SCADA Security: New Vulnerability Disclosure Framework a Step Forward

This is an excerpt from the Think Forward blog at

In a move that may be helpful for critical infrastructure asset owners, on July 23 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Common Industrial Control System Vulnerability Framework

The Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document "Common Industrial Control System Vulnerability Framework." The document was developed to provide consensus-based guidance to vendors and system integrators as they create ICS vulnerability disclosure policies.

Unfortunately, the industrial control systems/supervisory control and data acquisition (ICS/SCADA) industry has been criticized for less than effective disclosures of vulnerabilities in critical infrastructure systems and products. This new document is intended to give the industry a foundation to follow once vulnerabilities are discovered, including how the faults should be revealed to vendors and operators for remediation.

The ICSJWG notes that the new paper is “a living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

The document can be a good starting point.  Key sections include:

  • Software Vulnerabilities (Types and Associated Remediation)
  • Types of Disclosure (Private, Public, Third-Party)
  • Vulnerability Disclosure Policy Components
  • Appendix – Terminology/Glossary
  • Appendix – Sample Disclosure Policy Overview
  • Appendix – References

The disclosure of ICS vulnerabilities that affect critical infrastructure such as the electrical grid started to rise dramatically in 2011, following the discovery of Stuxnet. The new framework from ICSJWG could greatly improve how vulnerabilities are disclosed and make it easier for operators to assess and act on threats.

ICS / SCADA Vendors – Start Using this Framework!

As noted in the ICSJWG framework, this is intended to be a “living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

If you work with ICS / SCADA systems and especially if you could be in a situation where you are aware of vulnerabilities but do not have a sense of how they should be handled and revealed, I’d strongly suggest you look over this framework and use it as your guide.

Secondly, if your company develops and/or tests ICS/SCADA software, you are strongly encouraged to begin implementing this framework and to develop your own internal policy and procedures for handling ICS vulnerabilities and their ultimate disclosure.

What are your thoughts on how vendors handle vulnerabilities? If you are an asset owner, would a vendor using the new ICSJWG framework meet your needs for information and mitigation?

Note from Eric Byres: I have been watching and reporting on the development of this report over the past year. Good job ICSJWG, this is a big step forward!

Hayden, CISSP, CEH
Managing Principal - Energy Security
Verizon Global Energy & Utilities Practice

 Practical SCADA Security thanks Ernie for this article.

 Related Content to Download

"Common Industrial Control System Vulnerability Disclosure Framework"

In 2011 more ICS vulnerabilities were disclosed than in the past decade. Read this report and learn:

  • The types of vulnerabilities and how they can be remediated
  • The types of disclosures and recommended disclosure policies
  • A sample disclosure policy overview
  • A framework for what responsible vendors should be doing about vulnerabilities

Contribute to better industry-wide vulnerability handling by reading this report and sending your comments


I agree, Eric, a step forward, but I note the phrase “Not disclosing an issue is not discussed; however it remains an option and may be appropriate in some scenarios.”

Although many vendors are now global, I'm hoping the ICSJWG doc will generate some discussion down here (though my first attempt might have been too subtle.)

ICSJWG came into existence with lots of promises but unfortunately it had some limitations which resulted in many criticisms. From the reports it is clear that the new framework is so much efficient to provide solutions on concerned matters. Thanks for the post. Keep updating with us.
