Wednesday, June 22, 2022

CISA Publishes Notice About OT:ICEFALL

Today CISA published a notice on their Current Activity page on “CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report”. It lists the NCCIC-ICS advisories published yesterday that were based upon the OT:ICEFALL report. While those advisories mentioned the Report, they did not provide links to it. This notice not only provides a link to the document but also specifically mentions that the researchers were from Forescout.

Reading this notice, it would be easy to assume that the five listed advisories provided an exhaustive list of the 56 vulnerabilities reported by Vedere Labs. It does not report that there are other vendors affected, much less list those vendors. Again, as I mentioned yesterday, NCCIC-ICS should have published an OT:ICEFALL advisory that lists the known affected vendors and the full list of 56 vulnerabilities reported by Forescout.

Oh, and no one at CISA is mentioning that these 56 vulnerabilities are going to be affecting an as-yet-unknown number of other ICS products as third-party vulnerabilities.

