What the Power Industry Has to Learn about Cyber Vulnerability Disclosure
Written by Manimaran Govindarasu and Adam Hahn
Although advanced metering infrastructures enable more dynamic generation, distribution and consumption, the smart meters, wireless repeaters and routers that make them up must operate in physically unprotected environments and communicate with potentially hostile consumer systems. What is more, expanded bandwidth requirements tempt system designers to rely on non-dedicated and often untrusted networks because of their lower costs. The combination of expanded cyber dependencies and greater public exposure will increase the potential impact of software vulnerabilities discovered within these systems. Thus, software vulnerability management is more problematic than ever.
Software vulnerabilities continue to be a major limitation in the design of secure cyberspaces. Vulnerabilities often result from incorrect memory management, poorly designed authentication mechanisms, and incorrect assumptions about user inputs. While engineers have gone to great lengths to develop more secure software, systems remain insecure, as witnessed by Microsoft's monthly Patch Tuesday and by the government-sponsored National Vulnerability Database, which indexes thousands of new vulnerabilities every year.
Vulnerabilities can typically be categorized as issues resulting from either the software design or the implementation process. Design issues generally arise from an inaccurate understanding of system security requirements, leading to insufficient authentication mechanisms, weak encryption ciphers or limited software configurability. Implementation vulnerabilities are typically the result of programming mistakes, such as inappropriate memory allocation, errors in implementing encryption mechanisms, or missing user input validation. Within the power industry both implementation and design issues are very common because of inadequate focus on security in the development process; however, design inadequacies have become increasingly worrisome, as many currently deployed software platforms lack basic security mechanisms such as authentication, encryption and auditing.
In fact, the wide prevalence of these design issues has led ICS-CERT, the DHS-sponsored organization that handles public vulnerability disclosure, to modify its disclosure policy to exclude these design-layer issues. Although this decision may seem alarming, it reflects the added difficulty of mitigating design-layer vulnerabilities, which generally cannot be addressed through a simple software patch. While the decision by ICS-CERT could negatively impact consumers' security awareness, it may also help limit the public release of vulnerabilities for which no complete or sufficient mitigation exists.
The resulting policy and ethical concerns will be just as troublesome. Software vulnerabilities are often first discovered by security researchers unaffiliated with the vendor. Whenever a new vulnerability is detected, the researcher must decide how the sensitive information is best disclosed. One option is "full disclosure", that is, the unrestricted release of complete vulnerability details through public mailing lists or web sites. Another option is to limit disclosure to only the vendor and a computer emergency response team, such as ICS-CERT, thereby giving the vendor a reasonable time frame to create a fix or patch before the vulnerability is publicly disclosed. This method is typically referred to as "responsible disclosure" because it reduces the window during which the vulnerability is publicly known but cannot be appropriately mitigated. Unfortunately, many researchers feel that vendors abuse the responsible disclosure process by not prioritizing the release of timely fixes.
Many traditional IT vendors maintain formal vulnerability management and disclosure policies, acknowledging their willingness to work with researchers and their responsibility to release fixes in a timely fashion. For example, Microsoft has the Coordinated Vulnerability Disclosure (CVD) practice to document how it handles reported vulnerabilities. Google acknowledges and provides a financial reward to researchers who initially disclose vulnerability information privately, ensuring that it can release an appropriate fix before the information is publicly released.
But many power industry vendors have limited experience with the vulnerability disclosure process. As a result, software vulnerability reports often produce disagreements between vendors and researchers as to the severity of vulnerabilities and the appropriate mitigation efforts. Additional difficulties arise for utilities during the deployment of updates or patches because systems are so spread out geographically, network bandwidth is limited, or testing environments and procedures are inadequate.
The vulnerability disclosure problem is critical to ensuring the overall security of the electricity grid and will require greater cooperation, accountability and consideration from all involved parties. Security researchers should analyze the potential negative impact of vulnerability information and use responsible disclosure whenever possible. Vendors must embrace a stronger focus on security, work openly with security researchers and accept responsibility for making timely mitigations.
Although little can be done to directly control how researchers disclose vulnerability information, vendors can encourage adoption of responsible disclosure practices by acknowledging and cooperating with researchers. As vendors develop formal disclosure policies, researchers may gain confidence in vendors' commitment to addressing security concerns.
Regulatory agencies such as the North American Electric Reliability Council (NERC) can provide additional assistance. NERC already enforces cyber security requirements for utilities through the Critical Infrastructure Protection (CIP) standards, which state requirements and time frames for utilities to install vendor patches. While utilities fall under these requirements and must perform timely vulnerability patching, software vendors face no requirements stating when, or whether, they must release a patch. Instead, vendor mitigation decisions are primarily driven by consumer demand for timely mitigation. Yet in contrast to traditional IT software platforms, in the electric power sector smaller customer bases and heavy vendor lock-in often limit consumer influence. These issues can be addressed by formalizing vendor software support and interoperability requirements for all system acquisitions.
Software vulnerabilities, whether they affect a few isolated control centers or millions of publicly exposed smart meters, should be expected occurrences in the development of a smarter grid. Because information about vulnerabilities is so sensitive, methods of disclosure and their resulting impacts must be well understood throughout the power industry. Although intelligent attackers will eventually discover such information, better practices by researchers, vendors, utilities and regulatory agencies can help ensure that problems are remedied before potential cyber adversaries mount their attacks.
Manimaran Govindarasu is a professor in the Department of Electrical and Computer Engineering at Iowa State University. He received the doctoral degree in Computer Science and Engineering from the Indian Institute of Technology (IIT), Chennai, India, in 1998. A member of IEEE, he serves as the chair of the Cyber Security Task Force of the IEEE Power and Energy Systems Society’s Computer and Analytical Methods (CAMS) subcommittee.
Adam Hahn, a student member of IEEE, is a doctoral student in the Department of Electrical and Computer Engineering at Iowa State University. He has a bachelor's degree in computer science from the University of Northern Iowa and a master's in computer engineering from Iowa State.