PCSF San Diego: Tuesday - Day One
Vulnerability Disclosure Panel
See Digital Bond’s Take On Vulnerability Disclosure
Ted Angevaare of Shell is only interested in sharing any vulnerabilities with the vendor. Not a coordination center, not any public disclosure.
Nate Kube of Wurldtech does not believe in widespread dissemination of control system vulnerability information.
Art Manion of CERT/CC believes there needs to be a public record of vulnerabilities, including control system vulnerabilities. There may be considerations about the amount of information. Interesting IT Vulnerability Response Evolution slide: Denial, followed by Anger, followed by Acceptance.
Yurie Ito from the Japanese CERT, JPCERT, is providing an overview of an international CERT. They use the same disclosure model for IT and control system vulns. “Make sure the system users are aware of the risk and can make a decision how to respond.” They have a policy that if a vendor knows and can contact all users there may not be a public disclosure. [I don't like that.] They also have a vendor point of contact list so they know who to contact. [That would be a big help in the control system space, where it can take 6 months plus to find the right person.]
Kevin Sullivan of Microsoft - - “we need the help of security researchers; no vendor can imagine or identify all vulnerabilities in their code; our updates must run correctly on every single machine”. ICASI is an effort among global IT vendors to coordinate response to a widespread problem with a multi-vendor response. Open lines of communication - - where can researchers report vulns.
Aaaahh . . . finally a control system vendor on the big panel, Al Rivero from Telvent. Their customers do not want the vulnerability publicly disclosed, but they want to know about it from Telvent. Their patch management program has a 5-business-day commitment for patch verification; service packs take longer. Information is available to customers through a secure Extranet. They have an RSS feed for this info, nice. Not really talking at all about what happens when a vuln is found in their software.
Ivan Arce of Core Security Technologies is the last on the big panel. They were the ones who recently found and disclosed the Wonderware and Citect vulns. Core disclosure is not a revenue generation activity. They do it to gain knowledge, promote brand and name, and “help vulnerable organizations understand and mitigate risk”. [Well, maybe not direct revenue, but it is part of their strategy. Which is fine; no one is pure.] “Extend the vendor the courtesy of notifying them first, but do not rely on the vendor to solve the problem”. They believe that if they found the vuln, others have found it. They do coordinate with other organizations when necessary, but not most of the time, only when they hit roadblocks. They push for transparency; all communications are documented. [This makes for interesting reading.] They assume the vulnerability is exploitable unless there is some strong evidence it cannot be.
Ted of Shell is making a big point that systems cannot be shut down to be patched without having a business impact. [This should not be a problem if adequate redundancy is in place, but of course it takes time and $.] Ted’s second comment: what about vulns in the vendor’s freezer - - vulns the vendor knows about but hasn’t fixed.
Question from the audience - - companies that say “we know and don’t fix.” How long does CERT wait? Art says that the threat of disclosure is the only stick. Ivan says they don’t see disclosure as a threat. If the vendor is not addressing it, they disclose so end users can address the problem.
Question about IPv6.
Summary: Lots of interesting comments from the panel, but it was way too big. Should have been cut in half so the intro comments did not take up 75% of the session time.
UPDATE: 4 PM PDT, Dale Peterson
The law enforcement panel included RCMP and FBI. FBI has trained cyber squads in all 56 field offices, and they even have dedicated analysts focused on control systems.
Most interesting factoid is the first SCADA-related prosecution is under way for a crime in the water sector.
Safeguarding asset owner information is now possible given the Protected Critical Infrastructure Information Act, which eliminates FOIA access. Confiscating equipment was an issue they were ‘sensitive’ to for critical infrastructure equipment. Not sure ‘sensitive’ gives me comfort.
I’ll be live blogging the vulnerability disclosure panel.
UPDATE: 3:00 PM PDT, Jason Holcomb
Feedback from those around my table is that the plenary sessions have been interesting but lacking some detail. The first day tackles some high-level issues. The workshops and demonstrations over the next two days should be a little more detail-oriented.
One of our DOE-funded research projects, Bandolier, got a brief plug earlier today in the Energy Sector Roadmap Update. I think the immediate, usable results make it an attractive project. I’m looking forward to talking about it more in our Thursday session.
