Last week I learned of a new vulnerability and security patch for it on a popular control system application. The good news is the process of the researcher working with the vendor to fix and disclose this vuln is a success story. In fact, we are seeing many vulns being handled in a professional and timely manner, as well as hearing good things about ICS-CERT’s assistance in vuln handling.
When I searched US-CERT and ICS-CERT for their announcement, I found nothing. After a bit of digging, I learned that it is currently only available for US-CERT Secure Portal members. Talking with ICS-CERT I learned a version will be published in the near future on CERT/CC.
I don’t subscribe to the US-CERT portal because we know or hear much of this information from other sources, and I want to avoid any problems with blogging on these issues. But maybe you and I and everyone else with an interest in control system security need to be on the US-CERT Secure Portal?
My preference would be to see some very limited public announcement of a vulnerability at the same time as more info is available from the vendor and through the US-CERT Secure Portal. For example, “Vendor Application Version x.y has a new published vulnerability. Contact Vendor for a security patch or other remediation methods for this vulnerability. Additional information is available on the US-CERT Secure Portal”. This would get passed through the multiple web sites that distribute vulnerability information and have a better chance of reaching affected owner/operators.