Wednesday, September 28, 2011

DHS says that's not a bug, that's a feature re: ICS

Threatpost has an interesting article on how the Department of Homeland Security is going to begin reclassifying vulnerabilities in Industrial Control Systems (ICS) and stop creating ICS-CERT alerts for vulnerabilities that are deemed "design flaws", such as ICS communications transmitted in clear text. The explanation is that clear text transmission, or better stated as the lack of secure communications, is a design issue across the board that is too big to be considered a "bug" the way a buffer overflow in an application would be. So they are not going to issue an ICS-CERT security advisory about it.

Given that other vulnerability management systems such as the CVE database, Secunia and the like all create vulnerability announcements for design flaws such as clear text transmission, why should the DHS act any differently? Perhaps there are so many inherent design flaws in business-critical ICSs that they are worried the resulting alerts would scare the kittens out of people, in light of the enhanced press coverage of so many high-profile intrusions within the last 8 months.

Or ICS vendor lobbyists. Could go either way.