I am really happy to note that Jeff Potter [Corrected misspelling of name, 03-09-13 21:15 CST], EPM Director-Security Architecture at Emerson, has posted a comment on my blog post about the ICS-CERT alert concerning their DeltaV controllers. Vendor clarification of issues raised here or in the ICS-CERT alerts and advisories is always welcome.

The only potentially negative thing that I said about Emerson was a question about the wording of the advisory regarding when Emerson notified their customers (the ICS-CERT advisory says “will notify”). Jeff clears up the point by noting that their customers were notified before the ICS-CERT advisory was published. So it appears that this was an ICS-CERT editorial issue.

An important point that Jeff makes in his comment, which was alluded to in Joel’s comment, is that the original vulnerability discovery only concerned the MD controllers. Emerson’s work on the issue expanded the disclosure to their SD controllers as well. I think that it is always important for vendors to take that extra step to see if other products have the same or similar vulnerabilities.

1 comment:
I can confirm that customers knew before the alert came out.