Today, Siemens published another new Log4Shell advisory and updated their original advisory.
New Advisory - Siemens published an advisory discussing the three Log4Shell advisories in their Energy Sensformer (Platform, Basic and Advanced).
Update - Siemens published an update for their original Log4Shell advisory, which was originally published on December 12th, 2021 and most recently updated on December 20th, 2021.
Commentary
One thing that has become obvious during my coverage of this set of vulnerabilities is that cloud versions of control system software appear to be ideally suited to responding to vulnerabilities. It looks like (from the outside) that it takes less time to develop mitigations, and it certainly gets them into actual operations much faster. The only question is, how does this affect the ‘requirement’ to test patches, updates, and new versions off-line before they are run on operational systems? Yes, vendors like Siemens certainly do in-house testing ‘offline’, but that testing cannot include all of the other pieces of the control system that must physically reside in the plant, like sensors, valves and motors. Is this not necessary for control system software-as-a-service products?
For more details on these advisories, see my article at CFSN - Detailed Analysis - https://patrickcoyle.substack.com/p/12-21-21-siemens-advisories-for-log4shell - subscription required.