What good is the ICS CERT?

ICS CERT has issued a For Official Use Only (FOUO) Alert on Siemens Programmable Logic Controller (PLC) Vulnerabilities. This is a continuation of the inadequate response by ICS CERT to almost everything specific to ICSs. It is also a continuation of the ludicrous use of the FOUO designation. Remember Aurora: despite being on CNN, it is still classified as FOUO. The most recent ICS CERT Alert is on the Siemens S7-1200 series PLC. If ICS CERT has any value, it should have the technical knowledge to understand what is critical and what is not. It obviously does not, or it would recognize that this is not a critical model. If it affects the other models that are critical, say something. The Alert also has a listing from 2008 (anyone notice what year it is?) of the Siemens PLC penetration in the various industries. Unfortunately, it does not say which Siemens PLC models make up this listing.

Just so people understand my concerns, here are Ralph Langner’s comments on the Alert from the www.controlglobal.com/unfettered website: “I haven't got a hold of the alert, but my understanding from Siemens' communication on the subject is that Beresford's vulns are ALL related to the S7-1200. This is a micro-PLC that is neither in common use in critical infrastructure nor really compatible with the bread-and-butter PLCs of the same vendor, a.k.a. S7-300 and S7-400. So we got a classified alert out, while for months there is exploit code in the wild (a.k.a. Stuxnet) that injects code into the main sweep of S7-300s and 400s, devices that are actually used in US critical infrastructure, and ICS-CERT didn't bother to even issue a warning? If somebody understands this, I don't.”

DHS’s ICS CERT needs to bite the dust soon, and a real, technically competent, non-governmental ICS CERT needs to be stood up. I can think of two approaches. The first would be to have an organization like the Carnegie Mellon Software Engineering Institute (SEI), which operates the CERT but has no control system expertise, add credible, competent control system experts. The second is to have an organization like SCADASec, which has control system expertise and has been informally acting like an ICS CERT, expand into a formal ICS CERT. There is precedent for this approach with Factory Mutual and UL in the safety area.

Joe Weiss


  • Bryan,

    I would call that a creative interpretation of the situation. My understanding is that both ICS-CERT and the vendor only acted because Beresford put a gun at their head by announcing that he would release his Metasploit modules within short order. (If he lived in Germany, he would very likely have gotten a phone call from the vendor’s legal department an hour later.) So just because of this little blackmail we now have an alert for a product that is used to control such critical systems like escalators. Forgive me if I don’t agree on your suggestion to stay on this course.

