Kontakt
Feedback

SICK Product Security Incident Response Team
(SICK PSIRT)

SICK Security Advisories

SICK AG products and services are subject to the highest quality requirements. That is why cyber security is taken into account and tested in the development phase. To ensure that products and services are secure throughout their entire service life, reports on possible vulnerabilities are taken very seriously and handled with the greatest sense of responsibility. Uncovering vulnerabilities is understood as a common goal of different parties with the aim of offering our customers a consistently high level of security.

The SICK Product Security Incident Response Team (SICK PSIRT)

The SICK PSIRT is the central team of SICK AG which is authorized to answer reports regarding the cyber security of products, solutions and services as well as provide information. All reports concerning potential vulnerabilities or other security incidents connected to SICK AG products can be passed on to the SICK PSIRT.

The SICK PSIRT manages the inspection, internal coordination and disclosure of security vulnerabilities. A security advisory is issued for confirmed vulnerabilities as soon as a solution is available. If the situation requires, a security advisory with the measures to be taken is sent out before an update is available.

Reports on potential vulnerabilities or other incidents are more than welcome from anyone, regardless of their customer status. SICK AG respects and takes into account the different interests of reporters and encourages the reporting of information to the SICK PSIRT. The aim is to follow a process of coordinated disclosure of vulnerabilities (coordinated vulnerability disclosure).

Handling vulnerabilities is described in document “Vulnerability Handling Guideline”.

Reporting a vulnerability

The SICK PSIRT aims to process every vulnerability with confidentiality and professionalism together with the respective reporters. Neither a non-disclosure agreement (NDA) nor another type of contract is necessary or a requirement for collaboration.

Coordinated vulnerability reports from all members of the security community are greatly appreciated. These include security researchers, universities, CERTs, business partners, authorities, industry associations and suppliers.

Many SICK AG products fulfill important protective functions and are used in critical infrastructures. SICK AG therefore asks for cooperation when dealing with the coordinated disclosure of vulnerabilities and also requests that vulnerability information not be disclosed prematurely.

SICK AG requests that as much information as possible is provided in a report in order to speed up processing. This information should contain the following:

  • Contact information and availability
  • Affected product including model and version number
  • Classification of the vulnerability (buffer overflow, XSS, …)
  • Detailed description of the vulnerability (with verification if possible)
  • Effect of the vulnerability (if know)
  • Current level of awareness of the vulnerability (are there plans to disclose it?)
  • (Company) affiliation of the reporter (if reporter is prepared to provide such information)
  • CVSS score (if known)

If more information is necessary for the inspection of a vulnerability, the SICK PSIRT will contact the reporter.

If the reporter would like, he/she will be publicly acknowledged after disclosing a new vulnerability.

Contact information

Reports for the SICK PSIRT are to be sent to this address:

  • psirt@sick.de (PGP Public Key with fingerprint: D441 9CE6 6F46 4D8C C017 520D 70D6 2CF8 AA9D 9E95)
  • Accepted languages: German and English
  • Transmission: Encryption preferred

Encrypted reports are preferred to protect sensitive information and data. German and English are accepted. 

The SICK PSIRT is happy to provide additional information about its operating principle or answer general questions about reports of vulnerabilities. If you have any other questions or concerns not related to security, we ask that you contact SICK AG customer service. The SICK PSIRT cannot provide information about these issues.

Security Advisories

  • 2019
    ID Title CVSS Score Products Date Download (PDF) Signature
    SCA-2019-0001 Use of hard-coded credentials in MSC800 9.8 MSC800 all versions 24.06.2019 Download Download
    SCA-2019-0002 Vulnerability in FX0-GENT00000 and FX0-GPNT00000 7.5 FX0-GPNT00000 (1044074) FX0-GENT00000 (1044072) 20.09.2019 Download Download

     

History

12/10/2018 - Introduction of the SICK PSIRT

Contact

SICK PSIRT – cyber security contact for SICK products

psirt@sick.de

 

Reports can be sent in German or English.

Security Advisories

SICK Security Advisories

Dokumente

PGP Public Key with fingerprint: D441 9CE6 6F46 4D8C C017 520D 70D6 2CF8 AA9D 9E95

Vulnerability Handling Guideline

Acknowledgments

Acknowledgments

Further information

BSI

ICS-Cert

ISA

IEC

Upp