A joint presentation by CyberX's Phil Neray and Emerson Automation Solutions' Neil Peterson, held at the ICS Cyber Security Conference on October 25, described how responsible disclosure works in the ICS space. Without naming the particular vulnerability that CyberX flagged for Emerson and enabled them to close, they described the process they followed, which allowed them to improve the security of the affected system:

  1. CyberX researchers first informed ICS-CERT of their discovery.
  2. They contacted Emerson through ICS-CERT, essentially establishing trust and credibility through this mutually trusted third party.
  3. CyberX demonstrated the exploit to Emerson.
  4. Emerson convened its product incident response team.
  5. Emerson made and verified patches.
  6. Emerson privately pushed the patches to its own customers.
  7. Emerson publicly disclosed the issue to warn the community at large.
  8. Finally, Emerson acknowledged the researchers and their work.

The importance of the trusted intermediary, in this case ICS-CERT, is worth noting. It’s also worth noting that there are trust issues between security firms and ICS vendors as well as between security personnel and factory personnel. In both cases it’s possible to establish trust, and there are well-understood approaches to doing so.