In our business we routinely come across information about new vulnerabilities in industrial control systems (ICS), cyber threats to specific organizations, and ongoing or past campaigns by a range of threat actors, from nation-states to lone-wolf hackers. Our process for disclosing this information to the appropriate parties is governed by ethics, policy, and in some cases, statute or regulation.
Let’s be honest with ourselves. There are those in our industry who place the marketing value of this information in higher regard than the interests of cyber-attack victims, product manufacturers, end-users, and the security industry as a whole. This isn’t okay, and it runs counter to Claroty’s mission of protecting industrial networks and the critical processes they run.
This inherent conflict between parties on the subject of disclosure is not unique to the security industry. In fact, the U.S. government has dedicated significant resources to reforming the Vulnerability Equities Process (VEP) -- the policy that adjudicates whether the government discloses a software or hardware bug to the manufacturer, or restricts knowledge of the vulnerability to the Intelligence Community for their unique purposes. As an industry we might consider formalizing a similar charter to avoid undue risk and reputational harm. In the meantime, though, we want everyone to know where we stand on the subject.
First, we will never publish information on an ICS vulnerability without first notifying the manufacturer of the affected product and validating that either a patch has been issued or a compensating control is available and reasonably implementable. Unlike IT systems, industrial control systems, if exploited, can cause physical consequences to our critical infrastructure. For this reason we are dedicating resources to not only finding these vulnerabilities, but also working with ICS vendors to implement a fix and then -- and only then -- grow awareness among the end-user community. Organizations who publicly disclose vulnerabilities, without following coordinated disclosure practices, put systems, people and expensive equipment at risk.
Second, we will always prioritize the interests of asset owners and the ICS vendors over our own when it comes to reporting or commenting on known threats. Because most ICS threats are highly tailored and therefore targeted at specific equipment, the manufacturers of this equipment are also victimized by cyber-attacks, as are the organizations that own and operate the equipment. Consider the recent example of the HatMan (aka TRITON and TRISIS) malware attack on Schneider Electric’s Triconex Safety Instrumented System (SIS) at a petrochemical facility in the Middle East. Schneider, like the petrochemical company, suffered considerable costs and damages as a result of what we assess to be a state-sponsored cyber operation. As we did in this case and will do in others, we will always coordinate messaging content and timing to our customers with the victimized vendor. As with HatMan, we prefer to influence the vendors’ reporting with our analysis, rather than publish duplicative reports for public consumption. The one exception to this rule, of course, is if we assess that the vendor is irresponsibly or dangerously withholding information from their customers or the ICS community at large. In our experience, however, this indeed is the exception and ICS vendors are both assertive and cooperative incident responders.
Third and lastly, we are committed to sharing information and resources in good faith with others in the cybersecurity industry, even if they are direct competitors to Claroty. I joined Claroty because, among other reasons, we posses incredibly rich and diverse insights into the cyber risks facing critical infrastructure owners and operators. While these insights are primarily obligated to our customers, it is morally incumbent upon us to contribute to the overall improvement of ICS security throughout the world. In the coming months we will reveal more about our plans to serve as a global convening authority of thought leadership and research on topics that will raise barriers to entry for attackers and mitigate the costs associated with an increasingly interconnected world without forfeiting all of the benefits. As we say, it’ll take a village to secure the world’s critical infrastructure from cyber-attack, and this will must include perspectives that span different industry, intellectual, and geographical domains. For this reason, any decision about disclosing information on vulnerabilities and threats heavily weighs the preservation of our reputation as an altruistic and benevolent contributor to everyone’s cybersecurity, not just our customers’.
In my short time at Claroty, I’ve witnessed a healthy discourse between marketing and research stakeholders about the timing and scope of disclosures pertaining to information that we have obtained or discovered through the course of our work. In the end I’m proud to say that our culture has a strong bias for sacrificing the media spotlight in favor of a responsible and ethical approach that puts our customers, vendors, and end-users first.