FOUO-- ICS-CERT releases report and then says you can't read it. #pauto #siemens #cybersecurity #homelandsecurity

This is Walt Boyes, taking over Joe Weiss' blog to do something Joe is unaware of:

Somebody sent me a copy of

ICS-ALERT-11-139-01AP--SIEMENS PROGRAMMABLE LOGIC CONTROLLER
VULNERABILITIES
UPDATE A
June 03, 2011

The report details several vulnerabilities that Dillon Beresford attempted to report, but he was asked not to give his paper. Dillon has posted here since. The report states that ICS-CERT, Beresford and Siemens are working hard to generate fixes.

Unfortunately,

Warning: This document is FOR OFFICIAL USE ONLY (FOUO).

It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552).

It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public or other personnel who do not have a valid "need-to-know" without prior approval of an authorized DHS/ICS-CERT official.

No portion of this report should be furnished to the media, either in written or verbal form.

So. I shouldn't have a copy of the report, and I cannot tell you what is in it. What I can tell you is that if you have control systems using Siemens PLCs, you need to read it and do the mitigations ICS-CERT suggests, which I can't tell you about either.

Too bad, that. The report says some very important things.

And even if you do not use Siemens controllers, you should be paying attention. This could have happened to any controller vendor, and some of the vulnerabilities Beresford and Siemens have discovered could have their analogs in controllers made by other manufacturers.

But I can't tell you about them.

You may never get to see this report. As of this writing, the ICS-CERT report on the Aurora vulnerability, even though it has been publicly disclosed and discussed by DHS and INL personnel, is still FOUO-- which is a sort of "we can't classify this, but we'll make it super secret secret squirrel anyway" to show how much authority we have.

We have been over and over the fact that you cannot protect a control system by obscurity. Unfortunately, the Department of Homeland Security has NOT been listening.

If you use programmable controllers from any manufacturer, Siemens or other, you should call DHS and ask them for a copy of this report. Here's where you ask:

ICS-CERT Operations Center
1-877-776-7585
ICS-CERT@DHS.GOV

One last thing. Yes, I am a member of the media. But as a member of the ISA99 standard committee, I also have a valid "need-to-know."

Walt Boyes


Comments

  • I haven't got a hold of the alert, but my understanding from Siemens' communication on the subject is that Beresford's vulns are ALL related to the S7-1200. This is a micro-PLC that is neither in common use in critical infrastructure nor really compatible with the bread-and-butter PLCs of the same vendor, a.k.a. S7-300 and S7-400. So we got a classified alert out, while for months there is exploit code in the wild (a.k.a. Stuxnet) that injects code into the main sweep of S7-300s and 400s, devices that are actually used in US critical infrastructure, and ICS-CERT didn't bother to even issue a warning? If somebody understands this, I don't.

  • I think the reason everyone is confused is because DHS is attempting to distribute this data without letting potential hackers get hold of it.

    The problem? They don't have the customer list. And even if they had this customer list, it doesn't tell you who is ultimately responsible for patching these PLCs.

    Jake Brodsky

  • Actually, Walt, the press disclosure of FOUO information is a well established tradition and is not illegal. I have done it many times on my blog and there are a number of sites that routinely post such documents.

    The interesting thing is that government employees and contractors have actually gotten in trouble for reading such publicly released documents (though I haven't yet heard of anyone getting in trouble for reading an FOUO document). On my blog I always preface such disclosure by warning people about the Obama Administration's Wiki Leaks Disclosure Rules.

    Patrick Coyle

    Chemical Facility Security News