This is an excerpt from the Think Forward blog by Ernie Hayden at 

In a move that may be helpful for critical infrastructure asset owners, on July 23 the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Common Industrial Control System Vulnerability Framework

The Industrial Control Systems Joint Working Group (ICSJWG), which was established by the U.S. Department of Homeland Security Control Systems Security Program, published the document, titled Common Industrial Control System Vulnerability Framework. It was developed to give vendors and system integrators consensus-based guidance for creating ICS vulnerability disclosure policies.

Unfortunately, the industrial control systems / supervisory control and data acquisition (ICS/SCADA) industry has been criticized for less than effective disclosures of vulnerabilities in critical infrastructure systems and products. This new document is intended to provide a foundation for the industry to follow once vulnerabilities are discovered, including how the faults should be revealed to the vendors and the operators for remediation.

The ICSJWG notes that the new paper is “a living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

The document can be a good starting point. Key sections include:

  • Software Vulnerabilities (Types and Associated Remediation)
  • Types of Disclosure (Private, Public, Third-Party)
  • Vulnerability Disclosure Policy Components
  • Appendix – Terminology/Glossary
  • Appendix – Sample Disclosure Policy Overview
  • Appendix – References


The disclosure of ICS vulnerabilities that affect critical infrastructure such as the electrical grid started to rise dramatically in 2011, following the discovery of Stuxnet. The new framework from ICSJWG could greatly improve how vulnerabilities are disclosed and make it easier for operators to assess and act on threats.

ICS / SCADA Vendors – Start Using this Framework!

As noted in the ICSJWG framework, this is intended to be a “living document and will continue to evolve to reflect the expectations of both asset owners and the IT community in general.”

If you work with ICS / SCADA systems and especially if you could be in a situation where you are aware of vulnerabilities but do not have a sense of how they should be handled and revealed, I’d strongly suggest you look over this framework and use it as your guide.

Secondly, if your company develops and/or tests ICS / SCADA software, then it is highly recommended that you begin to implement this framework and develop your own internal policy and procedures on how to handle ICS vulnerabilities and their ultimate disclosure.

What are your thoughts on how vendors handle vulnerabilities? If you are an asset owner, would a vendor using the new ICSJWG framework meet your needs for information and mitigation?

Note from Eric Byres: I have been watching and reporting on the development of this report over the past year. Good job ICSJWG, this is a big step forward!

Practical SCADA Security thanks Ernie for this article.


Ernie Hayden, CISSP, CEH
Managing Principal - Energy Security
Verizon Global Energy & Utilities Practice

Related Links

• Webpage: Industrial Control Systems Joint Working Group (ICSJWG)
•  ICSJWG Email: (Ed. Note: If you have feedback on the ICSJWG Vulnerability Disclosure Framework, send it here)
•  Blog: S4 SCADA Security Symposium Takeaway: Time for a Revolution (Ed. Note: Includes chart showing the dramatic rise in ICS disclosures starting in 2011)
• Tridium Fails and ICS-CERT Flails (Ed. Note: Example of poor handling of a vulnerability by a vendor)
•  Blog: Effective Security Requires Involved Leadership (Ed. Note: Previous blog article by Ernie Hayden)

© Tofino Security 2012 | All Rights Reserved | Tofino Security is part of Hirschmann, a Belden Brand