Monday, December 12, 2011

SCADA-ICS Vulnerability Reference

Joel Langill over at has come up with another interesting public service on his web site, a listing of control system vulnerabilities. While the listing of the ICS vulnerabilities (with links to the information about them) is valuable in and of itself, Joel went one step further and listed them by control system. That way you can easily find each of the currently known vulnerabilities linked to your particular control system.

Just to make sure that you don’t get complacent, he added another frustrating bit of information: a listing of coordinated disclosures that have been made to ZDI (Zero Day Initiative). The frustrating thing about this listing is that it only provides the vendor name, not the identity of the system. Of course, the whole point of a coordinated disclosure is to keep the actual vulnerability under wraps until a correction is available.

If a security manager gets too crazy about knowing that the vendor for his system has a coordinated vulnerability being worked upon, maybe he should just call up the vendor and ask them what’s going on. Showing the vendor your interest in security issues may make issue-free software a priority for the vendor.

