I am pleased to announce that Justine Bone of MedSec agreed to an interview on the Main Stage at S4x17. Vulnerability disclosure is and has been a contentious topic in ICS. I generally don’t write much about it because the person or organization that finds the vulnerability decides what is the responsible and appropriate disclosure. Full stop.
We have seen all sorts of disclosure approaches at S4, and even had a bit of a controversy ourselves around pointing out insecure-by-design issues in PLCs and RTUs as part of Project Basecamp at S4x12. However, neither that nor any other disclosure has been as aggressive and controversial as the MedSec/Muddy Waters disclosure of vulnerabilities in St. Jude Medical's devices.
MedSec had performed assessments on a variety of medical devices over 18 months and felt that St. Jude “stood out as lagging far behind” in security. You can see some demonstrations of the security issues at the profitsoverpatients.com site. Now the question was what to do with this information. Justine wrote:
In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message.
The time has come for us to re-think the way cyber security is managed. We acknowledge that our departure from traditional cyber security practices will draw criticism, but we believe this is the only way to spur St Jude Medical into action. Most importantly, we believe that both potential and existing patients have a right to know about their risks. Consumers need to start demanding transparency from these device manufacturers, especially as it applies to the quality and functionality of their products.
Muddy Waters publicly shorted the stock and issued an analysis saying it expected St. Jude's revenue to decrease by up to 50% over the next two years due to recalls and remediation costs, and that “MedSec is receiving compensation related to investment profits from the funds Muddy Waters manages”.
There are a lot of questions around this approach in terms of legality, ethics, disclosing vulnerabilities without technical detail, effectiveness in getting the issues fixed, impact on the security research community and much more. I will have no difficulty coming up with questions to fill the 30-minute interview, but we decided to open this up to the ICS security community. What would you like to see Justine Bone asked in the onstage interview?