This has been an interesting weekend for rumors about ICS-CERT releases on the US-CERT Secure Portal. First I have heard from multiple sources that there may be two or more control system advisories from ICS-CERT currently listed on the Secure Portal. With this you get the normal reminder that critical infrastructure owners and legitimate security researchers may request access to the Secure Portal; see instructions on the bottom of the ICS-CERT landing page.
I have had a single source tell me that the Unitronics advisory I described earlier this week was, in fact, originally released to the Secure Portal on October 1st as I surmised, but that an updated version was released on that portal on November 3rd as described in the publicly released version of the advisory. That reasonably explains the discrepancy that I noted in that earlier post.
Finally I am hearing a disturbing rumor (admittedly from a different single source) that there is a control system vulnerability that has been released to a government-only limited distribution section of the Secure Portal. I can certainly see a need for a really limited initial disclosure of an advisory if it was dealing with military hardware for instance. What is disturbing to me is that there is reportedly (again single source without verifiable details) not going to be a public disclosure of the vulnerability. Again, if this would only affect military hardware, that is perfectly legitimate. I just don’t have enough details to make the call.