Early this morning there was an interesting response posted to a LinkedIn discussion group about my earlier blog post on the Raven X EV-DO ICS-CERT Advisory. Michael Thibodeaux commented:
“I love the Raven X EV-DO advisory the best as it is a OEM issue and there is no good way to get a list of the companies that implement this device in their product. A good thesis for an undergraduate would be on this theme. To gather the who and what uses this device take lots of research and time that Undergraduates are willing to put to work for such a theme.”
This is an ongoing issue for a large number of the vulnerabilities that are reported in the ICS arena. It is bad enough when there is a patch or firmware upgrade to apply to fix the problem, but when the mitigation strategy selected by the equipment vendor is hardware replacement (especially when there is inadequate communication of that recommendation as in this case) it becomes much less likely that the fix will take place.
Since the problem here involves a wireless communications device it is particularly vexing that better solutions are not forth coming. These devices are, almost by definition, outside of the physical security protections of an installation. This could allow the access to the ‘isolated’ control system network that too many other vendor’s security vulnerabilities are relying upon for protection.