[Ics-security] New report on setting best practices for ICS Vulnerability Disclosure
Robert Lukens
rlukens at jlab.org
Fri Aug 10 14:29:50 EDT 2012
Kelly,
Thanks for the reference.
Reporting suspected new vulnerabilities to the vendor and to ICS-CERT is
a good idea. We (IT security) would like to be copied on such reports.
Of course, an effort should be made to make other Lab people aware of a
potential problem. An effective way is to use this mailing list, as you
have been doing. I think that this would not be considered a "public
disclosure" (which would provide the hacker community with a back door)
but would help the Lab's security. The issue still remains on whether
to make a public report when a vendor does not offer timely remediation
-- sometimes public pressure is the only way to get results.
On a related note, when there is evidence of an actual intrusion, please
contact IT security (email to security at jlab.org or call Greg Nowicki).
The lab is required to report cyber incidents through specific channels.
Whether an incident report goes up the line and whether it is actually
classified as an "incident" depend on the severity of the intrusion.
If a vulnerability has actually been used to compromise one of our
systems, it is a good idea to also provide a 'sanitized' report to the
manufacturer and/or support vendor to underscore the need for a fix --
real systems are at risk. "Sanitized" means removing items that might
identify people, sensitive processes, internal architectures, or
unmitigated weaknesses in our systems.
Bob
On 07/27/2012 07:54 AM, Kelly Mahoney wrote:
> The US ICS Joint Working Group just released a new report on
> recommendations on security vulnerability reporting (disclosure) for
> control systems. A copy is attached. Although aimed at the security
> administrators, it has some good recommendations and guidance for
> reporting in general. Of course, JLab's IT security is ahead of the
> curve on many aspects.
>
> Questions -
>
> Do you think there should be a separate reporting process
> specifically for JLab controls security?
>
> If I find a vulnerability in a control system component now (PLC, IOC,
> embedded controller, BMS, LabView SW,...) should I work through JLab IT
> security or directly with the vendor and/or ICS-CERT?
>
> What do/would you do?
>
>
> Kelly Mahoney
>