Monday, July 6, 2015

Another ICS-CERT Advisory to Secure Portal

I am again hearing rumors that ICS-CERT has issued a new control system advisory on the US-CERT Secure Portal. I cannot confirm the rumors because I do not have (actually I have declined) access to the Secure Portal.

As always, I would recommend that control system owners regularly access the Secure Portal to see if there are any new advisories posted for their systems. That is, after all, the purpose of this type of semi-public release of control system advisories: let the system owners look at the advisory, make the risk-based decision about applying the identified mitigations, and, if appropriate, apply those steps, all before the vulnerabilities are made public.

Out-of-Date Systems

I am told that there is an interesting sidebar involved with this particular vulnerability. It seems that the advisory is for a product that is reaching the end of its commercial life and will soon be removed from the market (and that frequently means ‘from support’ not too much further down the line). With the high cost of control system components, these devices frequently remain in service for much longer than their sales life. The problem here would be that once the manufacturer stops supporting a device, any subsequently identified vulnerabilities rarely, if ever, get patched. This is becoming a serious issue in the current control system environment.

Just today I had an interesting conversation with a gentleman who has been selling medical monitoring devices for a large number of years and is still active in the field. He was complaining to me that some of the new devices coming into the marketplace were developed to operate on the Windows 7 OS and had problems interfacing with the Windows XP computers that his customers were using. And he was particularly proud of the fact that he was using Windows XP Professional.

I suppose at this point in time we really have to consider that every XP-based computer is compromised, or at least would be if an attacker were interested in the device. This would mean that any device running on an XP system is at least readily compromisable. But, like my friend, many people are really happy running their XP systems until they die (I mean the machines, of course).

