US CERT and Stuxnet – did US-CERT do all they could?

 Dale Pederson’s Digital Bond website (http://www.digitalbond.com/) provided an interesting note (thanks Dale) on US-CERT entitled “ICS-CERT: Stuxnet Lesson Learned”. 

According to Dale, ICS-CERT is reaching out to a number of people in the control system community to get some candid information on what they need to do different or better because of their performance on Stuxnet. This is great—and just what we’ve been hoping for.

Unfortunately, it appears that a number of very credible ICS people who were actively involved with trying to understand Stuxnet (and previous vulnerability disclosures) were not contacted: Ralph Langner, Bob Radvanofsky, Jake Brodsky, Perry Pederson, Walt Boyes, myself.

Ralph Langner had the following to say about US-CERT and Stuxnet: “What US-CERT has communicated on Stuxnet has little to do with vulnerabilities, exploits, technicalities. It’s all about politics, and it will likely continue this way.” This is not the first time that ICS- CERT has fallen short on ICS vulnerability disclosures or even knowing what was an ICS vulnerability vs an IT vulnerability.  One has to ask – Can we help US-CERT do better? Well, certainly not if they don’t ask.
 
Stuxnet was first disclosed in July by US-CERT. The disclosure process and recommendations were disconcerting enough to warrant holding a session on the disclosure process at the September ACS Conference. Many people were concerned that the US-CERT recommendations could actually shut down the controller and many ICS engineers were not informed – it went to many IT organizations within the companies, but not to Plant IT. Consequently, there was a need to discuss the disclosure process as it applied to Stuxnet. Unfortunately, neither DHS nor US-CERT were in attendance during the Stuxnet discussions.
 
Because of US-CERT’s demonstrated shortfalls (prior to Stuxnet), I devoted an entire chapter in my book to what it takes to establish a credible ICS CERT. There were two fundamental points that do not yet appear to be addressed. The government (US-CERT) should not be the lead as private industry often will not respond due to FOIA concerns. Secondly, a properly constituted ICS-CERT should have credible, trusted ICS experts involved. Based on experience to date, US-CERT has not been as successful as we would all hope.

What will it take to convince DHS that they need to implement these points?

Joe Weiss

 

What are your comments?

Join the discussion today. Login Here.

Comments

  • Joe,

    If you read my blog you know I'm not an ICS-CERT apologist, but in this case I don't think they deserve to be tarred, at least not yet, because they have not contacted the people you mention or others yet. I think they are just starting this lessons learned effort and will be soliciting a lot of feedback at ICSJWG next week. 

    They had to start somewhere and calling someone early on who very publicly called FAIL at least shows they don't want only positive feedback. 

    Dale 

     

      

    Reply

  • I'm not sure where you get "tarring" Dale.  What I thought Joe was trying to do, when I read his blog post pre-publication, was to suggest that there are more people to talk to than those that had been invited to. It is good to hear that US CERT is thinking about talking to people like Joe, Jake Brodsky and Bob Radvanofsky, and Ralph Langner...

    I _do_ think that they need to answer Ralph's critique-- and saying so, I trust, is not "tarring" them.

     Walt Boyes

    Reply

RSS feed for comments on this page | RSS feed for all comments