When a vulnerability exists in an industrial control system, it’s vital that the good guys discover it first.
That’s why we’re grateful for the work done by the largely unheralded heroes of cybersecurity – researchers.
These folks work diligently to uncover industrial security vulnerabilities. When they do so before the bad guys and alert companies like ours, so we can fix them, they help prevent what could be major security incidents.
At Rockwell Automation, we embrace researchers. We actively work with them as part of our standards-aligned vulnerability handling and coordinated disclosure process. And we make a point to give credit where credit is due by showing them our appreciation.
Testing the System
Outside researchers test industrial control products the same way an adversary does: they look for flaws in systems and communications protocols and try to work their way in.
If a researcher finds a vulnerability in our products, they can notify our Product Security Incident Response Team (PSIRT). We’ll then work with them to identify and resolve a validated vulnerability.
When we disclose the finding in a security advisory, we recognize the researcher who found it as a sign of our thanks. We also send the researcher a personal communication to reiterate our appreciation. It’s a simple token of thanks – but for us an important one. And often, the gratitude goes both ways.
For example, Jacob Baines, a principal research engineer with Tenable, Inc., recently worked with us on a security disclosure. He relayed the following:
“Rockwell Automation PSIRT is one of the most professional security groups I’ve disclosed vulnerabilities to. In my experience, Rockwell Automation responds quickly to disclosure-related emails, and they’ve always taken timelines very seriously, to help ensure the ecosystem is secure.
“Furthermore, whether it be the developer’s progress or planned publication dates, Rockwell Automation does a great job of sharing information. This is key to effective coordinated disclosure. They even share their advisory text in advance. In my mind, the Rockwell Automation PSIRT is a great example of how vendors should work with researchers on coordinated disclosures.”