Tuesday, March 3, 2015

Building Management Systems Vulnerability

I am hearing rumors that ICS-CERT has recently published an advisory on the US-CERT Secure Portal regarding a vulnerability in some sort of building management system software.

As I have mentioned on occasion, ICS-CERT uses this limited distribution system to allow critical infrastructure owners a chance to be notified of a vulnerability before they make the advisory available to the general public. This allows such owners to mitigate the vulnerability before it is made generally known. I suspect that the vulnerabilities released in this manner are so simple to exploit that the mere mention of the vulnerability type would allow most hackers to figure out how to exploit the vulnerability.

If you are a critical facility owner (or a control system integrator or ICS cybersecurity consultant) and do not already have access to the ICS-CERT site on the US-CERT Secure Portal, you probably should contact ICS-CERT to see about getting that access. It will allow you a little bit more lead time on these types of disclosures.
