What good is the ICS CERT?

June 8, 2011
ICS CERT has issued a For Official Use Only (FOUO) Alert on Siemens Programmable Logic Controller (PLC) Vulnerabilities. This is a continuation of the inadequate response by ICS CERT to most everything specific to ICSs. It is also a continuation of the ludicrous use of the FOUO designation. Remember Aurora - despite being on CNN, it is still classified as FOUO. The most recent ICS CERT Alert is on the Siemens S7-1200 series PLC. If ICS CERT has any value, it should have the technical knowledge to understand what is critical and what is not.
ICS CERT has issued a For Official Use Only (FOUO) Alert on Siemens Programmable Logic Controller (PLC) Vulnerabilities. This is a continuation of the inadequate response by ICS CERT to most everything specific to ICSs. It is also a continuation of the ludicrous use of the FOUO designation. Remember Aurora - despite being on CNN, it is still classified as FOUO. The most recent ICS CERT Alert is on the Siemens S7-1200 series PLC. If ICS CERT has any value, it should have the technical knowledge to understand what is critical and what is not. It obviously does not or it would recognize this is not a critical model.  If it affects the other models that are critical - say something. The Alert also has a listing from 2008 (anyone notice what year it is) of the Siemens PLC penetration in the various industries. Unfortunately, they don’t address which model Siemens PLCs make up this listing. 
Just so people understand my concerns, enclosed is Ralph Langner’s comments to the Alert on the www.controlglobal.com/unfettered website: “I haven't got a hold of the alert, but my understanding from Siemens' communication on the subject is that Beresford's vulns are ALL related to the S7-1200. This is a micro-PLC that is neither in common use in critical infrastructure nor really compatible with the bread-and-butter PLCs of the same vendor, a.k.a. S7-300 and S7-400. So we got a classified alert out, while for months there is exploit code in the wild (a.k.a. Stuxnet) that injects code into the main sweep of S7-300s and 400s, devices that are actually used in US critical infrastructure, and ICS-CERT didn't bother to even issue a warning? If somebody understands this, I don't.”
DHS’s ICS CERT needs to bite the dust soon and a real technically competent non-governmental ICS CERT stood up. I can think of two approaches. The first would be to have an organization like the Carnegie-Melon Software Engineering Institute (SEI) that operates the CERT, but has no control system expertise add credible, competent control system experts. The second is to have an organization like SCADASec that has control system expertise and has been informally acting like an ICS CERT expand into a formal ICS CERT. There is precedent to this approach with Factory Mutual and UL in the safety area. 
Joe Weiss