UPDATE – The video is added.  I wrongly assumed this was the lost 15-minute session. Sorry Sean.

Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.

If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.


[slideshare id=32994528&doc=icsvulnerabilityanalysismcbride-nn11-140401112857-phpapp01&w=450]

I have some hope that the vendors will learn and get better. I have little hope that ICS-CERT will improve because they have yet to admit they are lacking. The ICS industry doesn’t help by praising the fact that they are putting out so many more Alerts and Advisories than in years past. They could let US-CERT or CERT/CC handle at least 95% of these and truly use their ICS expertise to dive deep in the 5% that matter.