Today the DHS ICS-CERT published an advisory for a special kind of control system; the the Sensys Networks traffic sensors. The twin vulnerabilities covered in the advisory were initially reported by Cesar Cerrudo of IOActive. Sensys has produced updated versions for two of the three affected products with the third scheduled to be released later this month. There is no indication that Cerrudo has been given the opportunity to verify the efficacy of the mitigation.
The twin vulnerabilities are:
• Download of code without integrity check - CVE-2014-2378; and
• Missing encryption of sensitive data - CVE-2014-2379
ICS-CERT notes that it would take a highly skilled attacker to exploit these vulnerabilities, but it could be done from a neighboring network.
The advisory does not mention that the vulnerabilities were publicly disclosed in an article in Wired magazine and was presented at the 2014 Infiltrate Conference. Nor does it mention that the vulnerabilities were publicly denied by Sensys as late as early last month. So this was hardly a coordinated disclosure and would typically have called for an alert in April.
I can guess why there was no alert from ICS-CERT; this is an industrial control system only in the widest possible definition of the term. Which begs the question; why there was an advisory published today? The only answer that I can think of is that sensor systems like this are destined to become part of a wider network of fully automated traffic systems that would include control of vehicles traversing the system. This advisory may serve as an attempted wake-up call to vehicle control system designers that their un-hackable systems are just as vulnerable as other control systems.
That may be an important effort (if that was the impetus for this advisory), but not if it took away from efforts to deal with control system vulnerabilities that could threaten large populations.