It seems that I have stirred up a small hornet’s nest with my recent comments on DNP and the Crain-Sistrunk reported vulnerabilities. I’ve had emails, private LinkedIn® comments and Google+® responses about the situation. Some of what I’ve been told I’ve been asked not to repeat or not to attribute, and I’ve been promised that there will be more to the story in the not-too-distant future.
I’ve had a couple of people (who should know) assure me that the recent spate of DNP-related ICS-CERT advisories are based upon implementation errors, not inherent errors in the DNP protocol. It also seems that there may be other ICS protocols that may be undergoing the same type of detailed review that has resulted in this spate of vulnerability announcements.
Things are not going to be dull.