Hilscher's approach to vulnerability handling & management
Hilscher regards the management of security-related issues as one of the key elements in minimizing customers' risk of security breaches. A vulnerability management policy has therefore been established at Hilscher to handle and react adequately to vulnerabilities and security-related issues found in software components and products.
The established workflow for vulnerability handling conforms to practice 6 ("Management of security-related issues") and practice 7 ("Security update management") of IEC 62443-4-1 (Ed. 1.0, 2018-01, "Secure product development lifecycle requirements").
The workflow starts with the receipt of a notification of a security-related issue, coming either from internal sources such as developers or Hilscher's test department, or from external sources such as product users and asset owners.
Following receipt of the report, Hilscher reviews the reported incident with regard to its applicability, its verifiability and the threats that trigger the issue. If the reported incident is confirmed as a vulnerability, a phase of detailed examination and assessment follows. This includes an impact analysis covering availability, confidentiality and integrity, a severity rating according to CVSSv3, and the identification of affected products and product revisions.
Once the vulnerability has been thoroughly assessed, remedial actions are taken, such as providing validated software patches. If providing a software patch would take too long or is not possible, Hilscher will try to mitigate the impact of the vulnerability by providing workarounds and suggesting configuration changes, for example disabling the vulnerable service.
As transparency plays a key role for security-related issues, Hilscher discloses vulnerabilities and security-related issues on its public Security Advisory page in a timely manner. This ensures that product users are informed of resolved vulnerabilities and can make informed security assessments of their operations. If the vulnerability was reported by a third party, Hilscher stays in contact with that party throughout the vulnerability handling process and provides continuous updates on the issue, including the severity rating, the impact assessment and the potentially affected products and product versions.
When you consider the actual impact of a particular vulnerability listed in the Security Advisory, please take the overall context into account. Many of the devices are used on the OT (Operational Technology) layer rather than the IT (Information Technology) layer.
OT systems typically run in an industrial environment with restricted physical access. OT devices are highly specialized and do not use standard operating systems such as MS Windows.
They run autonomously over a long period of time without changes.
With the properties sketched above, many vulnerability scenarios are less critical in OT systems than in IT systems. Whether that holds for a given installation depends on how the device is actually exposed on the network, so each advisory should still be assessed against your own deployment.
The installation guidelines contain useful information on reliable and secure network operation. Please consult the respective documents issued by the user organisations:
Please allow a reasonable timeframe for us to address the vulnerability and release a fix before you make technical details public. Timeframes will be estimated during our assessment of the report. We do not yet commit to fixed timeframes, but we promise to handle security issues in an adequate manner, including a quick reaction to any reported vulnerability.
How to report a vulnerability
We welcome reports about possible vulnerabilities in our products. If you believe you have discovered a security vulnerability in a Hilscher product, please do not hesitate to contact firstname.lastname@example.org. When reporting a security vulnerability, please include as much information as possible on the following topics. The more information you provide, the easier it is for Hilscher to identify the root cause, which can lead to a quicker resolution of the issue.
Please provide your contact information and tell us whether you want to be acknowledged in the security advisory we will publish once the vulnerability handling process is complete. If no acknowledgement is desired, your personal data will be handled confidentially.
Please specify the affected product type according to the following products available from Hilscher. If the affected product is not listed, provide as much information as possible about the affected product type.
Please provide the order number and product revision if available.
Please provide the protocol stack name and the exact firmware version. If you are not sure of the firmware version, you can also send us the firmware file extracted from your device.
Please provide as much information as possible here, covering the following topics. Anything you wish to share, including screenshots, videos, scripts, etc., will facilitate identification of the root cause.