Wednesday, January 9, 2013

Reader Comment – 1-9-13 – ICS-CERT and Unsupported Control Systems

An anonymous reader posted a response to this morning’s blog post about the Cimplicity advisory from ICS-CERT. The reader questioned my question about the step-by-step instructions provided in the advisory for mitigating the vulnerability in the unsupported versions of Cimplicity.

Anonymous wrote:

“When I read the ICS-CERT Advisory, it looks like they are just repeating the instructions from GE, and not providing ICS-CERT recommendations. If this is the case, do you have problems with this approach?”

I assume that GE probably did provide ICS-CERT with the mitigation measures listed. My comment came because ICS-CERT provided step-by-step instructions for that mitigation instead of referring to a GE web link.

This does provide another discussion point, though, about unsupported control systems. Many facilities continue to use their existing systems (because they work just fine) long past the time that the vendor will make any effort to continue to provide support for those systems and wayyy past the time that the hardware vendors (or operating system vendors) provide support for the computers upon which the systems run. If security vulnerabilities are found in these systems, do the owners just junk them?

Well, one school of thought says junk the old stuff; it just isn’t securable. The only problem with that, as Dale Peterson is quick to point out, is that the current replacements aren’t much better from a security perspective. Besides, the economy still isn’t too hot, the new systems are expensive to buy and implement, and the current stuff is working just fine.

Now the vendors have good business reasons to stop supporting old systems at some point (where that point lies is an interesting discussion of its own). Money spent on updating old systems isn’t going into developing new, more secure systems.

So, maybe ICS-CERT is the answer, particularly when the solution is as simple as this. I don’t have any problem with that, but it is something that needs to be discussed. And Congress needs to be brought into that discussion because it is going to be a funding issue. Are the limited funds being given to ICS-CERT going to be spent keeping old systems secure, or is ICS-CERT going to be a cutting-edge research organization, or something else entirely?

Now that is an interesting thought. What is the real role of ICS-CERT?

