Last night Dale Peterson, owner of Digital Bond and a cybersecurity blogger of much more note than I, posted a comment about yesterday’s blog about the lack of response from ICS-CERT on the VPN vulnerability reported at DEFCON. Basically, he defended (an unusual role for Dale) ICS-CERT’s failure to note the vulnerability with an alert. He said (in part):
“By your logic, ICS-CERT would need to put up a bulletin for every Microsoft, Oracle, *nix, ... vuln and patch because they are widely used in control systems.”
In general I agree with Dale; alerts that are covered on the US CERT web site should not need to be duplicated on the ICS-CERT site. In this specific instance, however, just because ICS-CERT re-asserts in every alert and advisory that the use of a VPN is a suggested security practice for remote access to a control system, they have a special responsibility to call attention to security issues related to VPN use.
Dale goes on to say that:
“Owner/operators should be monitoring the vendor support site and US-CERT for these security bulletins.”
Again, I agree with Dale in general, that such monitoring should be done. I doubt that most of the control systems users in this country do so, but they should. Similarly, I doubt that they monitor the ICS-CERT web site either. If we can get them to monitor at least one such site I propose (and Dale would probably object) that it should be the ICS-CERT site.
Oh, by the way, the US CERT site does not have an alert for the VPN vulnerability. They do have, from back in January, an alert on what appears to be a very similar problem with WiFi sites, but it doesn’t mention VPN’s at all.
The summary of new vulnerabilities from July 30th, the latest I saw on the US CERT site this morning, does not appear to list the VPN vulnerability either. I’m not positive; this site is confusing and one of the reasons that I don’t monitor the US CERT site. There is just too much information to wade through. The ICS-CERT site provides an easier to understand summary of those vulnerabilities that I would be interested in.