt convinced me long ago that there was no need to create a whole new system of coordination centers. Rather, we need to focus on educating the control system community on how to handle responsible disclosure and work with the existing coordination centers. Our experience with US-CERT and CERT/CC has been very positive, as has that of some of the other researchers we have assisted.

One last point: the community can come up with whatever disclosure mechanisms and rules it wants, but in the end it is the decision of the researcher, asset owner or vendor who finds the vulnerability that will carry the day. They will decide how, when and what to disclose. We encourage all parties to be clear about their vulnerability disclosure policy. Here is Digital Bond's Vulnerability Disclosure Policy.