Use Purchasing Decisions to Demand better ICS Security

Eric Byres made a very good point in his blog article “S4 SCADA Security Symposium Takeaway: Time for a Revolution” about the user community needing to unite and put pressure on automation vendors to improve the security of their products.  I am writing to be, dare I say, more militant about this point.

The IT World Routinely Pressures Vendors for Better Security

I mentioned BugTraq in my last posting.  It is a tool that has worked well for end users of software applications and operating systems.  Newly-discovered vulnerabilities are listed, and so are the defences against them, where possible - even if that means “avoid or disable until patched.”

I also touched upon the protocol of “You’ve got 30 days before we go public with this vulnerability” whereby an IT vendor would receive 30 days advance warning of its public announcement.  This was to give the vendor time to release a patch before the rest of the world knew there was a problem. The protocol came about for the same reasons we’re seeing in the ICS world – vendor inertia.

Some Organizations “Go Legal” rather than Improve Security

Without the threat of the public humiliation, a lot of organisations (not all) would sit on their hands and ignore security vulnerabilities.  Some even tried to suppress announcements by starting actions under the Digital Millennium Copyright Act (DMCA) against the people who notified them of a vulnerability and said that they would go public in due course.

For example, in 2002, an HP vice president warned SnoSoft, a loosely organized research collective, that its members "could be fined up to $500,000 and imprisoned for up to five years" for its role in publishing information on a bug that lets an intruder take over a Tru64 Unix system.

There are many well-documented cases of this, and you can find them with a simple web search.

I am still amazed that any company thinks it’s better to throw lawyers at a problem instead of just fixing it and learning from the experience.  I know the impact it has had on my purchasing decisions – avoid these organisations if at all possible.

Using Security to Guide Purchasing

For example, about ten years ago I recommended spending over $100,000 USD to replace an application from a vendor that simply refused to provide security patches.  The vulnerability in question would have allowed valuable Intellectual Property (IP) data to be stolen from the end user’s company. The Board of Directors agreed that it was worth spending the money to save the IP.  It was then they told me that actually I had been hired because they had already been hit!

It’s time we got more vocal and named and shamed indifferent vendors on a regular basis.  Plus, we should consider how much assistance a vendor will provide in helping us maintain good security and factor this into our purchasing scorecards.

Nowadays the issue of governance matters to us as professionals and to the Board of Directors of the organizations we work for. Boards have a legal and fiduciary duty to the company and to shareholders to know what’s going on and to protect assets and their value. They won’t want the details, but if you can explain a purchasing choice by saying “this vendor enables me to enforce your policies and the losing bidders don’t” then you shouldn’t have many problems.

The bottom line is that nothing causes change better than negative purchasing decisions.  Choose vendors with good security practices and you certainly won’t lose any sleep wondering when the next incident will hit you.

This article is a special guest contribution by:

David Alexander
Head of Vulnerability Research, Regency IT Consulting
david.alexander@regencyitc.co.uk     

Practical SCADA Security thanks David for this article.

Related Content to Download

Note: you need to be a member of tofinosecurity.com and logged in to have access to the document below. Register here to become a member.

Article - "Revealing network threats, fears"

 

This article by Eric Byres explains how the ANSI/ISA-99 security standards provide a framework for dealing with network security threats.             

It is a good article about the fundamentals of Industrial Control System security.

Related Links

 

 RSS Feed Subscribe to the "Practical SCADA Security" news feed

Comments

6

I'm also concerned about some of the chronic ICS cyber issues related to inherently insecure protocol.

Does anyone think Modbus will disappear anytime soon?

It's important to consider collectively how the industry collectively will move forward. Shaming a vendor about local exposure vulnerability seems like theater if nothing is being done about weak control protocols.

Evolution takes time and is a fair description of how ICS communications technology has advanced (apologies in advance to the many true instrument and control innovations).

It is time for a revolution.

David makes excellent points in his blog. Vendor inertia exists because customers allow it – the ICS world is not the home consumer market, where the end-user has little power. End-users have real power to both punish the offenders and reward the responsible via the purchase order.

I would also add that naming and shaming is the stick. We shouldn’t forget the carrot – some vendors have made a real effort and should deserve credit. Interestingly, Reid did this in his S4 Basecamp talk, when he mentioned the Honeywell and IGCS as being vendors who have acted responsibly in the past.

Let's not lose sight of where the author and Mr. Byres make their income. It is in their interest to accentuate the risk, of course. I also find the blackmail approach to vendors a bit unethical. Publicly exposing a critical flaw is NEVER a good thing to do in advance of a fix or patch. It is irresponsible at best, illegal at worst.

I am reminded of the hype and fear around Y2K, and the insane profits that many companies made based on that fear, as well as the "protection racket" that has grown up around PC antivirus software. Is anyone so naive as to not think that the antivirus vendors aren't slightly complicit in creating the threats? It's the oldest game in organized crime's bag of tricks.

I am puzzled by your comments regarding "blackmailing approach to vendors". Neither David or myself have ever suggested threatening vendors in any form. Neither of us have ever "exposed a critical flaw in advance of a fix or patch".

Read all my other blogs (and even my comments on this blog) and my position is clear. I have been vocal in my comments against the S4 form of disclosures that do not give the vendor time to develop patches or mitigations.

I believe it is critical that the end-user community demand reliable security in the products they buy. Consultants can not drive this. The security researchers can not drive this. Only an informed end-user community can do this. Is this unethical?

I agree with your sentiment about not exposing flaws before a patch exists, exactly as Eric has commented. That is exactly why vendors were given the 30 days - so they had time to find and fix the vulnerability before any publicity. I'm sorry If that wasn't obvious from the text of my blog post. As for blackmail, that's a strong word. Unfortunately it was the only way to get some companies to act. If that makes me a blackmailer in your eyes, I'll live with it and not lose any sleep. The greater good required it, etc etc.

Hi Folks,

I agree with the need to change the equipment resilience and for end users and industry participants to apply as much pressure and encouragement as we can.

The MS-ISAC folks developed a procurement language that has matured into a very comprehensive product.

I have sat down with a number of vendors and discussed this language as a representative of an owner and operator and as a consultant.

I have to say that the response has been mixed and that some people get the mesage much easier than others. The underlying common response does revolve around ROI for the vendor and the need for end users not in isolation but in larger numbers in a unified way to send the message about improving the product security.

I will throw a curve ball in here where do we point vendors that are keen in improving security without throwing them to the sharks. Where is all the good "foo" to feed them?

Add new comment