SCADA Security: New Vulnerability Disclosure Framework a Step Forward

Posted by ernest.hayden on Jul 26 2012

 

This is an excerpt from the Think Forward blog at verizonbusiness.com

 

In a move that may be helpful for critical infrastructure asset owners, on July 23  the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Common Industrial Control System Vulnerability Framework

Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document - Common Industrial Control System Vulnerability Framework.  The document was developed with the intention of providing consensus-based guidance to vendors and system integrators in helping them create ICS vulnerability disclosure policies.

 

Unfortunately, the industrial control systems/ supervisory control and data acquisition (ICS/SCADA) industry has been criticized for less than effective disclosures of vulnerabilities in critical infrastructure systems and products.  This new document is intended to provide a foundation for the industry to follow once vulnerabilities are discovered and how the faults should be revealed to the vendors and the operators for remediation.

 

The ICSJWG notes that the new paper is “a living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.’’

 

The document can be a good starting point.  Key sections include:
  

•    Software Vulnerabilities (Types and Associated Remediation)
•    Types of Disclosure (Private, Public, Third-Party)
•    Vulnerability Disclosure Policy Components
•    Appendix – Terminology/Glossary
•    Appendix – Sample Disclosure Policy Overview
•    Appendix – References

 

The disclosure of ICS vulnerabilities that affect critical infrastructure such as the electrical grid started to rise dramatically in 2011, following the discovery of Stuxnet. The new framework from ICSJWG could greatly improve how vulnerabilities are disclosed and make it easier for operators to assess and act on threats.

ICS / SCADA Vendors – Start Using this Framework!

As noted in the ICSJWG framework, this is intended to be a “living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

 

If you work with ICS / SCADA systems and especially if you could be in a situation where you are aware of vulnerabilities but do not have a sense of how they should be handled and revealed, I’d strongly suggest you look over this framework and use it as your guide.

 

Secondly, if your company develops and/or tests ICS /SCADA software then you are highly recommended to begin to implement this framework and develop your own internal policy and procedures on how to handle ICS vulnerabilities and their ultimate disclosure.


What are your thoughts on how vendors handle vulnerabilities? If you are an asset owner, would a vendor using the new ICSJWG framework meet your needs for information and mitigation?

 

Note from Eric Byres: I have been watching and reporting on the development of this report over the past year. Good job ICSJWG, this is a big step forward!

 

http://www.tofinosecurity.com/sites/default/files/erniehayden2.jpg http://www.tofinosecurity.com/sites/default/files/verizon.jpg

 

    Ernie Hayden, CISSP, CEH

    Managing Principal - Energy Security

    Verizon Global Energy & Utilities Practice

    ernie.hayden@verizon.com

    206-458-8761

 Practical SCADA Security thanks Ernie for this article.

 Related Content to Download

Report:

"Common Industrial Control System Vulnerability Disclosure Framework"

 

In 2011 more ICS vulnerabilities were disclosed than in the past decade. Read this report and learn:
  • The types of vulnerabilities and how they can be remediated

    •  

  • The types of disclosures and recommended disclosure policies

    •  

  • A sample disclosure policy overview

    •  

  • A framework for what responsible vendors should be doing about vulnerabilities
Contribute to better industry-wide vulnerability handling by reading this report and sending your comments to:icsjwg@hq.dhs.gov

Related Links

•    Us-cert.gov Webpage: Industrial Control Systems Joint Working Group (ICSJWG)
•    ICSJWG Email: icsjwg@hq.dhs.gov (Ed. Note: If you have feedback on the ICSJWG Vulnerability Disclosure Framework, send it here)
•    Blog: S4 SCADA Security Symposium Takeaway: Time for a Revolution (Ed. Note: Includes chart showing the dramatic rise in ICS disclosures starting in 2011)
•    Digitalbond.com: Tridium Fails and ICS-CERT Flails (Ed. Note: Example of poor handling of a vulnerability by a vendor)

•    Digitalbond.com: 3 More Vulnerability Handling Suceess Stories

•    Blog: Effective Security Requires Involved Leadership (Ed. Note: Previous blog article by Ernie Hayden)

 

 

RSS Feed Subscribe to the "Practical SCADA Security" news feed


© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand



Submitted by ChrisM (not verified) on Thursday, July 26, 2012.

Vulnerability disclosure

I agree Eric a step forward but I note the phrase “Not disclosing an issue is not discussed; however it remains an option and may be appropriate in some scenarios.”

Although many vendors are now global, I'm hoping the ICSJWG doc will generate some discussion down here (though my first attempt might have been too subtle.)

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <p> <span> <div> <h1> <h2> <h3> <h4> <h5> <h6> <img> <map> <area> <hr>
  • Lines and paragraphs break automatically.

More information about formatting options

CAPTCHA
This question is to prevent automated spam submissions. Data entry is case insensitive.
Image CAPTCHA
Enter the characters shown in the image.