When is an actual vulnerability no longer considered a vulnerability?

Sept. 23, 2011
In a stunning statement at the 2011 ACS Cyber Security Conference, Marty Edwards from DHS stated that in order for a design deficiency to be considered a vulnerability, it must be fixable by a patch. This means exploitable design deficiencies such as those found by Ralph Langner and Dillon Beresford are not considered vulnerabilities by DHS because they cannot be fixed by patches. It also implies theses exploitable design deficiencies do not have to be disclosed by ICS-CERT.  This is bizarre.  

Joe Weiss
In a stunning statement at the 2011 ACS Cyber Security Conference, Marty Edwards from DHS stated that in order for a design deficiency to be considered a vulnerability, it must be fixable by a patch. This means exploitable design deficiencies such as those found by Ralph Langner and Dillon Beresford are not considered vulnerabilities by DHS because they cannot be fixed by patches. It also implies theses exploitable design deficiencies do not have to be disclosed by ICS-CERT.  This is bizarre.  
Joe Weiss

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.