Jake Brodsky on public disclosure...

Dec. 20, 2007
From the SCADA list, with permission:  We have been beating around the discussion of public disclosure for some time.  I've made this point on other occasions and I'm going to reiterate it here.  I recognize that there are vulnerabilities we do not wish to disclose to the public at large.    However, we do need information to be disseminated.  So what criteria should we use when discussing such things in a forum such as this?    First, we ought to consider what the vulnerability is....
From the SCADA list, with permission:  We have been beating around the discussion of public disclosure for some time.  I've made this point on other occasions and I'm going to reiterate it here.  I recognize that there are vulnerabilities we do not wish to disclose to the public at large.    However, we do need information to be disseminated.  So what criteria should we use when discussing such things in a forum such as this?    First, we ought to consider what the vulnerability is.  If it is something which has been observed before and is known to the public, we don't gain anything by not discussing it.  The example of removing the transmission tower bolts  is not unknown.    Second, we ought to consider whether most people would be able to take action to defend against the conceived threat.  A software problem in an embedded controller for which there is no patch or work-around isn't worth discussing, unless there are procedures for dealing with the problem available to everyone.    Third, even if a fix is available, is it something a typical asset owner could be expected to implement without assistance?    The second and third points are the basis for why I often decry the release of vulnerabilities to US CERT.  Far too many asset owners have packaged control systems which were delivered on site by a consultant several years ago.  They have no idea how the system works, how to update it, or what components it has.    So when CERT publishes the fact that an OPC driver is deficient, and that there are public fixes and disclosure, I think that's dangerous.  How many asset owners know they have this driver?  We're lucky if they even know what the protocol is on the wire.    The problem is that when these products are purchased, we have no idea where they end up or who the ultimate user is.  So VxWorks could have a flaw, and nobody would know that a PLC based upon it might be embedded in their networked motor control gear.    The solution?  I'm not sure.  The problem needs to be advertised and publicly discussed among asset owners.  Companies need to be available to conduct surveys of equipment to identify what embedded devices there are and to build watch lists of software and embedded systems.  Then, they'll need to review software updates and validate them before installing them on an active customer site.    This is not an easy discussion.  Public disclosure of flaws is an invitation for every hacker to attack.  It only takes a few short weeks before serious flaws reported in Internet Explorer or Firefox provoke hackers to build attacks against them.    I wonder how long it will be before they decide to give control system hacking a try?  I wonder how far we should go before disclosing a flaw in drivers?  Is this a Chicken before Egg problem?    Oh, and by the way, I'd like to say Merry Christmas and Happy New Year to everyone.  If these things don't apply to you, then I wish you a nice bland Seasonal Greeting to you anyway.    Jake Brodsky