I am again hearing rumors that ICS-CERT has issued a new
control system advisory on the US-CERT Secure Portal. I cannot confirm the
rumors because I do not have (actually I have declined) access to the Secure
Portal.
As always I would recommend that control system owners
regularly access to the Secure Portal to see if there are any new advisories
posted for their systems. That is, after all, the purpose of this type
semi-public release of control system advisories; let the system owners look at
the advisory, make the risk-based decision about applying the identified
mitigations, and if appropriate, applying those steps all before the vulnerabilities are made public.
Out-of-Date Systems
I am told that there is an interesting side bar involved
with this particular vulnerability. It seems that the advisory is for a product
that is reaching the end of its commercial life and will soon be removed from
the market in the foreseeable future (and that frequently means ‘from support’
not too much further down the line). With the high cost of control system
components, these devices frequently remain in service for much longer than
their sales life. The problem here would be that once the manufacturer stops
supporting a device, any subsequently identified vulnerabilities rarely, if
ever get patched. This is becoming a serious issue in the current control
system environment.
Just today I had an interesting conversation with a
gentleman that has been selling medical monitoring devices for a large number
of years and is still active in the field. He was complaining to me about some
of the new devices coming into the market place were developed to operate on
the Windows 7 OS and had problems interfacing with the computers that his
customers were using running Windows XP. And he was particularly proud of the
fact that he was using Windows XP Professional.
I suppose at this point in time we really have to consider
that every XP based computer is compromised, or at least would be if an
attacker was interested in the device. This would mean that any device running
on an XP system is at least readily compromisable. But, like my friend, many
people are really happy running their XP systems until they die (I mean the
machines, of course).
Posts
No comments:
Post a Comment