Today the DHS ICS-CERT published another advisory for the CodeWrights Hart-DTM vulnerability that was originally reported in January. This time it was for a large number of devices from Endress+Hauser. Interestingly Endress+Hauser had already been added to the latest version of the CodeWrights version (C) of the advisory published in February.
The only new information in this advisory in this new advisory is the extensive list of E+H affected products and the fact that E+H had finally gotten around to updating the version of the CodeWrights library that they were using.
Nothing to see here move along.
Oh wait. There was an interesting tweet from ICS-CERT this afternoon before they announced the new advisory. It seems that they have recently updated/revised/whatever their public PGP key for secure submission to ICS-CERT. This is certainly important news. Fortunately they tweeted it because there is nothing on their web page that indicates that the key had been changed.
Instead of providing a direct link to the PGP key they send you to the main landing page. To find the link to the key you have to scroll all the way to the bottom of the page and click on “Download PGP/GPG keys”. This is NOT a download link but a link to the page where you can copy the PGP key.
I got there by a slightly more circuitous route starting with clicking on the “Report an Incident” button near the top of the same page. That page provides some interesting information on reporting stuff to ICS-CERT and is good to know. Near the bottom of the page it says:
“Organizations can download our PGP key at https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT.asc”
Don’t waste your time clicking on that link unless you want to see the ICS-CERT 404 page; nothing special there. Fortunately there is the same “Download PGP/GPG keys” link on the bottom of this page to take you to the real PGP key.
At least I think this is the new key. Nothing on the web site mentions that the key has been changed. This is getting to be a real problem on the ICS-CERT web site. There is no way to tell if something is new or old.