There has been a lot of talk about disclosure of control system vulnerabilities. We have been laying low on this issue and letting it percolate after disclosing to US-CERT the initial control system vulnerabilities and kicking the issue off at PCSF two years ago.
With another PCSF annual meeting and disclosure panel coming up next week in San Diego, it is time to reengage. So take a look at our narrated Pecha Kucha presentation (20 slides, 20 seconds each) on the topic.
If you can’t spend 6’40”, I’ll sum it up in 4 sentences. Fighting over the ‘proper’ control system vulnerability disclosure procedure and standing up new organizations is a waste of time because the decisions of vendors, asset owners, academia, government, and coordination centers do not matter. The only policy that matters is the policy of the person or organization that finds the vulnerability, and many will not play ball with all these newly proposed methods and organizations. I know Digital Bond wouldn’t, because we are happy with the results of our policy to disclose to US-CERT. [and we are quite conservative compared to most vuln discoverers] Instead the community, especially vendors but also asset owners, should be focused on how they will process the inevitable vulnerabilities as they arise in increasing numbers.