The Unfinished State of our National ICS Reporting System

Tuesday, August 23, 2011

Chris Blask


As a nation we have a base requirement to be protected by national centers of expertise.

The continued functioning of the "Critical Infrastructures" of water, power, food and economy has always been a priority among those given the responsibility of maintaining such vigilance.

ICS-CERT (Industrial Control Systems - Computer Emergency Readiness Team) is the arm of the Department of Homeland Security currently tasked with managing coordination of the security of the electronic systems used to control our physical infrastructure.

On August 11, 2011 ICS-CERT released an advisory regarding vulnerabilities found in Siemens products. Ralph Langer has subsequently pointed out flaws in this advisory. The advice in the advisory largely missed the point of the vulnerability and the risk it presents.

The advisory also takes a dig at Dillon Beresford, who discovered the vulnerabilities and gave demonstrations at BlackHat and BSides Las Vegas:

"Some of the reported issues were coordinated and resolved with ICS-CERT and Siemens, while others were publicly released by the researcher without coordination."

While I sympathize with the challenges faced by a handful of individuals in a difficult position, this does provide additional evidence that we need to continue efforts to evolve our capabilities. 

Both the technical as well as sociological issues presented by this advisory should cause concern. There is an obvious lack of resources being applied to the task that ICS-CERT has been assigned.

The responsibility for this is more broad than to be laid entirely on the ICS-CERT staff, it is another stained litmus strip that tells us something about the state of our shared experiment addressing this aspect of national security.

Ralph Langer spelled out the technical deficiencies in the advisory. Those indicate a lack of technical process and staffing is being applied to this part of our national defensive infrastructure.

The rather petulant tone of the advisory, however, indicates sociological problems with the way our system is setup as well as insufficient process and staffing being applied to outbound communication from this group.

The resource problem is something that could be addressed with additional staff, the sociology problem is a structural misalignment that will impede efforts in fundamental ways.

The motivations of researchers need to be properly aligned with our national reporting mechanisms or we are going to have real issues.

At present both the economic models of the parties involved and their cultural alignment are off. Testing labs are demotivated economically to work with ICS-CERT. There does not appear to be an successful effort to positively engage the research community.

Certainly, advisories with content and tone like this one are not a step in the right direction.

In the wake of commentary on the flaws with the existing advisory, ICS-CERT released an update of the Siemens advisory [updates in bold].

--------- Begin Update A Part 1 of 1----------

Because of the design decisions made in the control system industry in the past to foster interoperability, it will not be possible to provide near-term patches for all of the reported issues.

--------- End Update A Part 1 of 1---------

We all know that at present there are not enough resources being applied to the overall issue of ICS cybersecurity. This volume of resource will have to increase dramatically over the coming few years to address the topic.

Among those resources must be an appropriately staffed and supported center for coordinating and communicating with affected parties. Logic would assume this grows out of the effort represented today by ICS-CERT.

Certainly our current incarnation of an answer to that need requires more work.


Help Support Infosec Island by Tweeting and Stumbling our Articles - and join our LinkedIn Group HERE - Thanks!

Possibly Related Articles:
SCADA SIEM Network Security Siemens National Security Dillon Beresford ICS-CERT
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.