After a fair amount of soul searching and delay, Digital Bond is finally releasing our iccpsic tool set to subscribers who are vetted asset owners.
This was a difficult decision because this tool set will crash vulnerable ICCP servers. It was what we developed and used to find a number of ICCP protocol implementation vulnerabilities, including some of those responsibly disclosed by US-CERT.
Here is why we are releasing it to subscribers who are vetted asset owners:
- The vulnerabilities disclosed by US-CERT have been properly addressed by the vendors who make the ICCP stacks, primarily SISCO and LiveData, but many vendors who integrate and resell SISCO and LiveData stacks under private label have not issued security bulletins notifying their customers of the need to patch or upgrade the ICCP server to address the vulnerability. This tool will allow the asset owner to identify whether they have a vulnerable ICCP server irrespective of the ICCP vendor’s disclosure decision.
- Digital Bond has limited access to ICCP servers. We have tested versions of the more popular stacks, but new vulnerabilities could be introduced in future versions. It is not rare to see vulnerabilities reappear. There are many ICCP stacks with smaller distributions we have not tested and probably don’t know about. Asset owners can test the server they use and report any crashes/vulnerabilities to the vendor. We encourage and will support disclosing newly identified vulnerabilities to US-CERT.
- Not all vulnerabilities get disclosed by US-CERT. If the vendor does not patch the vulnerability, US-CERT typically will not issue a Vulnerability Note. In other cases, vulnerabilities are not disclosed to US-CERT because of NDAs or other reasons. Asset owners can take matters into their own hands and test their ICCP server.
This was not an easy decision, but we feel selectively releasing these types of tools is critical to achieving our primary goal of assisting asset owners in securing control systems through information, tools and services.
In our web site redesign we envisioned releasing tools to vetted subscribers and built in the mechanism. We went through our list of subscribers and marked an initial set of asset owners as having vetted accounts. You will be able to download the iccpsic tool set and documentation from our Resources section after accepting the license terms.
Subscribers who believe they warrant vetted status should send us an email requesting it.