Picking up where Reid left off, I want to promote seven simple things ICS vendors can do to stink less when it comes to managing security (okay, number 2 isn’t so simple, but it is important!):
7. List security contact info on your Web page
This shows you are ready and willing to talk with researchers (or users) who have a security concern with the product you created. Then respond promptly and courteously when contacted.
6. Put your own advisories on your own Web page
Look, it’s *your* product. Don’t rely on ICS-CERT, US-CERT, CERT/CC etc. to communicate with *your* customers. What they are doing is a public service. What you are doing is supporting the product *you* wrote and *your* customers purchased. Do *your* job.
5. Proofread the vulnerability advisories you write
If you don’t have a clue what that advisory means, there is a good chance no one else (including your customers) has a clue either. Hire someone who has a security background and can communicate effectively to author these important communications.
4. Monitor for vulnerabilities in the third-party components your products rely on
Lots of bugs exist in third-party code, and some of them have been public for years. Know which libraries and versions you ship, watch their advisories, and tell your customers when one affects your product. Don’t keep these buried and pretend no one will ever know.
3. Keep public details about case studies to a minimum
If you tell the world all about the system you built for your customers, you could be making your customers a target.
2. Monitor your own networks for security breaches
Think about it: your support infrastructure, your code management infrastructure, and your Web site can all be leveraged against your customers if compromised (a poisoned update or a stolen customer contact list hurts them, not just you). That makes those resources high value targets, so watch them like one.
1. Alert your customers when your networks suffer a breach
Don’t sweep it under the carpet. Your risk is their risk.
These aren’t the only ideas out there. Read the Microsoft Security Development Lifecycle book and Web site. Read guidance documents such as the Organization for Internet Safety’s “Guidelines for Security Vulnerability Reporting and Response” or the National Infrastructure Advisory Council’s “Vulnerability Disclosure Framework”.
Most of all, put yourself in the shoes of the critical infrastructure firms who are relying on your product and your expertise. Put yourself in the shoes of the citizens who rely on electricity, water, oil and natural gas. What do they want to know, what do they deserve to know? Don’t stink! Smell like a security champ!