Last night Dale Peterson, owner of Digital Bond and a cybersecurity blogger of much more note
than I, posted a comment about yesterday’s blog about the lack of response
from ICS-CERT on the VPN vulnerability
reported at DEFCON. Basically, he defended (an unusual role for Dale)
ICS-CERT’s failure to note the vulnerability with an alert. He said (in part):
“By your logic, ICS-CERT would need
to put up a bulletin for every Microsoft, Oracle, *nix, ... vuln and patch
because they are widely used in control systems.”
In general I agree with Dale; alerts that are covered on the
US CERT web site should not need to be duplicated on the ICS-CERT site. In this
specific instance, however, just because ICS-CERT re-asserts in every alert and
advisory that the use of a VPN is a suggested security practice for remote
access to a control system, they have a special responsibility to call
attention to security issues related to VPN use.
Dale goes on to say that:
“Owner/operators should be
monitoring the vendor support site and US-CERT for these security bulletins.”
Again, I agree with Dale in general, that such monitoring
should be done. I doubt that most of the control systems users in this country
do so, but they should. Similarly, I doubt that they monitor the ICS-CERT web
site either. If we can get them to monitor at least one such site I propose
(and Dale would probably object) that it should be the ICS-CERT site.
Oh, by the way, the US CERT site does not have an alert for
the VPN vulnerability. They do have, from back in January, an alert on
what appears to be a very similar problem with WiFi sites, but it doesn’t
mention VPNs at all.
The summary of new vulnerabilities
from July 30th, the latest I saw on the US CERT site this morning,
does not appear to list the VPN vulnerability either. I’m not positive; this
site is confusing and one of the reasons that I don’t monitor the US CERT site.
There is just too much information to wade through. The ICS-CERT site provides
an easier-to-understand summary of those vulnerabilities that I would be
interested in.