US CERT and Stuxnet – did US-CERT do all they could?
Dale Peterson’s Digital Bond website (http://www.digitalbond.com/) provided an interesting note (thanks Dale) on US-CERT entitled “ICS-CERT: Stuxnet Lesson Learned”.
According to Dale, ICS-CERT is reaching out to a number of people in the control system community to get some candid information on what they need to do differently or better because of their performance on Stuxnet. This is great—and just what we’ve been hoping for.
Unfortunately, it appears that a number of very credible ICS people who were actively involved in trying to understand Stuxnet (and previous vulnerability disclosures) were not contacted: Ralph Langner, Bob Radvanovsky, Jake Brodsky, Perry Pederson, Walt Boyes, and myself.
Ralph Langner had the following to say about US-CERT and Stuxnet: “What US-CERT has communicated on Stuxnet has little to do with vulnerabilities, exploits, technicalities. It’s all about politics, and it will likely continue this way.” This is not the first time that ICS-CERT has fallen short on ICS vulnerability disclosures, or even on knowing what was an ICS vulnerability vs. an IT vulnerability. One has to ask: can we help US-CERT do better? Well, certainly not if they don’t ask.
Stuxnet was first disclosed in July by US-CERT. The disclosure process and recommendations were disconcerting enough to warrant holding a session on the disclosure process at the September ACS Conference. Many people were concerned that the US-CERT recommendations could actually shut down the controller, and many ICS engineers were not informed: the disclosure went to many IT organizations within the companies, but not to Plant IT. Consequently, there was a need to discuss the disclosure process as it applied to Stuxnet. Unfortunately, neither DHS nor US-CERT was in attendance during the Stuxnet discussions.
Because of US-CERT’s demonstrated shortfalls (prior to Stuxnet), I devoted an entire chapter in my book to what it takes to establish a credible ICS CERT. There were two fundamental points that do not yet appear to be addressed. First, the government (US-CERT) should not be the lead, as private industry often will not respond due to FOIA concerns. Secondly, a properly constituted ICS-CERT should have credible, trusted ICS experts involved. Based on experience to date, US-CERT has not been as successful as we would all hope.
What will it take to convince DHS that they need to implement these points?