Review – Reader Comment – Bedrock Crushed?

Earlier this week, a long-time subscriber (nearly an original CFSN Detailed
Analysis subscriber) left me a message on LinkedIn about a small ICS supplier,
Bedrock Automation, and its apparent going out of business. Small companies go
out of business all of the time, so that is not unusual, but the ‘new’ company web page
is a tad bit odd (as is the lack of any public announcement that I have been
able to find):

The company has made new ‘mandatory’ versions of their
software and firmware publicly available on their website and has modified the existing
security measures, making a public certificate available and reducing the
requirements for certificate checking in communicating with and between Bedrock


It is always sad to see an OT vendor that has a major focus
on cybersecurity disappear from the marketplace. Beyond the immediate effect on
the employees of Bedrock, this is going to have some impact on the installed
base of equipment manufactured by Bedrock. First and foremost, support completely
disappears at the end of the month. Depending on the quality of these products,
at some point in time people are going to start looking for replacements; the
better the quality, the longer folks will hold off.

Maybe more important from a security perspective, Bedrock
has made the last version of their software and firmware widely available, so
researchers are going to have some level of access to search for
vulnerabilities. Even if a researcher wanted to coordinate their disclosure,
with no vendor available, all vulnerabilities will be forever-day
vulnerabilities. That, plus the reduction in the communication security
provisions in the new updated software and making the certificates publicly
available, has made all of the installed devices less secure.


For more information about Bedrock Automation and its
closeout actions, see my article at CFSN Detailed Analysis –
subscription required.

By admin