I was looking over the Advantech vulnerability announced November 20, 2014 on the ICS-CERT Web page.
Something struck me. Well, it has struck me before, but it struck me again: The DHS advisory has no official Advantech counterpart.
For example, if you go over to Advantech, and search for “vulnerability” you don’t find anything. Search for “security”: no hits that address the security of its products. No link. No reference. Nothing — for more than sixty publicly-disclosed vulnerabilities affecting its products.
Now, I don’t necessarily expect customer support chat help to know the details on the security of its products, but to help me be sure I wasn’t missing anything on the Web site, I started up a support chat with Advantech:
You are now chatting with ‘Perry’
Sean: Hi Perry
Perry: Hi Sean
Perry: How may I assist you?
Sean: I was wondering if there is a location on the Web site for vulnerability notifications
Sean: I saw some put out by the DHS in the United States
Sean: but was wondering whether Advantech also covered them
Perry: Let me get you transferred over to one of our website people
Sean: I seached the site for “security” and “vulnerability”
Please wait while I transfer the chat to ‘Mark.Yang’.
You are now chatting with ‘Mark.Yang’
Mark.Yang: Hi Sean
Mark.Yang: Not sure if I understand your question “if there is a location on the Web site for vulnerability notifications”
Mark.Yang: Are you looking for any particular Advantech system(s) that would perform as Intrusion Detection?
Sean: no. I am looking for info on the security of your products,
Sean: here’s the report that came out the other day:https://ics-cert.us-cert.gov/advisories/ICSA-14-324-01
Sean: I was wondering whether Advantech has its version of this advisory
Sean: so I can get more information
Sean: direct from the source
Sean: as opposed from some government Web site
Mark.Yang: I see.
Mark.Yang: Sorry I currently don’t have such details at hand
Mark.Yang: But you can open a support ticket for this request
Mark.Yang: Someone can further assist you in greater details
Sean: right — maybe I will give that a shot
Critical Intelligence has analyzed well over 1,000 ICS-specific vulnerabilities. Advantech is not alone; many vendors do not write their own advisories. If the security bugs are reported through the ICS-CERT then the affected vendor may work with the ICS-CERT to help the ICS-CERT write an advisory, but the vendor does not write its own.
To me this is shirking the duty that a vendor owes its customers — customers that rely on those products to control critical infrastructure. Look, If I bought your product you should tell me about its problems. You shouldn’t expect me to go to some government Web site to do that for you — especially when its not even the government of your home/headquarters country.
I also think that the DHS ICS-CERT should push vendors to step up their game. A true “public-private partnership” requires the private side to contribute. At least *try* to tell your customers.