Framework for Reporting ICS Vulnerabilities

Wednesday, August 1, 2012 @ 06:08 PM gHale

Editor’s Note: This is an excerpt from Practical SCADA Security blog at Tofino Security.

By Ernie Hayden
In a move that may be helpful for critical infrastructure asset owners, on July 23 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

ICSJWG, established by the U.S. Department of Homeland Security Control Systems Security Program, published the document — Common Industrial Control System Vulnerability Framework. The document’s goal is to provide consensus-based guidance to vendors and system integrators in helping them create ICS vulnerability disclosure policies.


Unfortunately, the industrial control systems/supervisory control and data acquisition (ICS/SCADA) industry has been criticized for less than effective disclosures of vulnerabilities in critical infrastructure systems and products. This new document can provide a foundation for the industry to follow once vulnerabilities are discovered, including how the faults should be revealed to the vendors and the operators for remediation.

The ICSJWG said the new paper is “a living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

The document is a good starting point. Key sections include:
• Software Vulnerabilities (Types and Associated Remediation)
• Types of Disclosure (Private, Public, Third-Party)
• Vulnerability Disclosure Policy Components
• Appendix – Terminology/Glossary
• Appendix – Sample Disclosure Policy Overview
• Appendix – References

If you work with ICS/SCADA systems, and especially if you could be in a situation where you are aware of vulnerabilities but do not have a sense of how they should be handled and revealed, I’d strongly suggest you look over this framework and use it as your guide.

Secondly, if your company develops and/or tests ICS/SCADA software, it is highly recommended that you begin to implement this framework and develop your own internal policy and procedures on how to handle ICS vulnerabilities and their ultimate disclosure.

What are your thoughts on how vendors handle vulnerabilities? If you are an asset owner, would a vendor using the new ICSJWG framework meet your needs for information and mitigation?

Ernie Hayden, CISSP, CEH, is the managing principal — energy security at Verizon Global Energy & Utilities Practice. His email is
Click here to read the full version of the Practical SCADA Security blog.
