Breaking News
Industrial Control DesignLine Blog

Homeland Security Not Amused by Zero-Day Researcher

ICS-CERT Update IGX & Zero Day Vulnerability
Carolyn Mathas
1/23/2014 10:15 AM EST

 5 comments   post a comment
NO RATINGS
View Comments: Threaded | Newest First | Oldest First
Susan Rambo
User Rank
Blogger
Tell me more
Susan Rambo   1/26/2014 5:31:05 PM
NO RATINGS
Hi Carolyn, Thanks for posting these industrial control security advisories from Homeland Security. Can you explain a bit more how they work and why it was a problem for a researcher to announce he found a vulnerability before contacting Homeland Security? Or was it even a problem? I don't understand how to read this.

CMathas
User Rank
Blogger
Re: Tell me more
CMathas   1/26/2014 6:43:31 PM
NO RATINGS
Industrial Control Systems are extremely vulnerable for many reasons. Typically, companies/organizations do not have in place the amount or quality of security that is necessary. As a result, this is a division of Homeland Seurity. They put out notices when anything is found to be easily hacked, and let everyone know how to fix it or where to go to upgrade to ensure the safety of the system. I've noticed that these notiifications are coming out more often so I've decided to post some of them on an ongoign basis. Hopefully, the number of compromised systems will urge a more serious approach and also, there are some services coming on the scene to provide security. Maybe paying up front is better than paying for it when the sysem is shut down as a result of security breaches. Look for more here as they occur.

In this case, an independent researcher identified a vulnerability but didn't coordinate that informtion with NCCIC/ICS-CERT or with the vendor before stating publicly that it existed. The inference here is that not coordinating could have caused additional security breaches between the time the researcher talked about it and the time the fix was available.

Susan Rambo
User Rank
Blogger
Re: Tell me more
Susan Rambo   1/26/2014 7:02:16 PM
NO RATINGS
Thanks! Fascinating. I know protecting SCADA from malicious attacks is a big concern. So, ICS-CERT (US Dept. of Homeland Security) doesn't want anyone around the world (this researcher was Italian) to announce a vulnerability in SCADA unless a fix/patch is available, most importantly? Do other countries have similar government bodies to ICS-CERT or is ICS-CERT a defacto agency acting for the whole world right now? Just curious about how other countries view this or if US is ahead of the curve on SCADA protections.

CMathas
User Rank
Blogger
Re: Tell me more
CMathas   1/26/2014 7:21:04 PM
NO RATINGS
Other countries do have their own and there is cooperation such as CERT-to-CERT information sharing/trust building activities. There is global collaboration and there is work on enacting standards for cyber security worldwide. This is quite the growing area. There's another recent blog covering the EU putting out a Good Practice Guide for CERTs.

 

Sheetal.Pandey
User Rank
Manager
Re: Tell me more
Sheetal.Pandey   1/27/2014 10:02:08 AM
NO RATINGS
People in the system are still very reluctant or hesistant to apply cyber safety policies and procedure that invloves installing a new app. Its more of a cultural issue. Its easy to take decision when it comes to physical safety but anything internet or software related there is always too much of persuasion needed.

Most Recent Comments
_hm
 
Bert22306
 
Susan Rambo
 
Loser99
 
Max The Magnificent
 
Susan Rambo
 
Max The Magnificent
 
fandres17
 
BillM210
Flash Poll
Radio
LATEST ARCHIVED BROADCAST
Join our online Radio Show on Friday 11th July starting at 2:00pm Eastern, when EETimes editor of all things fun and interesting, Max Maxfield, and embedded systems expert, Jack Ganssle, will debate as to just what is, and is not, and embedded system.
Like Us on Facebook

Datasheets.com Parts Search

185 million searchable parts
(please enter a part number or hit search to begin)
EE Times on Twitter
EE Times Twitter Feed
Top Comments of the Week