Some observations in the current session “Control System Cyber Incident Handling: A Law Enforcement Perspective Panel”… This may be old news to some, but just in case you didn’t know, the FBI has its own Process Control Systems Analyst. And it’s good to see participation from the RCMP, also represented on the panel.
UPDATE: 2PM PDT, Dale Peterson
The lunch program provided an overview of the Energy Sector Roadmap and the Water Sector Roadmap. Not really anything new here.
Tim Roxey of Constellation Energy and the Nuclear Sector Coordinating Council provided some detail on the AURORA vulnerability, including the equipment necessary for an attack, the access and knowledge required to launch the attack, and the time [less than one minute] to execute the attack. A four-question checklist (a simplified version was in the presentation, with questions such as “Does the facility contain rotating AC electrical equipment identified as a critical asset?” and “Is this rotating equipment connected to commercial power at any time?”) was provided to asset owners to determine if their facility was vulnerable. There is an Official Use Only version of this briefing with more info.
Next up are the Law Enforcement and Vulnerability Disclosure panels.
- - - - -
The 2008 PCSF Annual Meeting kicked off this morning in La Jolla just outside of San Diego. Well … actually it is now the Process Control System Industry Conference and DHS is not here! Officially they were “not able to attend” and were “frustrated and disappointed” by this. The unofficial buzz was there was a last minute issue about whether it was legal/allowed for DHS to participate or spend money on this type of event. Can’t say I know the exact story, and it really doesn’t matter. It is just highly regrettable that the team from DHS couldn’t participate in what is largely a DHS sponsored event.
On a happier note there are about 200 people here from 17 different countries, and the weather is beautiful when the marine fog burns off around noon.
Keynote - Phyllis Schneck, Founding Chairman and Chairman Emeritus of InfraGard, currently with Secure Computing
This was an interesting choice for a keynote. In some ways InfraGard, especially with SCADAgard, overlaps what PCSF does, but when asked about that Phyllis sidestepped the question. However, InfraGard went through a number of changes in approach and structure over 8 years to become what it is today - - a successful organization with 86 chapters and more than 26K members. It shows those trying to make PCSF a success that it takes persistence and an ability to adjust. You don’t usually get it right the first time.
One of the main benefits of InfraGard, according to Phyllis, is the ability to “know who you’re going to call before you need to”. InfraGard members have a relationship with their local FBI agents, and these relationships can dramatically reduce response times. One other interesting point is that each of the 26K members of InfraGard has undergone a records check.
Two Closed Presentations
The next two presentations are closed to the press, which seems unnecessary, but I’ll respect that. I attended the first closed presentation, “Security Challenges Facing the Control Systems Environment”. No comment allowed.
I skipped the second session “Should We Be Scared-a SCADA?” by Team Cymru. If you want to see what I imagine will be the Cymru presentation see http://www.cylab.cmu.edu/seminars/default.asp and click on Page 2. It requires a Windows machine to view the presentation. Some interesting info on Internet traffic on control system ports, but my expectation is PCSF attendees would not be using the Internet as a plaintext control system WAN.
Check back throughout the day for updates.
Author: Dale Peterson
Posted: August 26th, 2008 under PCSF.
Comments: 2
Comments
Comment from Jake Brodsky
Time: August 27, 2008, 8:06 am
Thanks for the update, Dale, especially about the information disclosure issue. We are all treading a very fine line on the disclosure issue, and it may well be that there is no one answer to this question.
Issues like this are the primary reason why e-mail lists such as SCADASEC were created. We probably need to consider issues such as disclosure impact, vendor responsiveness, pervasiveness of the software, and other such issues before deciding whether or how to go public.
Those who preach a single answer to the question of disclosure aren’t thinking about this hard enough.
Comment from Ralph Langner
Time: August 27, 2008, 11:37 am
Well, first of all it’s good to hear that you guys are enjoying the beautiful southern California weather while I’m freezing my ass off and just about to light the fireplace. Summer in northern Europe… Anyways.
One topic that I have been missing in the vulnerability disclosure discussion so far is how we deal with vendors who don’t disclose known vulnerabilities in their products to their customers, even if they have fixes. To the best of my knowledge, this is mandatory in the safety area, whereas in security it’s kind of worst practice. Any spotlight on this issue in the PCSF discussions?