This afternoon the folks at DHS ICS-CERT published an update on the ABB WebWare Server that was originally published last week. Readers might remember that ABB declined to patch this legacy system, but, according to ICS-CERT ABB did make some mitigation information available. The original Advisory did not provide a link to that information; this update provides links to two separate documents supporting the security of this application.
Readers will almost certainly remember that an anonymous contributor pointed me at the location on the ABB web site where the links to the mitigation measures could be found. The two documents referenced in this Advisory update are the same ones that I reported on in that blog posting last Friday.
ABB is to be commended on taking the effort to communicate these mitigation measures on an application that they have publicly avowed is unsupported. The discussion continues on the web about whether or not the decision to not issue a security patch was appropriate.