Vendors shirk responsibility for writing advisories

I was looking over the Advantech vulnerability announced November 20, 2014 on the ICS-CERT Web page.

advantech advisory

Something struck me. Well, it has struck me before, but it struck me again: The DHS advisory has no official Advantech counterpart.

For example, if you go over to Advantech, and search for “vulnerability” you don’t find anything. Search for “security”: no hits that address the security of its products. No link. No reference. Nothing — for more than sixty publicly-disclosed vulnerabilities affecting its products.

Now, I don’t necessarily expect customer support chat help to know the details on the security of its products, but to help me be sure I wasn’t missing anything on the Web site, I started up a support chat with Advantech:

You are now chatting with ‘Perry’

Sean: Hi Perry

Perry: Hi Sean

Perry: How may I assist you?

Sean: I was wondering if there is a location on the Web site for vulnerability notifications

Sean: I saw some put out by the DHS in the United States

Sean: but was wondering whether Advantech also covered them

Perry: Let me get you transferred over to one of our website people

Sean: I seached the site for “security” and “vulnerability”

Sean: sure

Please wait while I transfer the chat to ‘Mark.Yang’.

You are now chatting with ‘Mark.Yang’

Mark.Yang: Hi Sean

Mark.Yang: Not sure if I understand your question “if there is a location on the Web site for vulnerability notifications”

Mark.Yang: Are you looking for any particular Advantech system(s) that would perform as Intrusion Detection?

Sean: no. I am looking for info on the security of your products,

Sean: here’s the report that came out the other day:

Sean: I was wondering whether Advantech has its version of this advisory

Sean: so I can get more information

Sean: direct from the source

Sean: as opposed from some government Web site

Mark.Yang: I see.

Mark.Yang: Sorry I currently don’t have such details at hand

Mark.Yang: But you can open a support ticket for this request

Mark.Yang: Someone can further assist you in greater details


Sean: right — maybe I will give that a shot

Critical Intelligence has analyzed well over 1,000 ICS-specific vulnerabilities. Advantech is not alone; many vendors do not write their own advisories. If the security bugs are reported through the ICS-CERT then the affected vendor may work with the ICS-CERT to help the ICS-CERT write an advisory, but the vendor does not write its own.

To me this is shirking the duty that a vendor owes its customers — customers that rely on those products to control critical infrastructure. Look, If I bought your product you should tell me about its problems. You shouldn’t expect me to go to some government Web site to do that for you — especially when its not even the government of your home/headquarters country.

I also think that the DHS ICS-CERT should push vendors to step up their game. A true “public-private partnership” requires the private side to contribute. At least *try* to tell your customers.