Is ICS-CERT Focused on the Right Issues?

Tuesday, February 21, 2012

Joe Weiss


How valuable is the ICS-CERT? Is it focused on the right issues?

A control system is generally composed of a human-machine interface (HMI), which is often a Windows-based system, and field controllers.

The HMI is essentially an IT system with IT vulnerabilities. The field controllers generally use proprietary real time operating systems or embedded processors. Field controllers generally have minimal cyber security and minimal cyber logging and forensic capabilities.

Bob Radvanovsky has been working on a private project to correlate and analyze data from recent DHS ICS-CERT advisories, alerts, bulletins and notices. What he found should not surprise anyone; the source material is nothing more than what is already visible on the public-facing US-CERT (ICS-CERT) web site.

Bob will be providing a more detailed, more comprehensive report with specific statistics at a future date that has not yet been determined.


There are 203 reports that have been publicly made available; the first report was made available on 11-Mar-2010 (ICSA-10-070-01 - Rockwell Automation RSLINX Classic EDS Hardware Installation Buffer Overflow) on the U.S. CERT website.

Of the 203 reports currently available to the public (every report from 11-Mar-2010 up to and including the three update reports of 14-Feb-2012), the breakdown is as follows:

Category                                                Count    Share
GPS-related                                                 2    0.99%
Malware-related                                            12    5.91%
Miscellaneous (cannot accurately put into a category)       7    3.45%
Network-related                                             1    0.49%
Software-related                                            2    0.99%
SCADA/HMI console-related                                 155   76.35%
Control systems-related (includes PLC, DCS, RTU)           24   11.82%
Total                                                     203  100.00%
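The tally above is the kind of result a script over the public advisory list produces. The following Python is an added example, not Bob Radvanovsky's code or ICS-CERT's: it decodes the publication date that ICS-CERT advisory identifiers carry (ICSA-10-070-01 is day 70 of 2010, which is 11-Mar-2010, as the post states), buckets each advisory title into the post's seven categories, and reports counts and percentages that are checked to sum to 100. The keyword rules are an assumed heuristic, not the scheme used for the numbers in the post, and every record except the first (the Rockwell RSLinx advisory cited above) is constructed for illustration.

```python
"""Tally ICS-CERT advisories by category from their public identifiers and titles.

Added example. The keyword rules and all records except the first are
constructed assumptions, not ICS-CERT's or Radvanovsky's classification.
"""
import re
from collections import Counter
from datetime import date, timedelta

# ICS-CERT identifiers encode the publication date: ICS[A|B]-<YY>-<day of year>-<sequence>.
ID_RE = re.compile(r"^ICS[AB]-(\d{2})-(\d{3})-(\d{2})$")

# Assumed keyword heuristic; first matching rule wins, anything unmatched is Miscellaneous.
# Controller keywords are tested before HMI keywords so "PLC HMI Module" lands with the field device.
RULES = [
    ("GPS-related",               ("gps",)),
    ("Malware-related",           ("malware", "stuxnet", "worm", "trojan")),
    ("Control systems-related",   ("plc", "dcs", "rtu", "controller", "firmware")),
    ("SCADA/HMI console-related", ("hmi", "scada", "opc", "historian", "activex", "web server")),
    ("Network-related",           ("switch", "router", "modbus", "dnp3")),
    ("Software-related",          ("library", "runtime", "java")),
]

# Sample input: the first entry is the real advisory named in the post; the rest are constructed.
SAMPLE = [
    ("ICSA-10-070-01", "Rockwell Automation RSLinx Classic EDS Hardware Installation Buffer Overflow"),
    ("ICSA-11-050-01", "Example HMI Web Server Directory Traversal"),
    ("ICSA-11-120-01", "Example HMI Historian SQL Injection"),
    ("ICSA-11-200-02", "Example PLC Firmware Hard-Coded Credentials"),
    ("ICSB-11-300-01", "Example Malware Targeting Engineering Workstations"),
    ("ICSA-12-010-01", "Example SCADA ActiveX Control Buffer Overflow"),
    ("ICSA-12-030-01", "Example Modbus Gateway Denial of Service"),
    ("ICSA-12-045-01", "Example GPS Receiver Time Spoofing"),
]


def advisory_date(advisory_id):
    """Return the date encoded in an ICSA/ICSB identifier, e.g. ICSA-10-070-01 -> 2010-03-11."""
    m = ID_RE.match(advisory_id)
    if not m:
        raise ValueError(f"not an ICS-CERT advisory id: {advisory_id!r}")
    yy, doy, _seq = (int(g) for g in m.groups())
    if not 1 <= doy <= 366:
        raise ValueError(f"day of year out of range in {advisory_id!r}")
    return date(2000 + yy, 1, 1) + timedelta(days=doy - 1)


def classify(title):
    """Bucket a title into one of the post's categories using whole-word keyword matches."""
    lowered = title.lower()
    for category, keywords in RULES:
        if any(re.search(r"\b" + re.escape(k) + r"\b", lowered) for k in keywords):
            return category
    return "Miscellaneous"


def breakdown(advisories):
    """Return ({category: (count, percent)}, total) for a list of (id, title) pairs."""
    counts = Counter(classify(title) for _id, title in advisories)
    total = sum(counts.values())
    table = {c: (n, round(100.0 * n / total, 2)) for c, n in counts.items()}
    return table, total


def date_range(advisories):
    """Earliest and latest publication dates, taken from the identifiers."""
    dates = [advisory_date(i) for i, _ in advisories]
    return min(dates), max(dates)


if __name__ == "__main__":
    first, last = date_range(SAMPLE)
    table, total = breakdown(SAMPLE)
    print(f"{total} advisories from {first} to {last}")
    for category, (n, pct) in sorted(table.items(), key=lambda kv: -kv[1][0]):
        print(f"{category:<28}{n:>5}{pct:>8.2f}%")
    # Rounded shares should still close to 100; a larger drift means a category was double-counted.
    assert abs(sum(p for _, p in table.values()) - 100.0) < 0.05
```

The real RSLinx title matches none of the assumed keywords and falls into Miscellaneous, which mirrors the post's own "cannot accurately put into a category" bucket: a keyword classifier is only as good as its rule list, and the rules here are deliberately short so the reader can see where each record lands.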

When I analyze the results of my control system cyber incident database, the most significant U.S. incidents from an impact perspective were control system-related, not HMI-related.

These include the four control system cyber incidents that killed people, two major cyber-related electric outages, two nuclear plant shutdowns, and others.

The SCADA/HMI console-related incidents were generally of low impact, the exception being the 2003 Northeast Outage (which did not damage equipment).

It appears that ICS-CERT is focusing on the less important issues.

Cross-posted from the Unfettered Blog. Copyright 2012 ff. Putman Media Inc. All rights reserved.

Clint Stewart So, having complained in particular about ICS-CERT misalignment of reporting, what is your prescription for corrective action?

Are you asserting that ICS-CERT is not reporting on other more appropriate and applicable findings that are submitted to them for inclusion/validation/publication...?

HMI vulnerabilities exceed 75% of what ICS-CERT has published. Should HMI vulnerabilities not be reported? If HMI is the user interface employed to manage and control real-time systems [IED/PLC/SCADA], does this fact make control systems HMI an "IT thing", hence not a legitimate concern for control systems security?
Clint Stewart Bob Radvanovsky's analysis reveals proof-positive that control systems engineers need to focus more on continuous education to understand new technologies that increasingly "encroach" into the technical domain of control systems technology. I think it's fair to say that IT systems and technology are the bane of operational planning for the control systems domain. But that's not all. Cyber security expertise is also a point of anxiety in the control systems domain. Even physical security prowess is lacking in the control systems arena. Anyone doubting this simply has to notice how many electric substations are equipped with effective physical protection commensurate with the critical nature of the infrastructure asset.

All of these examples are fundamentals of security knowledge that could be championed by continuous education.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.