Thursday, December 1, 2022

Review - Reader Comment - Bedrock Crushed?

Earlier this week, a long-time (near original CFSN Detailed Analysis subscriber) left me a message on LinkedIn about a small ICS supplier, Bedrock Automation, and its apparent going out of business. Small companies go out of business all of the time, so that is unusual, but the ‘new’ company web page is a tad bit odd (as is the lack of any public announcement that I have been able to find):

The company has made new ‘mandatory’ versions of their software and firmware publicly available on their website and has modified the existing security measures, making a public certificate available and reducing the requirements for certificate checking in communicating with and between Bedrock components.


It is always sad to see an OT vendor that has a major focus on cybersecurity disappear from the marketplace. Beyond the immediate effect on the employees of Bedrock, this is going to have some impact on the installed base of equipment manufactured by Bedrock. First and foremost, support completely disappears at the end-of-the-month. Depending on the quality of these products, at some point in time people are going to start looking for replacements, the better the quality the long folks will hold off.

Maybe more important from a security perspective, Bedrock has made the last version of their software and firmware widely available, so researchers are going to have some level of access to search for vulnerabilities. Even if the researcher wanted to coordinate their disclosure, with no vendor available, all vulnerabilities will be forever-day vulnerabilities. That plus the reduction in the communication security provisions in the new updated software and making the certificates publicly available, have made all of the installed devices less secure.


For more information about Bedrock Automation and its closeout actions, see my article at CFSN Detailed Analysis - - subscription required.

No comments:

/* Use this with templates/template-twocol.html */