May 15 2008
A Responsible Disclosure Policy is Only the First Step
There’s been a lot of activity in the past 6 months in various blogs about the need for responsible public disclosure policies for members of the ICS security community. While the IT community has developed accepted policies and procedures over the last decade, vulnerability disclosure is still new to the ICS security community, which is only now starting to grapple (as the IT community once did) with the issues surrounding it. Unfortunately, the critical infrastructure, SCADA and process control industries differ enough from the IT community (long patch cycles, safety and availability constraints, devices that cannot simply be taken offline) that its relatively mature disclosure mechanisms and policies cannot be adopted wholesale, and we must develop our own.
But it’s not enough to develop and publish a disclosure policy. It must also be effective, actionable, understandable, and meet the needs of the industrial automation community. Development of a good policy starts with answering the W5 questions about disclosure: who, what, when, where, and why.
Who do I disclose to?
Vulnerabilities need to be disclosed first to vendors, then to the industrial cyber security community, then to the asset owners and operators of critical infrastructure, and finally to the public.
Vendors must take first responsibility for producing approved patches or workarounds, and for notifying their customers, where possible, of what to do about the issue. The industrial cyber security community needs to know early on in order to develop and deploy effective design strategies and security programs that mitigate their customers’ risk. Asset owners who employ vulnerable devices in their operations need to be informed of the vulnerability so that they understand its effect on operational risk and how to reduce that risk. Only then, once the vulnerability has been characterized, patches produced, and strategies deployed to mitigate the risk to critical infrastructure operations, should the vulnerability be publicly disclosed through a coordinating center such as US-CERT or CERT/CC.
What information do I disclose?
Vendors require as much information as possible to help them reproduce the fault associated with the vulnerability and diagnose its cause. The ICS security community needs to know the effect of the vulnerability, how it is triggered, and any mitigation strategies that are known. Asset owners and operators need to know the effects of the vulnerability, how it impacts the reliability of their operations, and the mitigation strategies available to reduce or remove the associated risk.
When should I disclose?
You should disclose the vulnerability to the device vendor as soon as it is discovered. It also makes sense to disclose to members of the ICS security community very soon afterward: producing a patch or workaround often takes considerable time, and the ICS security community is in the best position to develop and deploy interim mitigations that quickly reduce the vulnerability’s impact on critical infrastructure operations. Asset owners should be notified once effective mitigation strategies, whether interim or permanent, have been developed. Only once the patches and mitigations have been fully propagated through the ICS community should the vulnerability be publicly disclosed through bodies such as US-CERT or CERT/CC.
Where should I disclose?
Disclosure should not take place in public forums, as there is little or no control over how vulnerability information propagates and is used. Instead, disclosure should take place through secure, traceable channels of communication with identified, authenticated individuals, with appropriate non-disclosure agreements in place that restrict both the use and the onward sharing of sensitive information.
Why should I disclose?
It is the responsibility of the industrial control and critical infrastructure communities to maintain the trust of the public in the reliability of operations. Vulnerabilities affect all of us, and we need to share information that will allow us to reduce both individual and collective risk to the reliable operation of critical infrastructure. Keeping knowledge of a vulnerability secret is short-sighted and does a disservice to us all.
By disclosing vulnerabilities in a responsible manner to the industrial automation community, we ensure that patches, workarounds, and other remedies are developed and deployed effectively, to the benefit of all.
From Policy to Action
It’s still not sufficient to craft a policy and put it up on your website for all to see. To be truly effective, your vulnerability disclosure policy must become a core value of your organization, and every employee in the company must believe in the importance of adhering to its principles. Only then will it translate into the everyday activities of your business.
To view Wurldtech’s Vulnerability Disclosure Policy, please click here: http://wurldtech.com/legal/disclosure_policy.php
- Breen Liblong