Vulnerability disclosure framework for industrial control systems
The Industrial Control Systems Joint Working Group (ICSJWG) published “The Industrial Control Systems Common Vulnerability Disclosure Framework”, which is a significant step towards standardization of vulnerability disclosure policies for ICS vendors and system integrators.
ICSJWG was established by the Department of Homeland Security’s National Cyber Security Division’s Control Systems Security Program (CSSP) to assist the industrial control systems stakeholders in better information sharing, raising collaborative efforts and reducing risks related to critical infrastructure.
The newly published framework is to be used as a consensus-based foundation for all involved parties in developing standardized vulnerability disclosure policies. As the framework is aimed towards a diverse set of systems, its content isn’t mandatory but should be used as a valuable starting point towards responsible disclosure.
The document identifies a number of distinct software vulnerability types, mechanisms for their identification and mitigation, vulnerability disclosure scenarios, and provides recommendations on modeling components of a successful policy.
The framework divides industrial control systems software vulnerabilities into architectural, code-based and those in third-party software applications or libraries. Architectural vulnerabilities can occur as a result of insufficient threat modeling in the early phases of software development, as well as in situations where legacy support causes unexpected problems in the seemingly secure environment.
The mitigation of code-based implementation vulnerabilities is not as challenging as that of architectural flaws, since programming errors are easier to identify and patch. Their discovery can be a result of both internal and external analysis and therefore the proposed framework focuses on methods and tools for both approaches.
Third-party software vulnerabilities provide a challenge for ICS vendors, since it is unlikely that they have any direct control over an incorporated library or an embedded application. Because of the complexities that can arise from this type of vulnerability, the document provides some valuable ideas on the remediation process.
An important aspect of the framework proposed by ICSJWG is a four-page write-up on different types of vulnerability disclosure activities. Focusing on both internal and external vulnerability discovery methods, the document examines a set of scenarios including both the discovery of security issues in-house, as well as by a customer or an independent researcher. The framework also identifies three different types of disclosure – private, public, or a third party one. The latter focuses on working with vendor neutral entities such as the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Each company involved in developing and using industrial control systems should have a vulnerability disclosure policy, so the recommendations by ICSJWG in this newly released framework should be used for stepping up the current policy or setting up a new and improved one. The publication of this framework is a direct result of inconsistent disclosure policies that, according to ICSJWG, contributed to a public perception of disorganization within the ICS security community.