Friday, November 14, 2025

Reader Comment – Advisory Formats

Earlier this week David Spinks, moderator of the Cyber Security in Real-Time Systems group on LinkedIn, left a comment in that group about my short post on the changes in Siemens advisory formats. He noted that:

“If I were a Siemens customer I would want to understand the reason for these changes. If you have a PDF document then you can detect any changes whereas in HTML format that is very difficult! UK HMG are in the same mode they DO NOT like to issue PDFs because it provides an audit trail ....”

Siemens had provided the following explanation of the reason for dropping the .pdf and .txt versions of their advisories and updates:

“As expected, the CSAF format is now the dominant standard for machine readable advisories, and the HTML format provides much better readability for humans due to interactive content like product grouping. Due to these improvements, the download rates of PDF and TXT advisories decreased further.”

Not explicitly stated here, but certainly implied is the fact that the storage and maintenance of the number of advisories that Siemens issues every month (November 2025 was a relatively light month with 7 new advisories and 18 updates) in multiple formats has got to be a rather significant business expense. Having said that, it would seem to me that the storage cost for .html files would be higher than .pdf files.

David does make an important point though about changeability issues. Even ignoring any possibility of nefarious intent, it is easier to correct minor mistakes and typos in an .html document than in a .pdf document. And that could lead to management of change issues as people inevitably (and not necessarily with malice aforethought) incrementally expand the scope of ‘minor mistakes and typos’ that are acceptable to change.

We, as consumers of these advisories, have little chance to influence the decision-making processes of companies as large as Siemens, but if you have concerns similar to those that David has voiced, at least let your sales/service reps know about them. In the meantime, to keep your internal management of change documentation in good shape, save the Siemens .html documents to .pdf when you first access them, and each time you do a formal review (risk assessments, etc) of that vulnerability in your system, download (and date) the advisory again from the Siemens site. That way you will be sure to have the latest version, with any ‘minor changes’ that may have crept in without notification.
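As an added example (not from the original post or from Siemens), here is one way to keep dated copies of an advisory page and see exactly what changed between reviews. It assumes the advisory HTML has already been downloaded and that the archive directory exists; the advisory ID `SSA-000000`, the sample pages, and the function names are constructed for illustration.

```python
import difflib, hashlib, json, tempfile
from datetime import date
from html.parser import HTMLParser
from pathlib import Path

class _Text(HTMLParser):  # visible text only, so markup-only edits are not flagged
    def __init__(self):
        super().__init__()
        self.lines, self.skip = [], False
    def handle_starttag(self, tag, attrs):
        self.skip = tag in ("script", "style")
    def handle_endtag(self, tag):
        self.skip = False
    def handle_data(self, data):
        if not self.skip and data.strip():
            self.lines.append(" ".join(data.split()))

def visible_text(html):
    parser = _Text()
    parser.feed(html)
    parser.close()
    return parser.lines

def record_snapshot(archive, advisory_id, html, when):
    """File a dated copy; return (changed, diff) against the previous copy."""
    index_file = Path(archive, "index.json")
    index = json.loads(index_file.read_text()) if index_file.exists() else {}
    history = index.setdefault(advisory_id, [])
    text, stamp, diff = visible_text(html), when.isoformat(), []
    digest = hashlib.sha256("\n".join(text).encode("utf-8")).hexdigest()
    prev = history[-1] if history else None
    changed = prev is not None and prev["sha256"] != digest
    name = prev["file"] if prev and not changed else f"{advisory_id}_{stamp}_{digest[:8]}.html"
    if changed:
        old = visible_text(Path(archive, prev["file"]).read_text(encoding="utf-8"))
        diff = list(difflib.unified_diff(old, text, prev["date"], stamp, lineterm=""))
    if prev is None or changed:  # store a new file only when the text differs
        Path(archive, name).write_text(html, encoding="utf-8")
    history.append({"date": stamp, "file": name, "sha256": digest})
    index_file.write_text(json.dumps(index, indent=2))
    return changed, diff

# Constructed sample pages; "SSA-000000" is a placeholder, not a real advisory.
V1 = "<html><body><h1>SSA-000000</h1><p>Affected: all versions &lt; V2.0</p></body></html>"
V2 = "<html><body><h1>SSA-000000</h1><p>Affected: all versions &lt; V2.1</p></body></html>"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        record_snapshot(d, "SSA-000000", V1, date(2025, 11, 14))
        print(*record_snapshot(d, "SSA-000000", V2, date(2026, 2, 2))[1], sep="\n")
```

Every review adds a dated entry to `index.json`, so the index doubles as a record of when the advisory was checked, even when nothing changed.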
