US CERT and Stuxnet – did US-CERT do all they could?

Oct. 22, 2010

Dale Peterson’s Digital Bond website (http://www.digitalbond.com/) provided an interesting note (thanks Dale) on US-CERT entitled “ICS-CERT: Stuxnet Lesson Learned”.

According to Dale, ICS-CERT is reaching out to a number of people in the control system community to get some candid information on what they need to do differently or better because of their performance on Stuxnet. This is great—and just what we’ve been hoping for.

Unfortunately, it appears that a number of very credible ICS people who were actively involved with trying to understand Stuxnet (and previous vulnerability disclosures) were not contacted: Ralph Langner, Bob Radvanovsky, Jake Brodsky, Perry Pederson, Walt Boyes, and myself.

Ralph Langner had the following to say about US-CERT and Stuxnet: “What US-CERT has communicated on Stuxnet has little to do with vulnerabilities, exploits, technicalities. It’s all about politics, and it will likely continue this way.” This is not the first time that ICS-CERT has fallen short on ICS vulnerability disclosures or even on knowing what was an ICS vulnerability vs. an IT vulnerability. One has to ask – Can we help US-CERT do better? Well, certainly not if they don’t ask.
 
Stuxnet was first disclosed in July by US-CERT. The disclosure process and recommendations were disconcerting enough to warrant holding a session on the disclosure process at the September ACS Conference. Many people were concerned that the US-CERT recommendations could actually shut down the controller, and many ICS engineers were not informed – the disclosure went to many IT organizations within the companies, but not to Plant IT. Consequently, there was a need to discuss the disclosure process as it applied to Stuxnet. Unfortunately, neither DHS nor US-CERT was in attendance during the Stuxnet discussions.
 
Because of US-CERT’s demonstrated shortfalls (prior to Stuxnet), I devoted an entire chapter in my book to what it takes to establish a credible ICS CERT. There were two fundamental points that do not yet appear to be addressed. First, the government (US-CERT) should not be the lead, as private industry often will not respond due to FOIA concerns. Second, a properly constituted ICS-CERT should have credible, trusted ICS experts involved. Based on experience to date, US-CERT has not been as successful as we would all hope.

What will it take to convince DHS that they need to implement these points?

Joe Weiss
