US-CERT and Stuxnet – did US-CERT do all they could?

Oct. 22, 2010

Dale Peterson’s Digital Bond website (http://www.digitalbond.com/) provided an interesting note (thanks Dale) on US-CERT entitled “ICS-CERT: Stuxnet Lesson Learned”.

According to Dale, ICS-CERT is reaching out to a number of people in the control system community to get some candid information on what they need to do differently or better because of their performance on Stuxnet. This is great—and just what we’ve been hoping for.

Unfortunately, it appears that a number of very credible ICS people who were actively involved with trying to understand Stuxnet (and previous vulnerability disclosures) were not contacted: Ralph Langner, Bob Radvanofsky, Jake Brodsky, Perry Pederson, Walt Boyes, myself.

Ralph Langner had the following to say about US-CERT and Stuxnet: “What US-CERT has communicated on Stuxnet has little to do with vulnerabilities, exploits, technicalities. It’s all about politics, and it will likely continue this way.” This is not the first time that ICS-CERT has fallen short on ICS vulnerability disclosures or even on knowing what was an ICS vulnerability vs. an IT vulnerability. One has to ask – Can we help US-CERT do better? Well, certainly not if they don’t ask.
 
Stuxnet was first disclosed in July by US-CERT. The disclosure process and recommendations were disconcerting enough to warrant holding a session on the disclosure process at the September ACS Conference. Many people were concerned that the US-CERT recommendations could actually shut down the controller, and many ICS engineers were not informed – the disclosure went to many IT organizations within the companies, but not to Plant IT. Consequently, there was a need to discuss the disclosure process as it applied to Stuxnet. Unfortunately, neither DHS nor US-CERT was in attendance during the Stuxnet discussions.
 
Because of US-CERT’s demonstrated shortfalls (prior to Stuxnet), I devoted an entire chapter in my book to what it takes to establish a credible ICS-CERT. There were two fundamental points that do not yet appear to be addressed. First, the government (US-CERT) should not be the lead, as private industry often will not respond due to FOIA concerns. Second, a properly constituted ICS-CERT should have credible, trusted ICS experts involved. Based on experience to date, US-CERT has not been as successful as we would all hope.

What will it take to convince DHS that they need to implement these points?

Joe Weiss
