Today, we received a press release from a security company, announcing that they had found a vulnerability in a piece of third-party software. We often get these. I'm not naming names.
What we DON'T get, however, is the context. Such and such a vulnerability was found in such and such a software application. And so? And we didn't get that context in this case either.
Industrial cybersecurity is based on risk analysis...and the security company did its customers a disservice in not explaining what the vulnerability's issues really are. The release did not say a darn thing about the business decisions that have to be made as a result of the vulnerability being discovered.
Say what?
Let me say it another way. There are vulnerabilities and there are vulnerabilities. A particular vulnerability may be a fatal issue for a SCADA system, or it may be a minor annoyance.
It is incumbent on security companies to do the research and outline the risk clearly so that the business decision makers, who are almost certainly NOT cybergeeks, can make correct decisions.
Otherwise, it sounds like a bunch of script kiddies saying "Nanny Nanny Boo Boo, we know something you don't know!"