Tweets and Comments – Pay for Patch

I’m really not trying to run a cybersecurity blog here, but it certainly does seem that cybersecurity posts seem to draw the most attention. I had two readers respond quickly, Joel Langill in a Tweet and Dale Peterson in a blog comment, to today’s blog post telling me that the practice of charging for security patches is fairly wide spread in the ICS vendor community.

 

I’m sorry to hear that, as one should be able to deduce from reading my blog post. Since I haven’t worked on an ICS since 2006 and didn’t maintain it then, it isn’t too surprising that I haven’t heard about this since it certainly hasn’t been discussed in any of my reading sources for the last couple of years.

Oh, well, I guess I could avoid some embarrassment and delete the last paragraph of my post since I obviously got it wrong (along with my tweet about the original posting), but I think I’ll let it stand. I’ve never been one to try to hide my mistakes.

It does make me wonder, if it is fairly wide spread, why ICS-CERT chose to mention the fact in their advisory about the EOScada system. I don’t recall seeing this mentioned in any other advisory that I have read over the last three years. Could it be that someone there in Idaho was trying to provoke a reaction to get a discussion started about the issue? We’ll probably never know, but I would like to think the issue deserves to be discussed, so let this be the forum. I’m not getting paid by either side and I don’t have a personal axe to grind in the matter.

So let’s hear what people have to say on the issue. I would like to hear from owners, and vendors, and integrators, and researchers, and even the politicians. I have a smattering of readers from all of the above. By all means hide behind the anonymous first name but please add your last name as vendor, owner, integrator, researcher or politician, that way we know where the comments are coming from.

And let us see if we can do this politely. On the day before our national election, we need to show the politicians reading this blog how adults discuss the important issues.

 

NOTE: Dale made a second, relatively unrelated point in his comment that I will discuss in a later blog posting.