An anonymous reader posted a response to this morning’s blogpost about the Cimplicity advisory from
ICS-CERT. The reader questioned my comment about the step-by-step
instructions provided in the advisory for mitigating the vulnerability in the
unsupported versions of Cimplicity.
Anonymous wrote:
“When I read the ICS-CERT Advisory,
it looks like they are just repeating the instructions from GE, and not
providing ICS-CERT recommendations. If this is the case, do you have problems
with this approach?”
I assume that GE probably did provide ICS-CERT with the mitigation
measures listed. My comment came because ICS-CERT provided step-by-step
instructions for that mitigation instead of referring to a GE web link.
This does provide another discussion point, though, about
unsupported control systems. Many facilities continue to use their existing
systems (because they work just fine) long past the time that the vendor will
make any effort to continue to provide support for those systems, and way past
the time that the hardware vendors (or operating system vendors) provide
support for the computers upon which the systems run. If security vulnerabilities
are found in these systems, do the owners just junk them?
Well, one school of thought says junk the old stuff; it just
isn’t securable. The only problem with that, as Dale Peterson is quick to point out, is
that the current replacements aren’t much better from a security perspective.
Besides, the economy still isn’t too hot, the new systems are expensive to buy
and implement, and the current stuff is working just fine.
Now, the vendors have good business reasons to stop
supporting old systems at some point (why is an interesting discussion of its
own). Money spent on updating old systems isn’t going into developing new, more
secure systems.
So, maybe ICS-CERT is the answer, particularly when the
solution is as simple as this. I don’t have any problem with that, but it is
something that needs to be discussed. And Congress needs to be brought into
that discussion because it is going to be a funding issue. Are the limited
funds being given to ICS-CERT going to be spent keeping old systems secure, or
is ICS-CERT going to be a cutting edge research organization, or something else
entirely?
Now that is an interesting thought. What is the real role of ICS-CERT?