On Friday a blog post over at NYTimes.com explains the
Crain-Sistrunk vulnerabilities and how they are a danger to the electrical
grid. As you would expect with such a technically literate organization, the
blogger (Nicole Perlroth) got a lot of the details a little bit wrong (and she
loves periods way too much), but the post has the broad outline of the process
and the potential threat generally correct.
But missing the small stuff is of little consequence, the
big thing is that the New York F***ing Times is telling the world that this is
a problem. If you see it in the Times, Virginia, you know that it is true. And
besides the politicians are now aware of the problem, probably never having
heard of DigitalBond
or ThreatPost
or the other technical discussion groups where there was more (and more
correct) information available about the problem at an earlier date.
What will be interesting to see is how soon it will be
before Congress will call a hearing to look into the problem. Looking at the
CFATS issues of a year and a half ago as a forecasting tool, I suspect that
someone will call a hearing in March. That is unless there is a significant
portion of the electrical grid shut down by some script kiddy in the meantime.
Then it will be June or July before Congress starts to demand answers about why
no one told them about the problem before the attack.
Of course (Severe Sarcasm Alert) the technically qualified
part of DHS (ICS-CERT, look Nicole, no periods) has been right on top of this
since being approached by Adam and Chris. They have gone out of their way to
make sure that electrical grid and water system owners have been fully advised
about the seriousness of the threat. Nine of the 16 vendors have rushed patches
into the market place and are leading a coordinated evangelical campaign to get
each and every vulnerable device patched or replaced. And the other seven
vendors are so consumed with making things right with their product that they
have inadvertently forgotten to tell owners of their products about the
vulnerability (End of Severe Sarcasm Alert).
No, none of that has been done. ICS-CERT has published
advisories for the vulnerabilities that have had patches developed by the
vendor, but it seems as if they forgot their 45-day limit for withholding vulnerability
alerts to allow vendors to get patches in place. I assume that the seven
no-patch available vendors are working on the issue and that is why ICS-CERT is
holding off on publishing the alerts. Even the master ICS-CERT advisory issued
last week makes the problem sound minor and might as well say “hey man, no
worry, it’s all good” for all of the concern that it will raise..
Now Crain and Sistrunk have not published exploits for their
vulnerabilities so that may also contribute to the ICS-CERT justification for
remaining mute on the uncorrected vulnerabilities. I would like to suggest that
given the simplicity of the exploit as described in the ThreatPost and
DigitalBond posts (enter a poorly secured remote substation, plug in your
communications tool into an open serial port and send almost any message to the
master station and the local system gets a brain freeze and no electricity goes
down the line) that those posts should count as publication of exploits
requiring ICS-CERT to issue alerts so that the facility owners holding
equipment from those 7 vendors will be aware of the fact that they were
specifically targeted.
Oh well. Let me step down from my soap box, catch my breath
and comb my hair. Maybe I caught someone’s attention, but probably not. I’ll
try again later this week.
Posts
No comments:
Post a Comment