I am really happy to note that Jeff Potter [Corrected mispelling of name, 03-09-13 21:15 CST], EPM Director-Security Architecture at Emerson has posted a comment on my blog post about the ICS-CERT alert concerning their DeltaV controllers. Vendor clarification of issues raised here or in the ICS-CERT alerts and advisories is always welcome.
The only potentially negative thing that I said about Emerson was a question about the wording of advisory about when Emerson notified their customers (the ICS-CERT advisory says “will notify”). Jeff clears up the point by noting that their customers were notified before the ICS-CERT advisory was published. So it appears that this was an ICS-CERT editorial issue.
An important point that Jeff makes in his comment, that was alluded to in Joel’s comment, is the fact that the original vulnerability discovery only concerned the MD controllers. Emerson work on the issue expanded the disclosure to their SD controllers as well. I think that it is always important for vendors to take that extra step to see if other products have the same or similar vulnerabilities.